(1) WG NAME: Healthcare Identity Assurance
The Healthcare Identity Assurance Work Group shall design, implement and test reference applications for secure access to health information. Two use cases are proposed that would be developed and supported as part of the work group. The first is for consumers to be able to access their health records with a standardized login system; the second is a way for healthcare workers to access secure health information.
The goal of this activity is to engage the broadest community participation to facilitate the adoption of the reference implementations and specifications by the healthcare industry, worldwide. Specific goals of this group are to:
2.1 Develop a reference implementation for consumer access, using open source solutions.
2.2 Develop a reference implementation for healthcare worker access to critical health information using open source solutions.
2.3 Review and endorse an identity assurance framework to support secure information sharing between authenticated individuals and systems to support HIEs and NHIN.
2.4 Recommend all or parts of these systems to be integrated with the emerging US Nationwide Health Information Network (NHIN) being developed by the US Department of Health and Human Services and the Offices of the National Coordinator.
2.5 Educate the community on how the system should operate and how such a system should function.
2.6 Work with the vendor community to ensure interoperability between systems.
The Healthcare Identity Assurance WG is chartered to:
3.1 Work with US and international groups including but not limited to: NHS-UK, National Healthcare Systems (potentially within the following countries: Sweden, Denmark, Japan and South Korea), Health Information Exchanges (HIEs) and similar US groups to recruit them into these discussions to provide the broadest possible input. Also coordinate with US federal agencies involved with health care exchanges, for example Veterans Administration, Indian Health Service, Department of Defense, Centers for Disease Control, Centers for Medicare and Medicaid and Social Security Administration.
3.2 Provide input to US federal health information standards, for example HITSP and CCHIT, to ensure alignment with emerging federal standards.
3.3 Consumer health records access:
3.3.1 Reach out to other appropriate groups to invite participation, including organizations that already "vet" large groups of consumers, like banks, insurance companies, AAA, etc.
3.3.2 Discuss and identify the many different ways consumers are likely to access health information, including Personal Health Record systems, web-based, cell phone, Instant Messaging and social networking services.
3.3.3 Discuss and recommend how healthcare enterprises will deliver this functionality while meeting all regulatory obligations as set by various bodies worldwide, including patient privacy, security and patient consent issues.
3.3.4 Educate the healthcare community on the principles of consumer identity management.
3.3.5 Coordinate with Identity Assurance and Accreditation Work Group (IAA WG).
3.3.6 Discuss and identify feasible, reliable and economic methods for consumer authentication and identification.
3.3.7 Review appropriate ASTM and similar standards surrounding patient identification and incorporate patient identification services in the discussions.
3.4 Healthcare worker health records access:
3.4.1 Develop standardized use cases for healthcare worker access to health information.
3.4.2 Develop standardized use cases for healthcare worker access to healthcare information during emergencies and natural disasters.
3.4.3 Develop standards for this exchange for countries beyond the US.
3.4.4 Discuss, identify and/or develop a set of "Trust Roles" that can be exchanged between systems.
3.5 General Goals:
3.5.1 To act as an information gathering body within Kantara Initiative that tracks significant trends in regulation affecting Healthcare IT worldwide and to feed this information back to the appropriate groups within Kantara Initiative, and where appropriate, with recommended actions (e.g. to respond to the US Government Request for Information).
3.5.2 To provide Kantara Initiative with spokespersons on healthcare identity assurance related topics.
3.5.3 Provide Kantara Initiative with subject matter expertise regarding the unique identity management and regulatory challenges facing the healthcare industry.
3.5.4 To provide inputs for external communications, such as collateral materials and contributed articles.
3.5.5 Where appropriate, take part in the identification and planning of healthcare industry events.
(4) DRAFT TECHNICAL SPECIFICATIONS:
No technical specifications will be developed in this WG.
(5) OTHER DRAFT RECOMMENDATIONS:
Develop appropriate White Papers and Technical Reports.
