Best Practices for HISPs Call for Consensus - Best Practices WG
Best Practices Workgroup Call for Consensus: Best Practices for HISPs
STATUS: Due 1/25/2011
The term Health Information Service Provider (HISP) has been used by the Direct project both to describe a function (the management of security and transport for directed exchange) and an organizational model (an organization that performs HISP functions on behalf of the sending or receiving organization or individual). In this best practice document, we are mainly concerned with the HISP organization and the implications for privacy, security and transparency when the HISP is a separate business entity from the sending or receiving organization.
This document describes some of the key best practices required to ensure that individuals and organizations can participate in directed information exchange with confidence. As with all best practice documents, this document covers some ground being considered by HIT Policy Committee (HITPC) workgroups. These include, in particular, the Privacy and Security Tiger Team and the Governance Workgroup. The intent is to harmonize this document over time with the final recommendations of the HITPC.
Consensus voting on: Best Practices for HISPs
Workgroup Participant Organization |
Endorsement (Yes or No) |
If No, what can be changed to make it Yes? |
Akira Technologies, Inc |
||
Alere |
||
Allscripts |
Yes |
|
American Academy of Family Physicians |
||
Atlas Development |
||
Axolotl |
||
CareSpark |
||
Cerner |
Yes |
|
Christus Health |
||
Clinical Groupware Collaborative |
||
CMS |
||
Covisint |
||
CSC |
||
DoD |
||
eClinicalWorks |
||
Emdeon |
||
Epic |
||
FEI |
||
Garden State Health Systems/Health-ISP |
Yes, with comment |
Consider explicit discussion of directed exchange trigger conditions for meaningful consent. |
GE |
||
Google |
||
Greenway Medical Technologies |
||
GSI Health |
||
Harris Corporation |
Yes |
|
Healthcare Information Xchange of NY |
||
High Pine Associates |
||
HLN Consulting, LLC |
Yes |
|
IBM |
||
ICA |
||
Inpriva |
||
Intel |
||
Kryptiq |
||
LabCorp |
||
Massachusetts eHealth Collaborative |
||
MedAllies |
||
Medical University of SC, South Carolina Rese |
||
MEDfx |
Yes |
|
Medicity |
||
MedNET |
||
MedPATH Networks |
||
MedPlus/Quest Diagnostics |
||
Microsoft |
||
Mirth Corporation |
||
Misys Open Source Solutions (MOSS) |
||
Mobile MD |
||
NextGen Healthcare Information Systems, Inc. |
||
NIH NCI |
||
NIST |
||
NoMoreClipboard.com |
||
NYC Dept. of Health and Mental Hygiene’s PCIP |
||
Oregon HIE Planning Team |
||
Redwood MedNet |
||
RelayHealth |
||
Rhode Island Quality Institute |
Yes |
|
Secure Exchange Solutions |
||
Serendipity Health |
Yes, with comments |
It is recommended that this document be reviewed again after the pilot implementations are brought into production to allow further discussions with real providers and the implications that may be found with data sharing agreements and other policies for the implementing organizations. |
Siemens |
Yes with comments |
The first paragraph is helpful in clarifying the difference between HISP (the software functionality) vs HISP (a separate organization). Since this document applies to the organization only, I suggest renaming it to "Best Practices for Organizations Providing HISP Services" I also suggest modified wording near the end: "For instance, such uses would include the use of a directed push to a registry and/or repository which is then used for subsequent queries." The reason is that in some HIEs, such as those based on IHE XDS, an EHR might or might not physically push the document to an HIE-based repository, but may make its document available from its own repository and merely update the registry so it can "point to" the new document. |
Surescripts |
||
Techsant Technologies |
||
TN State HIE |
||
VA |
||
VisionShare |
Previous Voting Blocks:
Consensus voting on: Best Practices for HISPs
Workgroup Participant Organization |
Endorsement (Yes or No) |
If No, what can be changed to make it Yes? |
Akira Technologies, Inc |
||
Alere |
||
Allscripts |
Yes |
|
American Academy of Family Physicians |
||
Atlas Development |
||
Axolotl |
||
CareSpark/Serendipity Health |
||
Cerner |
Yes |
Should be updated as needed, pending HITSC review on 12/17 |
Christus Health |
||
Clinical Groupware Collaborative |
||
CMS |
||
Covisint |
||
CSC |
||
DoD |
||
eClinicalWorks |
||
Emdeon |
||
Epic |
||
FEI |
||
Garden State Health Systems |
||
GE |
||
