HARRIS CORPORATION HEALTHCARE SOLUTIONS

Florida Health Information Exchange
Direct Secure Messaging Readiness Questionnaire for Health Information Service Providers
12/07/2012

Table of Contents

Introduction
Health Information Service Provider (HISP) Network General Information
    Primary Points of Contact Information
    Organization Information
    Logistics Information
Florida HIE Direct Secure Messaging Readiness Questionnaire
    Health Information Exchange (HIE) System Questions
    Security Implementation Questions
    Privacy Implementation Questions
    General System Implementation Questions
Attachment A
    Estimated Implementation Work Effort
Attachment B
    HISP Implementation Steps

Introduction

The Harris Team is currently in the process of identifying health information service provider (HISP) networks to be early participants in the Florida Health Information Exchange (HIE) Direct Secure Messaging (DSM) service. The DSM service enables an authorized health care provider and other authorized participants to send messages about a patient’s clinical data to other network participants for treatment, payment, and other permitted purposes. There are other HIE services that are offered through the Florida HIE (e.g., patient look-up); however, this Readiness Questionnaire is focused on prospective HISP networks who wish to participate in the Florida HIE DSM service. Examples of HISP networks include operational Regional Health Information Organizations (RHIOs), integrated delivery networks (IDNs) or other health systems, clinical HIEs, electronic health records and personal (patient-controlled) health records (PHRs).

The Harris Team recognizes that provider networks and healthcare organizations are at varying levels of adoption and use of health information technology. Therefore, the Florida HIE is designed to be flexible to accommodate and leverage existing healthcare information systems and processes.

The Florida HIE deploys a model consistent with the Direct project protocols of the Nationwide Health Information Network (NwHIN).
The Florida model provides a centralized messaging service which includes participant vetting and agreements establishing the responsibilities of DSM users. It offers participants a Participant Directory to search for DSM email addresses. It uses a common DSM organizational certificate to establish trust when data is transmitted over the Internet.

Participation in the Florida HIE includes a commitment from your organization to provide the resources for enabling a HISP to HISP connection with the Florida HIE, to understand and agree to meet the terms of an agreement (i.e., the SERCH (Southeast Regional HIT-HIE Collaborative)/Florida agreement) establishing the responsibilities of users sending or receiving messages from DSM users, and to conduct other key implementation activities. It is important that prospective participants demonstrate both technical readiness and a willingness and ability to commit resources to the implementation process.

To assist the Harris Team in assessing your organization’s readiness and willingness to connect and enable mutual exchange of messages among participants, please complete and submit this Florida HIE DSM Readiness Questionnaire and e-mail it to FloridaHIE@harris.com. A Harris Team representative will then contact you for follow-up information.

Please note that this questionnaire is not intended to imply minimum criteria for a HISP connecting to the Florida HIE DSM service. The responses received will be used to help assess current and/or future readiness of your organization.

Answers to this questionnaire are subject to Florida public records law. If your organization will be disclosing trade secret information, you will need to designate which sections are considered trade secrets by marking each page “Trade Secret as defined in Section 812.081, Florida Statutes” upon which such information appears.
Information specifically identified as a trade secret under Section 812.081, Florida Statutes, will be kept confidential to the extent provided by law. Designating material simply as “proprietary” will not necessarily protect it from disclosure under Chapter 119, Florida Statutes.

Health Information Service Provider (HISP) Network General Information

Organization Name: Click here to enter name.
Address: Click here to enter address.

Primary Points of Contact Information

1. Who is your Program Management Point of Contact? (This person will be responsible for ensuring agreements are signed and determining implementation vision.)
   Name: Click here to enter name.
   Title: Click here to enter title.
   Phone Numbers (office and cell): Click here to enter phone.
   Email: Click here to enter e-mail.
   Mailing address: Click here to enter address.

2. Who is your Technical Point of Contact? (This person will be responsible for setting up the servers.)
   Name: Click here to enter name.
   Title: Click here to enter title.
   Phone Numbers (office and cell): Click here to enter phone.
   Email: Click here to enter e-mail.
   Mailing address: Click here to enter address.

