Session Notes 7
Jump to navigation
Jump to search
Session 7: Contracting with HISP Vendors
4/13/11: 8:30 --10:15AM
Session Objectives
● Discuss state perspectives around approaches, learnings, and best practices around contracting with HISP vendors
Presenters/Panelists
● Greg Chittim, Director of Provider Services, Arcadia Solutions
● Christopher M. Henkenius, Program Director, NeHII, Inc.
● Fred Richards, COO/CIO, Ohio Health Information Partnership LLC
Introduction, Ross Martin and Brian Ahier
● Four approaches to offering HISP services
○ Set the playing field - let the market drive
○ Designate a HISP of last resort
○ Provide core services to HISPs
○ Be the HISP
○ There are impacts to all of these in costs and revenue options
● Set the playing field
○ State can play governance role – certifying and qualifying HISP
○ Create a market where states can facilitate vendors coming into the marketplace
○ Set minimum requirements
- For example, dictate that HISPs must connect to other HISPs
○ Advertise who is out there that meets approval
○ Serve as a matchmaker - make sure providers know who vendors are
○ Costs
- Governance operations
- Certification/qualifying process
- Fewer customers, limited revenue model
● Designate a HISP of last resort
○ Contract with one or several HISP vendors so that they can accept any willing provider
○ Identify eligible providers that you want to target (provider vouchers to help cover the costs for providing HISP services to underserved areas where market drivers don't justify investment)
○ Costs
- Add in providing vouchers
○ Revenue options
- Registration/certification fees for HISP vendors
- Sponsoring state agency where current process is replaced by Direct-mediated service
● Provide core services to HISPs
○ State augments what HISPs are providing with state-level services:
- Provider directory - serve as “source of truth”
- Certificate authority - can be a certificate authority, set levels
- Customers are HISP vendors
● Be the HISP
○ Environment may be HIT “limited” (geographically distributed, many providers/data sources, etc. with limited HIT capacity)
○ Contract with single vendor to provide statewide services
○ Provide HISP services directly
● Key issues:
○ Establishing trust
○ Contractual and legal agreements
○ Compliance with HIPAA
○ Risk assessment and mitigation
○ Encryption
○ Certificate issuance, management, discovery
○ Transparency
- People understand what your role is, what is being offered
- What are you promising with Direct?
○ Minimum necessary
- Clear that you are using minimum necessary information to make transactions happen
○ Separation of functions
● Questions for you?
○ Ross : How are you thinking about providing HISP services?
- Illinois: Leaning towards not being the HISP and setting the playing field instead. Don’t have a handle on where the marketplace is. Expect that there is enough coverage in the state
● Survey HISP availability
● Work with REC to determine what the availability is
● Want to set the standards, certification for HISPs
● We’ll be able to attract HISP vendors because of the size of the state and the size of the market
- Oregon is working on setting up a HISP of last resort.
○ Arien: Work with the federal government to every extent possible. Think about national regulatory timeframes. NPRM will likely be in the summertime. When national regulation comes out, states should try to align with it or be flexible with your regulatory approach to adapt.
○ Comment: Nothing local about being a HISP. HISPs can serve disparate geographies.
- HISP services do not need to be geographically located.
- David Kibbe: It’s the health internet. The real issue is to assure that if you have HISPs operating in your state are not “walled gardens.” Make sure that HISPs will accept any message from a provider with a valid Direct address. No closed networks. Want to make sure that you have maximum interoperability.
○ OK: State plan has not been approved. We do not mention HISPs, we mention HIOs. Are HISPs and HIOs the same thing?
- Brian: There is a clear distinction. HIO may act as a HISP, but not necessarily be a HISP.
○ Claudia: If you are planning to launch a HISP, there are some key questions:
- If you determine that there is a white space, you need a strategy to enable messages to flow to and from multiple HISPs.
- Role of ensuring trust and interoperability in a state might extend to setting standards for HISPs in a state
● This fits in nicely with the concept of qualified entities that many states were already considering.
