HIT Standards Meeting June 2010

8/9/2019 HIT Standards Meeting June 2010

1/60

Top of Form

/w EPDwUKMTg4

/w EWAw Kqg5jn

Event ID: 1551284Event Started: 6/30/2010 8:38:07 AM ET

Please stand by for real time captions.

Good morning and welcome everybody to the 14th meeting of theHIT Standards committee .Remember this is a federal committee which means that it is open to the public. The summarywill be posted on the website. A reminder again for the committee members to please identifyyourself when speaking. Let's go around the table and introduce ourselves starting am I left withKaren Trudell.

Good morning Karen Trudell with Medicare and Medicaid.

Chris Roth.

Stenhouse -- Stan House.

Warren House

Jimmy Karas and -- Jamie Harrison.

John --

Dixie Baker

Chris chute, Mayo Clinic.

Linda society -- but this study -- Ficsceti.

Nanci Orvis.

Walter --

Sharon Kerry.

On the phone I believe we have Rick Stevens.

Good morning I'm here.

I will turn it over to Dr. Perlin. Thank you surety and good morning everyone.

They -- thank you for your continuing heard work. During the summer it looked like it would bea quiet period but as we look at the agenda it is anything but quiet. I think this is going to be oneof our richest discussions. There are are areas that are potentially going to elicit some strongerfeelings and passions. This is a meeting where we will dive into the broader expectations of


2/60

many of the services that are necessary for privacy and security as well is moving to theinteroperability of health care information. We will spend our time today considering thestandards to support those. -- Comes together when we make the same -- of evolution as we didwith computers to the Internet. Of course the need for privacy and security at Kurz wheninformation is changed from different points. That is why today's discussion is so terriblyimportant and so rich. Just working backward through the agenda, I know that within the clinicaloperations we really begin to involve. One is the means by which we convey the richness of theclinical encounter with physicians and patients. Where are all appropriate operators users canexchange information and know they have the of content and the reliability of information in away that serves the health need. As we move further toward the morning, in fact just after lunch,we will have -- privacy and security. This strikes me as parallel to one of the nuances that hasbeen very much a part of our discussion. As we have fought and contributed to the work andconsidered meaningful use, there has been this discussion as to how we actually get enoughactivity that we get toward creating request -- robust health information. There is also thecadence that allows people to keep up. Do you -- the Spirit of adoption, is it too slow or too fast?Look at the final responses on the two regulations that are out. We applaud the temporarycertification process that has brought clarification. It is sort of one of those dynamics that has to

do with speed of adoption. This group has been particularly articulate on the balance between thelack of structure and highly structured. This is particularly important because in the absence ofsignal we do not know where to go. Yet, to highly specify the signal may suppress the adoption.This security needs a firm set of underpinnings that are really the components of tools that all to-- that all players in the exchange of health information can use to exchange 21st-centuryinformation. The clinical services, the patients information on the security around that. To be lessoblique, we need to have a set of criteria that help lead us with a set is criteria that allow us tocreate the security in a health information network. [ Indiscernible - low volume ] I know thatpeople have been watching the indirect and watching -- the responses to the RFPs that have cometogether to create the components of the environment. This is very exciting, because this createsthe Internet and enables connected -- enables connected world. -- The architecture to exist withthe specification and standards to allow the electronic commerce in the interest of healthinformation. I very much look forward to that discussion. I am tremendously excited about thismeeting. I think that it is interesting work and I know that all who have come to today's meetingknow that it is difficult work and requires a great deal of salt -- thought. We need to thinkcollectively about how we can contribute ideas to help serve as an architecture so that as many aspossible can participate. That ranges not only from -- organizations, but to the patients. After, theopening comments we will come to the minutes of the minute. -- Meeting. Let me -- the go inand see group -- ONC group. Let me turn to John.

I think that this is going to be a very interesting meeting and there will be some rich discussion.One of the things that I talk about is that everything is a process. When I talk about a project,what is the process? Generally I define the policy that is the breakdown for the project --

background for the project. Then, you create a set of requirements based on what the businessusers need, you develop specifications and look at the specifications in relation to the policy andcriteria success. That make sure that you are all lines the whole way. As we talked about theindirect activity, the framework, the Tiger team, there are some gaps. All of us have exchangedmany e-mails and phone calls regarding getting the projects done. Do we have clarity on thegovernance? -- What is it? When we talk about the framework, that has a number of RFPs.Where are we with the RFPs and how does the committee articulate with the RFPs? As we goforward with questions, hot -- how are we going to have a harmonized approach with all of the


3/60

various flavors. Who decided and what -- and what is the process? Presumably we will hear fromDoug about how we will plug into that. Then, with the privacy and security Tiger team. Thereare a set of services that may be offered in a health information exchange, but we want to makesure that the services appropriately protect privacy, but do not overly protect. Do we have astrong description of our objective, do we have governance is in place for all of the projects?Hopefully at the end of today we will understand broadly how everyone will plug in and how togo forward. Knowing all of you, this will not be a quiet meeting.

Thank you John. Let me welcome Janet who has joined. Is there anyone else who is joined thatwe have not acknowledged? I trust that everyone has had a had to look through the minutes. Letme ask if there are any amendments or alterations that you see the need for? Okay, hearing none,we will do squat -- declare consensus. Let me thank the staff for putting that together. This is thefirst meeting with Jody Daniel who is a new mother and we wish her our very best. Let's turn toour first order of business. I don't know if you want to make any opening remarks introducing --?

I'm having a bite of breakfast here. Is -- going to be joining us as well.

Arien Is the great voice from above is what you are telling me.

We know that the project has been proceeding at a brisk pace over the last couple of months.Typically the way that standards development organizations work in this country is byconsensus. You get a number of people coming together and they decide on the best pathforward. That does work and they achieve results. Sometimes there are other ways that one cando development such as actual software development. You come up with the requirements, youcreate code, you try it and test it and then you move fast. Today, what we will hear is where theyare in their attempt to run fast and be agile and come up with creative ways to transmit data. Ithink the process over the last couple of months, Arien has worked extraordinary hard. Therehave been some political and governmental challenges. There have and proposals on gettingconvergence of multiple proposals. We want to hear from him as to where he is and how we can

be helpful in where governance can get a good result. Hopefully a role will be defined for thestandards committee and reviewing a convergence that comes out of that activity. Againstobjective criteria from ONC, and then our feedback can be considered by ONC. Remember theconcept of operations document is supposed to explain clearly how all of this will work. So, inthe past we have had a small number of organizations that did all of those standardsharmonization, specification, writing, test scripts. Now, it has been divided into multiple RFPs.How will all of the RFPs work together? As Mary Jo mentioned, that desire -- what is the scope.Does that include indirect governance and does that include advising of ONC?

With -- thank you very much John. I want to thank you for coming out participating in this. WhatI want to do is a couple of things today. I want to give a brief reminding -- reminder that -- andthen I'm going to give you one level down in terms of what we were thinking about of -- about interms of organization and communication. I have not viewed up a whole bunch of questionsbecause I found that this group does not need that. So, I am going to present the information on Iwill assume that we will have discussion. At the end, we will also have Arien talk about some ofthe work that is going on there. Is Arien on the phone?

I am here.


4/60

I don't have to challenge -- channel you. I want to keep is where we are thinking about principlesand how to keep this at an organization. Not so much at the down and dirty level. I want to beable to get some describe use of the principles and the things that we have missed in the thingsthat we need to include. We have include -- we've talked about this before and that is that wereally want to create an ability to manage the lifecycle of the standards. So, we need to be able totake things then at the level at which people are describing in paragraph form the problems thatthey want to solve and the stories that represent they use cases. Then, create a way that thestories going from paragraph 2 more computational ways of describing those problems so thatwe can then describe solutions and describe the data and services and policies that that areneeded -- that are needed for operability. I think we also want to be able to route remove thingsso that if someone creates a service or a case, we want to create the ability that is someone -- forthe exchange of information that we can then reuse that information for stakeholders andbusinesses. At the end, just as you do with software development you want to have requirementsfeasibility so that you can say that the requirements are met by this piece of code. We want tohave cemented feasibility. -- Symantec feasibility. That the definition of the data element isbeing carried all the way through so that when systems are developed, we know that the data inthe database or the information being exchanged can have its -- traced back to the definition.

