Privacy and Security Tiger Team Meeting: Discussion Materials. Topics: Patient Authentication Hearing; Questions for RFC on Meaningful Use Stage 3. October 1, 2012


Page 1

Privacy and Security Tiger Team Meeting
Discussion Materials

Topics
• Patient Authentication Hearing
• Questions for RFC on Meaningful Use Stage 3

October 1, 2012

Page 2

Overview

• Provide an update and obtain input on plans for the Oct. 29 hearing on Patient Authentication
• Obtain input from the Tiger Team on questions to include in the Request for Comment (RFC) on Meaningful Use (MU) Stage 3
  – Strawman questions are on slides 7 through 9
  – Tiger Team suggestions will be presented at the HITPC meeting on Wednesday Oct. 3

Page 3

Patient Authentication Hearing Overview

• October 29, 2012; 12pm – 4pm
• Virtual hearing
• Identify and explore issues related to patient authentication, including
  – Misuse/Fraud
  – ID Proofing issues (attributes, in-person, delegated, etc.)
  – Authentication issues (two-factor, credentialing, third-party, etc.)
  – Usability (complexity for patients, etc.)
• Broad variety of panelists representing both health care sector and other industries
• Using the FACA blog to get patient stories and potentially locate a good patient witness

Page 4

Hearing Panel Descriptions

• Introduction – Frame issues, including implications for MU Stage 3
• Panel One – “About patient authentication”
  – Address why authentication is important
  – Explore patient/consumer perspectives as well as lay out the key issues
• Panel Two – “Patient authentication now”
  – Learn what holders of patient health information are doing now w/r/t authentication
• Panel Three – “Authentication solutions on the horizon”
  – Explore what solutions are being developed, for patients (Blue Button) as well as in other industries

Page 5

Proposed Hearing Panelists

• Panel One – “About patient authentication”
  – LiveStrong - confirmed
  – Patient
  – Immunization Registry
  – NIST migrant project
  – Kantara - confirmed
  – Direct Trust - confirmed
• Panel Two – “Patient authentication now”
  – HealthVault - confirmed
  – ProHealth MD
  – VA, MyHealtheVet
  – Intuit Health - confirmed
  – Small provider
  – Quest diagnostics - confirmed
• Panel Three – “Authentication solutions on the horizon”
  – Automate Blue Button / Rhex - confirmed
  – Enroll UX 2014 / CMS
  – PayPal
  – Wells Fargo
  – DAON
  – USPS - confirmed

Page 6

Proposed Hearing Agenda

• 12:00 p.m. Welcome and Roll Call - Mackenzie Robertson, ONC
• 12:02 p.m. Opening Remarks/Framing Hearing - Farzad Mostashari
• 12:15 p.m. Panel One – “About Patient Authentication”
  5 panelists (5 – 7 minutes each, 30 minute Q&A – 60 minutes total)
• 1:15 p.m. Panel Two – “Patient Authentication Now”
  5 panelists (5 – 7 minutes each, 30 minute Q&A – 60 minutes total)
• 2:15 p.m. Break
• 2:30 p.m. Panel Three – “Authentication Solutions on the Horizon”
  5 panelists (5 – 7 minutes each, 30 minute Q&A – 60 minutes total)
• 3:30 p.m. Discussion
  25 minutes for discussion of issues raised during panels
• 3:55 p.m. Public Comment
• 4:00 p.m. Adjourn

Page 7

Straw Questions: RFC on MU Stage 3 (1 of 3)

1. Should the next phase of certification criteria include capabilities to authenticate provider users at LoA 3 for remote access?
  – If so, how would the criterion/criteria be described, given the optionality permitted under NIST 800-63.1 for authenticating at LoA 3?
  – What impact (if any) would certification of EHRs for this functionality have on national efforts (through NSTIC) to establish portable, high level credentials that clinicians and other EHR users can use in multiple settings?

Page 8

Straw Questions: RFC on MU Stage 3 (2 of 3)

2. The requirement in Stage 1 that EPs/EHs/CAHs attest to completing a HIPAA security risk assessment has been successful in getting health care providers covered by HIPAA (and participating in the MU program) to make this a priority.
  – The expectation is that the additional requirement in Stage 2 to attest to addressing encryption of data at rest in CEHRT will have a similar positive impact.
  – The Tiger Team is considering whether to make other HIPAA security rule provisions subject to specific attestation as part of Meaningful Use.
  – Which provisions are candidates for prioritizing as part of Meaningful Use?

Page 9

Straw Questions: RFC on MU Stage 3 (3 of 3)

  – For example, the requirement to make staff aware of the HIPAA Security Rule and to train staff on Security Rule provisions is one of the top 5 areas of noncompliance identified by the Office of Civil Rights over the past 5 years.
    • The Tiger Team initially proposes to require providers to attest to having conducted the required education and training of staff as part of Meaningful Use Stage 3.
    • We request your comments on this proposal.