Notes from Implementation Geographies Workgroup – “Plan-a-thon”
Date: August 17, 2010
Time: 9:30am-12:00pm

Attendees: Gary Christensen, Jason Colquitt, Tim Cromwell, Mark Gingrich, Uvinie Hettiaratchy, Dan Kazzaz, Susan Johnston, Don Jorgenson, David McCallie, Will Ross, Jas Singh, Mark Stine, Aaron Stranahan, Susan Torzewski, Paul Tuten, Chris Voigt

Current Action Items
ID | Date | Action | Status | Owner | Due Date
29 | 8/11/2010 | Update Implementation Geographies Checklist | Open | Paul Tuten | 8/18/2010
30 | 8/11/2010 | Clean Up and Refresh NHIN Direct Wiki | Open | Arien Malec | 8/18/2010
31 | 8/11/2010 | Bring up to Document and Testing WG the following Issue: ensuring that the correct clinical message is being sent to the correct physician e-mail client, given physicians have multiple e-mail addresses at various practices, etc. | Open | Arien Malec | 8/18/2010
32 | 8/17/2010 | Update Geographies WG on outcome of the “Plan-a-thon” and greater Face-to-Face Meeting | Open | Paul Tuten + Arien Malec | 8/25/2010
33 | 8/17/2010 | Ensure the Document and Testing WG dispels the mentality of “If it’s going through Direct, then we can save a record?” through their work | Open | Paul Tuten + Chris Voigt | 8/25/2010
34 | 8/17/2010 | Coordinate Reference Implementation WG Update for the Geographies WG Meetings | Open | Paul Tuten + Susan Johnston | Recurring
35 | 8/17/2010 | Compare User Stories v. Final Rule on Meaningful Use | Open | Paul Tuten + WG | 9/1/2010
36 | 8/17/2010 | Create a Lessons Learned Repository for the Various Pilot Projects | Open | Paul Tuten + WG | 9/1/2010

Past Action Items
ID | Date | Action | Status | Owner | Due Date
29 | 8/11/2010 | Update Implementation Geographies Checklist | Open | Paul Tuten | 8/18/2010
30 | 8/11/2010 | Clean Up and Refresh NHIN Direct Wiki | Open | Arien Malec | 8/18/2010
31 | 8/11/2010 | Bring up to Document and Testing WG the following Issue: ensuring that the correct clinical message is being sent to the correct physician e-mail client, given physicians have multiple e-mail addresses at various practices, etc. | Open | Arien Malec | 8/18/2010

Introduction
Paul Tuten
  • Opened discussion on “what we can do” and asked:
    • What work does the Geographies work group depend on?
    • “How can we distribute to the different work groups?”
    • How do you compare user stories vs. meaningful use criteria?
    • What legal frameworks are necessary?
  • Highlighted current work
    • Gary Christensen (Rhode Island Quality Institute) has legal frameworks established in terms of constituencies
    • Will Ross (Redwood MedNet) – is working on his own legal model
Gary Christensen
  • Currently putting the project plan together
  • Asked what moving parts are becoming available from the rest of the teams
    • The EHR vendors need an explanation of what reference code they might be getting
    • The state HIE needs to be able to point them to something
    • Current Situation: Can’t yet explain the parameters
  • Hoping that information can be organized so this can be sent out
  • Has an architecture in mind and hopes to validate it now

Rhode Island Quality Institute
Gary Christensen
  • Questioned ability to conduct point-to-point messaging between doctors asynchronously v. synchronously
  • Noted that if this is going to be an easy and cheap way to communicate between doctors, then this should also apply in the same way to the HIE
  • Mentioned sending a CCD if there is a change in the patient summary
  • Rhode Island needs a HISP b/c they don’t want to be a HISP themselves (everything else is planned out)
  • Need the reference implementations completed in reasonable time

Pilot: CareSpark/MobileMD
Chris Voigt
  • Clarified that CareSpark is a HIE working with over 25 providers in Virginia and Tennessee
  • CareSpark finds the NHIN Direct messaging component very important
  • Asked: Which vendor is going to be the HISP?
    • The major EMR vendors in the area are not involved in this project
  • CareSpark is already using the NHIN Connect, mostly with respect to CMS
  • Asked if NHIN Direct can go through Connect
Tim Cromwell
  • Brought in the perspective of the Department of Veterans Affairs
  • Commented that the VA outsources a lot of things
  • In particular, the VA has many female veterans and their mammographies are primarily outsourced to the private sector (example of a user-story)

