Electronic Submission of Medical Documentation (esMD) Digital Identity and Author of Record Sub-Workgroups September 19, 2012.


Meeting Etiquette
- Please announce your name each time prior to making comments or suggestions during the call
- Remember: If you are not speaking keep your phone on mute
- Do not put your phone on hold – if you need to take a call, hang up and dial in again when finished with your other call
  - Hold = Elevator Music = very frustrated speakers and participants
- This meeting, like all of our meetings, is being recorded
  - Another reason to keep your phone on mute when not speaking!
- Feel free to use the “Chat” or “Q&A” feature for questions or comments
NOTE: This meeting is being recorded and will be posted on the esMD Wiki page after the meeting
From S&I Framework to Participants: Hi everyone: remember to keep your phone on mute

Agenda
Topic | Presenter
Announcements and Administrative items | Sweta
AoR L1 UC Consensus Results | Sweta/Bob
Overview and Introduction of Identity Proofing and Signature Artifact/Delegation of Rights Sub-Workgroup | Bob Dieterle

Announcements
Schedule this week:
Day/Time | Meeting
Wednesday, September 19 at 10 AM ET | AoR Digital Identity Management SWG
Wednesday, September 19 at 1:00 PM ET (2 hour session) | AoR Identity Proofing SWG (1-2 PM); AoR Signature Artifact/Delegation of Rights SWG (2-3 PM)
Friday, September 21 at 2 PM ET | AoR SWG Recap (10 Minutes); Harmonization of UC 1&2

September 2012 Proposed Schedule*
[Calendar for September 2012. Entries shown:]
- PM AoR WG
- AM - AoR SWG: Digital Identity Management
- 1 PM - AoR SWG: Identity Proofing
- 2 PM - AoR SWG: Signature Artifact/Delegation of Rights
- 13: Leads will review consensus votes and provide dispositions
- 14: 2 PM - Joint AoR and Harmonization of UC 1&
- Milestones: AoR L1 UC E2E Review; AoR L1 UC Consensus
*This is a tentative schedule and subject to change

AoR L1 UC Consensus Voting Results
- 9 Yes Votes
- 2 Abstain Votes

Consensus Voting
Round Robin for Committed Members
- Yes
  - A Yes vote does not necessarily mean that the deliverable is the ideal one from the perspective of the Initiative Member, but that it is better to move forward than to block the deliverable
- Yes with comments
  - If a Consensus Process attracts significant comments (through Yes with comment votes), it is expected that the comments be addressed in a future revision of the deliverable.
- Formal Objection with comments
  - Indicating a path to address the objection in a way that meets the known concerns of other members of the Community of Interest. "Formal Objection" vote without such comments will be considered Abstain votes.
- Formal Objection
  - Should a Consensus Process attract even one "Formal Objection" vote with comments from an Initiative Member, the deliverable must be revised to address the "Formal Objection" vote (unless an exceptional process is declared).
- Abstain (decline to vote)

esMD Initiative Overview
[Diagram. Labels: Provider Entity; Payer Entity; Payer; Provider (Individual or Organization); Contractors / Intermediaries; Agent; Payer Internal System; Gateway; esMD UC 1: Provider Registration; esMD UC 2: Secure eMDR Transmission; esMD AoR Level 1; Digital Identities; Bundle Signatures; Certificate Authority; Registration Authority; Provider Directories]

AoR -- Phased Scope of Work
Level 1 - Current Focus: Digital signature on aggregated documents (bundle)
- Focus is on signing a bundle of documents prior to transmission to satisfy an eMDR
- Define requirements for esMD UC 1 and UC 2 Signature Artifacts
- May assist with EHR Certification criteria in the future
Level 2 - TBD: Digital signature on an individual document
- Focus is on signing an individual document prior to sending or at the point of creation by providers
- Will inform EHR Certification criteria for signatures on patient documentation
Level 3 - TBD: Digital signature to allow traceability of individual contributions to a document
- Focus is on signing documents and individual contributions at the point of creation by providers
- Will inform EHR Certification criteria for one or multiple signatures on patient documentation

