Authentication for Health Data Exchange: Panel Calls for Digital Certificates for Organizations
The Healthcare IT Policy Committee approved the recommendation, prepared by the Privacy and Security Tiger Team.
Next, the Office of the National Coordinator for Health Information Technology, a unit of the Department of Health and Human Services that's better known as ONC, will consider whether to incorporate the recommendation into new federal rules guiding health information exchanges.
The Role of Digital Certificates
The digital certificate requirement is for identifying organizations, and not individuals, exchanging electronic health records and other health information through HIEs or other networks. In other words, it addresses the "handshake" connection between EHR systems or computers at two organizations, explains Deven McGraw, co-chair of the tiger team. She's director of the health privacy project at the Center for Democracy & Technology.
The authentication requirement is part of a broader effort to build public trust in the exchange of EHRs and other health information. It's designed to ensure no one can assume the identity of an organization to inappropriately access sensitive patient information.
The HITECH Act provided funding to the states for creating statewide HIEs to ease the sharing of information. It also called for standards and guidelines, now in development, to enable the national exchange of data among HIEs and others.
Hospitals, clinics, personal health record providers, business associates, pharmacies, labs and others would need to get a digital certificate to exchange patient information, if federal regulators adopt the recommendation the committee approved Nov. 19.
Accrediting Digital Certificate Issuers
The tiger team recommendations, approved by the HIT Policy Committee, also call for:
- Having ONC create an accreditation program for designating multiple certificate issuers. Multiple issuers will be needed because so many healthcare organizations will need the certificates, McGraw says. Issuers could include, for example, state or federal agencies, HIEs or even certain technology vendors, she adds.
- Including in the stage 2 requirements for the HITECH Act's EHR incentive program that certified EHR software must have the capability to retrieve, validate, use and revoke digital certificates and comply with certificate standards that ONC will develop. The stage 1 software certification requirements for the program, which begins next year, have already been completed.
Digital certificates contain a public encryption key that, when used in combination with its paired private key, can authenticate the identity holder. The certificates also contain information about the organization.
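The following is an added example, not code from the article or from ONC, showing in miniature what the recommendations ask certified EHR software to do: retrieve an organization's certificate, validate it against an accredited issuer, honor revocation, and use the paired private key to authenticate the holder during the organization-to-organization handshake. It uses the third-party `cryptography` package; the issuer and organization names, the fixed clock, and the helper function names are all constructed for the example.

```python
# Added example (not from the article): a minimal model of the organization-level
# certificate "handshake". An accredited issuer (a CA) signs an organization
# certificate; the relying party validates it against the issuers it trusts,
# checks revocation, and makes the peer prove it holds the matching private key.
# Requires the third-party `cryptography` package. All names are constructed.
import datetime
import os
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.exceptions import InvalidSignature

NOW = datetime.datetime(2024, 6, 1)  # fixed clock so the example is deterministic
ONE_DAY = datetime.timedelta(days=1)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _builder(subject, issuer, public_key, is_ca):
    return (x509.CertificateBuilder()
            .subject_name(_name(subject)).issuer_name(issuer)
            .public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - ONE_DAY).not_valid_after(NOW + 365 * ONE_DAY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))


def make_issuer(name):
    """Self-signed CA standing in for an accredited certificate issuer."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _builder(name, _name(name), key.public_key(), True).sign(key, hashes.SHA256())
    return key, cert


def issue_org_cert(ca_key, ca_cert, org_name):
    """The issuer binds an organization's name to that organization's public key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _builder(org_name, ca_cert.subject, key.public_key(), False).sign(ca_key, hashes.SHA256())
    return key, cert


def make_crl(ca_key, ca_cert, revoked_serials):
    """The issuer publishes a signed certificate revocation list (CRL)."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW - ONE_DAY).next_update(NOW + ONE_DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())


def validate_org_cert(cert, trusted_issuers, crls, now=NOW):
    """Return None if the certificate is acceptable, otherwise the reason it is not."""
    issuer = next((c for c in trusted_issuers if c.subject == cert.issuer), None)
    if issuer is None:
        return "issuer not accredited"        # signed by a CA we do not recognise
    try:                                      # issuer's signature over the cert body
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "signature invalid"
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return "outside validity period"
    for crl in crls:                          # only trust CRLs the issuer itself signed
        if (crl.issuer == cert.issuer and crl.is_signature_valid(issuer.public_key())
                and crl.get_revoked_certificate_by_serial_number(cert.serial_number)):
            return "revoked"
    return None


def prove_possession(org_key, nonce):
    """The presenting organization signs a fresh challenge with its private key."""
    return org_key.sign(nonce, padding.PKCS1v15(), hashes.SHA256())


def check_possession(cert, nonce, signature):
    """The relying party checks the challenge with the public key in the certificate."""
    try:
        cert.public_key().verify(signature, nonce, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def demo():
    """Run the handshake for an accredited, an unaccredited and a revoked certificate."""
    ca_key, ca_cert = make_issuer("Constructed Accredited Issuer")
    rogue_key, rogue_cert = make_issuer("Constructed Unaccredited Issuer")
    clinic_key, clinic_cert = issue_org_cert(ca_key, ca_cert, "Constructed Clinic")
    _, lab_cert = issue_org_cert(ca_key, ca_cert, "Constructed Lab")
    _, fake_cert = issue_org_cert(rogue_key, rogue_cert, "Constructed Clinic")
    crl = make_crl(ca_key, ca_cert, [lab_cert.serial_number])  # lab's cert withdrawn
    nonce = os.urandom(32)
    return {
        "good": validate_org_cert(clinic_cert, [ca_cert], [crl]),
        "rogue": validate_org_cert(fake_cert, [ca_cert], [crl]),
        "revoked": validate_org_cert(lab_cert, [ca_cert], [crl]),
        "possession_ok": check_possession(clinic_cert, nonce, prove_possession(clinic_key, nonce)),
        "possession_wrong_key": check_possession(clinic_cert, nonce, prove_possession(rogue_key, nonce)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the recommendation turns on is visible in `demo()`: a certificate that names "Constructed Clinic" but was signed by an issuer outside the accredited set is rejected before its contents are even looked at, and a certificate the issuer has withdrawn is rejected by the CRL check. Presenting the certificate alone proves nothing; only the challenge signed with the paired private key ties the connection to the organization named in it. A production deployment would fetch certificates and CRLs from the issuer rather than build them in memory, and would layer this on TLS rather than a hand-rolled challenge.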