Google |
||
Greenway Medical Technologies |
||
GSI Health |
||
Harris Corporation |
||
Healthcare Information Xchange of NY |
||
High Pine Associates |
||
HLN Consulting, LLC |
||
IBM |
Yes |
|
ICA |
||
Inpriva |
||
Intel |
||
Kryptiq |
||
LabCorp |
||
Massachusetts eHealth Collaborative |
||
MedAllies |
||
Medical University of SC, South Carolina Rese |
||
Medicity |
||
MedNET |
||
MedPATH Networks |
||
MedPlus/Quest Diagnostics |
Yes |
|
Microsoft |
||
Mirth Corporation |
||
Misys Open Source Solutions (MOSS) |
||
Mobile MD |
||
NextGen Healthcare Information Systems, Inc. |
||
NIH NCI |
||
NIST |
||
NoMoreClipboard.com |
||
NYC Dept. of Health and Mental Hygiene’s PCIP |
||
Oregon HIE Planning Team |
||
Redwood MedNet |
||
RelayHealth |
||
Rhode Island Quality Institute |
||
Secure Exchange Solutions |
||
Siemens |
||
Surescripts |
||
Techsant Technologies |
||
TN State HIE |
||
VA |
||
VisionShare |
Yes |
Consensus voting on: Best Practices for HISPs
Workgroup Participant Organization |
Endorsement (Yes or No) |
If No, what can be changed to make it Yes? |
Akira Technologies, Inc |
||
Alere |
||
Allscripts |
Yes |
|
American Academy of Family Physicians |
||
Atlas Development |
||
Axolotl |
||
CareSpark/Serendipity Health |
||
Cerner |
||
Christus Health |
||
Clinical Groupware Collaborative |
Yes |
Provisional. Agree with Allscript's call for simplicity of agreement as above. |
CMS |
||
Covisint |
||
CSC |
||
DoD |
||
eClinicalWorks |
||
Emdeon |
||
Epic |
||
FEI |
||
Garden State Health Systems |
||
GE |
||
Google |
||
Greenway Medical Technologies |
||
GSI Health |
||
Harris Corporation |
||
Healthcare Information Xchange of NY |
||
High Pine Associates |
||
HLN Consulting, LLC |
||
IBM |
Yes |
|
ICA |
||
Inpriva |
Yes (conditional) |
#1 - Should this go further to include Personal Information, not just PHI? #5 - Recommend amendment to this to read "...HITPC recommendations as they currently exist, by including..." #6 - Suggest rewording this. The intention is to avoid use/disclosure for purposes other than direct exchange. This indicates that even for exchange the HISP somehow has control over the message payload, which it should not. In addition, value-added services that can be included in BAA's may be for other services (e.g. disclosure audit, consent mangement, etc.). Suggested amendment: "... minimizing data use, retention, and disclosure to that absolutely required to meet the service obligations of the HISP." |
Intel |
||
Kryptiq |
No |
Need more time to do legal analysis. Request that the date be pushed out to allow for this. |
LabCorp |
||
Massachusetts eHealth Collaborative |
||
MedAllies |
||
Medical University of SC, South Carolina Rese |
||
Medicity |
||
MedNET |
||
MedPATH Networks |
||
MedPlus/Quest Diagnostics |
No |
We need more time to review the recommendations with our security, legal and compliance teams. Requesting that the due date for the consensus vote be moved out. |
Microsoft |
||
Mirth Corporation |
||
Misys Open Source Solutions (MOSS) |
||
Mobile MD |
||
NextGen Healthcare Information Systems, Inc. |
||
NIH NCI |
||
NIST |
||
NoMoreClipboard.com |
||
NYC Dept. of Health and Mental Hygiene’s PCIP |
||
Oregon HIE Planning Team |
||
Redwood MedNet |
no |
Pilot Recommendations under "HIPAA and Legal Agreements" are inadequate. Requiring only a BAA for a HISP is necessary but insufficient. The standard Participation Agreement used by Redwood MedNet is a network access contract with strict definitions that identify a "Participant" as a party that has entered into a participation agreement (a contract) with Redwood MedNet, and an "Authorized User" as an individual who is authorized by a Participant to use the HIE service on behalf of the Participant. This type of explicit clarity of roles and responsibilities goes way above and beyond a simple BAA, and is, I think, a minimum feature of a "Directed Exchange Participation Agreement." To suggest that only a BAA is needed is, I think, inadequate for a best practice. |
RelayHealth |
||
Rhode Island Quality Institute |
Yes (conditional) |
Concur with additional points that will be added by our Pilot HISP partner Inpriva. Conditionally approve on assumption that their comments are incorporated into the final version. |
Secure Exchange Solutions |
Yes |
|
Siemens |
||
Surescripts |
No |
Need more time to do legal analysis. Request that the date be pushed out to allow for this. |
Techsant Technologies |
||
TN State HIE |
||
VA |
||
VisionShare |