- Key question: no matter what your approach, how do you ensure that HISPs do not become walled gardens?
● What goes into a RFP?
○ General terms and conditions
- These will not typically change from one RFP to another.
○ Special terms and conditions
- Assuming that states build their RFPs off of a shared template, states will be able to select the options that work for them from a set of special terms and conditions.
○ Scope of work/services
- These are typically completed by the contract monitor or state point of contact.
○ Texas has its RFQ posted right now.
○ Specifications based on extensive input from stakeholders
○ A clear vision of the tasks the HIE entity will perform
○ Well-defined technical expectations
○ Maintenance and upgrade needs
○ Vendor must be cooperative and flexible to adapt to technological and administrative changes
- Things will continue to change. Maintain flexibility so that you can adapt. As rule making process moves forward, flexibility is key.
○ Build performance metrics and milestones into contracts
○ Include general timeframes and costs
● Key questions:
○ Describe your applicable credentials, certifications and experience
○ Are you on the state's preferred vendor list?
- Rhode Island is developing a preferred vendor list
● Make sure that the vendor does not have a walled garden approach
● HISP-to-HISP connectivity
● Does your solution/service meet all applicable state and federal laws?
● How does your solution/service accommodate our particular state requirements?
● Describe your existing privacy, security safeguards, including your security plan.
● Does your solution describe your approach to connecting to other HISPs?
● Are you a participant in the Direct project?
● Would want a vendor that has helped from the beginning?
● What is their outreach strategy to stakeholders?
Presentation 1, Greg Chittim, RIQI
● RIQI is taking a setting the “playing field” approach.
○ There is a lot of security and regulatory implications that come with being a HISP that we wanted to avoid.
○ We are focused on connecting providers with pre-qualified HISPs.
● RIQI has interesting opportunities from wearing multiple hats (Beacon, HIE, REC).
○ Want to be HISP-agnostic; pre-qualifying HISPs (probably around 4-6 and may expand)
○ Choose HISPs that best match providers’ needs.
○ Some HISPs may only provide core services.
○ Some will provide value-added services.
● Application to participate (ATP) is due in a few hours
○ Several evaluation categories
- Business info
● Complementary business lines
- REC requirements
● Discounts, robust support processes
- Financial info
● Must be financial viable
- Direct project contribution
● Everyone that intended to respond has been pretty involved
- Minimum HISP specifications
● Compliance with best practices
- Technology system specifications
- Additional information
○ 9-10 HISPs expressed an interest in participating
○ ATP is not a contractual document
- There will be a separate contractual process.
- This is to whittle the list.
○ Opportunities to reuse documents
- Happy to share ATP, scoring tool
● Vendors that expressed interest
● Timeline
○ Middle of May - REC runs HIT expo. Vendor fair where providers can ask questions
○ HISP vendors will come to this HIT expo
Presentation 2, Fred Richards, OHIP
● Both the REC and HIE
○ REC has helped us to build a preferred vendor list.
○ Vendors are true partners.
○ Speaking with vendors on how they think Direct will be a part of their products.
● Seven regional partners
○ Working with them on marketing, outreach
○ Helpful in the rural communities
○ Rural area providers are looking forward to using Direct
● Working with multiple states
○ Speaking with MI about their experiences
- Patients cross state borders between MI and OH frequently
○ Workgroup with NY, NJ, MA, and CA
● Phased strategy
○ Technology is easy; how do you roll it out to providers?
○ Big surprise about how many different EHRs are out there.
- Utilization rates are low
○ Next step is longitudinal record
- Direct will help in getting data in.
○ OH has made many broadband advancements.
● Contracted services
○ Providers need to be verified. Using the REC to ensure that we are bringing in verified providers.
○ Working with state Licensure Bureau to coordinate processes for provider authentication.
○ OHIP is working with local AAFP.
● Related costs
○ Privacy and security
- OH has some of the most stringent privacy rules in the country.
- Costs to support consent management layer.
○ Costs to providers
- EHR or HISP vendor purchases or upgrades to support framework
● Challenges
○ Consent requirements
○ How do you scale?