Independent: Secure Exchange Solutions
Dan Kazzaz
  • Secure Exchange Solutions has been working with SMTP along with S/MIME for a while now
  • Working in Maryland, they have parts and pieces that are essentially a “HISP in a Box”
  • Regardless of the format of data, they are facilitating the transfer of information
    • Ex: PDFs are being sent back and forth
  • Mentioned that Allscripts is working on a Mac Version of HISP in a Box

Pilot: VisionShare
Paul Tuten
  • This pilot aims to cover the “priority one” user stories
    • They are weakest in the public health-immunization case
    • Focusing on three or four states
      • These states are waiting on regulatory or administrative approval
  • VisionShare would serve as the HISP
    • There is a considerable number of providers locally available in participating states
    • Desires cross entity participation
    • There will be no charge for the pilot program

Pilot: MedAllies
Susan Johnston
  • Current Status:
    • Two practices are scheduled to come online in September
    • Two hospitals may potentially come onboard – working out kinks
  • Mentioned there is some community viewing through a query model
  • Asked: Should the names of the HIE’s be announced? Are they fully committed?
  • Noted differences such that some say they will use SMTP and others say they will use REST

Discussion
Don Jorgenson
  • Representative from Inpriva
  • Specifically interested in providing HISP, as well as HISP in a box
  • Asked if anyone else is integrating with other networks (NCI?)
    • Trying to make sure everything is compatible
Dan Kazzaz
  • Raised the following “big” question: How are the certificates exchanged?
    • Can XYZ hospital trust an ABC certificate?
  • It is rather simple figuring out certificates internally, but if you are communicating with a doctor external to your network, how do you certify it is actually that doctor?
    • In the code, how do you assign the privileges and responsibilities to that doctor?
Don Jorgenson
  • Stressed importance of getting the issues out into the standards community as soon as possible
Dan Kazzaz
  • Comments that these certificate issues are widespread
  • These certificate issues are being avoided in the short term, but should be addressed
  • Ex: How do you do a two-factor certification for a pharmacy request?
David McCallie
  • NHIN Direct is not a trust transference program
  • If you can validate the public signature by a signing authority, then you are okay as long as you trust the signing authority itself
Mark Gingrich
  • Especially considering what is being requested (ex: controlled substances), this system needs to be secure
David McCallie
  • Raised a potential policy question of whether there is a signing authority
  • Believes that suggestions from the pilots would be useful
Dan Kazzaz
  • Agrees that this is why the pilots are so critical to NHIN Direct
  • Asserts that NHIN Direct will work fine in small communities
    • Yet asks about when one wants to bridge into the NHIN? What happens then?
    • Further asked about how to bridge into the maps of the NHIN (as well as specific policies and requirements)
David McCallie
  • Reminds the group that NHIN Direct is supposed to be a low threshold model
    • Gives metaphor of a “business card trust” model, not the federal trust model
    • There should be simple, direct messaging
    • Based on the two parties that know each other and the cryptographic
  • With public key infrastructure (PKI) in mind, David asked how the public certificates will be made available
  • Asked if the DNS will be utilized to distribute the certificates
  • Believes something needs to play the role of authenticating a signature as valid
    • Asked if authentication can be done without a personally controlled HISP
Dan Kazzaz
  • Believes there is going to have to be a very specific solution – perhaps a HISP in a Box capability?
    • May involve the sharing of direct re-information
    • Possibly could hold everyone’s public keys
  • Asked again what the HISP in a box will be able to do
David McCallie
  • Believes the HISP should make available which certificates it is managing through a “query model”
    • However, points out this may be out of the scope of the model…
  • Asked how to do S/MIME e-mail in a consistent way
    • Given multiple options, they need to constrain it enough to a point of success
  • Asked how to manage messaging between a high security level and a low security level
Gary Christensen
  • This is a non-issue for Rhode Island Quality Institute because it has a directory
David McCallie
  • Asserted they can probably get through the pilots by managing the certificates locally
  • On a separate note, Public Health is an example of a secure drop box
Don Jorgenson
  • Asked: Do we just use a DNS? Do we need something more complicated?
Gary Christensen
  • A lot of disparate elements linger; still need to “tick the box” to launch the pilots
  • Asked: What are the bare minimums to complete a pilot project?
  • Assumes/hopes that the reference implementations group is addressing the technical issues
Mark Stine
  • From a business perspective, Mark asked if there are auditing requirements for NHIN Direct
Gary Christensen
  • Suggested group do a right round on all open items so a list could be established


