Excellent comments, Sunny! Julie
From: Sunny Singh <[EMAIL PROTECTED]> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>, "David W. Loewy" <[EMAIL PROTECTED]>, [EMAIL PROTECTED], "'Meyer, Perry'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: RE: Certifications Date: Sun, 1 Sep 2002 10:54:02 -0700 I have some observations here: POINT # 1: "However, if the sample size is sufficiently large and representative of the business of the provider or payer that generates these transactions, then you could establish a level of confidence that future transactions will also be compliant." This is a very subjective comment 1. A covered entity taking comfort in the fact that their sample data files were compliant is a dangerous proposition. 2. The sample size varies not only for any covered entity but for such entities will change over time - and I am not evening talking about a covered entities internal operations/ requirements changing/ growing. The very fact that the HIPAA guidelines are going to evolve and change quite a bit (given the newness of the Imp. Guides) will lend itself to any kind of one-off certification without general consensus in the market an in-effective proposition. 3. I see no value other than "it is a nice to have and do" and "it provides a certain degree of rigor and discipline" for a covered entity to at least do some self-testing before involving a trading partner in the certification concept as discussed in the HIPAA community today. Will a payer or any entity receiving data be happy with the fact that the data they received is "good enough". No. They want the data to be 100% accurate or they will and should reject it. POINT # 2: "For this reason it is important that the certification of transactions as compliant be well documented and publicly disclosed." This is a very good point - but the fact that this has not been done to date is discomforting. We have folks toughting certification, we have a white paper recommending certification yet there is no one who has published and documented the rules of certification. What tickles me is that we are asking covered entities to get certified yet there is no one who has come forward and say what it means. In the white paper discussions I raised the same problem/ issue and therefore we changed the context and meaning of CERTIFICATION to be ENTERPRISE-CENTRIC and not INDUSTRY-CENTRIC. An enterprise can dictate what their rules of certification are - just like in EDI. A Walmart or a HUB will tell its trading partners, this is how I will send and receive data (done through information in the implementation guideline). At that point the rules of certification are clear and concise. The partners know that if they send data conforming to that IG - is will be correct and there are no interpretations or combinatorial mathematics they have to engage in to send valid data. POINT # 4 "but we can prove their TRANSACTIONS are or are not compliant." I agree here that we can prove that A TRANSACTION is compliant. But given no deterministic definition/explanation of the rules of certification we cannot confirm that TRANSACTIONS WILL BE COMPLIANT or NOT COMPLIANT. An entitiy can be certified as being talked about in the HIPAA circles today but that does not mean that they will always send COMPLIANT TRANSACTIONS - and that totally destroys the notion of certification as being positioned today. The only way that CERTIFICATION will make any sense is if the rules and critieria of certification are CLEAR, CONCISE AND AGREED UPON BY A CONSORTIUM. In that regard I applaud the HCCO's efforts and I hope that WEDI/SNIP & HCCO will work together to clear the confusion. Lets agree to the base line set of rules that are interpreted the same way (and folks this is not that difficult a task - most of the rules are VERY CLEAR and some are ambigious - we know it because we have gone through this exercise extensively) through a consortium of thought leaders, vendors etc and then make it public. You simply cannot promote a CONCEPT when people are simply not clear what does it take to implement that CONCEPT. We simply cannot say "JUST DO IT". Just telling them to go to a certain service provider and get CERTIFIED is non-sense. In my discussions with lots of folks in the HIPAA community not 1 person has been able to clearly articulate the rules & criteria of certification and they have expressed frustration at the inability to get to that state of clarity. Thanks Sunny Edifecs www.HIPAADesk.com www.edifecs.com -----Original Message----- From: Kepa Zubeldia [mailto:[EMAIL PROTECTED]] Sent: Friday, August 30, 2002 10:39 PM To: David W. Loewy; [EMAIL PROTECTED]; 'Meyer, Perry'; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: Certifications David, Tim, Before you keep going too far on that line, there is a significant difference between "certifying" an entity or a product to "be" HIPAA compliant (personally I don't see how this would happen) and certifying that a specific set of transactions is in compliance with the HIPAA transaction implementation guides. To verify whether a transaction is in compliance with the HIPAA Implementation Guide is a process that is totally deterministic and objective, and can be verified and validated by a number of third parties. In any case, the process must be disclosed and verifiable by third parties and by the relying parties. An entity relying on the certification of a transaction as being compliant should be able to know what was the exact content of the transaction that was certified. And the certification of a transaction as compliant does not automatically extend to the software that generated the transaction in a generic mode. While you can say that the software is capable of generating HIPAA compliant transaction(s), you cannot say that all the transactions generated by that software will always be compliant. However, if the sample size is sufficiently large and representative of the