Best Practices Workgroup Call for Consensus: Best Practices for HISPs

STATUS: Due 1/25/2011


The term Health Information Service Provider (HISP) has been used by the Direct project both to describe a function (the management of security and transport for directed exchange) and an organizational model (an organization that performs HISP functions on behalf of the sending or receiving organization or individual). In this best practice document, we are mainly concerned with the HISP organization and the implications for privacy, security and transparency when the HISP is a separate business entity from the sending or receiving organization.

This document describes some of the key best practices required to ensure that individuals and organizations can participate in directed information exchange with confidence. As with all best practice documents, this document covers some ground being considered by HIT Policy Committee (HITPC) workgroups. These include, in particular, the Privacy and Security Tiger Team and the Governance Workgroup. The intent is to harmonize this document over time with the final recommendations of the HITPC.


Consensus voting on: Best Practices for HISPs

| Workgroup Participant Organization | Endorsement (Yes or No) | If No, what can be changed to make it Yes? |
| --- | --- | --- |
| Akira Technologies, Inc | | |
| Alere | | |
| Allscripts | Yes | |
| American Academy of Family Physicians | | |
| Atlas Development | | |
| Axolotl | | |
| CareSpark | | |
| Cerner | Yes | |
| Christus Health | | |
| Clinical Groupware Collaborative | | |
| CMS | | |
| Covisint | | |
| CSC | | |
| DoD | | |
| eClinicalWorks | | |
| Emdeon | | |
| Epic | | |
| FEI | | |
| Garden State Health Systems/Health-ISP | Yes, with comment | Consider explicit discussion of directed exchange trigger conditions for meaningful consent. |
| GE | | |
| Google | | |
| Greenway Medical Technologies | | |
| GSI Health | | |
| Harris Corporation | Yes | |
| Healthcare Information Xchange of NY | | |
| High Pine Associates | | |
| HLN Consulting, LLC | Yes | |
| IBM | | |
| ICA | | |
| Inpriva | | |
| Intel | | |
| Kryptiq | | |
| LabCorp | | |
| Massachusetts eHealth Collaborative | | |
| MedAllies | | |
| Medical University of SC, South Carolina Rese | | |
| MEDfx | Yes | |
| Medicity | | |
| MedNET | | |
| MedPATH Networks | | |
| MedPlus/Quest Diagnostics | | |
| Microsoft | | |
| Mirth Corporation | | |
| Misys Open Source Solutions (MOSS) | | |
| Mobile MD | | |
| NextGen Healthcare Information Systems, Inc. | | |
| NIH NCI | | |
| NIST | | |
| NoMoreClipboard.com | | |
| NYC Dept. of Health and Mental Hygiene’s PCIP | | |
| Oregon HIE Planning Team | | |
| Redwood MedNet | | |
| RelayHealth | | |
| Rhode Island Quality Institute | Yes | |
| Secure Exchange Solutions | | |
| Serendipity Health | Yes, with comments | It is recommended that this document be reviewed again after the pilot implementations are brought into production to allow further discussions with real providers and the implications that may be found with data sharing agreements and other policies for the implementing organizations. |
| Siemens | Yes with comments | The first paragraph is helpful in clarifying the difference between HISP (the software functionality) vs HISP (a separate organization). Since this document applies to the organization only, I suggest renaming it to "Best Practices for Organizations Providing HISP Services" I also suggest modified wording near the end: "For instance, such uses would include the use of a directed push to a registry and/or repository which is then used for subsequent queries." The reason is that in some HIEs, such as those based on IHE XDS, an EHR might or might not physically push the document to an HIE-based repository, but may make its document available from its own repository and merely update the registry so it can "point to" the new document. |
| Surescripts | | |
| Techsant Technologies | | |
| TN State HIE | | |
| VA | | |
| VisionShare | | |



Previous Voting Blocks:


