Privacy & Security “Tiger Team” Seeks Comments on Provider-Entity Authentication
Please comment by October 29, 2010
Tuesday, October 19th, 2010 | Posted by: Deven McGraw and Paul Egerman and reposted here by e-Healthcare Marketing.
The Privacy & Security Tiger Team is currently considering policy recommendations to ensure that authentication “trust” rules are in place for information exchange between provider-entities (or organizations). We are currently evaluating these trust rules at the organizational level, and as such, our scope here does not include authentication of individual users of electronic health record (EHR) systems. For purposes of this discussion, authentication is the verification that a provider entity (such as a hospital or physician practice) seeking access to electronic protected health information is the one claimed, and the level of assurance is the degree of confidence in the results of an authentication attempt.
We hope that we can have a robust discussion on this blog that provides valuable input on this topic. All comments are welcome, but we particularly encourage you to consider the following questions:
- What strength of provider-entity authentication (level of assurance) might be recommended to ensure trust in health information exchange (regardless of what technology may be used to meet the strength requirement)?
- Which provider-entities can receive digital credentials, and what are the requirements to receive those credentials?
- What is the process for issuing digital credentials (e.g., certificates), including evaluating whether initial conditions are met and re-evaluation on a periodic basis?
- Who has the authority to issue digital credentials?
- Should ONC select an established technology standard for digital credentials and should EHR certification include criteria that tests capabilities to communicate using that standard for entity-level credentials?
- What type of transactions must be authenticated, and is it expected that all transactions will have a common level of assurance?
Please comment by October 29, 2010, and identify which question(s) you are responding to.
Thank you,
Deven McGraw and Paul Egerman
Privacy & Security Tiger Team Co-Chairs
Please comment directly on ONC Health IT Buzz blog by clicking on this link.