Best Practices Meeting 2010-10-21

Notes from Best Practices WG
Date: October 21, 2010
Time: 1:00 – 2:00pm EST
Attendees: Greg Chittim, Gary Christensen, Richard Elmore, John Feikema, Michael Firriolo, Don Jorgenson, David Kibbe, Patrick Pyette, Mark Stine, Laurie Tull, John Williams, Karen Witting, Arien Malec, Uvinie Hettiaratchy, Caitlin Ryan

Actions

Actions
Actions for This Week

#	Date	Action	Status	Owner	Due Date
18	10/21/10	Make changes according to comments offered	Open	Arien Malec, Rich Elmore, ??	11/4/10
19	10/21/10	Reach out to organizations for additional reviewing resources	Open	Don Jorgenson, David Kibbe	11/4/10
20	10/21/10	Draft content about HISP breaches	Open	Arien Malec, Gerg Chittim	11/4/10
21	10/21/10	Vote on Best Practices for HISPs Call for Consensus	Opens 10/21/10	Best Practices WG members	11/4/10

Actions from Last Week

#	Date	Action	Status	Owner	Due Date
15	10/14/10	Send Certificate Pilot Recommendations Consensus link to Implementation Geographies WG	Closed	Uvinie Hettiaratchy, Caitlin Ryan	10/15/10
16	10/14/10	Make edits to Best Practices for HISPs document: · Clarify that an organization only needs to sign a BAA with one external HISP, with a chain of connected HISPs allowing for network wide exchange · Add language specifying that this document applies to the HISP as an organizational model, not a function that is internal to a covered entity · Explain that discussion about the individual was left out intentionally because the individual and traffic to/from the individual is well recognized within HIPAA Then send around fro Call for Consensus	Closed	Arien Malec	10/18/10
17	10/14/10	Set up Call for Consensus page for Best Practices for HISPs	Closed	Caitlin Ryan	10/15/10

Agenda

• Review the comments from the “no” votes for the Best Practices for HISPs Best Practices WG call for consensus

Notes
Rich Elmore

• Thinks it is a good document, it has come a long way
• His first concern is about best practices for the Stage One MU individual use cases
• Need to make individual case is covered in terms of HISP responsibility
• During an earlier phase of the Direct Project, they were going to prioritize Stage One, provider to individual, but were not going to prioritize the individual back to the provider
• Feels the individual to the provider use case has implications from a best practices perspective that the Best Practices WG should provide guidance for HISPs about

Arien Malec

• Are the confining issues the issues of legal agreements, security, privacy, transparency?
• There seem to be other ID assurance, workflow issues involved
• Are there any particular edits you’d like to make to makes sure the current Best Practices for HISPS document covers individuals more?
• Trying not to address ID issues in this document
• This is about protecting privacy, security, transparency as a HISP

Rich Elmore

• Hasn’t spent the time necessary to develop recommendations, but he believes there would be some that would apply in those categories

Arien Malec

• So far this document is not talking about individuals
• HIPAA may not even talk about business associates of individuals
• Gets complicated easily, he isn’t sure the law is clear

Rich Elmore

• Agrees with the summary
• His other concern is that when a provider sends info to an individual, what is our best practice position in terms of disabling or enabling a reply that was not Stage One for this project?

Arien Malec

• Suggests it is a different topic about ID assurance and workflow for individuals and not about privacy, security, transport

Rich Elmore

• If a HISP gets a response back from individual, will it pass through?

Arien Malec

• If operating in agent mode, will apply consistent models to accept or reject transaction
• Any particular workflow needs to be done at the provider level
• Definition of a business association: provides functions or activities on behalf of the covered entity
• Which makes dealing with the individual in really confusing in this document

David Kibbe

• Asked if all WG members understand the amended HIPAA business association definitions?
• He doesn’t have them in front of him, but the idea of a business association and their responsibilities, obligations has significantly increased as a result of the NPRM
• Wants to make sure people were not criticizing circa HIPAA 2009

Arien Malec

• Right but now the NPRM has no enabling mechanism
• When we get to a final rule, will need to revisit this document

