Setting the Standard
Table of Contents
I take full cognizance of the conflict inherent in my writing about "who should write standards?" I am, after all, co-chair of a technical committee in an ANSI-accredited SDO (XML TC of Health Level 7). I am chair of the group charged by the TC to draft an XML document architecture for healthcare. Worse, I am under contract to HL7 working on one project and worse yet, in negotiations with them over another standards-writing project.
Chutzpah acknowledged, I can only say that my aspiration for this piece is that it be called a candid insider perspective. To the charge that my own view colors the picture, I confess a hearty mea culpa.
Setting the Standard
There is an anomaly about high-tech standards writing. To folks outside the industry, they are a high-potency soporific. To insiders, they have been described as the ultimate techie rush. This disparity is not such a bad thing. It has meant that some very bright people have quietly donated great chunks of time to making standards work, while the outside world has provided little in the way of either help or interference. But it is not at all clear that the system, or lack of system, will scale.
It is time to ask some fundamental questions: Who should write standards? What kind of organization, with what type of by-laws and membership, and who should pay for it? What makes for the greatest good and can sustain innovation, competition, and cooperation? What has produced good results in the past and what can we learn from this to guide the future? In his article, "The OASIS Process for Structured Information Standards," Jon Bosak lays out a strong case for firm, known, time-tested open committee processes with some adjustment for the composition of a sometimes-virtual technical committee. This article looks at the larger support framework for such processes and asks what kind of organization writes the best standards and how should this work be supported.
Well, how important is it where a railroad will be built? Where the stations be will located? The gauge of the tracks? This infrastructure will be with us for a long, long time. If we screw up this technical infrastructure, either the trains won't run or they will have YouKnowWhoSoft written on every car.
The code written on the backs of the DOM, SAX, and XML is still fresh, but how long will it be before the dependency on these specifications is as deeply embedded as the code for the two-digit year? At its simplest, Y2K was a failure of the standards writing process.
Another way to answer this question -- How important is standards writing? -- is to step outside of high tech and look at governance of comparable, non-technical processes. Controlling the specification linking electronic documents seems no less vital than setting the standards for materials, dimension, and durability regarding an interchange on the interstate highway system. Yet our much-touted information superhighway is in the hands of a scattering of private, member-driven consortia and de facto processes. Jurisdiction is anarchic, determined by professional politics, market force, and the law of first come, first served.
Personally, I'm not at all sure that this is all bad. I have grave doubts whether a government agency can be effective in directing the creation of a high tech standard or specification. Right now in healthcare, in the US, we have a mandate from Congress to the Department of Health and Human Services to create such standards. To its credit, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) advocates that the specifications themselves be developed and maintained under the care of a bona fide standards development organization (SDO). For the most part, the role of HHS has been to choose among existing standards, and to foster standards development where needed.
The Department has led an exceptionally open process, creating industry advisory groups and liaisons to standards organizations, and sifting millions of comments on proposed regulations. At the end of the day, however, HIPAA is bearing down on the industry as one more problem, rather than one more solution.
HIPAA carries the subtitle "Administrative Simplification" but, according to Health Data Management, "there is nothing simple about the administrative simplification provisions." The magazine reports that in February the American Medical Association said that "despite the best intentions of federal officials, the complexity of the proposed privacy rule unacceptably increases administrative burdens for physicians while inadequately protecting patient confidentiality." [HDM, April 2000, p.85 "The Dawn of HIPAA."] Modern Healthcare reports government claims that HIPAA will save $1.5 billion over five years, while sources in the industry debate how many multiples of the $8.5 billion spent on Y2K HIPAA will consume. [Modern Healthcare, January 31, 2000, p.5]
There is no doubt that standards are desperately needed. The legislation, lobbied for by industry, acknowledges a gross failure in self-regulation. The cost of HIPAA must be weighed against the cost of not doing it. The only thing that could be worse would be to try and to fail.
One catch-22 in the legislation states that HHS will write requirements using existing standards. This is a well-intentioned directive not to reinvent an American Standard Code for Information Interchange (ASCII). The effect, however, on a regulation process that takes two or more years and then is frozen for one year after issuance is to disallow the use of current and emerging technical specifications. The HIPAA regulations, in the works since 1996, will use proprietary EDI syntax well into this millennium.
Given the immense difficulty of adapting a civil service to rapid change and the general cyber distrust of government everywhere, I don't expect to see a wave of demand for direct government oversight of high tech standards. On the other hand, I think it is time to ask how the agencies of the common good (to avoid the "government" label) can support this work.
In the US, we have a National Institute of Standards and Technology (NIST), which is an agency of the US Department of Commerce, and is supported through tax dollars and fees for service. We also have the privately funded American National Standards Institute (ANSI). Certainly, they have the talent and expertise to understand the issues better than most career bureaucrats, but they have not projected themselves into the center of this activity.
NIST's mission, according to their web site, could be interpreted as creating standards. They are heavily involved in standards testing and have very little on-going in the origination of standards. NIST hosts the Interagency Committee on Standards Policy (ICSP), which ensures government adoption of standards. The list of current work products reflects a role as booster and enforcer of standards-based procurement, but it begs the question of who creates the standards that the ICSP supports.
Closer to the bone, the NIST Voluntary Products Standards Program will actually administer the development and publication of a standard, when approached by a qualifying group. One qualification is that the applicant provides the funds. The purpose of VPSP is "to establish nationally recognized requirements for products." In this capacity, NIST acts "as an unbiased coordinator in the development of these standards, provides editorial assistance in their preparation, supplies such assistance and review as is required to assure their technical soundness and to seek satisfactory adjustment of valid points of disagreement." Not a bad description of what is required for administrative support, but this facility has not been taken up by the high tech world. According to the NIST web site, current standards that mention "soft" did so in the context of "wood" -- as in plywood and softwood.
The American National Standards Institute (ANSI) is a private, nonprofit membership organization. It is not itself a standards body, but a vetter of standards bodies. It "facilitates [standards] development by establishing consensus among qualified groups. The Institute ensures that its guiding principles -- consensus, due process and openness -- are followed by the more than 175 distinct entities currently accredited." This is not a bad thing, but how well does it track and monitor the 175 entities and the 14,650 approved standards (a number that grew by five percent in 1999)? Certainly, any oversight by ANSI is better than none, but its role as accrediting organization cannot work without the existence and cooperation of the SDOs themselves.