...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Kantara Initiative Health Identity Assurance WG Teleconference

...

Date and Time

Date: Thursday, 6 June 2013 
Time: 10:00 PT | 12:00 CT | 13:00 ET
Dial in: TurboBridge Conferencing

• • Skype: +99051000000481
  • North American Dial-In: +1-805-309-2350
  • Room Code: 613-2898
  • For more dial-in information, see: http://kantarainitiative.org/confluence/display/GI/Telco+Bridge+Info 

Health Identity Assurance Working Group Home Page

HIAWG Wiki Home

Agenda

1. Administration:
   
   1. Roll Call
   2. Agenda Confirmation
   3. Leadership Nominations / Election
   4. Upcoming Events page: http://kantarainitiative.org/confluence/x/pYDWAw
   5. Report out from latest LC meeting
2. Discussion
   
   1. New Mission Statement for the Group
   2. WG Charter 
   3. Aligning efforts with DirectTrust.org, EHNAC, and IDESG 
   4. Deliverables for on-boarding healthcare worker digital identities
3. Presentation on “A Privacy Strategy for the United States Healthcare Industry” (see attached)  - Barry Hieb
4. AOB
   1. (proposed for next meeting) Presentation on conducting risk assessments for apps dealing with PHI - Linda Goettler
5. Adjourn

 Attendees

...

Voting

• Barry Hieb
• Laurie Tull
• Pete Palmer
• Andrew Hughes
• Minze Chien
• Rick Moore

Non-Voting

• Bill Braithwaite 
• Nathan Faut

Staff

...

• None 

Administration 

...

• Discussion

Feedback to the Government of Canada on "Guidelines on Identity Assurance"

• Call for verbal comments or discussion prior to written response
• Due to day-job time commitments, little progress
• Ken offered to extend the deadline for comments to June 13 2013
• Question: how does the Canadian document relate to similar docs from US or UK? Answer: the material was reviewed during document development. NZ & UK gov has provided comments so far.

RP Guidelines

• Myisha notified that a draft call for participation has been sent out to the list 
• Please send feedback

Ad Hoc Team Updates

Alignment with SP 800-63

• Richard Wilsher provided a join.me 
• Work to date has been distributed to IAWG list
• Has restructured 800-63-2 to make analysis easier
• Kantara talks about Subscriber and Subjects - NIST does not differentiate: they only use Subscriber - check the glossary section
• 5.3 6.3 7.3 8.3 9.3 have been mapped - has skipped overviews and tutorial sections
• Has added sub-numbering to enable more specific discussion
• 5.3 section: the way 800-63-2 treats different LOAs is a bit mixed. RGW has re-sorted them into sections by LOA
• Has broken down distinct requirements even if they originally appeared in single statements
  
  • then mapped each to the existing KI IAF item
  • there is a Many:Many relationship
• In the KI SAC - has inserted indexes back into the modified 800-63
  
  • Note that there are SAC criteria that do not have an equivalent 
• Comment: for those extra items, they originally came from Good Practice - Kantara's aim is to determine if the organization is sound. NIST assumes that Government Agencies are sound and following GSA guidance
• Comment: Some of the items that are not specifically 800-63 criteria might actually be Privacy criteria
  
  • To create a Privacy profile, just go through the SAC and annotate them
• There are some puzzling items
  
  • e.g. 5.3.1.2.5 question about item c) - it reads as if the bullets apply to all LOAs - it is difficult to disentangle the statements - is this a change request to NIST? RGW needs feedback.
• Red Text to indicate where there might be the opportunity to define a US Profile:
  
  • 800-63-2 becomes very specific - there may be other options that could meet the criteria. 
  • There might be options that work outside of the US. 
  • These might be criteria that could be less specific in the SAC and use the US profile to include the more prescriptive material
  • There are items that do not currently exist in the SAC - question is do they need to be added?
• Requested comments by 20 June 2013
  
  • RGW will send out a formal request for comment with a formal comments form
• Intent with this work is
  
  • Result will be a Kantara owned publication
  • The mapping document will remain publicly viewable
  • Will be provided to NIST as suggestions for updates
• The Comments back to RGW should eventually be posted to the wiki to enable future understanding of rationale
• Comment: once the work is done, should schedule a IAWG F2F in DC area to discuss the approach and documents to update NIST and seek feedback

AOB

...