Rich Elmore

• His second comment was about making sure healthcare stakeholders have a real easy way to be able to sign up for the Direct Project, and to connect to others without a lot of bureaucracy
• In an ideal situation, a provider would sign up once with a HISP and that HISP is in turn responsible for having the right kinds of agreements with other HISPs
• It would be a single act of signing up with a single HISP
• If we do that we have a shot at rapid and wide adoption
• Or else providers are almost forced into doing agreements party by party

Arien Malec

• Goal of the document was to get away from that
• Acknowledges that is the world we are trying to get to
• HIPAA provides responsibly and strong protection to individuals for the privacy and security of their health information through covered entities
• HIPAA then extends those provisions to make this simpler, to business associations
• Complication: really strong protection for covered entities, strong for business associates, but if you have a transaction for a third party between business associates, gets murky
• As David Kibbe notes, recent NPRM changes may make it less murky
• Definitionally, the HISPs for state immunization aren’t a business assoc, which is why he added language about “equivalent contractually binding legal agreements”
• Reason to limit in this way is to get away from the need for reciprocal arrangements
• If you go beyond the boundaries of HIPAA, you run into more murky nuance
• Very complicated, but those complicated situations happen often

Rich Elmore

• Shouldn’t be ambiguous
• Should go back to ONC

Arien Malec

• Which is great, ONC can give governance guidance and regulatory guidance, but the process for doing both of those is long-term, not short-term, not likely to help with Direct Project pilots

Don Jorgenson

• In a HISP to HISP situation, would it make sense to provide guidance for what provisions between them would allow for reduction in number of documents?

Arien Malec

• Ideally these transactions don’t require reciprocal legal agreements in order to function, because that model is unscalable
• If we want an open dynamic market for information exchange and high levels of trust, transparency, and security, it would be great to not have reciprocal agreements

Don Jorgenson

• If there is guidance on that, and the HISP agrees to provisions and to defining important criteria, then they have a pivot point to move toward from each one

Arien Malec

• The sender alone is responsible, which helps us a lot in policy
• Next steps: Needs to do a second take, all seem to agree on overall principles, but don’t see a need for lots of reciprocal agreements

Round the Room: Rich Elmore’s Comments on Best Practices for HISPs

Laurie Tull	No comment
	Doesn’t want this to be “big H big I big E,” should be simpler If I’m a user and I have a relationship with a HISP, that should be enough, so that I can communicate with another provider
John Williams	HISP breach and breach reporting is also important
Michael Firriolo	No comment
Karen Witting	Read that the certificates would be used as the basis of trust, so that the sender and receiver have an anchor that is the basis for trust, and that anchor determines which policies both sides agreed to Someone has to resolve that I’m sending/receiving to endpoints, the senders have to have a level of trust that is compatible Arien Malec With regard to certificates, the main trust issue is a) Are you the you I think I’m sending to? b) Am I the me you think you are receiving from? c) Do I have confidence my mail isn’t being opened and nothing else unknown is happening in flight? Karen Witting What about other policies? Is that where the murkiness is? Arien Malec Policies define essentially what the ground should be for the pilots HIPAA provides at least reasonably strong protections for individuals, but doesn’t apply to everybody A lot of what we are discussing, HIPAA should be able to apply to all parties and transactions	*
Don Jorgenson	No comment
Patrick Pyette	No comment
Mark Stine	No comment
Gary Christensen	Requirement: should be scalable Second, not so clear if we end up needing to have HISP to HISP agreement, not as much of a non-starter Arien Malec Neither of those two principles are set out in the preamble, he will add
Greg Chittim	No comment
John Feikema	Gary’s comments are aligned with mine in terms of what the larger issue is HISP to HISP agreements might be problematic, not a problem if they can sign a common agreement, much like the DURSA

Pat Pyette

• First, HIPAA is very focused on PHI; does this document intend to do the same?
• We have to make sure that PHI is either called out very specifically, or broaden the definition to include all kinds of personal info

Arien Malec

• Interesting, because the protected data has a definitive definition under HIPAA< but there may be a broader spectrum of data that needs to the same protections as in HIPAA

Pat Pyette

• HIT Policy Committee Is coming out with recommendations and will continue to come out with recommendations
• Direct Project documents should say “recommendations as they currently are currently stated”

Arien Malec

• Great point
• The pass between HIT Policy Committee recommendations becoming regulations is going to be a long time
• Recommendations as they currently exist should be the aim, even if they may end up being best practices with no enforcement mechanism in some cases, but regardless, the Direct Project organizations will abide by them

