DTAAP Beta Accreditation Experience
Sharon Wentz, RN
Business Development Coordinator
September 6, 2013

• Administered by the Oregon Health Authority
• Contracted with Harris to provide a comprehensive Direct-based service offering.
• CareAccord DTAAP Accreditation: HISP, CA, RA
• Vendors: Harris Corporation in Melbourne, Florida is the consulting service provider. Mirth Corporation is the software application provider. Easy Street in Beaverton, Oregon is hosting, managed services, local interface with CareAccord staff, and a liaison with Harris Corporation.

Beyond “simple” HISP services
Collaborative of multiple organizations filling separate roles, which was envisioned and memorialized in the Direct Project Specifications.
• CareAccord: Registration Authority duties for Organizations.
• Harris Corporation: Certificate Authority, Registration Authority duties for sub-organizations, individuals and delegates. Providing a Provider Directory using the Mirth PD solutions.
• Mirth: Harris is using Mirth software to provide HISP functions.

Reasons for seeking DTAAP Accreditation
• Value in a third party assessment that we are doing the right thing.
• Validation of processes and safeguards for secure HIE.
• We should be held to the “highest bar” for internet transport of patient health information.
• We support scalable trust and not “one-off” agreements.

ACCREDITATION TEAM
CareAccord:
- Sharon Wentz, RN, Business Development Coordinator
- Mary Kukowski & Emily Martinez-Ortiz, Engagement Specialists
- Stacey Weight, Policy Analyst
- Jane Toliver, Grants Coordinator
Harris Corporation:
- Tricia Hess, Program Manager
- Roy Tharpe, Chief Systems Engineer, Product Manager
- Nicole Parker, Registration Authority/Configuration Management
EasyStreet:
- Scott Seaton, Director of Business Development
- Breanne Antonious, Senior Account Executive

Self Assessment period June 5 - July 30, 2013
• Team: 10+ people
• Working meetings: 28
• Phone conferencing hours: 44
• Total man hours attributed to formalized meetings: 328
• Meeting lengths: 1-3hr calls, 1-2 x/day
• Self-assessment prep work = 40 hours.
• Lots of hours outside of formalized meetings: estimate 3 FTEs

Pearls of Wisdom and Lessons Learned
• Become a Direct Trust member.
• Seek Administrative approval and awareness.
• Have discussions with your vendors up front.
• Choose team carefully:
  - Security expert familiar with host infrastructure
  - RA/CA in the trenches staff
  - Staff that hold the technical knowledge around the policies/procedures/processes
  - Support staff to assist with the self-assessment “document management” process
  - Consider a technical writer?
• Wasted one week prior to the first formal meeting!
• Pacific time --- Eastern time, 4th of July holiday
• Take meticulous meeting minutes with action items.
• Building self-assessment document from scratch…
• Additions/modifications will be needed to some of your policies and procedures.
• Cost considerations: Direct Trust membership fee, Accreditation fees for HISP, RA, CA, annual 3rd party penetration testing cost, and staff/vendor time attributed to the process.

“Dividing and conquering the sections did not work well.”
“Criteria built on each other.”
“Do RA section first?”
“Learned something new every day.”
“Have a technology architect cheerleader that knows the big picture, the inside and outs.”
“There were no bottle-necks, everyone worked together, great project management.”
“We experienced superb collaborative partnership with our vendors.”
“Greater confidence and trust gained as a team going through this together!”

Conclusion
“The rigorous work required to complete the accreditation process is directly proportional to the level of trust and security needed to protect personal health information being transported via Direct Secure Messaging.”

Sharon Wentz RN
Sharon.l.wentz@state.or.us
Cell: 503-983-4226