Direct Project HISP Registry – Survey Response

Instructions: Please complete the following questionnaire as fully and accurately as possible. Items in bold are mandatory and must be completed in order for the survey to be posted on the Direct Project wiki’s HISP Registry. Please submit your completed survey to the Direct Project IG Workgroup Leader, currently Paul Tuten (paul.tuten@hhs.gov), for posting on the registry.

HISP Summary:
Name of organization that operates the HISP:
Name of sponsoring organization, if different:
Address (Street, City, State, Zip):
Phone Number:
Website URL:
How long has your HISP service been operational:
What is (are) the principal geographic region(s) served by your HISP:
Is your HISP operating as a part of one or more "Trust Communities" which provide governance and policies for trusted transactions? If so, please provide the Trust Community name(s):

Point(s) of Contact:
Role             Name    Organization    Phone    E-mail
Primary:
Program Mgmt.:
Technical:
Security:

Respondent Information:
Name:
Title:
Organization:
Phone Number:
E-mail:

Page #1 HISP Registry Survey v1.0 -- 08/13

HISP Questionnaire

1. Please describe what kind of entity the HISP operating organization is (e.g. - technology vendor, health information exchange, Health Information Organization, healthcare organization, etc.):
2. Is the HISP operating organization considered a covered entity under HIPAA (yes/no):
3. If the HISP operating organization is not a covered entity, is it considered a business associate of one or more covered entities under HIPAA, and does it have written business associate agreements with those covered entities (yes/no):
4. Is the HISP operating organization a state designated entity under the federal State Health Information Exchange Cooperative Agreement Program (yes/no):
5. Is the HISP sponsored for service by/within the public sector or private sector (e.g. - is the sponsoring entity in the public sector, like a State government, or in the private sector):
6. Does the HISP operate under any published governance principles for security and trust? If so, list the custodian of the policies and any relevant links to those policy publications (e.g. - HISP participation criteria, expected common processes, etc.):
7. Who is the vendor or provider of the HISP technology (i.e. who implemented the HISP software)? Please list the version/release of the system application, and specific vendor contact information:
8. Is your HISP currently compliant with the Direct Project Applicability Statement? If so, indicate which version (e.g. 1.1):
9. Are the certificates used within your HISP compliant with the DirectTrust Ecosystem Community X.509 Certificate Policy (http://www.directtrust.org/digitalcertificate-policy/):
10. What is the name of your HISP's Certificate Authority:
11. Are you currently compliant with the Federal Trust Bridge (cross certified with the Federal Bridge Certificate Authority)? If not, do you intend to comply when required:
12. Are you operating with self-signed certificates in the production environment (yes/no; explain the relevant circumstances if yes):
13. Please indicate the method your HISP uses to publish your certificate(s) – DNS or LDAP (see section 5.0 of the Direct Applicability Statement for Secure Health Transport version 1.1). If other methods are used, please detail:
14. Please describe the types of certificates issued to support your HISP’s operation, and the types of entities that may be associated with those certificates. In your description, please note your alignment with the certificate types called out in the Applicability Statement (i.e. – Address Certificates, Organizational Certificates), as well as whether certificates are issued to entities in order to cover multiple end-users of the Direct service (e.g. – all users of a HISP under one certificate, all users in a hospital under one certificate, etc.):
15. Please describe the types of end users that may be reached via a given Direct Address issued by your HISP. In your description, please note the type of entity that may have a single Direct address (e.g. – an individual person, a hospital, a department within a hospital, etc.):
16. Does your HISP have restrictions or rules governing the roles of the entities that are issued Direct Addresses (e.g. – can Direct addresses be issued to everyone, including all clinicians, patients, ancillary service providers like labs, support staff, etc.):
17. Does your organization fully comply with the HIPAA Security Rule in the operation of the HISP (yes/no):
18. Have you had an independent third-party assessment performed of the current potential security risks and vulnerabilities to the confidentiality, integrity, and availability of Electronic Protected Health Information (EPHI) held by your organization and your business associates, including a Direct risk assessment? (yes/no):
19. Does your HISP comply with the Implementation Guide for Delivery Notification in Direct v1.0 (yes/no - found at http://wiki.directproject.org/file/view/Implementation+Guide+for+Delivery+Notification+in+Direct+v1.0.pdf)? Please explain any nuances or compliance exceptions of your implementation:
20. Does your HISP support HISP to HISP XD*, and if so, in what way:
21. Does your HISP support the XDR/XDM For Direct Messaging 1.0 specification:
22. Does your HISP support remote directory access, and if so, by what standards (e.g. HPD, HPD+, flat file exchange, proprietary, etc.):
23. Does your HISP exchange, or have the capability to generate, structured CCD that can be read by the recipient:
24. What is the name of your HISP's Registration Authority:
25. Please describe your system controls for user authentication:
26. What level of assurance does your HISP implement for identity verification, according to the NIST Electronic Authentication Guideline (http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf)? If you implement an authentication scheme not covered by the NIST Guideline, please explain:
27. Does your HISP or other services extract or decrypt payload content from Direct Messages prior to access by the intended recipient (e.g. - extract data to put into a database, or an HIE)? If yes, please describe:
28. Does your HISP or other services collect data on referral patterns that are facilitated through the HISP? If yes, please describe:
29. Does your HISP or other services release data on audit trails related to messages trafficked through the HISP? If yes, please describe:
30. Please describe, or reference through a link, any privacy policies you have at your HISP system level and any policies at the user level (if any additional policies exist):
31. What service levels are supported for your HISP services, and are they codified into a service level agreement (e.g. - uptime guarantee, maximum response time guarantee, etc.)? If HISP SLAs are published, please include a link:
32. Do you have any requirements for establishing a trust connection with your HISP, and if so, please describe:
33. Does your organization require a contractual agreement to be executed between HISP operators in order to connect and transact with your HISP:
34. Is your HISP currently connected to other HISPs? If so, please list them:
35. May users be independently terminated (i.e. revocation of their Direct address):
36. Are there restrictions on the types of uses permitted for your HISP (e.g. - treatment, payment, healthcare operations, public health reporting, etc.)? If yes, please describe:
37. Is there a principal set of audiences your HISP serves (e.g. - providers, payers, government agencies, patients, etc.)? If so, please describe:
38. What types of payload data formats are supported for messages trafficked through your HISP (e.g. PDF, .doc, .rtf, TIFF, JPEG, ebXML, HL7, CCDA, CCD, etc.):
39. What is your current message size limit (i.e. size of the encrypted payload), including attachments, for your HISP?
40. Do you currently interface with third party EHRs? If yes, what are the products and what tool do you use to interface: