
Tiger team proposes provider authentication in simple exchanges

By Mary Mosquera

A Health & Human Services Department advisory group has proposed broad steps that healthcare organizations should take in order to establish their corporate identities for the simple exchanges of patient information that will be required under the first stage of meaningful use.

All organizations involved in health data exchange should have digital credentials, such as electronic certificates, to assure that they are who they say, according to the privacy and security tiger team, which works under HHS's Health IT Policy Committee.

The team proposed authentication policies for the direct electronic exchange of health records between providers, where sender and receiver are most likely already known to each other. Authentication, one of the guardrails of privacy and security, is critical when transactions involve any patient risk or the potential exposure of personal health information, according to tiger team members.

The Office of the National Coordinator wants to build the public's confidence in simple organization-to-organization electronic health record exchanges using its NHIN Direct project, a streamlined version of nationwide health information network specifications. NHIN is a set of standards and services that enables providers to share data securely through the Internet.

The goal of authentication is to assure that computer systems link to the correct organization's gateway in such transactions, said Deven McGraw, chair of the tiger team and director of the health privacy project at the Center for Democracy and Technology.

"For the lightweight set of recommendations for stage one, there is an assumption that the organizations are more likely to know one another even if their computers don't know one another," McGraw said.

"That is likely to change in stages 2 and 3," she said at a Nov. 12 meeting of the tiger team to finalize recommendations that it plans to submit to the policy committee Nov. 19.

The group has tried to find a balance between an appropriate level of confidence in an identity and the cost and business burden of establishing authentication of organizations. It has concentrated on steps for authenticating organizations only. The tiger team may consider authentication of individuals when it wrestles with more privacy and security issues next year, McGraw said.

"Electronic health records should be able to accommodate any authentication policies that organizations mandate," McGraw said, adding that "we have a lever in certification to make sure the systems have the capability to be authenticated and digitally credentialed."

Eventually, EHRs will have to support two-factor authentication as health information exchange becomes more complex.

To obtain digital certificates, organizations will have to demonstrate that they are a legitimate business, using a business license or financial account, and that they participate in healthcare transactions required for meaningful use.

Multiple categories of organizations, such as vendors and state agencies, will need to issue digital credentials in order to meet the demand for secure health information exchange, McGraw said.

Groups that perform credentialing should build on existing criteria or processes. "Issuers of digital certificates should bootstrap onto existing processes as much as possible, and the national provider identifier would be one of them," McGraw said.

For example, the National Plan and Provider Enumeration System collects identifying information on healthcare providers and assigns each a unique identifier under the Health Insurance Portability and Accountability Act.