Provider Directories Deliberations

NwHIN Power Team

May 29, 2014

2

Provider Directory Deliberation Points

• Limit certification requirement to focus on Direct messages to enable the exchange of patient information

• What to Certify– At a minimum, EHR technology would need to be able to query external provider directories

for the following information and electronically process the response returned in accordance with the Modular Specification Provider Directories Implementation Guide:

• Query for an individual provider’s Direct address;• Query for an organizational provider’s Direct address;• Query for relationships between individual providers and organizational providers

• Authentication required for certification– Authentication of the directory service – Basic TLS handshake does this– Does query of a directory service include any data elements that would necessitate

authentication of the client (queryer) as well? • Nothing sensitive in the data model beyond name and routing information ( address, email, fax, where

to send patient record information)

• Standards to recommend– TLS – basic server-only authentication or mutual authentication?– HPD+

3

Mod Spec of HPD+(ISO 21091, IHE HPD Base + CP 601)

• Endpoint addresses– include individual and organizational addresses– memberships between individuals and organizations– electronic service addresses, certificates associated with electronic services

• Query– Based onDSML v2– Supports “AND”, “OR”, “NOT”; “String” and “RegEX” match type

• Transport and Application Protocols– SOAP 1.2 over HTTP based on the Web Services for IHE Transactions Appendix V in ITI-TF

Vol2.– Synchronous Web Services– DSMLv2 with SOAP bindings over HTTP – Does not support REST at this time (on the current roadmap)

• Security– Mutual TLS to protect message– No additional security controls specified for query

• Limitations– No Discovery– No Incremental fetch

Blank

HITSC Tasking

HITSC Tasking

Original Order

Task Brief Description

2 Provider Directories • Search for provider• Respond to search

1 Query for a Patient Record • Search for patient information• Respond to searches for patient

information

3 Provider Data Migration and Patient Portability

• To enable patients who switch providers to have their care continue seamlessly (no repeat tests, missing key clinical information etc.).

• To enable providers switching EHR systems to continue providing seamless care to patients (coded data in old system is consumable by the new system so clinical decision support still works)

5

Functionality Recommended by HITPC IE WG

Functionality Recommended byHITPC IE WG

Search for provider: EHR systems have the ability to query external provider directories to discover and consume addressing and security credential information to support directed and query exchange Respond to search: EHR systems have the ability to expose a provider directory containing EPs and EH addressing and security credential information

6

HITPC IE WG Recommendations Guidelines

1. Scope: Standards must address PD transactions (query and response) as well as minimum acceptable PD content to enable directed and query exchange

2. Continuity: Build on Stage 1 and 2 approaches and infrastructure for directed exchange where possible and allow use of organized HIE or cross-entity PD infrastructures where applicable and available (ie, remain agnostic to architecture and implementation approaches)

3. Simplification: Set goal of having PD query and response happen in a single (or minimal) set of transactions 4. External EHR system: An EHR system of another distinct legal entity, regardless of vendor 5. Transactions:

a. Querying systems must have ability to: i. Present authenticating credentials of requesting entityii. Validate authenticating credentials of provider directory holding entityiii. Present provider-identifying informationiv. Securely transmit query message

b. Provider directory must have ability to:i. Validate authenticating credentials of requesting entityii. Present authenticating credentials to requesting entityiii. Match provideriv. Respond with unambiguous information necessary for message addressing and encryption or

acknowledgement of non-fulfillment of request c. Provider directories must have administrative capabilities to:

I. Submit updated provider directory information (additions, changes, deletions) to external provider directories

II. Receive and process provider directory updates from external provider directories 6. Transaction details:

a. Provider directories should contain minimum amount of information necessary on EPs and EHs to address and encrypt directed exchange and/or query for a patient record messages

HITPC IE WG RecommendationsGuidelines

7

8

Previous HITSC Recommendations Re Standards for Provider Directories

Previous HITSC Recommendations Re Standards for Provider Directories

May 12, 2011: Privacy & Security WG Recommendation for S&I Framework PD Activity

Requirement Standard Implementation Specification

Certification Criteria

Schema DSML IHE HPD subset Capability to securely send to an ELPD service a DSML

query for entities, and entities’ exchange services, and to

receive a response, as specified in the IHE HPD

profile.

Capability to enable a user or software to list and select from

ELPD responses.

Capability to retrieve the digital certificate for a selected entity.

Vocabulary LDAP + ISO IHE HPD subset

Transport REST or SOAP1 IHE HPD

Query Language LDAP IHE HPD + HPD Federation

Profile2

1 The Standards and Interoperability Framework team should select either REST or SOAP, as most appropriate within the context of the NwHIN standards currently being defined. 2 To support LDAP federation, a profile specifying a standardized way to federate LDAP directories is needed.

9

10

P&S WG Response to Provider Directory Tasking

June 22, 2011: Privacy & Security WG Response to Provider Directory Tasking

• Organizations create public web pages containing directory information they wish to expose for search

• Provider directory information is structured and encoded into the web page, using standard schema and vocabulary– Improves search engine indexing– Enables extraction of information into local systems (EHR, Exchange

gateway, Direct HISP, etc.)• Organizations can obtain Extended Validation certificates to provide

assurance of the authenticity of its web pages• Standard search engines provide a flexible and free Query Service• DNS is used to retrieve digital certificates for the published service

address names which have been embedded in the web pages

DNS + Structured & Encoded Web Content: Concept

11

June 22, 2011: Privacy & Security WG Response to Provider Directory Tasking (cont.)

• Benefits– Simple, widely available, and highly scalable web technology

• Three leading search engines (Google, Bing, Yahoo!) have launched Schema.org metadata project to provide tools for building common vocabulary for structuring web page data

– Organization maintains control over what information is exposed• Can start simple and build over time

– Allows discovery of services and certificates using familiar names, without requiring advance knowledge of formal identifier (e.g., OID used in NwHIN Exchange, Direct Address)

• Recommend that S&I Framework team consider this approach for meeting need for nationwide access to directory information without requiring “national provider directory”

DNS + Structured + Encoded Web Content: Recommendation

12

January, 2013: Response to Stage 3 RFC (PSWG + NwHIN PT)

Improving quality, safety, and reducing health disparities

IEWG102

New Certification criteria: The EHR must be able to query a Provider Directory external to the EHR to obtain entity-level addressing information (e.g. push or pull addresses).

Are there sufficiently mature standards in place to support this criteria? What implementation of these standards are in place and what has the experience been?

Primary- Privacy and Security WGSecondary- NwHIN PT

COMMENTS: Directories typically are integrated into other services, such as secure communications and enterprise security services, and not an independent capability. Indeed, the two existing EHR standards for secure communications (Direct and Exchange) each has its own integrated directory technology – each of which is supported by a very mature directory standard (DNS and UDDI respectively). Also, services sometimes change their directory solutions (for example, Exchange is considering changing from UDDI), and users of these services usually are unaware of what directory service is being used. We think it would be inappropriate to externalize directory services by creating a separate certification criterion. We therefore recommend that the proposed certification criterion be omitted from the final regulation.