Authorized Certification Body

From IDESG Wiki
Jump to navigation Jump to search

Full Title

This description of an Authorized Certification Body applies solely to the evaluation of applications used by Patients or authorized users to access Electronic Health Information (EHI) and upload of data to providers.

Goals

  1. Put the user in control of the capability of using their own personal devices for access to their own data like personal health information. See wiki page on Patient Choice.
  2. Allow certified mobile apps to assert its own assurance level to web sites on the internet.
  3. Align with the evolving mobile driver’s license effort as source of identity proofing with minimal personal data disclosure (in cooperation with the Kantara PIMDL work group).

Context

  • The 21st Century Cures Act (see references) requires "seamless and secure access, exchange, and use of electronic health information" by the patient or their authorized proxies.
    • It also addresses the interchange of data among health care providers, which is not covered in this proposal.
  • Much of the language used in the Cures Act is directled towards Health IT Modules running in provider's web sites. It is adapted here to the case of Health IT for patients and their proxies.

Problems

In a Kantara work group report on Patient Choice it is shown that applications running on user’s device have not been able to secure user data. In order for records to be downloaded to user’s devices, it is known that some level of certification of the apps, or at least the developers of the apps, some structure must be in place that can report that the app will be sufficiently responsive to patient needs for security and privacy. This is a proposal to seek funding from the US HHS ONC to build out and create a long-term funding plan for a testing assurance program as well as an online registry that can be queried in real-time to validate apps prior to downloading patient information onto them.

Solutions

This solution for user apps is based on existing requirements of the ONC for EHR. Since that EHR solution required a trust infrastructure, it is proposed to take a similar approach to user apps.

  1. Basis and Scope - while it does not appear to be clearly stated, the intent of 45 CFR seems to apply to programmers of Health ID systems that reside in EHR's.
    1. It is the intent of this effort to extend the certificate of compliance (CoC) to native apps running on smartphones with a Authorized Certification Body to include the Kantara Initiative.
  2. Information Blocking - there must be no action that constitutes information blocking. But this only applies to apps that are from certified developers.
  3. The following communications must be provided for Health IT apps.
    1. The user ability of the app.
    2. The interoperability of the apis used by the app.
    3. The security of the app.
    4. User experiences when patients or delegates use the app.
    5. Business practices of the app developers.
    6. The manner in which the technologies in the app have been used in health IT.
  4. Application Programming Interfaces (APIs) that are used for communications with:
    1. Electronic Health Records Providers (EHR) or Health Information Exchanges (HIE).
    2. OpenID Providers of Identity Services
    3. Credential Services Providers for both (1) Patient Identity Proofing and (2) patient authentication using 2 factors both communicated directly for the patient's device.
    4. Medical Record Locator Services
    5. Trust Registries of providers of authorized certification.
  5. Real World Testing
    1. Set up of a test EHR or HIE
    2. User Experience test program for users in as many categories as time allows.
  6. Attestations - will be established by the formation of Device Assessment criteria that can be used by test labs to certify app developers.

Disclaimer

  • from 42 CFR 170.523 (k)(1) (i)

“This Health IT Module is [specify Edition of health IT certification criteria] compliant and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services. This certification does not represent an endorsement by the U.S. Department of Health and Human Services.”

References