The Tiger Team, comprised of members from the Office of the National Coordinator (ONC) for Health Information Technology (HIT) Policy Committee and the HIT Standards Committee, as well as the National Committee on Vital and Health Statistics, was appointed in June 2010 to address privacy and security issues under the Health Information Technology for Economic and Clinical Health (HITECH) Act, including health information exchanges (HIEs). The Tiger Team is also charged with making recommendations to the HIT Policy Committee on privacy and security policies and practices that will help build public trust in health information technology and electronic HIEs, and enable their appropriate use to improve healthcare quality and efficiency.
In an effort to develop policy recommendations to ensure that authentication rules are in place for information exchange between provider-entities of an HIE at an organizational level, the Tiger Team requested that the public provide comments by November 5, 2010, on provider-entity authentication. On November 19, 2010, the Tiger Team presented its recommendations on provider-entity authentication to the HIT Policy Committee after review of the 62 comments it received from the public.
For purposes of information exchange between provider-entities, the Tiger Team defines “authentication” as the verification of the identity of a provider entity (such as a hospital or physician practice) seeking access to electronic protected health information, and the “level of assurance” is the degree of confidence in the results of an authentication attempt. The recommendations, approved by the HIT Policy Committee, are part of the Tiger Team’s broader effort to build public trust in the exchange of electronic health records and other health information. The recommendations are designed to ensure that no one can assume the identity of an organization to inappropriately access sensitive patient information.
The Tiger Team recommendations on provider-entity authentication include the following:
- All entities involved in health data exchange should be required to have digital certificates. This includes covered entities, business associates, personal health records providers, public health entities, pharmacy benefit managers, retail pharmacies, durable medical equipment suppliers, labs, imaging centers and non-providers including payers, claims clearinghouses and health information organizations.
- Organizations seeking digital certificates must demonstrate that: 1) the entity exists as a legitimate business (or a valid business entity); and 2) the entity participates in the types of health care transactions required for meaningful use.
- Credentialing organizations/certificate issuers should rely on existing criteria and processes when applicable.
- Multiple credentialing entities will be needed to support the issuance of digital certificates given the number of healthcare entities that will require them (e.g., vendors and state agencies might be authorized to issue certificates).
- Digital certificates should contain an expiration date requiring renewal at least yearly or when there is a material change in the evidence originally submitted. Any entity willing to assume attendant risks (i.e., be held accountable for achieving a high level of accuracy/assurance) and meet established standards can issue digital certificates.
- ONC should establish an accreditation program for reviewing and authorizing certificate issuers. The Tiger Team notes that annual credentialing of entities is not enough.
- ONC, through the Standards Committee, should select or specify standards for digital certificates (including data fields) to promote interoperability among health care organizations.
- Electronic health records certification should include criteria that tests capabilities to retrieve, validate, use, and revoke digital certificates that comply with standards.
Notably, the Tiger Team’s recommendations require entities participating in HIEs to have the technical capability to implement and use digital certificates. As such, hospitals, clinics, personal health record providers, business associates, pharmacies, labs and others would need to obtain and maintain digital certificates to exchange patient information if the recommendations are adopted in federal regulations.
Further, if adopted in federal regulations, a formal process will need to be established to validate would-be participants to ensure they are legitimate organizations and to issue credentials to approved entities. The ONC will consider whether to incorporate the recommendation into federal regulations guiding HIEs.
To view the complete recommendations click here.1 For more information on other Tiger Team privacy and security recommendations, including but not limited to, recommendations applying to electronic exchange of patient identifiable health information among known entities to meet Stage I of meaningful use, fair information practices, and patient consent, please click here.2