Tiger team proposes authentication policies for data exchange

Deven McGraw, chair of the tiger team and director of the health privacy project at the Center for Democracy and Technology

A Department of Health and Human Services advisory group has proposed broad steps that healthcare organizations should take in order to establish their corporate identities for the simple exchanges of patient information that will be required under the first stage of meaningful use.

All organizations involved in health data exchange should have digital credentials, such as electronic certificates, to assure they are who they say they are, according to the privacy and security tiger team, which works under HHS's Health IT Policy Committee.

The team proposed authentication policies for the direct electronic exchange of health records between providers, where sender and receiver are most likely known to each other. Authentication, one of the guardrails of privacy and security, is critical when transactions involve any patient risk or the potential exposure personal health information, according to tiger team members.

The Office of the National Coordinator wants to build the public's confidence in simple organization-to-organization electronic health record exchanges using its NHIN Direct project, a streamlined version of nationwide health information network specifications.

The goal of authentication is to assure that computer systems link to the correct organization's gateway in such transactions, said Deven McGraw, chair of the tiger team and director of the health privacy project at the Center for Democracy and Technology.

"For the lightweight set of recommendations for stage one, there is an assumption that the organizations are more likely to know one another even if their computers don't know one another" said McGraw.

"That is likely to change in stages two and three," she said at a Nov. 12 meeting of the tiger team to finalize recommendations that it plans to submit to the policy committee Nov. 19.

Looking for balance

The group has tried to find a balance between an appropriate level of confidence in an identity and the cost and business burden to establish authentication of organizations. It has concentrated on steps for authenticating organizations only. The tiger team may consider authentication of individuals when it wrestles with more privacy and security issues next year, McGraw said.

"Electronic health records should be able to accommodate any authentication policies that organizations mandate," McGraw said, adding "we have a lever in certification to make sure the systems have the capability to be authenticated and digitally credentialed."

Eventually, EHRs will have to support two-factor authentication as health information exchange becomes more complex.