I encourage everyone to take a look at the website for the HIPAA Conformance Certification Organization (HCCO) at www.hcco.us. You will see that this new organization has undertaken the monumental task that you describe, Rachel - defining the criteria by which conformance with HIPAA may be measured and certified. It is HCCO's mission to establish such criteria for TCS, Privacy and Security.
Currently the HCCO membership includes a fair cross-section of the industry but additional participation is vital if we are to meet our goals. Please consider joining this very worthwhile effort. Contact and membership information is available on the website. Cheri Huber County Privacy Officer County of Napa 1195 Third Street, Room 301 Napa, CA 94559 707-253-4523 -----Original Message----- From: Rachel Foerster [mailto:[EMAIL PROTECTED]] Sent: Tuesday, November 26, 2002 8:04 AM To: WEDI SNIP Testing Subworkgroup List Subject: HIPAA Certification & Conformance Rules These are precisely the issues that need to be debated, argued, and agreement reached here on what constitutes "certification." Thus, I believe that this group can provide immense value to the industry by not only defining "certification" but then providing the criteria on which "certification" will be based. This certification criteria then becomes the "conformance" rules that are openly developed by the industry for the industry and then which any vendor can provide services. Right now it's the wild wild west with each vendor offering "certification" but with no set of rules that the industry can use to evaluate the claims. I applaud Kepa for disclosing in such detail what Claredi's rules are. How about other vendors also disclosing the rules they use - beyond just saying "compliance against the IG" so that we can then normalize these rules, document them and make them available to the industry. So, for starters, let's change the subject line. How's this for a starting vision: (which, quite frankly, I adapted from the ASC X12 Compliance with X12 report) "Compliance with the HIPAA electronic transaction technical specifications as set forth in the implementation guides will constitute the basis for deciding conformance with the HIPAA standards for three functional levels of semantics, syntax & interchange in terms of a business perspective and a standards perspective." I know some might say that we already know this, and while this may be true to a point, we must now develop conformance metrics against which any consumer can measure the product, solution, or services under consideration. >From a Standards Perspective Compliance with X12 means conformance with the rules, i.e., . . . to be in agreement with the rules X12 provides the rules. The Current term: conformance/conformity: To meet the requirements of a standard or specification Conformance testing is intended to verify compliance Why Conformance is important: 80% of problems in an open system occur due to non-compliant products and resulting interoperability issues Interoperability includes conformance . . . and more: Conformity to the standard Software vendors collaborating by agreeing to work together HIPAA critical success factors: Conformity to: Base X12 standards HIPAA Implementation Guide specifications Trading partner-specific specifications to achieve successful internal application requirements Our Challenges: Standards are not enough to ensure interoperability. Standards are only meaningful if implemented in a consistent way. There is a need to ensure that implementations adhere to the standard: What is expected of implementations in order to claim conformance - i.e., what are the requirements? How will we know if an implementation conforms? test suites, test tools - Different ideas of what conformance is . . . Past experience may have affected view of conformance Now, if you've stayed with me this far, I propose that rather than arguing about testing versus certification, that this group initiate an effort with the goal of developing a Conformance with HIPAA Electronic Transactions Implementation Guides document. The ASC X12 Compliance document (which by the way, was developed in the early 1990's) could be a very useful template. Rachel Foerster --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-testing as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-testing as: [email protected] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
