Best Practices Meeting 2010-11-04

Notes from Best Practices WG
Date: November 4, 2010
Time: 1:00 – 1:50pm EST
Attendees: Gary Christensen, Don Jorgenson, David McCallie, Mark Stine, John Williams, Karen Witting, Arien Malec, Uvinie Hettiaratchy, Caitlin Ryan

Actions

Actions for This Week

#	Date	Action	Status	Owner	Due Date
22	11/4/10	Create visual that shows the data flows (see notes below)	Open	Communications WG	11/3010
23	11/4/10	Ask Rich Elmore, Janet Campbell, Sean Nolan and possibly someone from Google if they want to draft up best practices for individuals	Open	Arien Malec	11/8/10

Actions from Two Weeks Ago

#	Date	Action	Status	Owner	Due Date
18	10/21/10	Make changes according to comments offered	Open	Arien Malec, Rich Elmore, ??	11/4/10
19	10/21/10	Reach out to organizations for additional reviewing resources	Open	Don Jorgenson, David Kibbe	11/4/10
20	10/21/10	Draft content about HISP breaches	Open	Arien Malec, Gerg Chittim	11/4/10
21	10/21/10	Vote on Best Practices for HISPs Call for Consensus	Opens 10/21/10	Best Practices WG members	11/4/10

Notes
Arien Malec

The face to face meeting really didn’t focus on policy or best practices matters
Might want to add in some technical best practices for the work that is being done
Certificate Recommendations
Passed consensus, ready for IG consensus
Certificate and identity
Is wondering if it would be better to hold until the Privacy and Security Tiger Team finishes its work on this issue

Second piece in flight is Best Practices for HISPs
Got a fair amount of feedback, both through internal reviews and through this group
He did a pass at editing to address the common concerns
There are a number of organizations that wanted to get their legal teams involved
We’ve had a little bit of legal review so far
Might be worthwhile for him to re-review, go over edits

Third and fourth topics that have been the subject of active discussion
1) Best practices related to individuals, identity assurance as well as continuation of discussion from early in the project about use cases, provider to patient
2) Best practices relating to attachment sizes and virus scanning and the things that become part of normal e-mail processing requirements
Sentiment so far has been that it’s better to complete the two things in flight rather than take on new business

David McCallie

Do changes to the documents reflect some of the comments from the Standards Committee meeting?

Arien Malec

Did a review with Dixie on the privacy and security aspects of the two current specs, she will have the Privacy and Security WG of the Standards Committee review
Should probably wait until they conclude their review to make changes

David McCallie

Dixie has not formally asked the committee to review yet
Some of their questions do relate to best practice issues, and other questions just show that they still don’t quite understand what we are doing, which means we need stronger messaging

Arien
Have 4 topics of discussion for this meeting

1) Certificate best practices
2) Where we are with the best practices for HISPs document
3) Feedback from the HIT Standards Committee in terms of addressing
4) Whether we want to take on additional best practices

Topic 1: Certificates best practices

We have the certificate handling best practices document, pretty well done
Has been reviewed a number of times, has gone through a couple sets of review, both with this group and through the Security and Trust WG
Next step would be for it to go to IG Consensus
Noted that the Security and Trust WG had two organizations that went on to do a separate review, so the document is not complete through the Security and Trust WG
Should complete as of today’s meeting (11/4)
Assuming the document passes through the Security and Trust WG, we could take two approaches
1) Keep essentially as a sub-IG consensus approved deliverable until Tiger Team has finished its conversation
2) Go ahead and get approved at IG level, understanding we may need to revise
Asked for any strong opinions

David McCallie

The fewer times we have to change things, the better
Would prefer waiting if changes are likely
It is such a complicated topic, seems like something will come up in review

Gary Christensen

Doesn’t have a strong opinion, but thinks decisions should be based on what the utility of the document is with respect to the other ongoing activities
If we think it is generally useful and generally right, we should make it available for folks to use
If we think it isn’t relevant to the ongoing activities, we can hold it for now