○ Required conversion between SMTP and XDR/XDM messages
○ Liability issues from conversion and delivery
Presentation 3, Chris Henkenius, NeHII
● NeHII - statewide HIE. Participation from:
○ 500 physicians
○ 19 hospitals
● There is a demand for state-level shared services.
● Talking about sharing services with other states.
○ Started an organization called HIO Shared Services
○ Collaborative of HIOs
○ Service provider for NeHII and external clients
○ Listed as a subsidiary of NeHII
○ Already have an established product road map
- Shared provider directory
- One of the services is being a HISP
● All inclusive
● Trust - Policy HISP Service
○ The criticality of managing trust
○ Interoperability of transport
○ Transparency in operational policies
○ Certificates and identify management
○ Evaluate and assess trust in other exchanges
- Behavioral health
- HIOs in nearby states
● CO, SD, KS, MN
○ Direct enabling
○ Certificate discoverability (via provider directory)
● Questions worth asking
○ What is the primary component of a HISP?
○ What did Nebraska consider for the HISP model?
○ Will I be able to communicate with other entities with separate HISP providers?
- Each organization will have a different set of requirements. Provide options for you to work with us on building your HISP
○ What are considerations for working with a HISP?
○ Am I going to be able to exchange secure messages to HIEs, HIE participants, and other providers?
● Business Model
○ Fee for Service Business Model
○ Provider directory
- Working with NeHII on entity level data
- Will be the eventual trust source
- Looking at different business models to use
○ Certificate authority
○ Direct messaging
○ Cost Models – ROI Based
○ Subscription model
○ Transaction model
○ HIE-based model
○ Someone was also talking about a “cell phone” based model
FAQ Session
● Holly Miller (MedAllies): Echo David Kibbe’s comment on HISP-to-HISP communication and actively engaging in supported regulations as they become available.
● Urge ONC to include requirements for all EHRs to be certified before Stage 2 and must include Direct protocols. It would solve so many problems. Question to Dr. Miller: One of the few provider organzations to start their own HISP, what did the panelists miss?
○ Holly Miller - MedAllies runs a HIE for the state, not a provider organization.
● Is Surescripts planning to be a HISP?
○ Yes.
● Claudia: states have an opportunity to take a different approach than RHIOs and HIE work. We need to tackle how states communicate with each other at the get go. If you build a state HISP and wait to decide your approach to connect to other HISPs, that is a risk.
● Taylor Cook (TX): To clarify, Texas doesn’t have a HISP strategy; we have a white space strategy. HISPs, RECs, HIOs, venders can all respond to the RFP.
● Gary Parker: AL is starting from the bottom. Direct in the short-term will contradict the use of our statewide HIE. How can we protect adoption of our HIE? AL doesn’t want to compete against the market
○ Arien: One of the hardest things is getting providers connected. It doesn't so much matter whether you own the end pipe or someone else does. Encourage states to flip the problem inside out: what can you do to build services on top of connectivity in the states?
● Bill Behighe – We run an HIO that would be considered mature. When Direct came around, we were excited. We thought our HIO would evolve to meet requirements. This feels like the early days of cell phones and roaming. How do we avoid the mess of those early days? We will be dealing with different HISPs across commercial and proprietary areas.
○ Holly Miller: Important for Direct to go from EHR to EHR.
○ Arien: First, notion of HISP-to HISP communication has always been at heart of what we want to do with Direct. This should be a key part of what you are trying to do.
● Ryan Sommers (AZ): Would states that have tools today to share (especially RI), share them?
● Brian - Key question to ask vendors: are you offering services directly to patients?
● Greg Farnum: Established strategies for building out RFPs
○ Worst possible situation: Get close to selecting and have to start over because you didn’t ask the right questions
○ Plan for worst, hope for best
○ Ask tough questions early
○ Start “competition” early
○ Reuse RFP so that it can be rolled right into the contract for scope of work
● Dave Perry (NM): Will the connection to the HISP be separate from the internet connection? Confused about HISP-to-provider connection - Is it the internet or private point-to-point?