Right Round - List of Open Items
Mark Stine - MPS
  • What are the domain names of the different entities?
    • How broad are they in terms of level?
  • Are there naming conventions for the domains?
    • The wiki has very different examples (Ex: NHIN-D)
  • Security: How granular will the certificates be?
    • Physician level/domain level (during the pilots)
  • With respect to the provision/exchange/installation of certificates, will this be completed manually or through a DNS server?
    • Does a UDDI registry come into play (as with Connect)?
  • Considering connectivity of protocols – what edge clients are involved?
    • Who provides the HISP in the pilots?
    • What will they support on their edges?
    • Ex: Are they going to use Thunderbird/Outlook/etc?
  • For the pilots, will the HISPs use SMTP or XDR/XDD?
    • How do you reconcile the various protocols in the backbone due to the variety of vendors?
      • David McCallie: Try to avoid the XDD backbone
      • Gary Christensen: This is up to the HISP in his case
    • A REST spec is still out on the wiki for edge REST type services
      • Is that an IHE type approach?
    • Do you instruct the vendors to simply implement what the Reference Implementation work group assembles?
      • Gary Christensen: Doesn’t matter as long as code is ready for the pilots
      • Jason Colquitt: Currently working on XD/SMTP
  • What type of data medium should be employed? (CCD/PDF/Doc?)
    • Evaluate what works well with which EHR system
    • It is important to discuss what type of content will be exchanged during the various pilots
    • Dan Kazzaz: Sending MRIs probably will not work
Zachary Gillen - Kaiser
  • Concerned with the policy/legal issues associated with NHIN Direct
    • Noticed many issues around hospitals arising in the Exchange model
    • Similarly for NHIN Direct, they won’t emerge until later
    • Curious about laws for “re-disclosure”
      • David McCallie: Should not have to change laws (policy panel)
Don Jorgenson - Inpriva
  • Would like an expanded consideration of the Final Rule on Meaningful Use
Dan Kazzaz - Secure Exchange
  • Does it matter if smaller offices don’t have their own domain name?
    • Aside from informational purposes, they don’t have an office e-mail server
    • Ex: Many use G-mail to access secure e-mail
      • Currently fine since no one has access to this on public servers
      • Got around policy decisions because of that
      • In their implementation no one is transferring CCDs
        1. Essentially Docs and PDFs are being exchanged
    • Haven’t attempted to send documents through a state HIE
      • Probably don’t want someone to read through and assign patient info
  • How do clinician support communities without physicians create trust?
    • These entities still need to communicate with physicians
    • Ex: How do you create trust between a school and a doctor’s office?
  • Does it matter that not all SMTP servers are created equal?
    • Claimed this is not reflected in Reference Implementation code
Tim Cromwell - VA
  • How does a pilot standardize the data that comes in?
    • The data is provided through various media (e-mails, faxes, etc)
    • The VA outsources not only mammographies, but many other products
  • How does that information get back to the proper location?
    • How does it get to the proper patient?
    • How does it get back into the VLER or right department?
  • If an entity has signed the DURSA for Connect, does that apply to Direct?
    • It’s a federal issue when data is sent out over their firewall, not internally
    • Don Jorgenson - Look at HITECH for disclosure rules
David McCallie - Cerner
  • How do the pilots address consumer credentialing, if at all?
    • Mark Gingrich: Through HealthVault patients can receive information, but they can’t reply to those messages
    • David McCallie: They will keep the certificates very high level
      • Depends on HealthVault’s appropriation and certification
    • Mark Gingrich: How do you validate it is actually the patient?
      • Patient will be validated by HealthVault
      • Patient has little incentive to share a false address for their own personal health information
    • Dan Kazzaz: How about when family/relatives try to access such data?
Susan Johnston - GSI Health
  • Concerned about getting hospitals and vendors onboard in time
    • Generally small vendors work quickly, but how about larger vendors?
Jason Colquitt - Greenway Medical Technologies
  • Concerned with EHR directories – where should data be sent?
  • In what cases should NHIN Direct be utilized instead of NHIN Connect?
    • Should NHIN Direct primarily be used for referrals?
    • In contrast, should NHIN Connect primarily be used for CMS?
  • Will there be a unity of specifications for the HISPs across the pilots?
    • XDR versus SMTP
    • Do we implement our own HISP?
      • David McCallie: A number of EMR vendors will do it that way
  • Will universal addressing be achieved?
    • David McCallie: SMTP will work until vendors start asking for a special way to send information – at that point it will no longer be NHIN Direct
      • That’s why we need a backbone
      • The pilots may shake things out and one option may emerge
  • How is the correct address found?
    • Believes direct discovery is not resolved by NHIN Direct
    • Some believe the receiving address is responsible for figuring that out
    • Directories are a dual edged sword
      • They are useful because they make addresses available
      • However, they may expose addresses with no true relationship
    • David McCallie: NHIN Direct is not there to determine the proper address, but rather to send a message securely to a known address
  • Is there a workflow for the products with respect to the user-cases?
Aaron Stranahan - ICA
  • Curious about the certificate management issues
  • What are the common user-cases coming out of the pilot projects?
  • How direct will the messaging for NHIN Direct be?
    • Believes it is important to recognize certain indirect messaging will occur
    • What are the policy implications of this “brushing under the carpet?”
  • Similarly concerned regarding the workflow
Chris Voigt - CareSpark
  • Maintains similar questions regarding certificate management
  • Some think: “If it’s going through Direct, then we can save a record?”
    • Need to rid this mentality because it is inconsistent with NHIN Direct
    • Applies to the Documentation & Communication Work Groups
  • Faces similar problems with security and addressing
  • Attempting to manage the diversity of standards (XDR/XDS/SMTP)
Mark Gingrich - SureScripts
  • How do we work around naming conventions for domain names?
    • Scale-wise – need a clean way of doing that
  • How do we trust that a HISP is viable?
    • May not be legitimate - correct safeguards need to be in place
  • Scalability of the DNS approach
    • Is the DNS going to be able to operate beyond a controlled pilot setting?