That allows us to make sure -- it does not give us an are operability for free, but it does give us amap of by which we can simplify the process. Because, not everyone is starting with a blanksheet of paper. We are creating an environment where we can build on other peoples work.When we think about how to organize, there is a whole series of things. We have put up fiveprinciples that we think all be important or we how we structure this. The first is representativeparticipation. It is important that when we think about standards and interoperability that wehave good representation from all of the people that care about the work. Now, exactly how thatall is going to work and what the structure of that is is part of ongoing discussion. I am notpresenting a final plan, these are just the principles we are thinking about. We know that withevery step away talk about developing use cases and developing the standards and unambiguousrepresentations of the data. We talk about implementation specifications and how they will beused and tested, we know there will be a spectrum of people that need to be put into that process.It is important that it is transparent and open. So, I firmly believe that what we do has to be outthere in the public and we need to have working documents that people do not get upset aboutand freak out about. We need to share what is under review. That means things like leveragingwiki's. We can say that this is in draft form and that we do not like it. We also need to beresponsive. This is a challenging and we see this and other projects. We need to quickly developthings that solve problems, but also provide enough time for deliberative thought to get adequateuse an input. We need to make sure that we do not create an environment in which we becomeburdened by our ability to get that responsiveness. So, we need to have points in which there aredecisions that need to be made and in which there are responsibilities. At the same time, we needto have people who can get their work done so we can develop tools and resources. There needsto be accountability so different people have different responsibilities for different parts of the

process. So, as we think about putting the pieces together, there is a coordinating role in largepart. There need to be people who can be stewards who can shepherd things through the processand take accountability. We also want to be able to have milestones and matrix in which we canpredictably have processes that we can follow and improve. There is always a tension if what wedo is produce a new thing every two or three weeks, it is very disruptive to people who are tryingto develop the systems. If we wait three years, it is also disruptive because we do not actuallywork together. It is important to think about how to organize the process so we can getmeasurable planned results as we go through. So, I you guys have -- so, you guys have all seen


5/60

the framework before. Each of these boxes represent an important tax -- tax that we have withinthe framework. Just to review, we have -- development in which we engage the community andtry to get the business scenarios. Those things go from paragraph description to you and Almodels that we can -- UNL that we can manipulate. -- That is used then to development areference implementation to be tested in the real world and then to serve as a foundation forcertification and testing. Now, we have the snake down below there. We have sort of an iconicview of things. I have taken out the color talks is an act have put them under the S&I framework.It seems kind of waterfall edge that you are going to do one thing and move it over to the other. Ihave extracted out that I believe that this is going to have to be incremental. There is going to bethe need to take small pieces and to rapidly reiterate this process. If you think about thequalifications -- that will be a portion of the work that needs to happen. The activities of mappingand Molly be -- mapping and modeling in building and developing. -- The exchange packages.We are going to make sure that those things map in or extend them some way. All of those thingsneed to be assembled, documented and published. All of those tasks can be mapped into the S&Iframework. I had another slide that put this into the rational unified process in different phases,but I thought having three slides all of the same thing would be confusing. The important thing torecognize is that we do not see this as being a sequential set of tasks, although we will have to do

that, but that there will be a lot of reiteration. What is missing from the mean process is that -- istwo things.. It emphasizes data and we need to be able to describe not only the data but theservices and behaviors of the exchange. Remember what we think about -- we think about theservices of the standard and the policy. A lot of the S&I framework is going to be to helpdocuments and articulate the framework and what those services are. The other piece that ismissing from the framework is the notion of implementation testing and certification. Thatbecomes another piece and one of the reasons that we have been working very closely with --around the certification progress -- process is that the further up in the process with NIFT -- wecan write clearly enough that they can be articulated and go with the flow of certification. So, itis important how we think about the staples of the folks that need to be involved in theframework. NIFT And the certification needs to be involved. The NIFT folks need to beinvolved in the very beginning of this. As we are thinking about this and the people that need tobe involved, we realized that if we end page -- and -- if we engage in something that throws itover the transom to the next group and have the people down the strain be participating up front.I have another slide, remember I said there would be two. If you take a lake at that use casedevelopment, we have a scenario planning. That is all going to happen in some of our use casedevelopment. Harmonization is really going to be -- as we map the requirements and the dataelements that are described. There is going to be interplay with this as well. Implementationspecifications is really about assembling, documenting and validating. That is where we willgenerate the IEPDs. We have already gone through some iterations just to explore how we wouldpackage. Finally, we will have a merchant pilot testing and the need to publish these things intoour repository. So, we have to think if we want this to be something that is responsive and can bedone in the open and that people can actually see our working code and what we are working on.

It means that we are going to have to designate things as being draft or working. It also meansthat we will have to have some way to say that this is been reviewed and testing -- test it and thatthere has been a body or some group that has put their stamp of approval on it. There needs to befeedback on whether or not that this should he finalize -- be finalized or approved. We have tothink these things through. As I said, this is not meant to be a waterfall process. It is hard withoutproducing thousands of arrows to describe the coordination that needs to occur. We do needstructure coordination and one of the things that we are working on now is tried to decide whatare the artifacts that we need for coordination. At each stage there are kinds of art attack --


6/60

artifacts that needs to be produced. What are the roles? Who owns the artifacts or activities sothat they can be assigned and that there is not coordination -- that there is coordination and notduplication. One of the things that we have been thinking about is that although we haveessentially vertical responsibility, there can be a group in the contracting world. We will havegroups that will be responsible for responsible use. There will be a group for coordinating theprocess. So there would be somebody who says that this is their case. It could be an organizationor a group of people. They say that this will be processed through the -- Sheppard -- shepherdedthrough the process. The steward being able to process this through is an important part of theprocess. That is one of the ways that we can make sure that we are not getting off track ordelayed or lack of coordination. There would be certain places in the process where we say thatwe need to stop to make sure that we are on the right track. So, we are trying to articulate wherethose control points are in the process so we can have a smooth running process. I tried to makethis into a -- slide, but it was a giant graphic. I am going to step through this by workinghorizontally and then down through the slide. You will have to track through me as best you can-- track through with me as best you can. There is this notion of core artifacts that will bemanaged too kooky -- to keep the coordination. They would be used to generate use cases. Wehave implementation guides dazed on the use cases. You might then have test cases and testing

infrastructure based on those artifacts. And, each of those artifacts have to be packaged uptogether. So user stories might have a series of capabilities. It might be the exchange of them at it-- information from an organization -- verify eligibility for insurance or there is -- eligibility forinsurance. With the IEP is we need to take standards and operability's and processes anddescriptions of services and those need to be packaged into a IEPD. There also has to bereference implementation that is released and package. Those take the implementation packagesfrom the IEPDs an error built into a reference package that people kept lookout. -- Look at. Ifyou think about the nationwide health information network, one of the ways that you test is thatpeople can have -- exchange information. You set up a gateway and you say does your gatewaycommunicate with the reference implementation that we have? There is a need to save that hereis software that we have ilk and we want to make sure that -- built and we want to make sure thatyou can communicate with the. -- With it. We want to make sure that we have those kind of toolsthat people can test against. Each artifact should have a responsible person that people can testagainst. With in the S&I framework we will have a director who can manage the framework.They will eat responsible -- be responsible for the over arching process. It provides the ability tohave someone who is committed to make sure that this gets through the process. Remember thatwe talked about making sure that the S&I framework was built around driving real needs andreal issues and getting them solved. By having that person, and make sure that we are notmessing up in terms of developing things and getting off track. Maybe we are adding all sorts ofthings that are not in the spirit of what we want. We will have to have someone help usdetermine the specifications and the ability to generate the specifications. We have aspecification group that is doing some of this work and we have participation by some of themembers as well. That group has to develop artifacts. There is a reference group. It is important

to know that there is a divergence between the software and the specifications, the right way todo this is to make sure that you change the software unless there is a problem with theimplementation. If you run into a problem and you say that it does not quite work and you aregoing to tweak it. If you do not feed that back to the implementation specification, you end upcreating problems downstream for the next person. It maybe solves the same problem, but in adifferent way. Finally, we will have testing teams to manage that as well. Finally, we tried toidentify where we could have control points. One of the control point is that if we have all to pullbusiness America owes and use cases coming in, we need to prioritize. If we have resources to