○ Brian - It’s the internet. If you have an Internet connection, that is what you need. As for where encryption takes place? It depends.
○ Arien - Establish an electronic connection that is integrated with the clinical workflow and ideally integrated with clinical health records. In terms of the “last mile pipeline”, answer is “it depends”. You can use SMTP standards over secure connections. You can use XDR as your last mile connection for EHRs that are sophisticated. Surescripts spoke about REST-based as did MedPlus. Best practice - for last mile transport, do a lot of them. The more available, the more success you may have. Make sure you have at least one way, but if there is more than one, make sure that they are all interoperable.
● Ross – I’m thinking about the MU scenario of that you can send either CDR/CCD, but you have to be able to read both. Would it be fair to say that the HISP is the SMTP provider, but we can receive anything and convert? Can they do this while keeping messages encrypted?
○ Arien - If you are re-wrapping services, you are exposing PHI and must have a BAA. Want to de-crypt and then send it . To be a HISP, you have to do basic SMTP and S/MIME. There are, however, other translation services offered.
● Ross - Regarding the re-wrapping transport layer stuff - is it light-weight enough that you could do it all over dial-up if the message is small?
○ Arien - It’s definitely possible. But it’s far preferable to do it over wifi.
Closing Comments:
● Some of you were starting off thinking one way, now you are changing
● Whatever the thinking, there are common threads.
● Closing panelists comments:
○ Greg: There are technical challenges in being the HISP. That’s why we chose the strategy we did. RIQI will be the entity to help providers judge who meets min. bar and making it easy for providers.
○ Fred: Services” work with REC to explain so provider is making educated choice. They need to understand resources and functions to participate
○ Chris: Continuing process to evaluation. What options we have. What are providers demanding? Reaching out to vendors to see what is out there. To see how technology fits into our business model.
○ One of the key problems - how do you make connections with providers?
- How do you leverage REC and existing connections?
○ Two states are HIE/REC. NE is working closely with REC. Including REC in planning process is going to be helpful.
Session 7: Contracting with HISP Vendors
4/13/11: 8:30 --10:15AM
Session Objectives
● Discuss state perspectives around approaches, learnings, and best practices around contracting with HISP vendors
Presenters/Panelists
● Greg Chittim, Director of Provider Services, Arcadia Solutions
● Christopher M. Henkenius, Program Director, NeHII, Inc.
● Fred Richards, COO/CIO, Ohio Health Information Partnership LLC
Introduction, Ross Martin and Brian Ahier
● Four approaches to offering HISP services
○ Set the playing field - let the market drive
○ Designate a HISP of last resort
○ Provide core services to HISPs
○ Be the HISP
○ There are impacts to all of these in costs and revenue options
● Set the playing field
○ State can play governance role – certifying and qualifying HISP
○ Create a market where states can facilitate vendors coming into the marketplace
○ Set minimum requirements
- For example, dictate that HISPs must connect to other HISPs
○ Advertise who is out there that meets approval
○ Serve as a matchmaker - make sure providers know who vendors are
○ Costs
- Governance operations
- Certification/qualifying process
- Fewer customers, limited revenue model
● Designate a HISP of last resort
○ Contract with one or several HISP vendors so that they can accept any willing provider
○ Identify eligible providers that you want to target (provider vouchers to help cover the costs for providing HISP services to underserved areas where market drivers don't justify investment)
○ Costs
- Add in providing vouchers
○ Revenue options
- Registration/certification fees for HISP vendors
- Sponsoring state agency where current process is replaced by Direct-mediated service
● Provide core services to HISPs
○ State augments what HISPs are providing with state-level services:
- Provider directory - serve as “source of truth”
- Certificate authority - can be a certificate authority, set levels
- Customers are HISP vendors
● Be the HISP
○ Environment may be HIT “limited” (geographically distributed, many providers/data sources, etc. with limited HIT capacity)
○ Contract with single vendor to provide statewide services
○ Provide HISP services directly
● Key issues:
○ Establishing trust
○ Contractual and legal agreements
○ Compliance with HIPAA
○ Risk assessment and mitigation
○ Encryption
○ Certificate issuance, management, discovery
○ Transparency
- People understand what your role is, what is being offered
- What are you promising with Direct?
