Tiger team proposes authentication policies for data exchange
A Department of Health and Human Services advisory group has proposed broad steps that healthcare organizations should take in order to establish their corporate identities for the simple exchanges of patient information that will be required under the first stage of meaningful use.
All organizations involved in health data exchange should have digital credentials, such as electronic certificates, to assure they are who they say they are, according to the privacy and security tiger team, which works under HHS's Health IT Policy Committee.
The team proposed authentication policies for the direct electronic exchange of health records between providers, where sender and receiver are most likely known to each other. Authentication, one of the guardrails of privacy and security, is critical when transactions involve any patient risk or the potential exposure of personal health information, according to tiger team members.
The Office of the National Coordinator wants to build the public's confidence in simple organization-to-organization electronic health record exchanges using its NHIN Direct project, a streamlined version of nationwide health information network specifications.
The goal of authentication is to assure that computer systems link to the correct organization's gateway in such transactions, said Deven McGraw, chair of the tiger team and director of the health privacy project at the Center for Democracy and Technology.
"For the lightweight set of recommendations for stage one, there is an assumption that the organizations are more likely to know one another even if their computers don't know one another," said McGraw.
"That is likely to change in stages two and three," she said at a Nov. 12 meeting of the tiger team to finalize recommendations that it plans to submit to the policy committee Nov. 19.
Looking for balance
The group has tried to find a balance between an appropriate level of confidence in an identity and the cost and business burden to establish authentication of organizations. It has concentrated on steps for authenticating organizations only. The tiger team may consider authentication of individuals when it wrestles with more privacy and security issues next year, McGraw said.
"Electronic health records should be able to accommodate any authentication policies that organizations mandate," McGraw said, adding, "We have a lever in certification to make sure the systems have the capability to be authenticated and digitally credentialed."
Eventually, EHRs will have to support two-factor authentication as health information exchange becomes more complex.
To obtain digital certificates, organizations will have to demonstrate they are a legitimate business, using a business license or financial account, and that they participate in healthcare transactions required for meaningful use.
Multiple categories of organizations, such as vendors and state agencies, will need to issue digital credentials in order to meet the demand for secure health information exchange, McGraw said.
Groups that perform credentialing should build on existing criteria or processes. "Issuers of digital certificates should bootstrap onto existing processes as much as possible, and the national provider identifier would be one of them," McGraw said.
For example, the National Plan and Provider Enumeration System collects identifying information on healthcare providers and assigns each a unique identifier under the Health Insurance Portability and Accountability Act.