7/60

work on can and we have 12 use cases, how do we determine which two need to wait. How dowe manage that? There needs to be communication so people have an idea where that is? Thereneeds to be at approval or a stamp of her reprove rule -- of approval that this needs the standards.We need to have a really structure and finally we need to release. This will take some time and itis not something that we can do in six weeks. But, I hope it is not something that will take 18months to go through the whole cycle. The thing is that as we look at the indirect project, we aretrying to accelerate that through and we are trying to do that in about 9 to 12 weeks. We aretrying to get as much as we can forward. But I think, part of it idea of open transparency is toidentify the way we are going even if we are not quite there yet. A couple of other things and thatwe will turn it over to Arien. As we think about the priorities and organizing no work -- thoughwork, there needs to be a group that can organize the high-level capabilities. That is like sayingwe have the 12 use cases and only resources for 10. Maybe we need to get more resources for theextra two or maybe we need to prioritize. There needs to be a strategic Oddi that needs toorganize these things. We need to have the ability to operational a prioritize what gets worked onas well. So, this may be some thing a little lower down, but that is how we manage a backlog ofuse cases or a backlog of specifications. The various teams that might be working. The challengethat we have is that at some point we need to have an operational organization that has principles

that will allow us to operate within those boundaries and get the work done. The other is that weneed to have broad and -- impact with committees. It would be the difference between having theboard of directors running the day to day operation. At what point do we have strategic input,operational input and day-to-day function as well. This is not by any means meant to -- the wayin which I perceive these things to work. I want to do give people a sense of what I deal with inthe sense of the standards and specifications that we currently have to manage within the officeof the national coordinator and the national health information network. So, we have prioritiescoming from meeting old use,from the HIT committee . We need to develop specifications asneeded and then potentially we won't be approvedby the HIT Standards committee. -- Hasdesignated ONC to produce standards and this committee is -- we also have work that has gone-- going on with VLER. They have needs that specifications need to change and that there arethings that need to happen to help support their operational mission that they have with in VLER.We get requests that say that they need to change a specification or that they have problems andwe need to incorporate that as well. The coordinating committee -- the NHIN coordinatingcommittee gives them a framework to sort of prioritize those things they also have a technicalcommittee that reviews the specification. Finally we have the Federal health architecture. Justbeyond -- we have FF a -- would have to coordinate in a cohesive way. So, I envision that wewill have input from one side of the equation from a variety of --. We all have a process todevelop the specifications based on the principles that we have articulated. We will try to makesomething that is not waterfall but is incremental and from that will come our certification andtesting criteria. And the policies that we need to help take this work. With that, I am going tostop. The next slide, Arien, is your first slide. We can continue or we can stop your for questions.

You use the term board of directors. Let's assume that this process has many moving parts andthat RFPs are going to be defined. Who is overseeing that this process is working and who isevaluating?

We have been working very closely with the other teams that have essentially coordinated --coordination processes. Some of the folks use of federal advisory committee to provide very highlevel input, but not necessarily detailed day-to-day operation. They are coordinating group whoare down one level in terms of their technical expertise. I have not put in the slide the specifics


8/60

about how the mean process currently works in the other organizations. In large part because Iwant to present to you more of a blank slate and get some discussions so that we can go back andfill that in. The big tension that we have is that if every change to the model has to come back totheHIT standards committee we will cripple our ability do become transparent. It is importantthat we have as broad as input as we can and that we can leverage that. So, exactly how about allwere as -- and think I -- in fact I think that -- has a high-level ways for strategic implementation.It is not really as subcommittee, but a group of concerned individuals who are part of thatprioritization process. It may be similar to the things that you would see with -- in terms ofhaving the ability to court made that.

The reason that I asked that is that supposed all of us look at -- and say overly complex, hard touse. I'm not saying that that would happen, but you want to say that there is external oversight tosay that the work product is appropriate to the purpose. You have articulated that it is open andtransparent, but to make sure that that is actually being done as we go forward with this. Thegovernance with the committee, plugs in here.

Yes.

We have many many comments. Walter.

This is Walter, great to presentation. -- Great presentation. I will start with the organizingprinciple. I am following up on John's comment. I did not see a principle of consensus indecision-making. It seems like there is a lot of pointing about representative participation, but Ithink that the critical element is consensus in decision-making. As a principle ever decide -- of adefined process. Whatever the structure is, I think that is for those of who were -- of us whoworked on the -- project that was the most critical element. A particular recommendation from aparticular workgroup -- so I point to that. Another comment that I have is that I have read that 10of the 11 RFPs, or whatever you call them, the first one represented participation in the ability toparticipate. I was gladly noticing that pretty much all of them had the intent that the entity will

have the responsibility to convene stakeholders and subject matter experts. The challenge ofcourse is going to be that before we had one entity and all of us can't participate. Now, we willhave to -- all of us could participate. Now we have a number that we are going to have to findresources and identify subject matter experts to participate. I am just pointing out the fact thatthis is going to be more challenging to have organizations be able to participate in the activities.Before, it was primarily one major activity. I understand the interest in making sure thedeliberate process is defined in the overall framework. I just want to point out the challenge thatwe will have to ensure representative participation within the structure of the framework into 10or 11 different points of participation. The last comment that I want to make is that if I learnedsomething about history, is education is paramount. I did not see necessarily any specificdescription pointing to the education component that we will need across the board to help theindustry understand all of these products that are going to come out. I know that there is apublish and implement element, but I think it is going to be very important to deliver it leaddefine -- deliberately define the element of knowledge. And, to assign the resources to it. We dohave extension centers and educational elements that assist around that, but it will be importantto develop an educational outreach as one element.

Those are very important comments. And it is making notes -- Nick is making notes. It really ismeant to have 10 different organizations supporting one process. My goal is to have it continue


9/60

to have that kind of participation that you would not have to have -- folks participating. Theeducation is an excellent suggestion, thank you.

This is Nancy. First I want to commend you for holding the framework -- building theframework. It is a very good start on standards and operability. One of the things that I agreewith is that once organizations are faced with the need to exchange information, the lightbulbgoes off that they are not in their own little world and what they develop internally is not theirown thing. That to me -- there are two aspects of development that I am concerned about. Thisdoes focus on exchange, but there will still be a need to develop content and medicine andbiology. That process, whether through semantics with the national Cancer institute or the newthings being done and medicine need to be addressed in the development cycle. Not everythingthat is going to be done is going to be a -- for exchange through the framework. There will stillneed to be some standards and the folks that need to work on that kind of information with thenew areas of ethical knowledge. I don't know if you call that the front end of development, butwe still need to have those folks engaged in that work. The second point is, I am not sure wherethe group is developing ideas. I also agree with the steward. With a use case components, thereare operational groups that collect the data and then there is an IT steward. So, that you have

somebody who really cares about what the end point is. That would be very effective. You wouldassign components for each use case. The private industry and group practices may have usecases. Long-term care may have a certain use case. That is all that I wanted to say. I think thatthere are many of us who would like to helping agent developing the framework more. I wantedto mention that.