Pat Pyette

• You can only agree with what is in front of you today, not what may come tomorrow
• Next, a comment on Recommendation #6: We really want to be in concert with principle of minimum collection
• However, a HISP doing just HISP work will not survive long in the marketplace, so the recommendation could identify other value added services
• Language edit “service obligations of the HISP” rather than “function of exchange required”
• May offer other value-added services, just needs to be disclosed

David Kibbe

• Seems likely that once there are 35 or 112 HISPs, there will be some kind of association representing those organizations, and that they will all in effect represent an industry group that has a strong mutual interest in conducting business in a standardized manner within the framework we are discussing now
• They may find a way to create a convention with respect to BA agreement to add additional
• For now this is just a theoretical comment
• We can’t over-determine how these organizations choose to behave in the future, but we can hope they will behave in line with ideals we set out

Arien Malec

• 1) Setting best practices for pilots so that at least with respect to the pilots we have some level of voluntary commitment to maintain public trust
• 2) Setting out rules that organizations have voluntarily adhered to, foster innovation, protect privacy and security, all of which could be an input to the governance process for the Nationwide Health Information Network, which could include rules for effective messaging
• Distinction between regulation and voluntary associations --- Direct is voluntary
• Other comments on Best Practices for HISPS document:
• Will Ross makes the point that only a BA is inadequate for best practices
• I think that’s what the best practices were acknowledging—BA is necessary but not efficient
• Asked for volunteers for mini-review of Best Practices for HISPs document
• Suggested a Round on if we address these topics, if we are ready to move forward

Round the Room: Will the Best Practices for HISPs document be ready if revisions discussed above are made? Are there volunteers to help review?

Laurie Tull	Will all of the best practices documents be rolled up into one big one, or will they be chapters? Arien Malec Great suggestion, would be a really nice thing to do Thinks it is hard enough already to get the documents through consensus individually, so might make sense to send them through as chapters Trying to take off logical chunks Laurie Tull Realizes it will be a work in progress Right now they are trying to get best practices for the pilot programs, and not look further down the road
Rich Elmore	Happy to assist in follow up work Can think through the implications of the document and help in that perspective, but would be good to have an expert on rules and proposed rules Thinks the document will be complete after next round of review Arien Malec He does internal reviews with ONC, but they cannot actually make recommendations Direct is all voluntary Would be useful for someone in Direct to be involved in that level of review
John Williams	No comment
Michael Firriolo	No comment
Karen Witting	No comment
Gary Christensen	Is there anything we want to be talking about in terms of the “don’t look at the message” idea, as a best practice? Arien Malec The Policy Committee was looking into that
Don Jorgenson	Has a resource to offer for reviewing
Mark Stine	No comment
John Feikema	Is comfortable with review plan
David Kibbe	Has another CGC, lawyer he will ask to assist with reviewing She is strong with regulatory law Also willing to participate

Gary Christensen

• Doesn’t want to lose track of the breach issue

Arien Malec

• Also thinks breach issue is important to look at
• It is the sender’s responsibility

Greg Chittim

• Thought WG was tabling the discussion on this, but if moving forward will serve on review team

Arien Malec

• They will propose something on HISP breaches, will get back to the WG
• There are at least two other potential best practice areas to explore
• Expectations on e-mail infrastructure: attachment links, virus scanning
• Set of issues Rich Elmore raised relating to the individual
• The Tiger Team hasn’t looked at individuals at all yet, so this would be unchartered territory
• Any interest in doing these, writing up draft?

Round the Room: Seeking volunteers to draft content for next best practices focus

Rich Elmore	No
Laurie Tull	No
John Williams	No
Michael Firriolo	No
Karen Witting	Overwhelmed with things to read Arien Malec Open questions tracker for pilots
Don Jorgenson	Can assist
John Feikema	No
David Kibbe	Important that the individual be considered Informs other use cases
Greg Christensen	Biggest issue is who is the type of person who has the right background Who can address e-mail issues?
Greg Chittim	Is addressing HISP issues, for now

Arien Malec

• Will make revisions
• Will allow an additional week after the face to face meeting to make revisions, new Call for Consensus due 11/4/10