Don Jorgenson

Useful feedback, as a guide

Arien Malec

Can pass for now, and assuming it gets through the Security & Trust WG, can submit to full IG
They had put in a reference to NIST Level 2, and later felt it didn’t make sense
Would be better to say “equivalent to” rather than saying “NIST Level 2”

David McCallie

Thinks that is in the spirit of how NIST approaches things, not to be proscriptive, but provides examples
Has no trouble with
Has question about whether or not we should specify a NIST level at all, can come back to that question

<No other WG member had an issue with using “equivalent”>

David McCallie

Question about using NIST at all
Standards for users connecting to an HIE
Should ONC require very specific credentialing to connect to an HIE?
In providers’ workflow, EMR, already on the hook to ensure that only the proper users have access to the EMR in the first place and that securities are in place so functions available to a provider match their role
Do we want to have an additional authentication step?
Or “if you are a provider authorized to use your system, you can use Direct?”

Arien Malec

We have language about that in the document already

David McCallie

That’s the spirit exactly—if you’ve already crossed that hurdle, you don’t have to go through additional steps
If coming into an isolated portal, it’s a different story

Arien Malec

Remembers Farzad Mostashari making the point that if I can change things but not send a message electronically, that seems silly

Don Jorgenson

Ultimately it is the issue Arien raised – we need to have vocabulary, terminology appropriate to describe what the levels of proofing and assurance are that can be applied to making the decision whether trust is appropriate, using NIST language or not

Arien Malec

That was the direction he was going in by using “equivalent with” or “consistent with”

Don Jorgenson

Thinks that’s fine for now,

Arien Malec

Thinks the Tiger Team will come out with recommendations that will go through the Policy Committee and be part of a governance process

David McCallie

Initial focus is on entities authentication rather than individual, but the Tiger Team discussion will likely move to individual level

Arien Malec

Current recommendations talk about organizations

Second topic: Best Practices for HISPs

Current status is there are a number of organizations that requested an extension of the review to get legally reviewed
Couple instances where additional legal review is needed
Kryptiq, Surescripts, requested additional legal review
Did one pass with MedPlus/Quest Diagnostics
He will reach out to Surescripts and Kryptiq
He made changes
He took out language about it not covering individuals, wasn’t necessary
Examples of why BAAs might not be explicitly required, if contractee is not a covered entity
Changed “PHI” to “PII”
Noted that when he mentioned “equivalent protection” in cases where the organization is not a covered entity, then organizations that are HISPs to that organization will not be BAs under the terms of HIPAA
Noted in the recommendations that either you need to be an individual covered entity and therefore a BA as covered by HIPAA or else have a equivalent and contractual agreement
Deven pointed out you can’t ever be equivalent b/c don’t have enforcement powers
Added “collection” to list of duties performed by HISP
Note from Inpriva, “minimal use” rather than function of exchange
Transformation services, more than is minimally required
Can see change log if you click on history/changes

David McCallie

Question, someone asked if we had discussed or been approached about Homeland Security Patriot Act-like implications of the way we are doing encryption

Arien Malec

We will know we are successful when we get questions like that

David McCallie

Would prefer not to worry about this issue, but do we have to? Richard Marks, HIPAA lawyer asked, used to work for the NSA

Arien Malec

Third Topic: Discuss feedback from HIT Standards Committee
Most of the feedback was not relevant, was an odd meeting
“Why did you choose REST?”
“Is this simple enough?”
“Why do you keep mentioning XDR?”
Asked David to help summarize

David McCallie

Covered one class of questions that came up, “it’s too complicated” on the one hand, and on the other,” it is too complicated, why do you keep using XDR, XDM?”
Did a good job of addressing questions, people weren’t really asking as much as making a point
No critical issues other than our continued need to communicate exactly what we are doing
Second set of issues from Dixie Baker, misunderstanding how our security model works
Potential for inadvertent exposure of patient data at HISP that we haven’t accounted for
She is failing to recognize that we are treating the HISP as a BA, and expect the same best practices around PII that we would if they were hold an EHR
Can encrypt the desktop, if they choose to do so