Consensus voting on: Best Practices for HISPs

| Workgroup Participant Organization | Endorsement (Yes or No) | If No, what can be changed to make it Yes? |
| --- | --- | --- |
| Akira Technologies, Inc | | |
| Alere | | |
| Allscripts | Yes | |
| American Academy of Family Physicians | | |
| Atlas Development | | |
| Axolotl | | |
| CareSpark/Serendipity Health | | |
| Cerner | Yes | Should be updated as needed, pending HITSC review on 12/17 |
| Christus Health | | |
| Clinical Groupware Collaborative | | |
| CMS | | |
| Covisint | | |
| CSC | | |
| DoD | | |
| eClinicalWorks | | |
| Emdeon | | |
| Epic | | |
| FEI | | |
| Garden State Health Systems | | |
| GE | | |
| Google | | |
| Greenway Medical Technologies | | |
| GSI Health | | |
| Harris Corporation | | |
| Healthcare Information Xchange of NY | | |
| High Pine Associates | | |
| HLN Consulting, LLC | | |
| IBM | Yes | |
| ICA | | |
| Inpriva | | |
| Intel | | |
| Kryptiq | | |
| LabCorp | | |
| Massachusetts eHealth Collaborative | | |
| MedAllies | | |
| Medical University of SC, South Carolina Rese | | |
| Medicity | | |
| MedNET | | |
| MedPATH Networks | | |
| MedPlus/Quest Diagnostics | Yes | |
| Microsoft | | |
| Mirth Corporation | | |
| Misys Open Source Solutions (MOSS) | | |
| Mobile MD | | |
| NextGen Healthcare Information Systems, Inc. | | |
| NIH NCI | | |
| NIST | | |
| NoMoreClipboard.com | | |
| NYC Dept. of Health and Mental Hygiene’s PCIP | | |
| Oregon HIE Planning Team | | |
| Redwood MedNet | | |
| RelayHealth | | |
| Rhode Island Quality Institute | | |
| Secure Exchange Solutions | | |
| Siemens | | |
| Surescripts | | |
| Techsant Technologies | | |
| TN State HIE | | |
| VA | | |
| VisionShare | Yes | |



Consensus voting on: Best Practices for HISPs

| Workgroup Participant Organization | Endorsement (Yes or No) | If No, what can be changed to make it Yes? |
| --- | --- | --- |
| Akira Technologies, Inc | | |
| Alere | | |
| Allscripts | Yes | |
| American Academy of Family Physicians | | |
| Atlas Development | | |
| Axolotl | | |
| CareSpark/Serendipity Health | | |
| Cerner | | |
| Christus Health | | |
| Clinical Groupware Collaborative | Yes | Provisional. Agree with Allscripts' call for simplicity of agreement as above. |
| CMS | | |
| Covisint | | |
| CSC | | |
| DoD | | |
| eClinicalWorks | | |
| Emdeon | | |
| Epic | | |
| FEI | | |
| Garden State Health Systems | | |
| GE | | |
| Google | | |
| Greenway Medical Technologies | | |
| GSI Health | | |
| Harris Corporation | | |
| Healthcare Information Xchange of NY | | |
| High Pine Associates | | |
| HLN Consulting, LLC | | |
| IBM | Yes | |
| ICA | | |
| Inpriva | Yes (conditional) | #1 - Should this go further to include Personal Information, not just PHI? #5 - Recommend amendment to this to read "...HITPC recommendations as they currently exist, by including..." #6 - Suggest rewording this. The intention is to avoid use/disclosure for purposes other than direct exchange. This indicates that even for exchange the HISP somehow has control over the message payload, which it should not. In addition, value-added services that can be included in BAA's may be for other services (e.g. disclosure audit, consent management, etc.). Suggested amendment: "... minimizing data use, retention, and disclosure to that absolutely required to meet the service obligations of the HISP." |
| Intel | | |
| Kryptiq | No | Need more time to do legal analysis. Request that the date be pushed out to allow for this. |
| LabCorp | | |
| Massachusetts eHealth Collaborative | | |
| MedAllies | | |
| Medical University of SC, South Carolina Rese | | |
| Medicity | | |
| MedNET | | |
| MedPATH Networks | | |
| MedPlus/Quest Diagnostics | No | We need more time to review the recommendations with our security, legal and compliance teams. Requesting that the due date for the consensus vote be moved out. |
| Microsoft | | |
| Mirth Corporation | | |
| Misys Open Source Solutions (MOSS) | | |
| Mobile MD | | |
| NextGen Healthcare Information Systems, Inc. | | |
| NIH NCI | | |
| NIST | | |
| NoMoreClipboard.com | | |
| NYC Dept. of Health and Mental Hygiene’s PCIP | | |
| Oregon HIE Planning Team | | |
| Redwood MedNet | No | Pilot Recommendations under "HIPAA and Legal Agreements" are inadequate. Requiring only a BAA for a HISP is necessary but insufficient. The standard Participation Agreement used by Redwood MedNet is a network access contract with strict definitions that identify a "Participant" as a party that has entered into a participation agreement (a contract) with Redwood MedNet, and an "Authorized User" as an individual who is authorized by a Participant to use the HIE service on behalf of the Participant. This type of explicit clarity of roles and responsibilities goes way above and beyond a simple BAA, and is, I think, a minimum feature of a "Directed Exchange Participation Agreement." To suggest that only a BAA is needed is, I think, inadequate for a best practice. |
| RelayHealth | | |
| Rhode Island Quality Institute | Yes (conditional) | Concur with additional points that will be added by our Pilot HISP partner Inpriva. Conditionally approve on assumption that their comments are incorporated into the final version. |
| Secure Exchange Solutions | Yes | |
| Siemens | | |
| Surescripts | No | Need more time to do legal analysis. Request that the date be pushed out to allow for this. |
| Techsant Technologies | | |
| TN State HIE | | |
| VA | | |
| VisionShare | | |