Topics for Digital Identities and AoR Workgroup Effort
1. Identity proofing
2. Digital identity management
3. Encryption
4. Digital signatures and artifacts
5. Delegation of Rights
6. Author of Record

Definitions
- Identity (NIST): A set of attributes that uniquely describe a person within a given context.
- Identity (Proposed): A set of attributes that uniquely describe a person or legal entity within a given context.
- Identity Proofing (NIST): The process by which a CSP and a Registration Authority (RA) collect and verify information about a person for the purpose of issuing credentials to that person.
- Identity Proofing (Proposed): The process by which a CSP and a Registration Authority (RA) collect and verify information about a person or legal entity for the purpose of issuing credentials to that person or legal entity.

Definitions
- Digital Signature (NIST): The result of a cryptographic transformation of data that, when properly implemented, provides a mechanism for verifying origin authentication, data integrity and signatory non-repudiation.
- Data Integrity (NIST): Data integrity is a property whereby data has not been altered in an unauthorized manner since it was created, transmitted or stored. Alteration includes the insertion, deletion and substitution of data.
- Non-repudiation (NIST): Non-repudiation is a service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified by a third party. This service prevents an entity from successfully denying involvement in a previous action.
- Delegation of Rights: The ability to delegate rights or authority to another to act in a specific capacity on behalf of the grantor of the right. Must include the digital identity of the grantor, the digital identity of the grantee, the rights granted, duration of grant in a format that is usable in transaction and AoR signature events and is verifiable by a third party for non-repudiation purposes.

Initiative Requirement Summary
Initiative | Identity Proofing | Digital Identity Management | Signing (Exchange Artifact) | Encryption | Delegation of Rights | Author of Record
DS4P | Org/Individual | Yes
Direct Project | Address/Server | Yes | No
esMD | Org/Individual | Yes
Healthcare Directories | Org/Individual | Yes | No
LCC | Org/Individual | Yes
Query Health | Org/Individual | Yes | No
Transitions of Care | Org/Individual | Yes
Legend: Mandatory; Optional with consequences; Optional; Future Uses

esMD Requirements
Topics | UC1: Registration | UC2: eMDR | AoR L1 Bundle
Identity Proofing | Required
Digital Credential Management | Required
Digital Signatures & Signature Artifacts | Required
Delegation of Rights* | Required
Other Characteristics of solution Non-Repudiation | Required
Characteristics of solution Data Integrity | Required
* Required if the action of the responsible party is being represented by a third party

Scope for AoR (L1)
In Scope
- Identity Proofing as part of Non-Repudiation of Actor Identity
- Digital Credential Management required for Non-Repudiation Actions (Signing and Delegation), Data Integrity and Encryption
- Digital Signatures and Signature Artifacts for Identity and Non-Repudiation
- Digital Credentials and Artifacts for Non-Repudiation of Delegation as required by UC1 and AoR L1
- Data Integrity requirement actions and artifacts
- Encryption of PHI requirements
- Interactions with External Provider Directories
Out of Scope
- Interactions between:
  - Payer and Payer Contractors
  - Provider and Agent
  - Payer or Payer Contractor and Gateway
- Transaction level encryption
- Document level signatures and individual contribution signatures
- Defining delegation of rights within and between Providers and other authors

User Story / Workflow
Overall User Story Components
1) All Actors obtain and maintain a non-repudiation digital identity
2) Provider registers for esMD (see UC1)*
3) Payer requests documentation (see UC2)*
4) Provider submits digitally signed document (bundle) to address request by payer
5) Payer validates the digital credentials, signature artifacts and, where appropriate, delegation of rights
*User Stories for UC 1 and 2 have already been defined. Workgroup will help define bullets 1) and 4)

