from Elise Dieterich: A Conceptual Framework for DirectTrust.org


Greg Chittim

Oct 21, 2011, 3:02:41 PM
to Direct Rules of the Road workgroup
All -

Via Elise Dieterich, our presenter, some content for today's meeting.

Best,
Greg


Presentation to Direct Project, Rules of the Road Workgroup
Re: A Conceptual Framework for DirectTrust.org

Statutory Background
The American Recovery and Reinvestment Act of 2009 included the Health
Information Technology for Economic and Clinical Health (HITECH) Act,
which directed the Office of the National Coordinator for Health IT
(ONCHIT) within the Department of Health and Human Services to develop
a nationwide health information technology infrastructure that allows
for the electronic use and exchange of information, now known as the
Nationwide Health Information Network (NwHIN). The HITECH Act set as
a goal the utilization of an electronic health record for each person
in the United States by 2014. To that end, the ONCHIT in March 2010
launched the Direct Project.

The Direct Project – Facilitating Health Information Exchange
The Direct Project was created “to specify a simple, secure, scalable,
standards-based way for participants to send authenticated, encrypted
health information directly to known, trusted recipients over the
Internet.” Three communities of interest within Direct have been
identified: the Direct Federal Community; the Direct Ecosystem
Community; and, the Direct Citizen Community.

Governance of Health Information Exchange
The HITECH Act mandates that the ONCHIT establish a governance
mechanism for the NwHIN. The Federal Health IT Strategic Plan update
for 2011-2015 was released in September 2011, and has as one of its
five goals to “inspire confidence and trust in health IT,” focusing
“government efforts to update its approach to privacy and security
issues related to health IT and to build greater confidence and trust
in EHRs and health information exchange among providers and the
public.” Thus, governance rules for the NwHIN that the ONCHIT
reportedly will be proposing shortly should be expected to address
privacy, security, and public confidence in Direct and other
modalities for health information exchange.

Direct Rules of the Road Workgroup
Direct exchange of health information is facilitated by Health
Information Service Providers (HISPs) and Direct Health Identity
Providers (HIDPs, comprised of Certificate Authorities (CAs) and
Registration Authorities (RAs)). As Direct has begun to be
implemented, participants have become aware that clearly articulated
and universally enforced rules and best practices are needed to ensure
that HISPs will be able to assess the trustworthiness of other HISPs
and HIDPs. For this reason, a Direct Rules of the Road (RotR)
workgroup was established in April 2011. The RotR workgroup states in
its organizing document that it is expected that “industry
stakeholders will voluntarily agree to and attest that they are
following [the] rules and best practices [developed by the workgroup]
as a means of establishing trust communities, and that they may at
some time in the future wish to establish a governance entity to
maintain these rules and to perform certain roles and functions
required for growth and stability.”

The Role of DirectTrust.org
DirectTrust.org is envisioned as a non-profit, competitively neutral,
self-regulatory entity created by and for Direct community
stakeholders to develop, promote and, as necessary, enforce the rules
and best practices necessary to maintain trust within the Direct
community and foster public confidence in the Direct exchange of
health information.
DirectTrust.org will carry out its mission consistent with the
governance rules for the NwHIN promulgated by HHS and the mandates of
the HITECH Act.

There is considerable precedent for federal agency endorsement of self-
regulatory bodies created by market participants to govern marketplace
activities, particularly where it has been recognized by law that a
governance structure for the protection of consumers is required.
Examples of non-profit, private regulatory entities that have been
imbued with a prominent role by the relevant federal regulators
include ICANN and FINRA. In the privacy and data security arena, both
the Department of Commerce and the Federal Trade Commission have
recognized the potential role of self-regulatory bodies under federal
oversight. For example, the Department of Commerce Internet Policy
Task Force, in its December 2010 “Green Paper” on Commercial Data
Privacy and Innovation in the Internet Economy: A Dynamic Policy
Framework, encouraged the implementation of voluntary, enforceable
codes of conduct to address emerging technologies, and proposed that
the Administration encourage the development of such voluntary codes
through public statements of support, agency enforcement of the
baseline rules underlying such codes, and implementation of “safe
harbor” protections to incentivize companies that adhere to such
voluntary codes. The Federal Trade Commission in its 2010 staff
report, “Protecting Consumer Privacy in an Era Of Rapid Change,” also
promoted self-regulatory efforts to protect consumer privacy, giving
as an example the U.S. – E.U. Safe Harbor Framework, a self-regulatory
program whereby U.S. companies that agree to abide by certain privacy
principles are allowed to transfer personal data from the E.U. to the
U.S. in accordance with E.U. law.

A Conceptual Framework for the Creation of DirectTrust.org
• Kutak Rock, LLP to assist in the formation of a 501 (c) tax exempt
non-profit corporation, DirectTrust.org, which will acquire the
DirectTrust.org domain name
• Bylaws will establish a Board comprised of a representative cross-
section of Direct community stakeholders, the composition of which
shall be consistent with the HITECH Act’s requirements for the HIT
Policy and HIT Standards Committees
• The stated mission of DirectTrust.org shall be to develop, promote
and, as necessary, enforce the rules and best practices necessary to
maintain trust within the Direct community and foster public
confidence in the Direct exchange of health information
• DirectTrust.org shall have an institutional mandate to operate in an
open, transparent, and competitively neutral manner, consistent with
all applicable laws and regulations governing the NwHIN, including the
HITECH Act and HIPAA
• DirectTrust.org will need procedures to develop, disseminate and
over time update rules and best practices for participation in Direct
health information exchanges – these procedures can mirror the
consensus-building processes successfully used by the RotR Workgroup
and the HIT Policy and Standards Committees
• To be effective, DirectTrust.org also will need procedures to
monitor and enforce compliance with its rules and best practices,
which will require buy-in by the Direct community
• Ideally, voluntary compliance with DirectTrust.org’s rules and best
practices will be backstopped by federal enforcement pursuant to the
governance rules for the NwHIN promulgated by HHS, and HHS will
recognize voluntary compliance with DirectTrust.org’s rules and best
practices as indicative of compliance with formal HHS rules, whether
through granting of a “safe harbor” or enforcement forbearance

Key Prerequisites for the Success of DirectTrust.org
• Identification of an ample, stable, and neutral funding mechanism
• Stakeholder buy-in


Dieterich, L. Elise

Oct 21, 2011, 4:31:08 PM
to hisp-rules-...@googlegroups.com
Thanks, all, for your time and attention today. If folks have questions/comments/suggestions, please feel free to e-mail me directly. I look forward to further dialogue.

Best, - Elise

L. Elise Dieterich, Esq.

Kutak Rock LLP
1101 Connecticut Avenue, 10th Floor
Washington, DC 20036-4374
(202) 828-2400

Elise.D...@KutakRock.com



