RE: HL7 Standards Process (was RE: EDIINT and HIPAA)
- To: "Kepa Zubeldia" <Kepa.Zubeldia@xxxxxxxxxxx>
- Subject: RE: HL7 Standards Process (was RE: EDIINT and HIPAA)
- From: "Dick Brooks" <dick@xxxxxxxx>
- Date: Tue, 21 Nov 2000 18:02:55 -0600
- Cc: "Rishel,Wes" <wes.rishel@xxxxxxxxxxx>, "'Gunther Schadow'" <gunther@xxxxxxxxxxxxxxxxxxxxxx>, "Rik Drummond" <rvd2@xxxxxxxxxxxxxxxx>, "CLEM" <clem@xxxxxxxxxxxxxxxxxx>, "Gary Crough" <gcrough@xxxxxxxxxxxxxxxxxxx>, "Beth Morrow" <Beth@xxxxxxxxxxxxxxxxx>, "David@Drummondgroup. Com" <david@xxxxxxxxxxxxxxxxx>, <GISB1@xxxxxxx>, <ietf-ediint@xxxxxxx>, <dick@xxxxxxxx>
- Importance: Normal
- In-reply-to: <>
- List-archive: <http://www.imc.org/ietf-ediint/mail-archive/>
- List-id: <ietf-ediint.imc.org>
- List-unsubscribe: <mailto:ietf-ediint-request@imc.org?body=unsubscribe>
- Reply-to: <dick@xxxxxxxx>
- Sender: owner-ietf-ediint@xxxxxxxxxxxx
Kepa,
>Does this shed some light?
Thank you, your framing of the issues regarding digital signatures and HIPAA
helped me a great deal.
>Do you want EDIINT to be adopted by the Secretary as the HIPAA digital
>signature standard? Then, I think you know what to do.
The ideal solution is an ANSI approved digital signature standard. In lieu
of such an ANSI standard, would HHS "seriously" consider a standard that has
been adopted by another government department (e.g. Department of Energy) IF
it met HIPAA's requirements? How about a standard created by a non-ANSI SDO
(e.g. IETF, GISB)?
If HHS wouldn't seriously consider anything that is a non-ANSI standard then
the path ahead is quite clear; an ANSI standard is needed, ASAP.
> However, if we let the scope creep to cover other topics, such as PKI or
> "trust" issues, then the wheels could slow down.
I agree, there are still many issues plaguing PKI, both technical and
business related. Given the scale, visibility and criticality of HIPAA
deployments I think it would be best to leverage a "trust" approach that is
easy to implement, widely deployed and has proven to be scalable and
interoperable (for example PGP).
> I hope that having a "HIPAA Signature Implementation Guide" does not
> preclude other "implementation guides" for things like encryption,
> consent form signature, multiple signatures, counter signatures, etc.
> that are also necessary but not "mandated" by HIPAA at this time.
I think this should be specified as a core requirement.
Very helpful.
Thanks,
Dick Brooks
Group 8760
110 12th Street North
Birmingham, AL 35203
dick@xxxxxxxx
205-250-8053
Fax: 205-250-8057
http://www.8760.com/
InsideAgent - Empowering e-commerce solutions
> -----Original Message-----
> From: Kepa Zubeldia [mailto:Kepa.Zubeldia@xxxxxxxxxxx]
> Sent: Monday, November 20, 2000 7:15 PM
> To: Dick Brooks
> Cc: Rishel,Wes; 'Gunther Schadow'; Rik Drummond; CLEM; Gary Crough; Beth
> Morrow; David@Drummondgroup. Com; GISB1@xxxxxxx; ietf-ediint@xxxxxxx
> Subject: Re: HL7 Standards Process (was RE: EDIINT and HIPAA)
>
>
> Dick, Wes,
>
> Now I need to throw in my $.02
>
> Under HIPAA, the Secretary of HHS is required to adopt a standard for
> electronic signatures of the HIPAA transactions. Simple and reduced
> scope.
>
> The Secretary is required to adopt Standards (with capital S) developed
> by an SDO from the American National Standards Institute. If no such
> standard is available, the Secretary can create her own standards.