Arien Malec

In private discussion she also raised whether the specs themselves cover audit or the requirement to audit
That may come up during the workgroup review
Thinks the next step is for Dixie to request a workgroup review

David McCallie

There is still a lack of understand what we are doing
He used the current slide set about two weeks ago
We are missing a knock-out visual that shows the data flows; we have all the right words, but you can’t point and show where the doctor sits, where the HISP sits, here is where it gets encrypted, here is where it gets decrypted

Arien Malec

Thinks the visual should cover HISP agent model as well as the pure routing model

David McCallie

Right, so two pictures, Option One and Option Two
There is a gap in understanding, not a gap in design

Arien Malec

Asked for comments on Standards Committee review if anyone heard

David McCallie

Dixie made the assertion that the Standards Committee made recommendations and Direct ignored them all, but Arien addressed those concerns well

Arien Malec
Fourth topic—New areas of focus

Asked whether there is any energy to take on best practices related to two other wants and needs from the implementation geographies
1) Identity assurance for patients, bilaterally
2) Bp related to attachment handling
He’s unable to work on himself

David McCallie

Asked if a PHR is participating in a pilot

Arien Malec

Yes

David McCallie

Would they have an approach to handle consumers that might be participating?
Individuals using the system who aren’t providers
Would Microsoft or anyone else by facing this issue?

Arien Malec

This topic has also been a lot of interest to Rich Elmore
Asked Gary if he feels he has appropriate best practices for this issue
Are they involving individuals in their pilot?

Gary Christensen

Was just about to say that he would put the consumer/individual issue below the attachments issue
Because initial user groups will likely be doctors, not individuals
We’re not focused on that yet

David McCallie

Just doesn’t want to ignore the individuals issue, so folks with a vested interest in approaching consumers should drive this conversation
Arien when advice on individuals would be needed

Don Jorgenson

Sometime, but there is no sense of urgency yet
Have ability to send any kind of messaging
Not an issue in the pilot early on, he’s fine with deferring for a little while
Microsoft, PHR vendors

David McCallie

Discussion on size of message, back when initially debating
essentially not allowed through public SMTP channels
Debated notion that they could pick arbitrarily large message size and set as practice
Now perfectly feasible that S/MIME could go over standard mail channels
We cannot guarantee the size

Arien Malec

Have people who want to use same transactions for claims attachments
CMS is planning on massive file sizes

Gary Christensen

Asked Don if questions came up in the working group

Don Jorgenson

Thinks it’s an implementation and capability issue for service provider rather than a best practices issue
Probably should steer clear of at this level

Gary Christensen

Are there any things that say that’s a good question, we should get consensus on it?
Or else if we aren’t hitting up against it in our pilot, we don’t need best practice guidance yet

Don Jorgenson

Might double check with Pat Pyette

David McCallie

Can’t guarantee every gateway will handle an arbitrarily large file

Don Jorgenson

Depends on the implementers, if we get into how to resolve, how do we discover, that’s a different issue

David McCallie

Not sure it is technically possible to guarantee an arbitrarily large size
Would be an implementation’s decision
Would fit in a best practices document, could set limit
Would want to talk to more of an SMTP expert

Gary Christensen

Besides size, are there any other issues?

Arien

Requirements about whether every HISP must provide virus screening services, for example
Hearing lots of good discussion, but no one signing up to write first draft

John Williams

What about addressing other security considerations?

Arien Malec
We do require compliance with HIPAA security rules

John Williams

Would like to see expansion on that
Seems like a starting point

Arien Malec

Ends up being much more detailed
At a high level right now for best practice perspective, at the next level down we would need security officers involved to look at scanning, protection, policies for open ports, etc.
Will ask Rich Elmore, Janet Campbell, Sean Nolan and possibly someone from Google if they want to work on individuals
Thinks there is a set of known patterns on how to do this, thinks someone could write the first draft quickly

Best Practices Meeting 2010-11-04

Actions

Navigation menu

Search