Greetings, I think the discussion was not centered around the need for 3rd party certification, most people that I talk to believe that it is an essential part of the testing process and will save much time and money during trading partner testing. This comes with a caveat, that unless all the various software vendors involved in the certification process interpret the element-by-element rules the same way interoperability will not be achieved during trading partner testing the way it should. A covered entity will think they are compliant based on a company X interpretation of the rules only to find out that the community they will be testing with uses a company Y interpretation. This will cause rework on behalf of the covered entities. The same holds true when the trading partner then tries to test with a company Z interpretation and so on, and so on. I don't think it is right to push the interoperability problem to the covered entities, unless of course each certification company lets them know up front that even though they will get a certification, it won't mean much when the covered entity participates in a different trading partner community that may have different interpretations. To my knowledge, no vendor currently agrees with any other vendor assessment of transaction readiness. There are many covered entities dealing with this exact problem today.
I believe that what people were saying is that without a "standard" certification that is PORTABLE across infrastructures, the use of the term certification should be used with caution. Just using the word certification denotes to the covered entity a certain expectation that will not be able to be met. If you look at any other IT vertical outside of healthcare, you will see that certification is used in a much more stringent context that all vendors must comply to the same set of conformance tests to be called certified. For instance, If you were going to create a third party product compatible with Windows XP, you must meet Microsoft's criteria prior to receiving a "seal of approval", you cannot use another other interpretation of Microsoft implementation rules to certify. Otherwise a consumer will buy a version of say QuickBooks only to find out that it doesn't work with Windows XP because it was tested by a third party that believed it interpreted the rules set forth by Microsoft when it was really just their best guess of what Microsoft meant. Do you see where this will lead the entire industry astray. I don't think covered entities have the extra time nor extra money, much less the patience to deal with these problems. Another issue on this note is the subject of test files, you cannot run just one file or a small sample through a certification process. There is very little education going on right now to let covered entities know just how many test files need to be created to prove compliance and the need to retain these files for regression testing going forward. We are dealing with billions of dollars worth of revenue, comprehensive testing solutions should be the norm not the exception. I have a white paper written by a large and well-known certification company (that certifies much of the desktop software everyone uses today) clearly detailing the process of certification to a standard, it's stringent and detailed nature and purpose and will gladly share it with anyone that asks. You stated "There are a few ambiguous exceptions, which have been discussed tirelessly, and we'll all maintain flexibility on those items in testing, so that trading partners can work it out." Why push the problems to the covered entities, when the software vendors can work it out among themselves and save the trading partner communities all the headaches? This is not that difficult to do, it just entails cooperation from all interested parties on behalf of covered entities to ensure they have as smooth a transition as possible in October 2003, after all, the vendors will be making quite a bit of money from HIPAA transaction remediation efforts. Another point is the separation of testing types from internal testing phases. Wouldn't an entity have to test all these requirements during unit, system, and user acceptance testing phases? The process is integral throughout all the testing phases. One of the major goals during software development is to achieve what is called phase containment, which means finding and correcting errors or ambiguities prior to the next phase starting. Ideally, you don't want to find unit test errors during user acceptance testing, etc. If you waited until after internal testing is believed to be complete to get an assessment you would be guaranteed much rework and miss the project timelines. These topics should be seen as complimentary not separate. To me, the word certification should mean that you can be certified that types 1-6 testing is complete and portable. If it is not then just say partially certified or use a different term instead, at least that way the covered entity will know to allocate more time, resources and budget for further testing and rework down the road. A certification can and should be used to denote that an entire organization, or even system, is entirely compliant with a given set of standards. I believe the end goal should always be to achieve interoperability between trading partner communities and given the current climate this does not exist. Some comments hit the nail on the head. First; the time is now to get something done and I believe there is a significant group of concerned individuals and organizations (HCCO) trying to assist the industry in this regard and we could use all the help we can get to complete this ambitious initiative. Secondly, I agree that 3rd party certification is extremely important and very needed, it can and should be used as a means to relieve much of the testing burden of covered entities and