Announced this week, the HIT Policy Committee's Privacy and Security Tiger Team is seeking public comment on issues of authentication "trust" rules for information exchange between provider-entities. The Tiger Team will be evaluating trust rules at the organizational level in consideration of policy recommendations that will be presented to the HIT Policy Committee and the Office of the National Coordinator for Health IT (ONC). It is important that you make your voice heard in order to inform the deliberations of this workgroup and its recommendations. In the announcement below are a series of questions that the Tiger Team has asked the public to consider. Please take a moment to share your opinions on the answers to these questions and submit them to the ONC FACA Blog no later than next Friday, October 29. Instructions for direct comment submission are included below, or you can just reply to this email and NeHC will submit your responses to ONC on your behalf.
We appreciate your attention to this important aspect in the development of a safe and secure nationwide health information system.
ONC FACA Blog
Privacy & Security "Tiger Team" Seeks Comments on Provider-Entity Authentication – Please comment by October 29, 2010
Tuesday, October 19th, 2010 | Posted by: Deven McGraw and Paul Egerman | Category: FACA
The Privacy and Security Tiger Team is currently considering policy recommendations to ensure that authentication "trust" rules are in place for information exchange between provider-entities (or organizations). We are currently evaluating these trust rules at the organizational level, and as such, our scope here does not include authentication of individual users of electronic health record (EHR) systems. For purposes of this discussion, authentication is the verification that a provider entity (such as a hospital or physician practice) seeking access to electronic protected health information is the one claimed, and the level of assurance is the degree of confidence in the results of an authentication attempt.
We hope that we can have a robust discussion on this blog that provides valuable input on this topic. All comments are welcome, but we particularly encourage you to consider the following questions:
- What strength of provider-entity authentication (level of assurance) might be recommended to ensure trust in health information exchange (regardless of what technology may be used to meet the strength requirement)?
- Which provider-entities can receive digital credentials, and what are the requirements to receive those credentials?
- What is the process for issuing digital credentials (e.g., certificates), including evaluating whether initial conditions are met and re-evaluation on a periodic basis?
- Who has the authority to issue digital credentials?
- Should ONC select an established technology standard for digital credentials, and should EHR certification include criteria that test the capability to communicate using that standard for entity-level credentials?
- What type of transactions must be authenticated, and is it expected that all transactions will have a common level of assurance?
Please comment by October 29, 2010, and identify which question(s) you are responding to.
Deven McGraw and Paul Egerman
Privacy and Security Tiger Team Co-Chairs