• Leadership Nominations / Election
  
  • Meeting is not quorate
• Upcoming Events page: http://kantarainitiative.org/confluence/x/pYDWAw
  
  • Send updates to staff@kantarainitiative.org
  • Noted that Allan Foster is speaking today at the Michigan HIE event
• Report out from latest LC meeting
  • Quarterly reports - HIAWG is waaaay behind
    
    • The quarterly report will be changed into a monthly survey to make it easier to provide information
  • Exec Director report - not much on this call
  • Election rounds happening soon
  • New work items: 
    
    • New Kantara Discussion Group - Identity of Things
  • Reached out to a University to see if interns can be sourced to help with secretary roles
  • WG Updates
  • Board of Trustees - 2 new orgs have been Approved as CSP - announcements soon
  • Will be a F2F LC meeting June 20-21 in Portland

Discussion

New Mission Statement for the Group

• • Discussed the need for refocusing and fixing the charter
  • ACH to post a draft of the goals and mission statement for discussion
  • Important to note that HIAWG is the only forum for recommending adjustments to the KI IAF 

Aligning efforts with DirectTrust.org, EHNAC, and IDESG 

• • There is a pilot project underway that is examining how Health Providers might be ID Proofed once in an environment.
  • This might be a very good proving ground for the Direct-Kantara MOU

Deliverables for on-boarding healthcare worker digital identities

• • Carried over to next meeting

Presentation - Barry Hiebe

NOTE: Link to the Privacy whitepaper here: http://kantarainitiative.org/confluence/download/attachments/64389330/privacywhitepaper5-21-13.pdf

• The Privacy white paper proposes an approach for privacy in the US Healthcare environment
  
  • Published a few weeks ago by Global Patient Identifiers Inc. (GPII)
  • Healthcare Privacy environment is very complex
  • Some design considerations:
    
    • each individual has requirements
    • the system must be voluntary - if, when, how to participate
    • must be very simple
    • must be flexible
    • must work with existing systems - this is very challenging - no existing commonality wrt security, privacy, data segregation
    • patients and physicians must be empowered
    • concern has been raised that if there is good privacy, then standard of care will suffer - false dichotomy
    • allow for exceptions - e.g. break the glass scenario & its reversibility
    • make it as hard as possible to make errors, but as easy as possible to recover from errors
    • must be inexpensive to implement and operate
  • Accurate Patient Identification is essential
  • Suggest creating 2 types of identifier: Public and Private - give these to the patient and have them apply them as appropriate
  • This design concept is inherently simple and easy to explain
  • Currently doing proof of concept deployments
• Questions
  
  • What path would be needed to standardize this in a way for vendors to implement?
    
    • Looking for ideas for best approach - engaging about 35 in the initial development stage of the whitepaper
    • This will have to be a grassroots approach - patient demand
    • e.g. if a patient pays for an encounter, then it must be segregateable from the data set & not reportable to the insurance company
  • Are there 'official' endorsements yet?
    
    • Looking to see if Kantara will endorse it
    • Would like to find some pilot sites to demonstrate how it works
  • Comment: Might be appropriate to send this out to the WG for comments, and possible sending to LC as a recommendation for approval/endorsement.
  • Most vendors have several identifiers in the system: external and internal. Is this approach similar? If so, the vendors would have to adopt this as the internal identifier, correct?
    
    • The whitepaper suggests methods that could be used to include the privacy identifiers into records for data segmentation
  • Have there been discussions with EHR vendors about what would be needed to implement this?
    
    • Yes, some
    • DS4P (Data Segmentation For Privacy) - is a complex approach that is also attempting this
      
      • http://wiki.siframework.org/Data+Segmentation+for+Privacy+Homepage
      • Some chatter online that this might be how Meaningful Use 3 will be done - but it is not settled
  • Comment: Perhaps look to Project VRM and similar initiatives for ideas around implementation
  • Comment: Perhaps reach out to Canada Health Infoway for ideas
  • Comment: Perhaps approaching EHNAC and Direct might help to get to vendors interested in working out some of the details
• Please send comments on the whitepaper and potential connections to Barry.

AOB

•  None raised

Action Items

Attachments

Guideline on Identity Assurance-Consultation Draft Apr 25 2013.pdf

Standard_on_Identity_and_Credential_Assurance.pdf

EZP-63-2 v0-1.docx

Kantara IAF-1400 SAC-63-2 v0-1.docx

privacywhitepaper5-21-13.pdf

Next Meeting

Date: Thursday,

...

20 June 2013 
Time:

...

 10:00 PT |

...

12:00

...

CT |

...

• Conference ID: 613-2898

...

13:00 ET
Dial in: TurboBridge Conferencing

• • Skype: +99051000000481
  • North American Dial-In: +1-805-309-2350
  • Room Code: 613-2898
  • For more dial-in information, see: http://kantarainitiative.org/confluence/display/GI/Telco+Bridge+Info