So, I have colleagues who do what I do, but for the government in general and for state and localgovernment. They are pretty impressed. They think that you did the job in a substantial time.Their measure is how much operation you got. I think that -- has some extraordinary thingsgoing for it. It was doing Greenfield standards. Three, it came with money in the sense that theadoption of those standards -- money available to the state and local --. I don't think that we getthe same advantages. We do not have a 9/11 like event. We have a much more rolling and slow

acting phenomenon that we are dealing with. The first thing that I think is implicit in thisprogram that will be an improvement is that in performing this process, the government willassure that all of the written artifacts develop -- developed are available publicly at no charge andwill be able to be edited into cohesive document instead of pointers to documents and pointers topointers which is what we have had to be satisfied with. Is that true? I see you making a note likemaybe it will be true.

Much of the intellectual property has to be licensed. Then you get a pointer to a pointer to apointer. If you look at what they did, it is just a document. Here it is, it is everything that isneeded in one simple document. It is just right there. It would be great.

I guess we have no choice because the artifacts that it was building from were produced byorganizations that funded their work by selling those documents. So, it was not a mistake in anysense. It was the limitations of the process given. I have developed a new philosophy onconsensus. I am against it.

We all agree.

Laughter Mac -- [ Laughter ]


10/60

I think that consensus works best when it is achieved by a small group of people over a period oftime. Just looking at the interesting set of meetings that we have had over the last month, therewere people who said things about the -- to defend what they were doing. But, I honestly thinkthat most of the issues was that people do not understand the need for anything different andtherefore had a hard time drawing a conclusion. I do not think you can bring 100 people to aconsensus. I think you can bring 100 people to a decision, but it is a different thing. In theimplementation work group, we talked about what had worked in getting standards to beeffective. A lot of it, I'm going to rephrase now, a lot of it was an evolution of small groupconsensus ideas. So, there was not the dig impetus around we are going to make a decision that isgoing to affect the future of the nation and the welfare of dozens. We are going to make thedecision that we will get it out there at people will flock to it or they won't. I recognize that wework in a world where our fundamental time frames are driven by the election cycle and the spanof attention of Congress. As such, we have to attend to specific time frames in order to create thecredibility to carry a program over transition -- transitions. So, I actually do not have specificadvice to give here except let's try to do this in as small as steps as possible and let stiffer megacourt nation -- and let steep for mega coordination of the whole thing.

Thanks Wes. Just one comment. We did not talk about the big loop box at the bottom with toolsand infrastructure -- big Lou -- blue box at the bottom where we talked about tools andinfrastructure. In -- innovate and do it in a framework where it can be repurposed and sharedwith others who are doing the same. That would be a good outcome. Walter, you read all of theRF tease -- RFPs, but one thing that is in every one of them is for contractors to work to developtools. I wrote that in every single contract so that I would have flexibility to redirect to thingsthat would be up for structure building. -- Infrastructure building.

If I could just add one other comment. We, a consensus operations, what I have learned over 30years is that it is hard to build a consensus between those who are expecting to get somethingdone within a timeframe and those who have more of an interest in the technology or theconceptual. I do not want to say that you are avoiding consensus, but in managing how you get

consensus, I hope that this committee will not be isolated from those who are in the frame ofmind who are date certain and know what is needed.

Well said. So in some ways a platypus is a Duckett designed by consensus -- is a duck designedby consensus.

David McAuley. The slide that you put up with state court were -- stakeholder coordination washelpful to me because it described entities that are doing new things. That is helpful. What isunclear to me is how does what you are describing relate to ongoing existing groups? We haveno shortage of groups that are doing things in parallel that will intersect with these things goingforward. How do you intend to engage stakeholders who are already doing the same thing orvery similar things?

As you can see, I did not address that issue right up front. There are a lot of ways that that canhappen. There is a clear recognition that we need to have engagement of those groups atparticipants. If I think about and implementation specification for electronic prescribing. I mayneed expertise from various groups and maybe if we decide to do this with billing and that it --one of the challenges is that as John articulated, that piece of paper or document -- I would ratherhave a downloadable or executive the -- executable file that you can ingest. You have to be ableto engage each one of those -- in some fashion. It is a challenge that is unsolved at this point.


11/60


12/60

some way with respectto HIT standards or is there an interest in having a generally interestingcollaboration with other countries?

A large park I think that David has framed the question that the charge of the office is to meet --.That becomes buried focusing and helps to meet the practical work that we do. That having beensaid, there is a lot of existing work that is out there. To the extent that that can help us acceleratethe process, I think that they have to be incorporated and included in what we do. I think verypractically about things like the standards that have been adopted by the IFR that has alreadybeen published. There is existing work out there that represents the standards. Those are the firstthings that need to be incorporated. I also think that -- one would hope that at the end we haverepresentational constructs that are consistent with some of the things that are out there as well. Itmay not be that the implementation specification is internationalized, but part of what we aredoing within the framework is to make sure that the framework conforms to the ISO framework.That is part of the reason that we have started conversations internationally. But, to make surethat we stay focused on getting the work done that we need to do with an eye towards the otheractivities as well.

Thank you, this is Dixie Baker. This is tiny print and tiny pictures so I may be -- particularlyrecent experience has shown me and some of my colleagues what can happen when you followthis process without appropriate policy and place. -- Ben plays in place --. I don't think policyexists going into the whole process of mapping and modeling. You will find instances wherepolicy exists and other instances where it does not. I do not think it should be made up on the flybecause you end up on the end with a mismatch between what you have created and what needsto be there. I would encourage you to look at these and incorporates to make sure the policies arethere.

Thank you.

Just to give the group some concrete interpretation. Imagine that a policy committee like the

Tiger team -- Tiger Team said that it may not be incorporated when a package is trans portedfrom point a to point B. That would be a technical solution that violates the policy principle. Aslong as one can constrain by stating policy up front, that would be best.

Thanks, it was a great presentation and it looks like you have made a lot of progress thinkingthrough all of this. A few comments.. -- Comments. Running a consistent space into see which Ido -- consistent-based entity which I do, consensus means that you have defined a process whichallows all voices to be heard and considered. It is essentially a process with checks and balancesalong each step of the way. It is incredibly transparent and allows people to bring issues forwardto be resolved or trends -- or transposed word discard it. -- Or discarded. -- It is important tothink about this term of consensus and that people use it in different ways. Perhaps an thinking ofother processes. Along with the issue of the process, the one issue I had with your diagram withthis stakeholder coordination. A point of caution. It is important to clearly and crisply define theroles of the various groups. You already have 10 or 15 groups at one point or another. If there isa group that does not like a decision that they can appeal or take to another level, they will do it.It is important to be really clear where you need to have an appeal or complaint mechanism.There needs to be one there because sometimes mistakes and errors are made. Also, clearlydefine the responsibilities of the groups. If there is going to be a separate group set up to considerthe individual standards, you want to define the responsibilities of this group to have oversight ofthe integrity of the process. Maybe you have another group to do that. But, to not allow a


13/60

subsequent group to redo the were because that is how you get into really long -- the workbecause that is how you get into really long time frames. It is also -- it also undermines theauthority of a group to have their decisions second-guessed. Third, I want to go back to the pointraised by David. What do you do when there are gaps in standards that have not been put inplace? I think that it is really important that the government have both the authority and theresources of the process in place so that when you see that there is a gap that has not been filledby a private standards setting organization to your status best -- satisfaction that you can fill it.You can turn around and hand the standards to the private-sector group for ongoing maintenance,but have a process in place to fill the gap.

Jimmy.

I have just become a believer in telepathy because Janet just made the same point that I wasgoing to make. I think that consisted -- consistent -- consensus has been mystified. There needsto be a process for prompt consideration. This is how you define that open transparent process.

Casper.

Did you call me?

Yes.

This is and Castro. I want to talk about use case. I really like the idea and we use it. Similar tothe concept of a chief surgeon. The one thing that I want to stress that it is probably already inyour plans. That role is useless without accountability and authority. In order to dive into a lot ofdifferent parts of the organization on that continuum from the beginning to the end. It is almostlet matrix like physician that is difficult to be in that position. A person has to haveaccountability and authority to make the changes necessary. Groups are listening to other voicesthat have to be brought back to center. Of coarse, there is an escalation process and that should

be mediated fairly. I just wanted to put in that point to. We found that in our organization.