>
> The HIPAA Security Final Rule will reflect security standards created by
> HHS because there are no other security standards for healthcare
> developed by an ANSI SDO that meet the security requirements expressed
> in the HIPAA Law. However, the security final rule will NOT have a
> standard for electronic signatures, and this standard will come out in a
> later final rule.
>
> If the healthcare SDOs were to agree on an ANSI standard for digital
> signatures that could be used for the HIPAA transactions, and a very
> specific "implementation guide" on how to use this standard to sign the
> HIPAA transactions, the Secretary would have a much easier job in
> adopting such a standard. Until this happens, the digital signature final
> rule may have to be put on hold, as the DHHS does not want to create
> standards in this area in an ivory tower (i.e. in a vacuum).
>
> In addition, the HIPAA electronic signature standard must be adopted in
> conjunction with the Department of Commerce.
>
> Does this shed some light?
>
> Do you want EDIINT to be adopted by the Secretary as the HIPAA digital
> signature standard? Then, I think you know what to do.
>
> Please understand that I am not making any promises here. I am stating
> something that will make it easier for the NCVHS to recommend a standard
> for the Secretary to adopt. This is a self-serving request as I am one
> of the NCVHS members. The NCVHS looked at the possible standards last
> month, and as a result, I have sent invitations to the affected SDOs to
> work under HISB in coming up with something "adoptable". I think that
> if the group of experts on this list was to work on such a task with the
> ANSI SDOs, then we could have something that benefits the entire
> healthcare industry.
>
> However, if we let the scope creep to cover other topics, such as PKI or
> "trust" issues, then the wheels could slow down.
>
> I hope that having a "HIPAA Signature Implementation Guide" does not
> preclude other "implementation guides" for things like encryption,
> consent form signature, multiple signatures, counter signatures, etc.
> that are also necessary but not "mandated" by HIPAA at this time.
>
> Keep up the good work.
>
> Kepa
>
> Dick Brooks wrote:
> >
> > Wes,
> >
> > You make some excellent points, I want to focus on a few that I believe are
> > critical in moving forward.
> >
> > >a) there is interest in having a healthcare group give its imprimatur to
> > >AS2, since it "rounds out" the Internet protocols to make a complete package
> > >for HIPAA-compliant, B2B messaging based on ubiquitous Internet protocols
> > >such as HTTP, FTP and SNMP.
> >
> > Many people (not specifically in healthcare) are confused by the number of
> > "B2B standards" that exist, for example:
> > - Vendor initiated (BizTalk and SOAP)
> > - Consortia initiated (ebXML by OASIS and UN/CEFACT, XML Protocols Activity
> >   by the World Wide Web Consortium)
> > - Internet related standards bodies initiated (IETF - EDIINT ASx, IETF - BEEP)
> > - Industry specific standards bodies initiated (HL7, GISB, UIG, AIAG, etc.)
> >
> > Not to mention all the proprietary initiatives.
> >
> > They look at all these "standards" and they're afraid they'll choose the
> > "wrong standard". I believe industry organizations, like HL7, play a
> > critical role in helping people choose a B2B standard that's appropriate for
> > their needs.
> >
> > >b) there is some despair at seeing AS2 get out of IETF before quantum
> > >computers pretty much obsolete everything based on computers with
> > >deterministic states (this last was an attempt at humor)
> >
> > Actually this is an excellent point. The IETF is very particular when it
> > comes to designing/endorsing standards, as it should be. Some of the recent
> > concerns with AS1 (see Ned Freed's comments attached) raise the
> > probabilities of a longer delay for AS2, because the non-GISB portion of AS2
> > depends on AS1. I'm not aware of any issues with the GISB portion of AS2.
> >
> > >c) there is a sense that being an ANSI Standard is a requirement if one
> > >desires to get the government to mandate its use.
> >
> > The Department of Energy, via the Federal Energy Regulatory Commission,
> > mandated use of the GISB standard and I don't believe it is an ANSI
> > standard. Perhaps Rae McQuade, Executive Director of GISB (gisb1@xxxxxxx),
> > can comment on this.
> >
> > I certainly don't understand many of the idiosyncrasies of HL7 Standards
> > versus Recommendations so I'll listen and learn as this discussion evolves.