3. Who is your Computer Security/Chief Security Officer Point of Contact?
   Name: Click here to enter name.
   Title: Click here to enter title.
   Phone Numbers (office and cell): Click here to enter phone.
   Email: Click here to enter e-mail.
   Mailing address: Click here to enter address.

Organization Information

1. Please indicate your Legal Entity type (C corporation, S corporation, LLC, limited partnership, general partnership)?
   Click here to enter type.

2. Please describe what type of industry organization you are (e.g., clinical HIE, electronic health record, health system, regional health information organization, or personally controlled health record):
   Click here to enter type.

3. Is your organization licensed by the Florida Department of Health or the Agency for Health Care Administration? Yes/No.

4. Are you considered a covered entity under HIPAA? Yes/No.

5. Are you considered a business associate of one or more covered entities under HIPAA and have written business associate agreements with those covered entities? Yes/No.

6. Are you a state designated entity under the federal State Health Information Exchange Cooperative Agreement Program? Yes/No.
   Note: The SERCH/Florida agreement is optional for state designated entities during the period of the Cooperative Agreement Program.

Click here to enter Page Marking (optional).

Logistics Information

1. When would you prefer the Harris Team to target your organization’s connection to the Florida HIE DSM service? (e.g., As soon as possible, within 6 months, within 1 year, within 18 months, or within 2 years)
   Click here to enter timeframe.

2. Are you willing to dedicate time and resources to enable interfacing between your organization’s information system and the Florida HIE? This will likely include a system administrator and a clinical analyst (please see Estimated Implementation Work Effort checklist in Attachment A and Implementation Steps in Attachment B of this Readiness Questionnaire for a list of the tasks that are expected to be accomplished by your organization). Please explain any constraints.
   Click here to enter constraints.

3. Do you have any upcoming relevant system migrations or upgrades that the Florida HIE should be aware of? Yes/No.
   If yes, please detail: Click here to enter text.

4. Please identify the individual or position who will be signing the SERCH/Florida agreement for your organization. The agreement is posted at: https://www.florida-hie.net/.
   Please detail possible options if TBD: Click here to enter text.

Florida HIE Direct Secure Messaging Readiness Questionnaire

The Florida HIE DSM Readiness Questionnaire is used to help assess an organization’s overall readiness to connect to the Florida HIE for the DSM service. Areas covered in the Readiness Questionnaire include information about your Direct implementation and current status as well as privacy and security policies and implementation. Please answer the following questions to the best of your ability. If a specific section or question is not applicable to your organization, please leave it blank.

Health Information Exchange (HIE) System Questions

Item / Information Systems Question / Response and Discussion

1. Please identify what HISP system you are using. Please include vendor, the version/release of the system application, and specific vendor contact information.
   Enter response here.

2. Is your HISP network currently Direct project compliant? Please indicate the version and detail if there are any exceptions.
   Enter response here.

3. Are the certificates used within your HISP compliant with the DirectTrust Ecosystem Community X.509 Certificate Policy? (http://wiki.directproject.org/Direct+Ecosystem+Community+X.509+Certificate+Policy)
   Enter response here.
4. Please indicate what type of certificate structure you have implemented. Do you use one common organizational security certificate, multiple organizational certificates or individual certificates?
   Enter response here.

5. Please indicate the method your HISP uses to publish your certificate(s) – DNS or LDAP (See section 5.0 of the Direct Applicability Statement for Secure Health Transport version 1.1).
   Enter response here.

6. How many physicians have a Direct email address within your network?
   Note: DSM registration and utilization information is available on the Florida HIE dashboard. Please visit http://floridahieeval.fiu.edu
   Enter response here.

7. How many participants have a Direct email address within your network?
   Enter response here.

8. How many transactions do you process monthly within your network?
   Enter response here.

9. Does your HISP exchange or have the capability to generate structured CCD that can be read by the recipient?
   Enter response here.

10. What other types of data formats do you support that could potentially be used to generate a payload (e.g., PDF, .doc, .rtf, TIFF, JPEG, ebXML, HL7, etc.)?
    Enter response here.

11. Do you currently interface with third party EHRs? If yes, what are the products and what tool do you use to interface?
    Enter response here.

