Minutes for Kantara HIAWG Teleconference 12-20-2012

Date and Time

  • Date: Thursday, December 20, 2012
  • Time: 10 PDT | X EDT | X UTC

Attendees

  • Patrice Kuppe
  • Rick Moore
  • Barry Hieb
  • David Kibbe
  • Pete Palmer
  • Bill Braithwaite
  • Bob Pinheiro
  • Helen Hill
  • John Fraser

Apologies

  • None

Minutes

1. Approve 2012-11-08 Minutes
  1. Approved 2012-11-08 Minutes with edits. Final on website. http://kantara.atlassian.net/wiki/display/healthidassurance/Kantara+HIAWG+Teleconference+11-08-2012
2. NSTIC Update
  1. NSTIC Update - There was a vote last week to approve the membership document. There is a plenary coming up in March in Phoenix. The health care group has a charter they will be reviewing. Two laws (Controlled Substance and MU) are drivers to get us to adopt one identity proofing methodology.

  2. It was agreed at the Direct Trust meeting / ONC that health care needs three levels of certification. They are rewriting the certificate policy and will be releasing accreditation criteria for HISPs and CAs for comment.
3. HITPC RFC

Health IT Policy Committee's Meaningful Use Request for Comment (RFC) - In September 2012, the HITPC recommended that EHRs should be able to accept two-factor (or higher) authentication for provider users to remotely access protected health information (PHI) in stage 3.

This included recommending that organizations/entities, as part of their HIPAA security risk analysis, should identify any other access environments that may require multiple factors to authenticate an asserted identity, and that organizations/entities should continue to identity-proof provider users in compliance with the Health Insurance Portability and Accountability Act (HIPAA). The HITPC would like input on the following questions related to multi-factor provider authentication:

4. HITPC RFC Part 2
    • Question PSTT01 - How can the HITPC’s recommendation be reconciled with the National Strategy for Trusted Identities in Cyberspace (NSTIC) approach to identification, which strongly encourages the re-use of third party credentials?
      Discussion: Need business models that can sustain this.
      Response: Need certification policy to be the same. Need common attributes. Suggest the Kantara model.
    • Question PSTT02 - How would ONC test the HITPC’s recommendation in certification criteria?
      Response: They don’t test. They approve the trust framework.
    • Question PSTT03 - Should ONC permit certification of an EHR as stand-alone and/or an EHR along with a third party authentication service provider?
      Response: Yes, but would prefer the latter, and it will foster a new ecosystem of CSPs.