Sub-Workgroups
1. Identity Proofing - Wednesday 1-2 pm - Robert Dieterle (Lead)
   - Proof of identity requirements
   - Allowed proofing processes
2. Digital Credentials - Wednesday am - Debbie Bucci (Lead)
   - Credential Life Cycle (issuance, maintenance and revocation)
   - Credential uses (Identity, Signing, Proxy, Encryption, Data Integrity)
   - Specific use credentials (e.g. Direct)
3. Signing and Delegation - Wednesday 2-3 pm - Robert Dieterle (Lead)
   - Signature and Delegation artifacts
   - Workflow issues
   - Delegation process

General Requirements
- Solution must
  - be implementable for pilot in Q1/Q
  - scale to all providers and payers
  - minimize the operational impact required to establish, maintain or use a digital identity
  - provide for non-repudiation without resorting to audit logs or validation of system configuration
- Standards -- required
  - NIST Level 3 (December 2011)
  - NIST Part 1 (Revision 3 July 2012)
  - Federal Bridge Certification Authority Medium Level
  - X.509v3+ Digital Certificates

Sub Workgroup: Identity Proofing
Type: Sub workgroup
Goal
- Define required process for identity proofing of healthcare individuals and organizations for esMD
Requirements
- NIST SP Level 3 authentication (December 2011)
- FBCA Medium Level
In-Scope
- RA qualifications and certification
- Combining RA process with other healthcare identity proofing (e.g. credentialing)
- Policy issues regarding identity proofing
Out-of-Scope
- Digital Credential Management
- Digital Signatures
- Proxy or Delegation
Deliverable: “Summary White Paper”
- Assumptions
- Statement of Problem
- Recommended Solution(s)
  - Review of Standards (e.g. NIST, FICAM)
  - Certification requirements for RAs
  - Proof of identity requirements for
    - Entities
    - Individuals
  - Allowed proofing processes (e.g. as part of credentialing?)
  - Frequency of Identity review
  - Appeals process for denial
  - Variation based on specific credentials/use?
  - Revocation (triggers and process)
- Identify gaps in current policy impacting Identity Proofing
- References

Identity Proofing (Session 1)
Standards to Review
- NIST (SP )
- FBCA Medium Assurance
- FICAM
- NSTIC
- IETF Standards (RFC 3647)
- FIPS 201
Individuals
- Should identity proofing of Individuals vary by role? (i.e. Physicians, allied health, etc.)
Discussion of RA process
- FBCA Medium Level Assurance
- Registration Authorities
- Trusted Agents
- Notary Public
- Use of Hospitals credentialing process

Identity Proofing (Session 1)
Reference examples
- DEA (Electronic Ordering of Controlled Substances)
- DirectTrust.org
- FDA (Participation in Drug Trials)
- State-level efforts for communities in practice (Oregon, Washington, California, Maine)
- I-9 (Validation for Employment)
- SAFE-BioPharma
- GSA E-Prescribing
Experts to invite to this session (SMEs)
- John Hall (Direct)
- David Kibbe (DirectTrust and NSTIC)
- DEA Representative
- Peter Alterman (SAFE-BioPharma)
- Federal PKI Representative (Wendy Brown)

Sub Workgroup: Digital Credentials
Goal
- Define required process for issuing and managing digital credentials for esMD
Requirements
- NIST SP Level 3 authentication (December 2011)
- NIST SP Part 1 (Revision 3 July 2012)
- Federal Bridge Certification Authority (FBCA) certified Medium Level
- Digital Certificates must be X.509 V3+ based
- Must be from CA cross-certified with FB
- Must provide for non-repudiation as part of the credentials and artifacts
In-Scope
- Digital credential life cycle
- Relevant standards
- Policy issues regarding Digital Credentials
Out-of-Scope
- Identity Proofing
- Digital Signatures
Deliverable: “Summary White Paper”
- Assumptions
- Statement of Problem
- Recommended Solution(s)
  - Review of standards (e.g. NIST, FBCA, FICAM)
  - CA qualifications and list
  - Issuance process
  - Credential types and forms
  - Credential uses (Identity, Signing, Proxy, Encryption, Data Integrity)
  - Specific use credentials (e.g. Direct, DEA)
  - Maintenance requirements
  - Revocation process
  - Trust anchor validation
  - Non-repudiation assurance
- Identify gaps in current policy impacting Digital Credentials
- References