> > I have been an active participant in many of the initiatives mentioned above
> > including: ebXML, GISB, UIG, W3C XP, and of course IETF EDIINT. I look
> > forward to working with the HL7 organization on this very important decision
> > during the coming months.
> >
> > Regards,
> >
> > Dick Brooks
> > http://www.8760.com/
> >
> > -----Original Message-----
> > From: owner-ietf-ediint@xxxxxxxxxxxx
> > [mailto:owner-ietf-ediint@xxxxxxxxxxxx]On Behalf Of Rishel,Wes
> > Sent: Monday, November 20, 2000 12:07 AM
> > To: 'Gunther Schadow'; Dick Brooks
> > Cc: Rishel,Wes; Rik Drummond; Kepa Zubeldia; CLEM; Gary Crough; Beth
> > Morrow; David@Drummondgroup. Com; GISB1@xxxxxxx; ietf-ediint@xxxxxxx
> > Subject: RE: HL7 Standards Process (was RE: EDIINT and HIPAA)
> >
> > For many reasons it would be more desirable to be a Standard, but I am not
> > sure that there aren't some shades of gray, particularly if the difference
> > in the required time is important. I will wait to hear from Gunther about
> > the HIPAA issue, but I am suspecting that the following is true:
> >
> > a) there is interest in having a healthcare group give its imprimatur to
> > AS2, since it "rounds out" the Internet protocols to make a complete package
> > for HIPAA-compliant, B2B messaging based on ubiquitous Internet protocols
> > such as HTTP, FTP and SNMP.
> >
> > b) there is some despair at seeing AS2 get out of IETF before quantum
> > computers pretty much obsolete everything based on computers with
> > deterministic states (this last was an attempt at humor)
> >
> > c) there is a sense that being an ANSI Standard is a requirement if one
> > desires to get the government to mandate its use.
> >
> > I would take issue with item (c). It is surely helpful to be a standard, but
> > it is also helpful to be any sort of publication of an ANSI-accredited
> > standards development organization. Furthermore, unless someone knows
> > something specific, I would be skeptical that the current administration
> > would introduce another delay in the final rule on security by attempting to
> > add AS2 at this late date.
> >
> > Rather than a government mandate, I suspect that the benefit of an HL7
> > imprimatur, and perhaps a profile or two, would be to assist in promoting
> > the Internet and AS2 as means to exchange the HIPAA transactions without
> > reliance on value added networks. At the same time it would be very valuable
> > to HL7 to have ways to exchange standard (old syntax) HL7 messages and
> > HL7-XML messages over the Internet using the same infrastructure
> > (integration brokers and servers) as are being sold for other B2B
> > applications in healthcare, the power industry, etc.
> >
> > If this model is correct a Standard is better, but a Recommendation also
> > provides substantial benefit. One approach would be to create a
> > Recommendation first and follow it up with a Standard after some operational
> > experience has been obtained.
> >
> > > -----Original Message-----
> > > From: Gunther Schadow [mailto:gunther@xxxxxxxxxxxxxxxxxxxxxx]
> > > Sent: Saturday, November 18, 2000 8:06 PM
> > > To: dick@xxxxxxxx
> > > Cc: Rishel,Wes; Rik Drummond; Kepa Zubeldia; CLEM; Gary Crough; Beth
> > > Morrow; David@Drummondgroup. Com; GISB1@xxxxxxx; ietf-ediint@xxxxxxx
> > > Subject: Re: HL7 Standards Process (was RE: EDIINT and HIPAA)
> > >
> > >
> > > Dick Brooks wrote:
> > > >
> > > > Thanks Wes.
> > > >
> > > > Based on your description I would anticipate the EDIINT AS2 spec taking the
> > > > "Recommendation" route, IF the group decides to go forward. Do you see it
> > > > the same way?
> > >
> > > Dick, I actually do see it the other way. The EDIINT work in HL7 as we
> > > discussed it in relation to HIPAA is only useful if we end up with an ANSI
> > > approved standard. That must be a standard, not a recommendation.
> > >
> > > I'll fill in Wes on the HIPAA issue under separate cover. Glad you can
> > > make it for 1/8/2001. Thank you for your help.
> > >
> > > regards,
> > > -Gunther
> > >