Authorized Certification Body
Full Title
This description of an Authorized Certification Body applies solely to the evaluation of applications used by Patients or authorized users to access Personal Healthcare Information (PHI) and upload of data to providers.
Goal
Put the user in control of either own devices and personal health information. See wiki page on Patient Choice.
Context
- Much of the language used here is directled towards Health IT Modules running in provider's web sites. It is adapted here to the case of Health IT for patients and delegates.
Problems
In a Kantara work group report on Patient Choice it is shown that applications running on user’s device have not been able to secure user data. In order for records to be downloaded to user’s devices, it is known that some level of certification of the apps, or at least the developers of the apps, some structure must be in place that can report that the app will be sufficiently responsive to patient needs for security and privacy. This is a proposal to seek funding from the US HHS ONC to build out a testing assurance program as well as an online registry that can be queried in real-time to validate apps prior to downloading patient information onto them.
Solutions
This solution for user apps is based on existing requirements of the ONC for EHR. Since that EHR solution required a trust infrastructure, it is proposed to take a similar approach to user apps.
- See the documentation one What You Need to Know About the Conditions and Maintenance of Certification.
- It is assumed here that the most common patient device will be a smart phone but other devices like laptops and wearable or home medical devices will also be addressed in the future.
- Information Blocking - there must be no action that cconsititues information blocking. But this only applies to apps that are from certified developers.
- The following communications must be provided for Health IT apps.
- The user ability of the app.
- The interoperability of the apis used by the app.
- The security of the app.
- User experiences when patients or delegates use the app.
- Business practices of the app developers.
- The manner in which the technologies in the app have been used in health IT.
- Application Programming Interfaces (APIs) that are used for communications with:
- Electronic Health Records Providers (EHR) or Health Information Exchanges (HIE).
- OpenID Providers of Identity Services
- Credential Services Providers for both (1) Patient Identity Proofing and (2) patient authentication using 2 factors both communicated directly for the patient's device.
- Medical Record Locator Servcies
- Trust Registries of providers of authorized certification.
- Real World Testing
- Set up of a test EHR or HIE
- User Experience test program for users in as many categories as time allows.
- Attestations - will be established by the formation of Device Assessment criteria that can be used by test labs to certify app developers.