Miriam, I agree with you that argumentative discussions are not healthy but educated analysis and debate certainly is beneficial to the covered entity community. I think it just requires the correct definitions to be explained as I think a lot of the confusion stems from various individual backgrounds and experience in the QA, testing and certification worlds.
>From one perspective, we have the term certification which is loosely defined as meaning a review by any third party using any methodology, tool or process to determine compliance to the IG's. The other perspective is conformance certification which is a well defined, mature process that has been used for many years as a methodology to prove conformance with any specification. Conformance certification has clear requirements, clear methods of delivery and above all else is vendor neutral, tool independent and sponsored by an overseeing organization. These processes are required for ANSI, NIST, ISO, UL, UCC and NIST accreditation and the reason for that is that they have been proven to work and these organizations will not allow their trademarks to be used by any ad hoc company or process that doesn't have a firm grasp of software testing procedures. Conformance certification can be easily explained by the following scenario. We have five translator companies who want to be tested for conformance. The process does not start by saying Translator A is correct and the other four must agree. Instead the process develops a suite of conformance tests that is designed as a baseline to flush out the errors in all five translators. The best example I can think of is the vendor consortium that was discussed on previous threads in relation to testing all the EDI validation tools on the market. This type of test could only be performed in a vendor neutral environment and using conformance test suites to designed to flush out all the errors and clearly label the ambiguities. Also, the conformance test effort must incorporate defect tracking, change controls and configuration management in order to be successful otherwise the environments would be corrupted and the test effort would be for naught. That is just one aspect of what we are planning to do, it benefits the various vendors and the ultimate benefit is to the covered entities who receive a much better product from which to implement their HIPAA solutions. So I think for discussion purposes we have two terms, certification and conformance certification and based on which one is used in a discussion will denote its context. That should eliminate any further semantic discussions over the word usage and allow for more constructive discussions and initiatives to be undertaken. Mark A Lott President/CEO HIPAA Testing, Inc. www.hipaatesting.com Executive Co-Chair HCCO - Transactions Group HIPAA Conformance Certification Organization www.hcco.us Office: 480-946-7200 Cell: 480-580-4415 Fax: 877-825-8309 CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message -----Original Message----- From: Miriam Paramore [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 05, 2002 7:30 AM To: WEDI SNIP Testing Subworkgroup List Subject: RE: Testing, VALIDATION, and Conformance CERTIFICATION I love debate. What I find fascinating is that one group with a business plan would bash any other group with a business plan over the use of one word. Especially when the second group created their business plan around the use that word. Everybody has a business plan -- even not-for-profits. It is also a testament to the power of WEDI SNIP that one small work product could stir up such a hornet's nest. Which again, is great. Because at least people are trying to figure it out. I don't think we need competition between industry support groups / trade groups. We already have competition in the for-profit side. What we need are focused, streamlined groups -- that already work, that people have paid years and dollars to establish and make work -- to take on new issues as they come up and resolve them. MHO Best Regards, Miriam J. Paramore President & CEO PCI: e-commerce for healthcare 9001 Shelbyville Road iTRC Building Louisville, KY 40222 502-429-8555 www.hipaasurvival.com =========================================== This email contains confidential information intended only for the named addressee(s). Any use, distribution, copying or disclosure by any other person is strictly prohibited. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 05, 2002 8:18 AM To: WEDI SNIP Testing Subworkgroup List Subject: Testing, VALIDATION, and Conformance CERTIFICATION I'll try to articulate and summarize the many views expressed on this topic till now since I first wrote on this topic after I got back from the WEDI/SNIP HIPAA summit in Phoenix. First some listserver issues: 1. Thanks to everybody who participated in the on-going debate (with different but similar words in the Subject) for proving that we can all buy alcohol and tobacco and firearms on our own ;) and don't need adult-supervision of the co-chairs who are people like us ! ;) This list serv has a higher purpose than to post conference calls agenda before and minutes after ;). 2. What's up with that REPLY BUTTON ;) 3. Why do I get two copies of all the emails sent to the testing and other listservs? Now to the topic at hand... First and foremost: Thanks to all those who participated in this debate very professionally. Most important: CERTIFICATION IS NOT REQUIRED under HIPAA by law for Transactions, Code-Sets and Privacy, is required only for security. Like Privacy and Security are about 'Use and Disclosure", when it comes to Transactions testing, one VALIDATES TRANSACTIONS/TESTS and CERTIFIES a PROCESS/PRACTICE. Testing for HIPAA compliance does NOT have to involve validating business logic. The analogy I can think of is, HIPAA compliance testing is like trying to catch compile time errors and trying to catch business logic errors is like trying to catch run-time errors using a debugger. The other analogy I used before is that of ANSI C (programming language) is a standard set by ta da... ANSI. All the native compilers of different vendors HAVE to stick to the standard. Another analogy is that of GL (Graphics Language) becoming Open GL after vendor consortium. So... it is important for all the vendors to agree on same errors and similar warnings when offering validation-testing tools/services for HIPAA compliance and not necessarily biz logic. Biz logic testing is extra and a nice FREE-BEE from a vendor. And dicing and slicing a transaction in many ways still is NOT CERTIFICATION but does provide very useful information that lends to CERTIFICATION. Coming to the need to define the word Certification properly and help the HealthCare Industry.... It is now more than obvious from the on going debate, the popular perception out there is, that the word Certification was arbitrarily chosen and mis/ab-used ever since by WEDI/SNIP recommendations through the Transaction Testing and Certification white paper (and is more aligned with some business plan). It is also obvious that WEDI/SNIP did not and could not come up with the proper usage of the word Certification till now. CERETIFICATION is a well defined word and widely used concept in the industry in other walks of life and can be and should be adopted and adapted from existing things into the healthcare industry as well and we need not come up with some arbitrary definitions that suits some. In that sense, HCCO can and should offer assistance to properly define Conformance/Practice/Process Certification. Many people, like myself, are members of HCCO and write to this listserv regularly. So assistance or participation... same thing. A little competition between HCCO and WEDI/SNIP is also healthy. Competition from competent people only helps Covered Entities. The accpetable error rate is a mutually accpetable biz decision and depends on the errors' severity and not just the error itself... from bug-tracking approving software by QA guys 101. Vendors need CEs and CEs need vendors. There is a tremendous value in third party testing tools/service for VALIDATION. CERTIFICATION? It's different ballgame... talking of which I'll end this note with "Take me to the Ball Game...." Thanks for reading till now. Please debate on... Best Regards, --Rama. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-testing as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-testing as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-testing as: [email protected] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