5.1 Develop Implementation Guidelines with specific focus toward coverage of the Venn of Identity protocols including: ID-WSF, SAML 2.0, InfoCard and OpenID. For each of these protocols, this WG will develop a mapping and accompanying guidelines to serve as a reference to Healthcare industry workers and consumer users explaining which protocol is appropriate in each Assurance Level context (where Assurance Levels are defined in the Liberty Identity Assurance Framework).
5.2 The WG will work to deliver these recommendations, reports and papers by the close of Q2 2010. This projected schedule may be amended from time to time as needed and as the work develops.
John Fraser, MEDNETWorld.com, co-equal co-chair
Pete Palmer, SureScripts, co-equal co-chair
Rick Moore, eHealth Ohio, co-equal co-chair
The audience for this work group includes:
7.1 Developers and users of protocols including but not limited to: ID-WSF, SAML 2.0, InfoCard, OpenID, and open-source developers and industry vendors and similar groups.
7.2 Healthcare standards groups including: NHIN Committees, Health Information Exchanges (HIEs), HL7, HITSP.
7.3 End users including consumers, patients, healthcare providers and public health groups.
8.1 The Kantara Initiative Leadership Council charters the Healthcare Identity Assurance Work Group which is intended to be a standing WG to address work that is expected to be ongoing. This charter may be amended from time to time, with changes approved by the Leadership Council.
(9) IPR POLICY:
9.1 Kantara IPR Policy - Creative Commons Share Alike Option
(10) RELATED WORK AND LIAISONS:
10.1 Other national health care systems
10.1.1 Recommendations for a Unique Health Identifier for Individuals for Ireland
10.2 Liaisons with these Kantara Initiative Work Groups:
10.2.1 Identity Assurance WG - Liaise with Identity Assurance WG to be sure that deployment guidelines, papers and other deliverables of each WG are aligned with the needs of the Healthcare industry with particular attention to the Levels of Assurance and the various contexts that would require Assurance needs.
10.2.2 Consumer Identity WG - Liaise with Consumer Identity WG to share a Healthcare Identity Assurance view and feedback where it would apply to the consumer.
10.2.3 Privacy and Public Policy WG - Liaise with P3WG to share a Healthcare Identity Assurance view and feedback where it would apply to business and government policy development.
10.3 Healthcare standards and projects
10.3.1 Nationwide Health Information Network (NHIN) - provide connectivity to the groups developing this system through the US Department of Health and Human Services.
10.3.2 HITSP General Information from June 27, 2008 Teleconference
10.3.3 HITSP 08 N 325 - 2008 06 09 AHIC-UC 2009 APPROVED Use Case Extensions and Gaps v3.0 from June 27, 2008 Teleconference
10.3.4 IDENTITY CRISIS - An Examination of the Costs and Benefits of a Unique Patient Identifier for the U.S. Health Care System - a new RAND Study
10.3.5 Patient Card Numbering Proposal Q&A from March 7, 2008 Teleconference
10.3.6 New SPI-TC Constructs and Updates to Existing Specifications with Authors from June 27, 2008 Teleconference
10.3.7 Identity Assurance Framework Presentation from July 11, 2008 Teleconference
SPI-TC Work Item Matrix from July 11, 2008 Teleconference
10.3.8 HITSP Security, Privacy and Infrastructure (SPI) definitions for Identity Assurance under the Technical Note 900 (TN900), individual Interoperability Specifications/Service Collaboration for C19 - Entity Identity Assertion, TP20 - Access Control, T17 - Secured Communication Channel and SC108 - Access Control (Revision 1.3, July 8, 2009) http://wiki.hitsp.org/docs/TN900/TN900-1.html
10.3.9 NIST SP 800-60 Rev. 1 Vol 1 & 2 - Guide for Mapping Types of Information and Information Systems to Security Categories August 2008
10.3.10 NIST IR 7497 Draft Security Architecture Design Process for Health Information Exchanges (HIEs) January 2009
10.3.11 NIST SP 800-122 DRAFT Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) January 13, 2009
(11) CONTRIBUTIONS (optional):
John Fraser, MEDNETWorld.com
Pete Palmer, SureScripts
Richard Moore, eHealth Ohio
August 19th, 2009
The Leadership Council ratifies this charter for operation.