Authentication for Health Data Exchange

Panel Calls for Digital Certificates for Organizations
All organizations involved in any type of health information exchange should be required to have digital certificates to authenticate their identities, a panel advising federal regulators on policy issues recommends.

The Healthcare IT Policy Committee approved the recommendation, prepared by the Privacy and Security Tiger Team.

Next, the Office of the National Coordinator for Health Information Technology, a unit of the Department of Health and Human Services that's better known as ONC, will consider whether to incorporate the recommendation into new federal rules guiding health information exchanges.

The Role of Digital Certificates

The digital certificate requirement is for identifying organizations, and not individuals, exchanging electronic health records and other health information through HIEs or other networks. In other words, it addresses the "handshake" connection between EHR systems or computers at two organizations, explains Deven McGraw, co-chair of the tiger team. She's director of the health privacy project at the Center for Democracy & Technology.

The authentication requirement is part of a broader effort to build public trust in the exchange of EHRs and other health information. It's designed to ensure no one can assume the identity of an organization to inappropriately access sensitive patient information.

The HITECH Act provided funding to the states for creating statewide HIEs to ease the sharing of information. It also called for standards and guidelines, now in development, to enable the national exchange of data among HIEs and others.

Hospitals, clinics, personal health record providers, business associates, pharmacies, labs and others would need to get a digital certificate to exchange patient information, if federal regulators adopt the recommendation the committee approved Nov. 19.

Accrediting Digital Certificate Issuers

The tiger team recommendations, approved by the HIT Policy Committee, also call for:

  • Having ONC create an accreditation program for designating multiple certificate issuers. Multiple issuers will be needed because so many healthcare organizations will need the certificates, McGraw says. Issuers could include, for example, state or federal agencies, HIEs or even certain technology vendors, she adds.
  • Including in the stage 2 requirements for the HITECH Act's EHR incentive program that certified EHR software must have the capability to retrieve, validate, use and revoke digital certificates and comply with certificate standards that ONC will develop. The stage 1 software certification requirements for the program, which begins next year, have already been completed.

Digital certificates contain a public encryption key that, when used in combination with its paired private key, can authenticate the certificate holder's identity. The certificates also contain information about the organization.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