Macro Issues
Paul Tuten
  • What actually makes a viable HISP?
    • Every HISP serves its own certificate
    • What is the mechanism by which those certificate authorities work?
  • Plugging Pilots into one another?
    • Believes this should be done from a cold start
    • Would be a good test of HISP-HISP interoperability
      • Probably will not work right out of the box
    • Ex. Veterans spend months in different places - two pilots could test this together
  • Greater demand for work group inter-communication
    • Decided to take off-line a suggestion for work group lead meetings
    • Possibly having presentations from the reference implementations work group
    • Status updates of the deliverables from the reference implementation WG during the weekly meetings
  • Possibly simulating the test of a scaled environment with “fictional data”
    • Current pilots will not cover the eventual scale intended by NHIN Direct
    • With respect to certificate management, looking at how long it takes to deal with an individual provider
    • Some pilots are already identifying what isn’t scalable and having people working on them
      • Is broader participation possible in this regard?

Supporting Pilot Projects (How many providers, who are they, how will I communicate with them?)
Paul Tuten
  • VisionShare Template
    • Step 1: Sign up states who will participate
      • Approach state agencies who are interested
      • Wait for said state agencies to get approval
      • Secure funding for their participation
    • Step 2: Integrate the state agencies into the overall pilot plan
    • Step 3: Recruit providers
      • Easy to reach into existing provider community
      • Recruit providers that are not from VisionShare’s community
    • Step 4: Identify the networks you need to interoperate with and advance
      • User-cases are limited b/c dealing with immunizations primarily
Tim Cromwell
  • Each pilot project faces information blackout because they are operating in silos
  • Urges that each pilot pump up lessons learned to all pilots
    • Possibly create a “lessons learned repository”
Dan Kazzaz
  • Believes NHIN Direct should have the pilot projects interface with each other
Chris Voigt
  • Needs the final reference implementation to test against
Paul Tuten
  • Recognizes a key challenge: the pilots are each starting in different places
  • Hoping technically they will be able to interoperate
Chris Voigt
  • Asked if there are formalized timelines for the pilot projects
  • Project plan depends on the completed reference implementation
    • Needs concrete descriptions of when things will be complete
    • Does not know what is coming and the size of that step
Gary Christensen
  • Reminds that the documentation-side is also important
  • Vendors are curious what they are going to be doing
Uvinie Hettiaratchy
  • Informs that the communications group has a matrix on the Wiki
    • Includes: stakeholders, priorities, timeline, information needs
    • Also includes the medium for delivery – presentation, document, etc.
  • Key Priorities:
    • Get the pilots up and running on time
    • Keeping the key stakeholders involved, and hence keep NHIN Direct moving