Sub Workgroup: Digital Signatures
Goal
- Define process, artifacts and standards for transaction and document bundle digital signatures for esMD
Requirements
- Must provide for non-repudiation as part of the credentials and artifacts
- Must ensure data integrity
In-Scope
- Use Case 1 and 2 transactions
- AoR L1 (Signature binding to aggregated document bundle)
- Signature workflow
- Signature artifacts
- Identification of relevant standards
Out-of-Scope
- AoR L2
- AoR L3
Deliverable: “Summary White Paper”
- Assumptions
- Statement of Problem
- Recommended Solution(s)
  - Review of Standards (e.g. OASIS, IHE, HL7, …)
  - Transaction signature process
  - Transaction artifacts to meet Use Case 1 and 2 requirements
  - Document Bundle signature process
  - Artifacts to meet AoR L1 requirements
  - Data Integrity requirements
  - Non-repudiation assurance
- Identify gaps in current policy impacting Digital Signatures
- References

Digital Signature (Session 1) Standards IHE OASIS XML DigSig W3C FIPS 186 IETF RFCs IGTF (Proxy Certificates)

Digital Signatures (Session 1)
Industry Experts (SMEs)
- Verisign/Symantec
- GeoTrust
- DigiCert (Scott Rea)
- Adobe
- Ping Identity

Digital Signatures (Session 1)
Industry Examples
- DEA (Electronic Ordering of Controlled Substances)
- Drug Trials (SAFE-BioPharma)
- Validation of Trust and Non-Repudiation
- Level 3 Assurance
- IETF RFC 5280, 2560, 5019, etc.
- LTANS (Long-Term Archive and Notary Services)
- American Bar Association (IDM Task Force)
- EU Qualified Signatures

Sub Workgroup: Delegation and Proxy
Goal
- Define credentials, artifacts and process for Delegation of Rights for esMD
Requirements
- Must provide for non-repudiation (NIST definition) as part of the credentials and artifacts
- Revocable
In-Scope
- Use Case 1 and AoR L1 Delegation of Rights requirements
- Delegation/Proxy workflow
- Delegation/Proxy artifacts
- Identification of relevant standards
Out-of-Scope
- AoR L2
- AoR L3
Deliverable: “Summary White Paper”
- Assumptions
- Statement of Problem
- Recommended Solution(s)
  - Review of Standards (e.g. OASIS, IHE, HL7, …)
  - Proxy/Delegation Credential/Artifact(s)
  - Operational consideration for Proxy/Delegation Creation
  - Scope/Content of Proxy/Delegation
  - Revocation of Proxy Credential
  - Transaction proxy requirements
  - Transaction artifacts to meet Use Case 1 requirements
  - Document Bundle proxy signature process
  - Artifacts to meet AoR L1 signature proxy requirements
  - Data Integrity requirements
  - Non-repudiation assurance
- Identify gaps in current policy impacting Delegation & Proxy
- References

Delegation of Rights (Session 1)
Relevant Standards
- OASIS SAML Assertions
- TJC (Record of Care)
- IGTF
- Role-Based Access Control (RBAC)
- HIPAA Business Associate Agreement (BAA)
Industry Experts (SMEs)
- Dr. Alan Sill (Physicist, Standards Coordinator within the Open Grid Forum)

Delegation of Rights (Session 1)
Industry Examples
- HIPAA BAA
- AFIS (Automated Fingerprint Identification System, FBI)
- Daon, Inc. (Biometrics)
- Direct HISPs
- CLIA requirements for agents or authorized individuals
- FEMA First Responder Program
- Provider Outpatient and Therapeutics
- Power of Attorney/Limited Power of Attorney
Artifacts for Delegation of Rights
- Proxy Certificate
- SAML Assertion (binding two certificates for a particular purpose)