Thanks to the patience of the people as we are going counter clockwise.

There it -- the good news is that there is a lot of consensus about consensus. I want to correct therecord, Doug. One of the things that you said is that there are two things that are missing in theframework. The services and the behaviors. Then he went on to say that we still need to work onthe behaviors and standards. I think what you meant to say, correct me if you are wrong was thatthe services on the policies. With that, I want to reiterate --

Let me just say that policies are a really critical piece of all of this, but the harmonization of theconcept and the process needs to be formed as it is tension -- as it was mentioned by those

policies. We have had some discussions about how does that fit into the framework and tanks. --Things? So, when I speak about things that we need to work on. -- Does not have it. I do notknow quite how to package a policy.

Right, so I appreciate that. I also appreciate that when you were talking about certification -- forall the reasons that were stated. I think John gave a good example. If there is no way to create abasic set of expectations on the front end there is no way to guarantee that you are not going tobe able to -- policy on the backend. It is pretty much guaranteed. A technical decision alwaysmakes policy. They just do. That is the way it works. I would encourage, and maybe this is part


14/60

of the governance question, I would encourage a process that incorporates not every last detailpolicy, but a high level set up policy requirements -- set of policy requirements for specificationsfor how technology is working. That, those two things be brought together. Processes that movetogether through the process. As you move through a set of specifications that you encounter aproblem, the marriage of the processes. Policy can go off the rails too. I would really encouragethinking about that. The other thing that I would say is that even for this committee, while we tryto achieve consensus and make recommendation, we are not ultimately the decision makers forwhat the government does. Dr. Blumenthal and the government takes input from us and makesdecisions. I think the same expect patient has to be best expectation has to be factored into thework that you are participating in now. The last point that I will make is that one critical thing toconsider is that there is the need to think about the role of the government. The what is your rolein that process -- what is your role in that process and what role should you play? One of yourexpectations was that the government would make sure that all of the artifacts were publiclyavailable. Those are the kind of things and objectives that need to be factored into your role inthis process. I will tell you that I love Janet comment that those are good examples where thosekind of comments can over ride trying to get to unanimity or a majority. Without those, you endup with getting backed into corners that can be uncomfortable. All of those need to be strongly

factored into the process. Thank you.

Crisscross -- Chris Ross.

This is Chris Ross. I still at couple of questions around governance. A quick critique when wehave gotten down to the last common denominator? There are two things going on there. Thereis a software development process and then there is also the process of standards and policies.My question is really around governance? Internal governance I get. It seems to make sense tome that the framework can push things forward in a better way, that

In terms of who will decide who and when it use cases to take on. Who will decide when there isan important issue that should just -- best be addressed by generating working code or pilot --

pilots. Basically saying this is what the policy is for the government sector and the private sectorto take action. In some ways, we are doing a new thing. Working code becomes policy. To somedegree Thomas pilot they come -- to some degree, pilot -- pilots become standards.

How do you decide when to go and how far to go?

I think we will have to have some or presentations from Mary Jo talking about the broaderexternal governance. You may want to hold it until after Mary Jo --

I could answer it and get it off the table. If this is something that you would like to include it? Idon't have an answer for you but we are here to ask you what the questions are that we should beasking.

That is the case, I would like to either way to bring that dialogue back into this process. It looksfrom an external standpoint that it makes sense. The question is I could imagine standards wherethis apply to certain set of questions and that could be problematic. If there is a conditionmechanism around what use cases -- for several, when does the policy come first and when doesthe pilot come first. Those kind of things.


15/60

I just want to say, we live in a governed universe. You all were established a Congress toestablish and advise the national coordinator. Who ports to the secretary who reports to thepresident. And he works with Congress. We will come up with a regulation they found the inputthat we have and we will try to focus on the things that we think it again, -- that we think need tobe done, to move information for a patient's benefit. People to like it, they can complain to thecongressman and the president and they will hold me successful -- accountable and mysuccessor.

We will be making these decisions within that framework of government that supersedes whatwe do in this room and in my office. But, one thing we cannot do is fail to proceed towardinteroperability. That is just a given.

John -- I wanted to make a, -- eight comment -- a comment.

Thanks, John. This is a drug discussion. I think them -- this is a terrific discussion. I couldn'tagree more with Janet, -- Janet's comment. So that we can have a responsible and not the --response about them. -- and a responsive outcome. David, you have a mandate. High-tech is not

an option but it is a mandate. It is clear what those requirements are. Doug, you have broughtforward a standard that I of what. -- that I applaud.

You have a challenge. You have to get to a production system that delivers the policies andstandards. And a business frame. It is very reminiscent of an organization -- a serviceorganization that is building a working operation. You have to bring the things together. Youroperating system is health information system on a nationwide level. You have to translate thatShetty into a series of operational tactical operations. It is very wise to use the relationship andthe board and its governance response ability -- responsibilities.

There is the responsibility for execution. That is in principle and in fact, as the mandate that isgiven to your office. I think that metaphor is very well advised. We talked about the aspect of the

senses and the prospect -- process. There are a couple of other things that cancer. One is a threadthat I heard from a number of people. That process of translating strategy into operationalactivities and deliverables products is that predicated on policy driven criteria. That, in and ofitself, can help warm the relationship of the governance board role. To it here to beresponsibilities of your office. -- To adhere to the responsibilities of your office. I think that isconsistent with Janet liberating -- Janet's delivering -- deliberating and achieving consensus.

Not only what there is broad agreement around but also come a given a rational process, foraddressing an understanding those occasions when there is a different viewpoint. The otherthread is we are not starting with a complete clean slate. I think brings forth a degree ofmechanisms for considering past products. There is a lot of resisting work that can beincorporated. Pre-existing conditions. To differentiate. This is a predicate for discussion that

discusses the difference between the board role and their events and the relationship to policydriven criteria to help inform them on the relationship to the management to execute on thosedeliverables.

As it relates to policy and services. I think you for that. -- I thank you for that. I think that is agood segue --

Give us the update on IHIN Direxct -- Direct.


16/60

Thank you and I appreciative all the comments on this. The project that we are running on IHINDirect. Let me describe where we on -- where we are and how it fits into my process. We want totouch on the key points with the various policy and standards advisory boards, and the process. --in the process. We have been working since March to work on specifications and drafting thosethings that are motivating factors. Transitioning now into working on a reference and limitation-- reference implementation and taking that into pilot and limitation -- implementation. Andworking parallel with these processes on developing all of the key artifacts in a process.

We do have a set of checks and balances on the work that we are doing in this project itself,eating a more formalized process that Doug is putting together. Are using the IHIN Directproject -- And using the IHIN Direct project.

I have been really pleased to see the level of policy coordinations that we have had with thepolicy committee, particularly with the Tiger team, and defining the standards committee review,and defining the key policy specifications that we are looking at. We are bringing these intoconstraining the definition which relates to the point that was made earlier regarding transporting

the package of information some point A to point B.

Where is the transport level being blinded to what content is actually being transported. We aretaking that to heart and we are making sure the specifications we are working on are constrainedby this policy consideration. That Tiger team is getting this work done and we need to see this inorder to move toward pilot and limitation -- implementation. To make sure it is partly within thepolicy framework that is being worked on within the Tiger team.

In addition, there was an initial standards committee review of the specifications that we areworking on. I sure narrowly appreciated it -- I sure narrowly -- extraordinarily appreciated that.Public, as the Tiger team gets further along and policy work, to make sure we are saying andthink with a policy guidance of recognitions -- are staying in think -- in sync with the policy

guidance and recommendations.

We are working on the standards to -- and recommendations to HISS. As we move into -- wewill also come back to this body and present the findings from pilot implementation. Every youback to the standards committee for review and possible recognition. -- possiblerecommendation.