○ Minimum necessary
- Clear that you are using minimum necessary information to make transactions happen
○ Separation of functions
● Questions for you?
○ Ross : How are you thinking about providing HISP services?
- Illinois: Leaning towards not being the HISP and setting the playing field instead. Don’t have a handle on where the marketplace is. Expect that there is enough coverage in the state
● Survey HISP availability
● Work with REC to determine what the availability is
● Want to set the standards, certification for HISPs
● We’ll be able to attract HISP vendors because of the size of the state and the size of the market
- Oregon is working on setting up a HISP of last resort.
○ Arien: Work with the federal government to every extent possible. Think about national regulatory timeframes. NPRM will likely be in the summertime. When national regulation comes out, states should try to align with it or be flexible with your regulatory approach to adapt.
○ Comment: Nothing local about being a HISP. HISPs can serve disparate geographies.
- HISP services do not need to be geographically located.
- David Kibbe: It’s the health internet. The real issue is to assure that if you have HISPs operating in your state are not “walled gardens.” Make sure that HISPs will accept any message from a provider with a valid Direct address. No closed networks. Want to make sure that you have maximum interoperability.
○ OK: State plan has not been approved. We do not mention HISPs, we mention HIOs. Are HISPs and HIOs the same thing?
- Brian: There is a clear distinction. HIO may act as a HISP, but not necessarily be a HISP.
○ Claudia: If you are planning to launch a HISP, there are some key questions:
- If you determine that there is a white space, you need a strategy to enable messages to flow to and from multiple HISPs.
- Role of ensuring trust and interoperability in a state might extend to setting standards for HISPs in a state
● This fits in nicely with the concept of qualified entities that many states were already considering.
- Key question: no matter what your approach, how do you ensure that HISPs do not become walled gardens?
● What goes into a RFP?
○ General terms and conditions
- These will not typically change from one RFP to another.
○ Special terms and conditions
- Assuming that states build their RFPs off of a shared template, states will be able to select the options that work for them from a set of special terms and conditions.
○ Scope of work/services
- These are typically completed by the contract monitor or state point of contact.
○ Texas has its RFQ posted right now.
○ Specifications based on extensive input from stakeholders
○ A clear vision of the tasks the HIE entity will perform
○ Well-defined technical expectations
○ Maintenance and upgrade needs
○ Vendor must be cooperative and flexible to adapt to technological and administrative changes
- Things will continue to change. Maintain flexibility so that you can adapt. As rule making process moves forward, flexibility is key.
○ Build performance metrics and milestones into contracts
○ Include general timeframes and costs
● Key questions:
○ Describe your applicable credentials, certifications and experience
○ Are you on the state's preferred vendor list?
- Rhode Island is developing a preferred vendor list
● Make sure that the vendor does not have a walled garden approach
● HISP-to-HISP connectivity
● Does your solution/service meet all applicable state and federal laws?
● How does your solution/service accommodate our particular state requirements?
● Describe your existing privacy, security safeguards, including your security plan.
● Does your solution describe your approach to connecting to other HISPs?
● Are you a participant in the Direct project?
● Would want a vendor that has helped from the beginning?
● What is their outreach strategy to stakeholders?
Presentation 1, Greg Chittim, RIQI
● RIQI is taking a setting the “playing field” approach.
○ There is a lot of security and regulatory implications that come with being a HISP that we wanted to avoid.
○ We are focused on connecting providers with pre-qualified HISPs.
● RIQI has interesting opportunities from wearing multiple hats (Beacon, HIE, REC).
○ Want to be HISP-agnostic; pre-qualifying HISPs (probably around 4-6 and may expand)
○ Choose HISPs that best match providers’ needs.
○ Some HISPs may only provide core services.
○ Some will provide value-added services.