Security Implementation Questions

Item / Information Systems Question / Response and Discussion

1. Do you fully comply with the HIPAA Security Rule?
   Enter response here.

2. Have you performed a thorough assessment of the current potential security risks and vulnerabilities to the confidentiality, integrity, and availability of Electronic Protected Health Information (EPHI) held by your organization and your business associates?
   Enter response here.

3. Please describe your system controls for user authentication.
   Enter response here.

4. Do you monitor your security logs?
   Enter response here.

5. Do you have a documented computer security incident response plan? If yes, has it been tested in the last 12 months?
   Enter response here.

6. Have you had any security breaches in the last 5 years? If so, please describe the cause of the breach and what steps were taken to address any issues.
   Enter response here.

7. What mechanisms are in place such as contracts and employee policies to control access to mobile devices and ensure mobile device security is maintained?
   Enter response here.

8. Additional comments?
   Enter response here.

Privacy Implementation Questions

Item / Information Systems Question / Response and Discussion

1. Do you comply with NIST Level 3 (or above) guideline for identity verification?
   Enter response here.

2. Fully describe any privacy policies you have at your HISP system level and any policies at the user level (if any additional policies exist).
   Enter response here.

3. Do you have written contracts with technology partners? Do they include HIPAA business associate language, when applicable?
   Enter response here.

4. Additional comments?
   Enter response here.

General System Implementation Questions

Item / Information Systems Question / Response and Discussion

1. What is your current message size limit, including attachments, for your HISP?
   Enter response here.

2. Please describe the use of Read Receipts and whether always on or optional.
   Enter response here.

3. Additional comments?
   Enter response here.

Thank you for completing the Florida HIE Direct Secure Messaging Readiness Questionnaire for Health Information Service Providers. Please e-mail your responses to FloridaHIE@harris.com (e.g., use the “send” option within Microsoft Word). A Harris Team representative may contact you for follow-up information, as needed.

Attachments – Implementation Requirements

Attachment A

Estimated Implementation Work Effort

To connect with the Florida HIE DSM service, your organization will be required to commit resources and personnel to work alongside the Harris Team. Deployment activities will span approximately a five (5) day period, during which various levels of support will be required from your technical personnel. The table below identifies the tasks that will need to be accomplished by your organization’s staff in support of the Harris deployment team activities.

Tasks / Organizational Staff

Test Data and Review

   Test Data – your organization identifies and provides sample de-identified data to the Harris Team.
   Organizational Staff: Clinical Analyst

   Test Receipt – the Harris Team and your organization send a test message for review by the Harris Team and your organization.
   Organizational Staff: Clinical Analyst

Deployment Support

   Integration Support – as appropriate, provide access to and documentation for existing system necessary for HISP implementation activities. Includes providing support for deployment testing.
   Organizational Staff: System Administrator

   Direct Certificates Exchange – your organization and the Harris Team will need to integrate certificate discovery, verification and exchange. This would include error handling as appropriate.
   Organizational Staff: System Administrator

QA and Test Support

   Error Detection and Reporting – the Harris Team identifies errors preventing messages from being delivered and works with your organization to resolve.
   Organizational Staff: System Administrator

   Production QA review – process production results for final review before making data available to physicians and other participants. Your organization should run a QA test using live data that spans one to two days.
   Organizational Staff: Clinical Analyst

Attachment B

HISP Implementation Steps

Typical step-by-step HISP implementation activities to connect with the DSM HISP are listed below. It is assumed that steps one and two are completed prior to initiation of HISP connection activities.

1. Instantiate Direct services.
2. Publish public keys of HIE trust anchors in Domain Name System (DNS) or Lightweight Directory Access Protocol (LDAP).
3. HISPs execute agreement, as applicable.
4. Add trust anchors of other HISP to test system (optional) or to production system.
5. Validate access of public keys from other HISP.
6. Validate access of public keys of participant users from other HISP, if applicable.
7. Create test accounts to exchange messages.
8. Create test message (digitally sign and encrypt) per Direct and send to other HISP for verification.
9. Receive messages from other HISP and verify decryption and digital signature of the external HISP.
10. If test system used in step 4, add trust anchors of other HISP to production and repeat steps 5 through 9 on the production system.