that of their trading partner testing readiness and will provide a significant ROI for those covered entities that utilize such a service. Mark A Lott President & CEO HIPAA Testing, Inc. www.hipaatesting.com Executive Co-Chair HCCO - Transactions Group HIPAA Conformance Certification Organization www.hipaacertification.org Office: 480-946-7200 Cell: 480-580-4415 Fax: 877-825-8309 CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message -----Original Message----- From: Larry Watkins [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 05, 2002 9:04 PM To: Julie Thompson; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Certifications Many seem to be concerned about the differences of interpretation and implementation for testing vendors. Some seem to be convinced that entities are better off NOT obtaining 3rd party certification than obtaining it, because detailed element-by-element rules haven't been established, creating a single meaning for the term 'compliant'. I went through the 837P just to see how many 'interpretations' there are. For most elements -- there is ONE. Even the should vs. must issue doesn't add that much ambiguity. There are a few exceptions, which have been discussed tirelessly, and we'll all maintain flexibility on those items in testing, so that trading partners can work it out. The bar has already been set -- it is the X12N Implementation Guides. Fact is, TRANSACTIONS can be systematically evaluated to see if they comply with the implementation guides, barring the ambiguities I already mentioned. Granted, some vendors will do this better than others, and there are some ambiguities. However, the value of transaction certification from a credible 3rd party, as the paper indicates, still has significant value. This value is in 3 key areas (and probably more): 1) Assistance in identifying problems or issues within one's implementation, in order to significantly reduce the number of issues or problems found when exchanging with trading partners. 2) Removing the bottleneck of testing, where everyone has to wait until everyone else is ready to begin external testing. 3) The use of a trusted 3rd party solution by a trading partner as a way of scrutinizing their trading partners prior to exchanging transactions with them. This limits the amount of 'debugging' of each other's systems that trading partners have to do. I do think that we're caught in a bit of a semantic problem here as well. The WEDI SNIP white paper simply uses the term 'certification' to indicate that an independent 3rd party is willing to make a public statement about an entity's transactions. The credibility and openness of that 3rd party's methods is crucial to this. The only difference between this concept and that of testing is that it is done by a 3rd party. Perhaps this needs to be made clearer in the paper. Finally, Ramakrishna Pidaparti mentioned that there are some things missing from the WEDI SNIP Transaction Compliance and Certification white paper: "the traditional Software Testing aspects of unit, system, integration, beta, acceptance, stress, load, performance and automated testing." These are very important to the testing process, but actually come chronologically BEFORE this white paper, which deals with the external testing/certification that occurs once an entity has reason to believe they are compliant. I believe it has been suggested that a separate white paper addressing Internal Testing (which occurs before external testing) be written. I think this would serve the industry well, as these are critical issues. However, the time is NOW to get it done. April 16, 2003 is not far away. Any volunteers? Regards, Larry Watkins Vice President & COO Claredi Corporation Office: (801) 444-0339 x204 Fax: (770) 419-5295 Mobile: (770) 331-1898 e-Mail: [EMAIL PROTECTED] -----Original Message----- From: Julie Thompson [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 05, 2002 1:02 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Certifications Of course, there are exhaustive testing plans in progress. The covered entitites have millions of dollars in revenue at risk. While some vendors are available to assist them, many of their IT departments are talented and very capable of handling these requirements. Where the "bar" is set for acceptance is one of the challenges and will vary from one entity to another according to there business needs. That level of acceptance must be left to each overed entity and is not the issue here. Comparison of one entitiies concept of HIPAA compliance .vs. another is the key issue here. Thus, the need for an industry wide acceptance of what defines HIPAA compliant. Julie A. Thompson VP EDI Solutions http://www.concio.com From: "Miriam Paramore" <[EMAIL PROTECTED]> Reply-To: "Miriam Paramore" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: RE: Certifications Date: Wed, 4 Sep 2002 22:41:18 -0400 My 2 cents on this topic. The undeniable reality is that every single trading partner in healthcare today accepts the "good enough" testing method. There are no exhaustive test plans on either side. Until now, via third parties, there has been no attempt at certification against a standard. We are making progress and it should be encouraged. Perfection is a goal. To be removed from this listserv, please email [EMAIL PROTECTED] <P>The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited. _________________________________________________________________ MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx To be removed from this listserv, please email [EMAIL PROTECTED] <P>The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited. To be removed from this listserv, please email [EMAIL PROTECTED] <P>The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited. To be removed from this listserv, please email [EMAIL PROTECTED] <P>The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
