Earlier this week, the HIT Policy Committee approved the recommendations of the Privacy and Security Tiger Team for provider authentication. The purpose is to support the exchange of clinical information among providers, especially in connection with meaningful use. The goal is to establish a trust framework for information exchange between the clinical systems of each provider. This is accomplished through digital credentials at an organization level, not at a person level.
The Tiger Team recommended that all organizations that exchange health information should have digital certificates. This includes "covered entities, business associates, PHR providers, public health entities, PBMs, retail pharmacies, DME suppliers, labs, imaging centers and non-providers including payers, claims clearinghouses and HIOs". The Tiger Team outlined at a high level the requirements for credentialing and the process, which will involve multiple credentialing agencies nationally. It was recommended that the HIT Standards Committee establish standards for digital certificates.
EHRs should be certified based on the ability to "retrieve, validate, use, and revoke digital certificates that comply with standards". Authentication would be required for the exchange of personally identifiable health information and when the sending and/or receiving identities must be verified.
Provider Authentication Recommendations - Privacy and Security Tiger Team - 2010-11-19