business of the provider or payer that generates these transactions, then you could establish a level of confidence that future transactions will also be compliant. But, again, this does not extend to the software or the entity in as generic way. For instance, the fact that you can generate compliant office visits does not mean much when you need to generate DME claims. For this reason it is important that the certification of transactions as compliant be well documented and publicly disclosed. So, lets qualify the statements. When organizations claim to "be" HIPAA Certified, or to offer "certified" training, or to have certified HIPAA transactions they should try to "prove it". I bet they will not be able to prove they "are" compliant, or that their software or training is certified, but we can prove their TRANSACTIONS are or are not compliant. The testing and certification of TRANSACTIONS for HIPAA compliance is documented in the SNIP white paper on that topic. There is a new version that has been approved for publication (version 3.0) that should be posted in the web site in the next few days. Please understand that it does not address certification of entities, software, systems or training programs, only certification of transactions. Kepa Zubeldia Claredi PS: cross posting of messages like this is spam. On Friday 30 August 2002 11:19 am, David W. Loewy wrote: From: "David W. Loewy" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>, "'Meyer, Perry'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> > I agree as well, I am constantly amazed when I see organizations > referring to being either HIPAA Certified or offering HIPAA > Certification!! And there are more than a handful I've seen recently! > > > David W. Loewy > President > Health Providers Practice Management, LLC. > Publishers of The HIPAA Survival Kit for Providers 617.739.6665 > (voice) 601.415.0007 (mobile) > > > <http://www.hipaacertification.org/> > www.hipaacertification.org > NOTE: The information contained in this message is intended only for use > by the individual or entity to which it is addressed. This message may > contain information that is privileged, confidential, and exempt from > disclosure under applicable law. If you are not the intended recipient, > you are hereby notified that any dissemination, distribution, or copying > of this information strictly prohibited. If you have received this > communication in error, please notify us immediately and delete the > original message. > > > > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: Friday, August 30, 2002 12:58 PM > To: Meyer, Perry; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; > [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; > [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: Certifications > > > Perry, your point is very valid! > > As stated by the agencies, it isn't the role of the government to > "Certify" a product, service, or process relating to HIPAA. > Certifications by their nature certifications require a process of > accreditation, credentialing, and ideally broad support. I have no > knowledge of what the vendor in question bases their "certification" > on, and without full disclosure of that basis I view its claim as > suspect, however there is at least one validly certified > training/education product in the market - certified/credentialed by a > State University System. > > However, this specific problem has resulted in the creation of a > separate body to address this issue of developing HIPAA conformance > certification standards. This activity is complementary to the work > of the other HIPAA bodies, and recognizing the urgency of this for > covered entities and industry alike, has begun and hopes to publish a > significant body of work rapidly. > > This also raises another important point - full disclosure. Some on > this listserv express offense at participants including their company > names in their replies and messages. Personally, I want to know who > it is that is expressing their opinions and who they represent, and in > what capacity. I appreciate a weblink also, making it easy to view > their context. Without this disclosure, we do not have the ability to > properly weight their credentials or perspective in these issues. > Each of us needs to be able to evaluate each posted statement and not > simply take everything said as fact or legal opinion - this one > included. So I would encourage all to be candid in their signatures > for these reasons and recognize the difference between spam > commercialism and simple honest disclosure. > > Tim McGuinness, Ph.D. > President, > HIPAA Help Now Inc. > [EMAIL PROTECTED] > www.hipaahelpnow.com > > Executive Co-Chairman for Privacy, > HIPAA Conformance Certification Organization (HCCO) > www.hipaacertification.org > > > > > -----Original Message----- > From: Meyer, Perry [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, August 27, 2002 8:24 AM > To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; > [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; > [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; > [EMAIL PROTECTED] > Subject: RE: WEDI SNIP Forum to be Rescheduled!!! > > > Just curious, but does CMS or OCR recognize "certified" HIPAA > training? I see no mention of this in the regs. I think we need to be > very careful in promoting something as "certified" when it comes to > HIPAA. > > Perry Meyer > Senior Vice President > Iowa Hospital Association > To be removed from this listserv, please email [EMAIL PROTECTED] <P>The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited. To be removed from this listserv, please email [EMAIL PROTECTED] <P>The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited. _________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com To be removed from this listserv, please email [EMAIL PROTECTED] <P>The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
