• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Summary of Recommendations on Provider and Patient Identity Management
 

Summary of Recommendations on Provider and Patient Identity Management

on

  • 909 views

Deven McGraw, Center for Democracy & Technology (Co-Chair, Tiger Team) ...

Deven McGraw, Center for Democracy & Technology (Co-Chair, Tiger Team)
Walter Suarez, Kaiser Permanente, (Co-Chair, Privacy & Security Working Group, HITSC)
Peter Tippett, Chief Medical Officer, Verizon
Elizabeth Franchi, Director, Veterans Health Administration Data Quality Program
Paul Uhrig, Chief Administrative, Legal & Privacy Officer, Surescripts

Statistics

Views

Total Views
909
Views on SlideShare
577
Embed Views
332

Actions

Likes
0
Downloads
3
Comments
0

18 Embeds 332

http://www.ahier.net 138
http://ahier.blogspot.com 117
http://newsblur.com 21
http://www.ahier.blogspot.com 21
http://www.newsblur.com 11
http://medicalhealthplan.org 9
http://ahier.blogspot.nl 3
http://www.ahier.blogspot.ru 2
http://cloud.feedly.com 1
http://webcache.googleusercontent.com 1
http://www.ahier.blogspot.ca 1
http://www.ahier.blogspot.fi 1
http://ahier.blogspot.in 1
http://plus.url.google.com 1
http://www.wellsphere.com 1
http://ahier.blogspot.co.uk 1
http://ahier.blogspot.ca 1
http://reitbok4.rssing.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution-ShareAlike LicenseCC Attribution-ShareAlike License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Summary of Recommendations on Provider and Patient Identity Management Summary of Recommendations on Provider and Patient Identity Management Presentation Transcript

    • Privacy and Security Tiger TeamSummary of Recommendations on Provider andPatient Identity ManagementMay 21, 2013Deven McGraw, Center for Democracy & Technology (Co-Chair, Tiger Team)Walter Suarez, Kaiser Permanente, (Co-Chair, Privacy & Security Working Group, HITSC)Peter Tippett, Chief Medical Officer, VerizonElizabeth Franchi, Director, Veterans Health Administration Data Quality ProgramPaul Uhrig, Chief Administrative, Legal & Privacy Officer, Surescripts
    • Providers (September 26, 2012)1. Providers should continue to ID proof professional &staff per HIPAA.2. By Meaningful Use Stage 3, ONC should movetoward requiring multi-factor authentication(meeting NIST Level of Assurance (LOA) 3) for remoteaccess to protected health information; entities canidentify other access environments necessitatinghigher authentication levels.3. ONC’s work to implement these recommendationsshould continue to be informed by NSTIC andtechnology developments, and appropriatelyaccount for provider workflow needs whileestablishing a secure environment.2
    • Patients (May 3, 2013)• ONC should develop and disseminate best practices onpatient ID management; such best practices should beeasy for patients to use, leverage solutions in othersectors (like banking), provide protectionscommensurate with risk.• Patients should be able to ID proof both in person andremotely (ideally)• Authentication should be more than user name andpassword but not set the bar too high (“Level 2.5”).• Solutions should evolve with technology and beinformed by NSTIC developments.3
    • HIT Standards CommitteePatient Identity Management• Need to uniquely identify patients for various purposes– Query of patient data, linking data from multiple sources,authorize patient access to data, other• Lack of reliable means to identify patients continues to beseen broadly as a significant challenge to care delivery,continuity of care, and health care quality• Multiple efforts currently underway to adopt/use ‘voluntary’patient identifiers within secure systems• No formal recommendations developed yet– Important that regulations allow progress and innovationto occur in this arena4
    • HIT Standards CommitteeProvider Identity Management• Per policy direction, the overall expectation is to followNIST criteria for LOA using SP-800-63-2.• EHR technology should be configurable to enable anorganization to require different levels of authenticationand identity proofing, based on role within organization• For example– Physicians and other providers with full access andwrite/edit capabilities should have IDP to at leastNIST Level 3– Non-clinical staff without write/edit capabilitiesmight more appropriately have IDP to NIST Level 25
    • HIT Standards CommitteeProvider Identity Management (cont.)• NSTIC offers benefits for authenticating both consumers andproviders• For MU Stage 3, EHR certification can require EHRs to support 2-factor authentication and permit one of the factors to be a third-party solution, in anticipation of NSTIC credentials becomingavailable• We also may see consumers presenting NSTIC credentials beforeNSTIC has been broadly adopted by providers• Not sure that a fully operational NSTIC approach will be ready intime for MU stage 36
    • Roundtable DiscussionDeven McGrawWalter SuarezPeter TippettElizabeth FranchiPaul Uhrig