HIA WG Concall 2011-04-14 Minutes

Kantara HIAWG Teleconference

Date and Time

  • Date: Thursday, April 14, 2011
  • Time: 10 am PDT | 1 pm EDT | 5 pm UTC | 7 pm CEST

Attendees

  • Pete Palmer
  • Bob Pinheiro
  • Barry Hieb
  • Lara Zimberoff
  • Daniel Bennett
  • Dazza Greenwood
  • Rick Moore
  • Dave Minch
  • Anna Ticktin

Guests:

  • Bill Metz (Director of Quality Operations, Sure Scripts)
  • Linda Goettler (Security Lead on "Meaningful Use" Team, Sure Scripts)

Apologies

  • John Fraser
  • Laurie Tull
  • Tony Goulding
  • Myisha Frazier McElveen

Agenda

  1. Intro
  2. Roll Call
  3. Approval of Minutes
  4. HIAWG Leadership Election
  5. Meaningful Use Presentation and Discussion
  6. Other Business
  7. Adjourn

Minutes

1. Intro
2. Roll Call

See above.

3. Approval of Minutes

Call not in quorum - approval of minutes postponed to next call on 4/28/11.

4. HIAWG Leadership Election

Call not in quorum - Election postponed to next call on 4/28/11.

5. Meaningful Use Presentation and Discussion

Pete Palmer: Two special guests from SureScripts – Bill Metz, Director of Quality Operations & Linda Goettler, Security Lead on Meaningful Use Team

Is everyone familiar with what meaningful use is and why it is important for this project?

(no response)

Bill Metz: I’m a Six Sigma Master Blackbelt, have been in that game since about 1997, and my approach to quality improvement is from a quality management system approach. I got pulled into our application to become an ONC ATCB (accredited testing and cert body). We are accredited for Meaningful Use, in other words, we can accredit software for Meaningful Use use, but only for eprescribing software and the module for that software. So a vendor that has an eprescribing software and wants to become certified for meaningful use, we will test for accreditation, and then they can say they are certified. This is in order for them to get their incentive payments. The goal of this is to accelerate the pace of change in that world. I was pulled into that project from a quality management perspective. In order to become certified we had to prove that we met ISO standards, and now we can operate as an ATCB for ONC. Any questions on that overview?

(no questions)

We are accredited to certify only eprescribing and security modules. I believe we are the only ATCB for a single module. There are, I believe, four other ATCBs that are accredited to certify a full EMR. EHRs have to pass a certain number of tests in order to become certified for meaningful use. There is a menu of tests to choose from, as well as tests they MUST become certified on. This is all for the temporary program. As we move into the permanent program, the requirements are going to increase. There is certification around actually using those modules in the exchange of health information technology.

Rick Moore: Is temporary program and permanent program defined as phase one and phase two?

Pete: They are distinct. What happened was there was too aggressive a timeline, so it was necessary to instate the temporary program.

Bill Metz: Again, our role is as an ATCB for eprescribing only. Anybody that does single module testing and certification also has to test for security, as does a full EMR.

Linda: That’s where the challenge really comes in. If this group could separate this so the security is a separate module, that would be a very good thing. Typically EMRs probably have some kind of access control built into each product, not just the application.

Pete: For the PIDS project – do you know if there are any pro bono accredited bodies that would do the testing and certification for free?

Bill Metz: We’re not charging for our ATCB vendor certification for the eprescribing module. The other ATCBs are charging.

Pete: Since this isn’t an eprescribing app per se, would Surescripts be able to certify the security component?

Linda: Not unless you pulled it out of the app.

Pete: There is going to be a patient portal with the criteria applies to managing health records.

Rick Moore: Which criteria are you involved in testing?

Linda: I don’t have the numbers memorized, but it was the criteria under security and privacy.

Pete: It doesn’t look like Surescripts would be able to do the testing and provide the certification.

Dazza: Daniel and I are discussing having another dialogue to get the PIDS product output certified as a stand-alone security module.

Pete: Since we don’t have the software right now, I don’t know how we would answer that question.

Dazza: I’d like to propose that we continue the discussion.

Bill Metz: Does what you guys are in the process of developing fit within the module of an EHR? It seems it crosses a lot of the boundaries of the module.

Dazza: Our concept is being called a patient identification service, which is focused on authentication of identity, but we’re not trying to rebuild an overall EHR or HIE. We’re focused on the identity and maybe some authorizations that go along with that.

Bill Metz: The best way to do this would be to get ONC to require some sort of patient identity component as part of the requirement for meaningful use.

Pete: One of the things I’ve been thinking about is that the mission of this workgroup is to promote the Kantara HIA WG framework within the healthcare space. One sure sign of that success would be a requirement for the adoption of the framework. I don’t think they would be averse to that. Maybe if we promote our framework as a stage two effort, we would reach the goals we’ve been discussing.

Daniel Bennett: We will open up this conversation with some of the main people on this matter.

Barry: It seems to me that if you’re going to do certification of a module from a security perspective, you have to also be able to certify that there aren’t “trap doors” in that security, because it could compromise the entire system. How do you test to avoid them?

Linda: That was not addressed by the testing. They tested very simple things like duplication, audit logging, integrity of messages, etc.

Barry: Isn’t that a large problem?

Bill Metz: The tests that were developed for eprescribing are very rudimentary.

Barry: This is a recurring problem for modular software approaches.

Pete: These are all items we should continue to discuss on the next call.

6. Other Business

Daniel Bennett: NSTIC is going to be made available to the world officially tomorrow. We are going to be there and have put together a website called nstic.us.

Dazza: The release will be tomorrow. eCitizen has created NSTIC.us to foster dialog about NSTIC. Kantara is a major partner in NSTIC.us, with CDT, idcommons and others (many more coming online soon). There will be a chance for the partner groups to include quotes re NSTIC on the site tomorrow to appear when the launch happens and, since we expect a surge in interest, there will be many hits to the site. In addition, there will be a press call on Monday at 1pm eastern time at which Kantara and other partners will have a chance to provide more quotes and lead the media through a process of dialog and Q&A on NSTIC and the views from each of their organizations. We are all excited about this milestone and look forward to working with the government to realize the opportunity of a national identity ecosystem that provides privacy and security.

7. Adjourn

Next Meeting

  • Date: Thursday, April 28, 2011
  • Time: 10 am PDT | 1 pm EDT | 5 pm UTC | 7 pm CEST
  • Dial-In: +1-201-793-9022
  • Code: 4630912