● Application to participate (ATP) is due in a few hours
○ Several evaluation categories
- Business info
● Complementary business lines
- REC requirements
● Discounts, robust support processes
- Financial info
● Must be financial viable
- Direct project contribution
● Everyone that intended to respond has been pretty involved
- Minimum HISP specifications
● Compliance with best practices
- Technology system specifications
- Additional information
○ 9-10 HISPs expressed an interest in participating
○ ATP is not a contractual document
- There will be a separate contractual process.
- This is to whittle the list.
○ Opportunities to reuse documents
- Happy to share ATP, scoring tool
● Vendors that expressed interest
● Timeline
○ Middle of May - REC runs HIT expo. Vendor fair where providers can ask questions
○ HISP vendors will come to this HIT expo
Presentation 2, Fred Richards, OHIP
● Both the REC and HIE
○ REC has helped us to build a preferred vendor list.
○ Vendors are true partners.
○ Speaking with vendors on how they think Direct will be a part of their products.
● Seven regional partners
○ Working with them on marketing, outreach
○ Helpful in the rural communities
○ Rural area providers are looking forward to using Direct
● Working with multiple states
○ Speaking with MI about their experiences
- Patients cross state borders between MI and OH frequently
○ Workgroup with NY, NJ, MA, and CA
● Phased strategy
○ Technology is easy; how do you roll it out to providers?
○ Big surprise about how many different EHRs are out there.
- Utilization rates are low
○ Next step is longitudinal record
- Direct will help in getting data in.
○ OH has made many broadband advancements.
● Contracted services
○ Providers need to be verified. Using the REC to ensure that we are bringing in verified providers.
○ Working with state Licensure Bureau to coordinate processes for provider authentication.
○ OHIP is working with local AAFP.
● Related costs
○ Privacy and security
- OH has some of the most stringent privacy rules in the country.
- Costs to support consent management layer.
○ Costs to providers
- EHR or HISP vendor purchases or upgrades to support framework
● Challenges
○ Consent requirements
○ How do you scale?
○ Required conversion between SMTP and XDR/XDM messages
○ Liability issues from conversion and delivery
Presentation 3, Chris Henkenius, NeHII
● NeHII - statewide HIE. Participation from:
○ 500 physicians
○ 19 hospitals
● There is a demand for state-level shared services.
● Talking about sharing services with other states.
○ Started an organization called HIO Shared Services
○ Collaborative of HIOs
○ Service provider for NeHII and external clients
○ Listed as a subsidiary of NeHII
○ Already have an established product road map
- Shared provider directory
- One of the services is being a HISP
● All inclusive
● Trust - Policy HISP Service
○ The criticality of managing trust
○ Interoperability of transport
○ Transparency in operational policies
○ Certificates and identify management
○ Evaluate and assess trust in other exchanges
- Behavioral health
- HIOs in nearby states
● CO, SD, KS, MN
○ Direct enabling
○ Certificate discoverability (via provider directory)
● Questions worth asking
○ What is the primary component of a HISP?
○ What did Nebraska consider for the HISP model?
○ Will I be able to communicate with other entities with separate HISP providers?
- Each organization will have a different set of requirements. Provide options for you to work with us on building your HISP
○ What are considerations for working with a HISP?
○ Am I going to be able to exchange secure messages to HIEs, HIE participants, and other providers?
● Business Model
○ Fee for Service Business Model
○ Provider directory
- Working with NeHII on entity level data
- Will be the eventual trust source
- Looking at different business models to use
○ Certificate authority
○ Direct messaging
○ Cost Models – ROI Based
○ Subscription model
○ Transaction model
○ HIE-based model
○ Someone was also talking about a “cell phone” based model
FAQ Session
● Holly Miller (MedAllies): Echo David Kibbe’s comment on HISP-to-HISP communication and actively engaging in supported regulations as they become available.
● Urge ONC to include requirements for all EHRs to be certified before Stage 2 and must include Direct protocols. It would solve so many problems. Question to Dr. Miller: One of the few provider organzations to start their own HISP, what did the panelists miss?