In addition, there is the possibility of including the HIHN standards. There are other standardsgovernment evaluations that we want to see. The main purpose of this slide is to say that we havea were strained that is focused on getting to pilot and limitation -- and limitation --implementation that has been advised to us.

For sample, this might include the inclusion of the IHIN. The work we're doing fits within alarger set of activities and has a set of processes checkpoint within those -- checkpoints, withinthose processes to make sure we are doing our job well. And all of the considerations have beenraised. By this organization and the policy committee. To make sure they are properly addressed.

We have talked about the consensus oriented process and the present consul that process. -- andthe pros and cons of that process. I think it is reasonably adapted to the environment in Australia.


17/60

It does look a little funny. It remains to see -- to be seen if the work we are doing is a welladapted playtpus or -- platypus or maladapted platypus.

They are ready to do into mentation -- implementation in the real world. It is not a consensusprocess that takes consensus for consensus take. -- sake. It is organized around a group of peoplewho are willing and ready to do that. Honestly, I care less about, in this process, about saying wehave consensus then -- that is an important value -- then I do about actually providing theoutcomes to providers that we are seeking to achieve in enabling recommendation forcoordinations and transitions.

One of the most important aspects or outcomes of decision making that we are trying to seek inthis process and project is decision-making that leads to action. It leads to real world actions andoutcomes that we are try to achieve. It is both a blessing and curse to be doing this work in thetime in history that we have. When I went to the work, I isn't we would have eight 8 to 10organizations that would be willing to do this in 2010. Instead, we got 60 some organizations.The good thing is they represent a wide range of stakeholders, including her bite or organization-- provider organizations, large to small.

Many government stakeholders, including state and regional organizations. And a whole set ofHIT technology providers, that serve a variety of markets. Where they range from some of thelarger organizations, what your technology organizations in the country, to extort narrowly --extraordinarily small organizations. Our kids ranging from single practices up to the largest --and smaller practices running from -- ranging from a single practice up to the largest practices.Using both a set of calls and face-to-face meetings, as well as using technology that weredesigned to make sure we are hearing from the widest range of distance.

Out of that process, we learned quite a bit. We also learned some lessons, in terms of how to runa consensus process. We have heard about this in the earlier discussion and reactions from Doug.In terms of support for the direct use cases, that we are looking to achieve, we have heard a lot of

very strong support for the service providers are where they are. Direction that we got in thiscountry, we have arranged from adoption -- the need to support providers, starting from wherethey are, and one of the lessons that we learn from meaningful use is that the providers haveadopted certified technology.

The business processes and outcomes that we are desiring to achieve are limited to providers thathave certified HIT technology. They transition from care with certified HIT technology whichmay occur with a provider who does not have certified HIT technology. The support we need toprovide should not be constrained around the need for providers with the most sophisticated HITsystem. At the same time, we need an upward migration path to help.

We learned that the work that government has done it has facilitated public or private partner

organizations, in HISB and the development work, this has been quite successful. We saw arange of technology vendors who has strong support for the HIT services. And how they desirethis to be a core part of the fabric of direct transitions and care transport, going forward.

We also learned in this was the theme of the discussion to have these standards -- it needs to bepolicy neutral. A number of people have mentioned that the core standards next the addressingmetadata with the content data, requiring the content to look into mitigated -- look into metadata,and those things he worked. -- need work.


18/60

The consensus proposal -- this didn't require unanimous approval from all the members -- itrequired listening to all of the key objections and key sources of input. It supports FMTP SIMPT-- in some ways, it is a back to the future. It relates back to the early work done in simple inop.For providers and patients across country. It gives us a framework for support -- secure transportof health information. It provides a strong information -- separation of information and metadatain a format that allows for the payload to be blinded from the exchange.

At the provider desires to operate in that capacity. This proposal endorses the does not requirethe strong use of metadata. That is Morten because we need providers where they are. Thoseassociated with the HIT technologies may be able to take advantage of the workflow that isenabled by strong content edited -- metadata. The providers that are sending the information to orfrom may not be capable of generating for processing sophisticated content metadata.

We need to meet providers where they are. And enable interoperability for those who cannot getto strong content metadata. And then scale up to that, over time. It supports be HIT SDR criticalthat is currently being used. It exchanges development and a modified SRT modification to

support a bridge to change. It needs to address the point that has been raised several times,regarding -- two issues. One is separation of addressing content from separate metadata. And thesecond is the ability to transport, even at the level of metadata you are getting, is to minimize --is minimize -- minimized.

The minimal specification that we are looking at is actually quite simple. It uses SMTP plusmime container at the edge, with the optional use of the packaging format. It will allow for -- thatis mode A. Mode B allows the sender to send and already encrypted payload. And make sure thatcontent may load -- payload is like to the organization that is doing the actual routing andtransport. It supports, and each of the connectivity point, it requires it to the connectivity pointand encrypted channel. So that no health information, and even know address information, isexposed over the open Internet.

A national specification itself is quite simple -- and the actual specification is quite simple. Tofigure where the content needs to go. To do, if necessary am a -- necessary, to a finding andencrypting step. Interpretation -- coverage of her transfer. In a way that guarantees that only thesender, and only the receiver, can participate in the change. That is to say that if I encrypt thepackage with the receivers information, I can make sure that only the receiver or authorized partyfor the receiver, are going to be able to view the content that is being transferred. In the proposal--

The proposal that we have put forth includes the trust consideration and policy considerations,following open, recognized standards. On the receiving side, it is encrypted. Even if they dovarious -- Even if a nefarious person wants to look into that information, they need to have the

key to look at that information. Optionally, you can require an encryption and verification step.At the receiving provider has delegated management of the keys for the exchange, it doessupport a mode where the receiving provider can receive the encrypted and signed consent.

And can do the encryption locally. And that provides a mentality -- a modality where, frombeginning to end, it is a point-to-point transfer. And it is blinded to the information beingtransferred. It does allow, if the provider allows, it allows for exchange to do things like standardand content translation and the like. At the receiving provider's choice.


19/60

Where we going next? We will continue to collaborate with the policy and standards committee.For the policy guidelines. I think it is a useful best practice to look at the technology constraintsand the policy constraints in parallel. Working on the privacy and security policy grammar, --policy framework, and technology -- it is instructive to both organizations. The project itself isgoing into high gear, working on Dr. mentation and testing. -- Working on documentation andtesting. Must abort like, it is working for providers in the real world for early and limitation --implementation.

HIT We are also working with to modify -- we are also working with HIT to modify thespecifications. The key usage needs have the ability to operate in the presence of middle contentMedicaid's -- packaging metadata. That is pretty much it. I don't we have time for, but wewelcome questions.

Great. If we could go back to the earlier slide that showed he worked -- that showed the work. --showed the framework. I like this light -- slide. We can review where we need input. We can beinformed by ONC as far as the objective criteria for its success and what you want to the sure

that you are achieving technically. As we get a couple of weeks ago, with the objectiveevaluation, at that time, we would like to weigh policy and objectives and give to ONC an HITstandards evaluation recommendation.

This governance that is taking into the process these checkpoints where we can ensure there is aBoard of Directors oversight. We will not meddle in your day-to-day but we want to have a senseof a Board of Directors checkpoint in the process. I very much like the fact that you have bakedthis in. Not only be HIT standards committee -- the HIT standards committee that othercommittees. It is a continuous process the goes from now until the end of your. -- of the year.

One other comment that I will open it up for discussion. What you really had was a tension that Iperceived in your process. On the one hand, you have a set of incumbents and you want to

engage them and get rapid implementation. Tissue had interested parties that were willing to goforward with technology solutions. On the other hand, and the wonderful greenfield, we wantedto approach high-tech and we had projected criteria, it could be that you would have a differentoutcome than trying to achieve consensus up incumbent -- incumbents.

I felt this very often. You would get consensus are those two joint meetings. And that -- joinedthe meetings. That seemed great that you didn't always achieve consensus for those who showedup at the meeting. I am sure you had that tension so, what am to my world. Any points on -- anycomments on checkpoints? Or tension?

