William,
I believe there should be certain information that should only be
released until both parties can establish some level of trust. I
presume a large majority of trading partners will require some form of
testing, so all the testing information could be released without many
of the concerns regarding live data.
Once a valid test is completed, then it's possible that credentials
could be passed to the partner that will provide them information
regarding submitting live data. And in between the testing and live
data submission, processes could be performed to verify the validity of
the business entity, thereby giving the receiver and sender some level
of trust regarding the transactions.
I saw a thread recently that covered some method of establishing a
certificate-based trust relationship that may help address this as
well. Using a PKI or PGP model, the ability to obtain information on
sending live data could be based on an entity's ability to pass the
testing phase. A certificate or key would then be given to them that
would allow them to obtain the live data submission information.
At first I thought this could be out of scope for the group, but then I
realized we haven't created a strong enough definition of the overall
business processes in use today. I'm sure most receivers will require
some form of testing, or some form of trusted certification that they
are compliant before simply allowing data to be sent.
So, the CPP must have the ability to define testing criteria and
requirements. Then, it should allow defining the conditions in which
testing can be bypassed if the sending party already has been certified
by so many other receivers.
Just some food for thought.
-RB
>>> "William J. Kammerer" <[EMAIL PROTECTED]> 05/18/02 11:52AM >>>
A new spreadsheet for the design of the Healthcare CPP (Electronic
Partner Profile) - "Elements of the Healthcare Collaboration-Protocol
Profile (CPP)" - along with an updated graphic model ("CPP model
diagram"), are available at http://www.novannet.com/wedi/ . See
"Documents available for download" by scrolling past all the verbiage.
You may have to use the Internet Explorer "Expand to Regular Size"
button in order to read the graphic model, for otherwise the JPEG will
be fitted to the window making the text hard to make out.
Chris Feahr, our CPP spreadsheet editor, has not yet changed the "data
elements" page to correspond to the new graphic model. But he has added
more "worksheet" tabs: one is entitled "Requirements," which will be
well received by certain members of our team. Chris hopes the new
spreadsheet stuff will help you make sense of the model diagram.
Chris includes an interesting question in his "Issues" section of the
spreadsheet: "How much financial-routing information should be in a
public registry? Is it safe to publicly specify 'how to put money in my
bank account'?" I can certainly see how folks (providers) would be
queasy about letting just anyone on the web viewing the public
Healthcare CPP directory know where they bank, let alone what their
account number is.
But consider that everyone to whom I've ever written a check over the
last twenty years now has my bank's ABA routing code and my DDA number.
Though it would be puzzling if anyone deposited a large sum of money in
my account, it might not be cause of complaint: I do have anonymous
fans, after all. So I could be blessed like that Central Ohio couple
who were handed a quarter million; see "Bank error gives couple 250,000
reasons to praise God," in the Columbus Dispatch (December 15, 2001) at
http://www.dispatch.com/news/news01/dec01/987877.html . Praise the
Lord.
It probably stands to reason that this identification information (it
is not authentication information, like secret PINs) is perfectly safe
to share with the world - which, indeed, a lot of companies do in order
to facilitate payment. The more pressing security problem to solve is
how to prevent an imposter from creating a CPP posing as a well known
provider, where the financial information points to the scofflaw's bank
account, fooling payers into paying the wrong person. Some "liaisoning"
with X12F Finance and NACHA might be in order here.
Keep in mind that Kepa's directory has a lot of the demographic and
transaction fields that we will want in the Healthcare CPP; see
http://www.claredi.com/ and select "directory." A successful CPP design
will subsume all of Claredi's directory information.
William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320