○ Holly Miller - MedAllies runs a HIE for the state, not a provider organization.
● Is Surescripts planning to be a HISP?
○ Yes.
● Claudia: states have an opportunity to take a different approach than RHIOs and HIE work. We need to tackle how states communicate with each other at the get go. If you build a state HISP and wait to decide your approach to connect to other HISPs, that is a risk.
● Taylor Cook (TX): To clarify, Texas doesn’t have a HISP strategy; we have a white space strategy. HISPs, RECs, HIOs, venders can all respond to the RFP.
● Gary Parker: AL is starting from the bottom. Direct in the short-term will contradict the use of our statewide HIE. How can we protect adoption of our HIE? AL doesn’t want to compete against the market
○ Arien: One of the hardest things is getting providers connected. It doesn't so much matter whether you own the end pipe or someone else does. Encourage states to flip the problem inside out: what can you do to build services on top of connectivity in the states?
● Bill Behighe – We run an HIO that would be considered mature. When Direct came around, we were excited. We thought our HIO would evolve to meet requirements. This feels like the early days of cell phones and roaming. How do we avoid the mess of those early days? We will be dealing with different HISPs across commercial and proprietary areas.
○ Holly Miller: Important for Direct to go from EHR to EHR.
○ Arien: First, notion of HISP-to HISP communication has always been at heart of what we want to do with Direct. This should be a key part of what you are trying to do.
● Ryan Sommers (AZ): Would states that have tools today to share (especially RI), share them?
● Brian - Key question to ask vendors: are you offering services directly to patients?
● Greg Farnum: Established strategies for building out RFPs
○ Worst possible situation: Get close to selecting and have to start over because you didn’t ask the right questions
○ Plan for worst, hope for best
○ Ask tough questions early
○ Start “competition” early
○ Reuse RFP so that it can be rolled right into the contract for scope of work
● Dave Perry (NM): Will the connection to the HISP be separate from the internet connection? Confused about HISP-to-provider connection - Is it the internet or private point-to-point?
○ Brian - It’s the internet. If you have an Internet connection, that is what you need. As for where encryption takes place? It depends.
○ Arien - Establish an electronic connection that is integrated with the clinical workflow and ideally integrated with clinical health records. In terms of the “last mile pipeline”, answer is “it depends”. You can use SMTP standards over secure connections. You can use XDR as your last mile connection for EHRs that are sophisticated. Surescripts spoke about REST-based as did MedPlus. Best practice - for last mile transport, do a lot of them. The more available, the more success you may have. Make sure you have at least one way, but if there is more than one, make sure that they are all interoperable.
● Ross – I’m thinking about the MU scenario of that you can send either CDR/CCD, but you have to be able to read both. Would it be fair to say that the HISP is the SMTP provider, but we can receive anything and convert? Can they do this while keeping messages encrypted?
○ Arien - If you are re-wrapping services, you are exposing PHI and must have a BAA. Want to de-crypt and then send it . To be a HISP, you have to do basic SMTP and S/MIME. There are, however, other translation services offered.
● Ross - Regarding the re-wrapping transport layer stuff - is it light-weight enough that you could do it all over dial-up if the message is small?
○ Arien - It’s definitely possible. But it’s far preferable to do it over wifi.
Closing Comments:
● Some of you were starting off thinking one way, now you are changing
● Whatever the thinking, there are common threads.
● Closing panelists comments:
○ Greg: There are technical challenges in being the HISP. That’s why we chose the strategy we did. RIQI will be the entity to help providers judge who meets min. bar and making it easy for providers.
○ Fred: Services” work with REC to explain so provider is making educated choice. They need to understand resources and functions to participate
○ Chris: Continuing process to evaluation. What options we have. What are providers demanding? Reaching out to vendors to see what is out there. To see how technology fits into our business model.
○ One of the key problems - how do you make connections with providers?
- How do you leverage REC and existing connections?
○ Two states are HIE/REC. NE is working closely with REC. Including REC in planning process is going to be helpful.