Again, I go back to this is not about technology -- this is not about even about process. It isprimarily about achieving the clinical outcome and health outcomes for quality and access

outcomes. That we want to achieve for all of the people in the US. Having the right processcheckpoint and having the right by and -- buy-in, as well as from ONC, help ensure that we aregoing to -- that we may go a little bit slower upfront, because there is more process review andstandards review that we need. But it should help us go faster, where it counts.

Which is bringing the real-world benefits out to providers in the end stage. With regard to thesecond point, I actually don't see this primarily as around a incumbents versus new entrants.There are a set of decisions that we might want to make, from a pure technology perspective. If


20/60

we were sitting down and writing out specifications, in the basement. What is most important tome in this process is achieving the clinical outcomes. Achieving the outcomes for the country. Inthe set of HIT technology stakeholders that are in the process -- there is a strong desire to makethis work in the row world. -- in the real world.

That extend -- extends from the largest organizations serving the health systems in the country,all the way down to the stakeholders and organizations serving the one and two Dr. practices --two doctor practices. We are starting to see that large systems and small practices are starting tofeel themselves connected at the hip from both a business perspective, as well as from andoutcomes perspective.

Eating from a technical Thomas meaningful use perspective, you cannot meet the meaningful usecriteria, without participation from all of the providers in the community that you provide to andfrom. This is a long way of saying it the set of decisions that we make in this process we took theoutcome that we are looking for the real world, then they will be a good set of decisions,regardless of how individual people see them from a technology perspective. If they do not leadto the real-world outcome, then they were bad decisions.

Regardless of the technical merits and pros and cons. The process we try to work under and withhis really focused around achieving those business outcomes in clinical outcomes and efficiencyoutcomes in a row world -- in the real world. That is ultimately how I would like to be judged --like them to be judged. Which sets me up for failure if we do not achieve them. I do believe thatthe participation and energy that we have will get them there.

Thank you. Let us go clockwise. Carol?

This is Carolyn. I really appreciate the focus on the quality outcomes. I would just add that Ithink ultimately, whether we achieve quality outcomes or not, is less about agreement ontechnical specifications and their use and much more about whether we can in deed meet

providers where they are and whether he will trust the system. -- And whether people will trustthe system. Those are two different constructs. They really have to come together.

The question is on the next slide. I do -- the next what -- next one. I do have a specific question.You said that this notion that transporting and pay loading be separate or with the payload he --being blinded. I heard you say that you want to allow the content and payload to be blinded. Thatimplies to me that there is not an alley or choice -- that there is optionality or a choice. Is it anoption that people can exercise, pending on how they choose to have them it -- to ample meant --implement some of the policy standards?

I think some of the guidance that we have given from some of the technology perspective isconsistent to the recognition to the policy committee. That is a complex nonanswer. I knowledge

that. -- I acknowledge that. [ Laughter ]. If you received information that is payload encrypted, ifit is an exchange which receives payload that is encrypted, that it must accept it. It must deliver itwithout further modification.

Which means that if the provider chooses to send essentially the content which is blinded atexchange, the exchanger must be able to operate with that. On the receiving side, it also requiresthat if the destination has the capability of performing the PKI function of decrypting and


21/60

certification, it requires that the receiving exchange deliver that content to the provider, in theform that the provider so chooses.

How does the provider?

The other part of this is that we are limited right now with the PKI distribution to end providers.

We believed in the process that would be desirable to allow for the provider which is actuallyconsistent with the policy recommendations, the excepted recommend -- accepted recognitions --recommendations.

If the provider has the capability and the means to take on the PKI action, signing andencrypting, the exchange must essentially deliver the content sight unseen. At the providerchooses to delegate those luncheons, -- those functions, for any number of reasons like nothaving the technical means to do the work, as well as there are legitimate business interestswhere providers want to be able to, for example, get access to version translation services and thelike, at their request and that they are -- their explicit delegation, they are allowed to do that.

The exchange is required to operate light it to content. The provider is allowed to delegatefunctions to the exchange, at their explicit control. So that they can offload some of thetechnology work, as well as receive additional services in exchange.

Is the provider delicate thing -- delegating -- to the exchange or the edge system?

They could delegate to either. If they delegate to their EHR, then the exchange will be blinded tothe content. If there edge -- their edge system does not want to take on the PKI management,then they can be blinded.

Let's be clear. At the provider is blinded -- if they change the ever structure of the exchange andthat exposes the content, then they don't really have a choice on the edge -- in other words --

They absolutely do. If they had the means and capability of doing the work locally and managingyour certificate -- there -- their certificates locally, we may see more providers who have thetechnology and the operational means to do that. They can take on this auction themselves --they can take on those functions themselves.

So, it has been said, and meetings -- in meetings, the option is listening -- is not listening but justwaiting to speak. In some ways, I am guilty of that. I am responding to something Dixie that inthe last round -- said and the last range -- last round. I hope I am phrasing this and the way shemeant it. We are working to get the policy work done first before developing the specifications. Iwant to rephrase that it away that I don't know that Dixie would agree with but I want to make apoint.

She is actually asking Doug to create a waterfall situation to join policy and the requirementdefinitions and specifications. I just don't think that works. I think that a situation such as IHINDirect require -- requires revising the agenda of a policy group, in order to deal with a businessopportunity. So, there is a circularity that needs to be recognized.

Just to show that I was listening, I wanted to ask Aryan a question about a hypotheticalrelationship about it being HISB in a small practice. Tommy if it is covered. If you can put thediagram a -- up, as you go forward in this proposal -- that one. Right. Is it permissible, under this


22/60

approach, for an HISP to say to a Dr. -- doctor, "all you need is a web browser. You can't log inand connect over TLS as you do with Amazon.com and your favorite gaming site. And you cansee a list of messages coming to you and you can upload attachments that might be structuredinto -- data." Or is that rolled out -- rolled -- ruled out?

Yes, it is absolutely permissible to define the roles of essentially be EHR in the exchange -- theEHR exchange and content. You may well on to combine that function with the exchangeauction. I think -- exchange function. I think there are a number of organizations that willcombine these roles. The other point is that you can, if you do that, then you are, essentially, youare combining both technologies under the control of the provider. You may also want toseparate them out. This diagram shows them fully separated but you could have a mode whereessentially, the source and destination and the transport options are combined. There are reallyonly two actors in that role, for that model.

So, to sum up --

The short answer was to answer that as, "yes."

To summarize, every HISP must communicate with every HISP by TLS, at least.

At least.

Their communicate where it -- there can be no case where they cannot talk to each other.

Yes, any conformative can talk to another conformative.

There are option now these -- option nowadays -- optionalities for how they can package this tothe end user. It is correct?

Yes.

In a response -- I think I'm a in general, the waterfall model doesn't work -- I think, in general,the waterfall model doesn't work. In this particular case, we have four implementationsaddressed before policy was created. Forcing people to be reactive and assess some policyassumptions that were born -- built into the four and limitations -- implementations. And thatshouldn't happen. Some policy -- if all of the exist to begin with -- if some policy exists, to beginwith, along with the analysis requirements -- that is my answer to Wes.

Jumping onto Carol's comment, I have to concerns -- two concerns about the exposure. One is ofconfidentiality. The other is about manipulation of information. Which is more of a data integrityconcern than a privacy concern. On the one chart Tom a Aryan, -- on the one chart, Aryan, you

indoors the exchange of metadata -- you indoors -- you endorse the exchange of metadata.

If I want that to be an option -- it is not clear to me whether that is an option.

It absolutely is an option. In fact, there is no requirement for any manipulation of the content,beyond what is required for signing and encryption. Now, some of you could add on the servicesam a as you say, primarily around the needs of a more sophisticated organization that may wantto receive content metadata in a consistent format. But, we are not constraining or requiring theedge systems to do that work, in order to accommodate the needs of the larger organizations. We


23/60

are trying to strain -- to constrain around the needs of the least sophisticated providers, becausewe need all providers to be engaged in the coordinations of care.

