DTAAP Beta Accreditation
Experience
Sharon Wentz, RN
Business Development Coordinator
September 6, 2013
• Administered by the Oregon Health Authority
• Contracted with Harris to provide a comprehensive
Direct-based service offering.
• CareAccord DTAAP Accreditation: HISP, CA, RA
• Vendors:
 Harris Corporation in Melbourne, Florida is the consulting
service provider.
 Mirth Corporation is the software application provider.
 Easy Street in Beaverton, Oregon is hosting, managed
services, local interface with CareAccord staff, and a
liaison with Harris Corporation.
Beyond “simple” HISP services
Collaborative of multiple organizations filling separate
roles, which was envisioned and memorialized in the
Direct Project Specifications.
• CareAccord: Registration Authority duties for
Organizations.
• Harris Corporation: Certificate Authority, Registration
Authority duties for sub-organizations, individuals
and delegates. Providing a Provider Directory using
the Mirth PD solutions.
• Mirth: Harris is using Mirth software to provide HISP
functions.
Reasons for seeking DTAAP Accreditation
• Value in a third party assessment that we are doing the
right thing.
• Validation of processes and safeguards for secure HIE.
• We should be held to the “highest bar” for internet
transport of patient health information.
• We support scalable trust and not “one-off”
agreements.
ACCREDITATION TEAM
 CareAccord:
Sharon Wentz, RN, Business Development Coordinator
Mary Kukowski & Emily Martinez-Ortiz, Engagement Specialists
Stacey Weight, Policy Analyst
Jane Toliver, Grants Coordinator
 Harris Corporation:
Tricia Hess, Program Manager
Roy Tharpe, Chief Systems Engineer, Product Manager
Nicole Parker, Registration Authority/Configuration Management
 EasyStreet:
Scott Seaton, Director of Business Development
Breanne Antonious, Senior Account Executive
Self Assessment period
June 5- July 30, 2013
•
•
•
•
•
•
•
Team: 10+ people
Working meetings: 28
Phone conferencing hours: 44
Total man hours attributed to formalized meetings: 328
Meeting lengths: 1-3hr calls, 1-2 x/day
Self-assessment prep work = 40 hours.
Lots of hours outside of formalized meetings: estimate
3 FTE’s
Pearls of Wisdom and Lessons Learned
•
•
•
•
-
Become a Direct Trust member.
Seek Administrative approval and awareness.
Have discussions with your vendors up front.
Choose team carefully:
Security expert familiar with host infrastructure
RA/CA in the trenches staff
Staff that hold the technical knowledge around
the policies/procedures/processes
- Support staff to assist with the self-assessment
“document management” process
- Consider a technical writer?
•
•
•
•
•
Wasted one week prior to the first formal meeting!
Pacific time --- Eastern time, 4th of July holiday
Take meticulous meeting minutes with action items.
Building self-assessment document from scratch…
Additions/modifications will be needed to some of your
policies and procedure.
• Costs considerations: Direct Trust membership fee,
Accreditation fees for HISP, RA, CA, annual 3rd party
penetration testing cost, and staff/vendor time
attributed to the process.
“Dividing and conquering the sections did not work well.”
“Criteria built on each other.”
“Do RA section first?”
“Learned something new every day.”
“ Have a technology architect cheerleader that knows the
big picture, the inside and outs.”
“There were no bottle-necks, everyone worked together,
great project management.”
“We experienced superb collaborative partnership with
our vendors.”
“Greater confidence and trust gained as a team going
through this together!”
Conclusion
“The rigorous work required to complete the
accreditation process is directly proportional to
the level of trust and security needed to protect
personal health information being transported
via Direct Secure Messaging.”
Sharon Wentz RN
Sharon.l.wentz@state.or.us
Cell: 503-983-4226