While recognizing that more more providers will actually have access to more sophisticated HIT.We should be forward looking but recognizing that we are living are we are right now.

I agree with that.

David Blumenthal?

The point has been made repeatedly, and believe me, we have heard it, that policy needs toproceed technology. The other point is that there -- it is not always a sequential process. It is aninner of -- interactive feedback process. I want to make a point of defending our policycommittee which is not represented here. We did you policy -- we did do policy. It is in a norm isa step forward in policy related technology.

It continues to evolve. There are areas in that framework that are less developed than others. Andthe privacy security framework is one of them. That is an area of sensitivity and complexity. I

suspect it will take a long consensus process, before we actually have that ironed out. That is justa matter of fact. Not necessarily intent.

I do know we have the right to set this policy but I do know that this is something that has to bedone with a broad, complete, full involvement of the public. So we can prop -- so we can solvesome problems around this table or internally. A we cannot solve them all -- but, we cannot save-- solve them all. In the meantime, you all, members of this group and others, have been workingreally hard with us to define these areas.

In fact, we have been, as Aryan set -- said, in dialogue with the HIHN Direct group which hasmoved us along. We are aware of this issue. There is just extraordinarily sensitivity is --

sensitivities around policy that make it hard to drive it for conclusion before it is ready to bedriven to conclusion.

Thanks, David. I am really encouraged as to what has come out of HIHN Direct. I think -- IHINDirect. I think that it will he very profitable. I am hoping this isn't the only chance we will haveto look at IHIN Direct. I think it needs further kind of conversation that we were just talkingabout. Assuming it may be a limited time to comment on it, to comment -- two comments. One isin reading through the consensus proposal, one of the things that concerns me if I don't think itwas sufficiently clear on who bears the burden of the second he -- of this activity.

When we have the connection through exchange and direct, it wasn't clear who should bear thatresponse ability -- responsibility. Which side of the fence who should bear complete response

ability -- responsibility. To get the message across the network, from a practical and technical. --Technical aspect. The second is that the first bullet point says it is the minimal backbone article.As I read it, I read it as it should be the only backbone particle. -- Protocol. If I'm reading thisback correctly.

I am wondering about the word "minimal." And this is into a governance question. One of myconcerns is that the original users for the IHIN Direct art going to be -- aren't going to be theonly thing we want to do with IHIN Direct. There will be a requirement that will not besupported by SMTP.


24/60

Perhaps one of the orphans that did not get the nourishment it should have was the architecturethat with -- that would easily support that.

Are those comments -- they are intended to be helpful for proposing moving this forward, in away to be constructive, to not criticize the work. To advance the work. We need to be crystal

clear about who manages this. And be clear about what transport protocols are allowed, eithertoday or going forward. If we do not have a means to support this community a should, -- thiscommunity should -- this communication, we will have problems.

Let me first address what Dixie said. I agree that the more sophisticated side bears responsibilityof managing their need for additional content metadata. I am endorsing the position you arestating. Maybe it is not as clear as it could be. I do believe that the consensus proposal andknowledge is that sort of -- acknowledges that sort of thing.

As to the second thing, it is a minimal but required background. The proposal does for see thatthe organization may want to have additional means for getting additional policy guidelines frompoint to point. It endorses the evolution and innovation, while requiring a certain minimalstandards -- standard.

Aryan -- I know this may not be the right venue for it, but I explore further expiration -- but Iencourage further expiration -- exploration about how you do this. If we add "rest" as anadditional protocol, that will increase the questions which are solvable. We just need a processby which to do this. Rather than saying that in the future you will get to it. I know this is notwhat you're saying but it could be interpreted that this is the answer. I would like to understandhow the governance process of support that.

It down like a good topic for future discussion -- it sounds like a good topic for future discussion.

We have is your comments. -- We have a few more comments.

This is David. One comment is regarding the policy technology process. As a participant in IHINDirect, I was pleased to see that from the very beginning there was a constant awareness of thetechnology in that discussion of the policy issues. And an attempt to clearly delineate what thoseissues were. We were moving fast enough that we could necessarily stop and make a phone calland asked what the policy question -- answer was to the question. We did go to a lot of effort tohave those claiming identified. -- those cleanly identified.

Many of the participants in IHIN Direct are around the table today. A have wrestled -- they havewrestled with these issues for years. I think it has worked out well. The proof will be in thepudding. The second is to carol's -- Carol's question. It is highly analogous to the Mel questions

-- do that e-mail -- to the email questions. It is very well understood. It gives us a lot ofcompetence that we know what the issues are. That is one of the strong arguments for followingthat e-mail like model. I have a laptop computer in front of me. I am running a web browser,talking to one e-mail server -- I have a local client talking to Mike were pretty Mel client --talking to my corporate e-mail client.

I think that is a good analogy. IHIN Direct Would allow -- would allow this type of model. Soyou couldn't make the mistake of sending unencrypted or unprotected PHI. That is a strengthhave modeled that after.


25/60

Thanks am a this -- thanks, this is Walter. A couple of questions or comments on the process.The first one is that when I read the consensus proposal, I wasn't clear -- it wasn't clear to mehow it related to the standards that were adopted under the framework final rule for EHRs. Itgave me the mission that for -- it gave me the impression EHRs for -- for EHRs that thestandards for encryption that it would open the floodgates for HISPs somehow.

I may have read it wrongly or not understood correctly. I just want to get your reaction abouthow this consensus proposal, with respect to the adoption of FMTP and SMIM and SDR relate tothe standards that were adopted in the IFR. That is the first question.

I believe the intent and final product is consistent with the IFR, in terms of requiring all data togo over encrypted channels. And also requiring the technical requirements for hashing is listed inthe IFR. There is no Modell he -- modality that is perceived by which data can be transportedthat is in the clear. And it is consistent with me -- the IFR requirements for encryption.

I would recommend adding a statement with regard -- in the document am a so it makes aconnection back to the standards that were adopted in the IFR. Just to clarify. I don't know ifothers have had --

Great point.

The other question I have -- the proposal mentions that this SMTP is a stepping stone on theIHIN Direct exchange. How does it differ from the consensus proposal?

That is a little complex a question. Because IHIN Direct has no right to speak for the Exchange.For the final governance mechanism. We need to respect that governance process andmechanism. What we are recommending is that two things happen. One is that there is a changeto the technology specifications that IHIN Exchange uses two separate the exchange address

from the data. Right now they are mingled. The second thing is that we recommend their be anexplicit way of caring all of the content we are talking about over that native transaction forIHIN Exchange and participant use the transaction as their backup. -- backbone.

Again, we don't have the right in this project to dictate to say how the exchange should function.We would expect that we will make some proposals and go through the normal governanceprocesses for exchange, for accepting or rejecting the proposal.

Okay. Then my last comment is on the process part. I saw the consensus proposal, I think it cameup on Monday. The request for comment was do today. -- due today. It is a little bit of a shorttimeframe. With organizations lack hours -- like our's who are trying to come up with a quickresponse and feedback. Is that correct that today is the deadline for comments? And the

consensus agreement?

It is correct that the deadline is today. We have noted that organizations need additional time canrequest that. I would also say that this is a combination -- a culmination of a lot of work that isgone on for several months. The final words got into the final shape quite recently. The conceptthat we have been talking about -- concepts that we have been talking about has been going onfor quite a while. If you need more time, so free to let us know. As long as it is reasonable, wewill extend the timeframe were reviewed -- for review.


26/60

Okay, we do me more time. -- Need -- need more time.

David Louisville -- David the mental -- David Blumenthal?

I want to thank you for your time. It is absolutely our intent that there be a path of evolution fromthe direct -- Direct to Exchange. And that the processes that are built into Direct the compatible

-- be compatible with Exchange. Having said that, I cannot tell you how that will happen. If youwant policy, that is policy. That is what we want. Because, we are intent on supporting ourfederal orders -- partners and the other states and private organizations that

Documents

HIT Standards Meeting June 2010