Comment

Add HL7 Interoperable Digital Identity & Patient Matching IG

HL7's Interoperable Digital Identity & Patient Matching Implementation Guide is an Emerging Implementation Specification we recommend for inclusion in both the Patient Demographic Record Matching and Exchanging Patient Identification Within and Between Communities sections of the ISA due to its utility to both of these categories.

Additionally, in the Limitations, Dependencies, and Preconditions for Consideration section of this page, we suggest removing the phrase "but more information related to this topic is below:...." as well as the sub-bullets listed beneath it.

-HL7 Interoperable Digital Identity & Patient Matching workgroup

Patient Identity Proofing - Response to 2018-10-1 Post

MaxMD was contacted by DirectTrust on 9/23/2019 regarding a post to HealthIT.gov accompanied by a cover letter the Health Information Technology Advisory Committee asserting a “worrisome Identity Assurance Disconnect”.  MaxMD reviewed the post and associated letter and responded back to the leadership of DirectTrust within hours. 

In the instance in question, MaxMD correctly performed identity proofing to the NIST LoA 3 standard through a remote identity proofing workflow.

Below are the NIST LoA 3 remote vetting requirements, copied and pasted and annotated in-line in bold with how MaxMD meets the standard, for ease of tracking.

RA verifies information provided by Applicant including ID number (Social Security Number) AND account number (mobile phone number) through record checks either with the applicable agency or institution or through credit bureaus or similar databases, and confirms that: name, DoB, address and other personal information in records are consistent with the application and sufficient to identify a unique individual (MaxMD confirms with LexisNexis that the applicant’s SSN matches the individual’s first name, last name, date of birth, and home address.) (At the same time this verification of the ID number is taking place, MaxMD verifies the applicant’s utility account by checking if the mobile phone number matches the first name and last name of the account holder.). At a minimum, the records check for both the ID number AND the account number should confirm the name (MaxMD matches both the Applicant’s ID and Account number with their first name and last name) and address of the Applicant (see Address confirmation below). For utility account numbers, confirmation shall be performed by verifying knowledge of recent account activity. (This technique may also be applied to some financial accounts.)

• Address confirmation:

a) CSP issues credentials in a manner that confirms the ability of the applicant to receive mail at a physical address associated with the Applicant in records; or

b) If personal information in records includes both an electronic address and a physical address that are linked together with the Applicant’s name, and are consistent with the information provided by the applicant, then the CSP may issue credentials in a manner that confirms ability of the Applicant to receive messages (SMS, voice or e-mail) sent to the electronic address (If the applicant is verified as the account holder of the mobile phone then we have linked physical address from the ID with the electronic address of the Account holder. MaxMD then delivers a time-oriented one-time password to the mobile phone number. This allows the applicant to verify knowledge of recent activity by entering the one-time password they received). Any secret sent over an unprotected session shall be reset upon first use and shall be valid for a maximum lifetime of seven days (The one-time password delivered via SMS text message expires in 10 minutes).

As to our process: MaxMD is a DirectTrust Accredited HISP, RA, and CA, and as such we are thoroughly and routinely audited/evaluated with regards to Procedures, Infrastructure and compliance with HIPAA and DirectTrust established Standards contained in the DirectTrust Certificate Policy v1.4. This process involves a roughly 500-page submission and two days of onsite visits with evaluators. And to be clear, MaxMD made no assertion verbally or in writing that this remote proofing process satisfies the IAL2 proposed standard. It should also be noted that even today, almost 1 year after posting this flawed analysis, IAL2 is not a requirement published into the DirectTrust Certificate Policy.

Lastly, at no time during the past year did the independent Subject Matter Experts reach out to me or any senior MaxMD personnel to discuss their analysis or their concerns. Had they, we would have been happy to educate them.

Scott A. Finlay 

CEO MaxMD

Patient Identity Proofing - Response to 2018-10-1 Post

We only just this week had the Monday 10/1/2018 post called to our attention in the process of reviewing the ISA for comments. As the attachment on the above post asserted a compliance issue with a DirectTrust HISP, we immediately contacted the HISP in question. In review of the processes that the HISP utilizes, it maps precisely to the remote proofing process as described in NIST 800-63-2. Please see the post below from Scott Finlay of MaxMD, who outlines in detail how remote proofing is supported there. DirectTrust at this time still conforms to LoA3 (remote) under 800-63-2. Our workgroups are nearly completed with the updates to our CP and our accreditation criteria which will support IAL2 requirements.

We agree with the assertions of the group that moving to IAL2 is important and that all CSPs and RAs should migrate to the new standard.  We are in the process of doing so.  Our current processes conform with LoA3 for remote proofing or better.  Further questions about DirectTrust processes should be forwarded to me at DirectTrust.  

Scott Stuewe

President and CEO, DirectTrust

Patient Identity Proofing

Accurate patient identification is the absolute bedrock underlying interoperability.  This need is already critical and will only grow more important over time.  NIST 800-63-3 IAL2 is the minimum assurance level that should be accepted.  There should be NO exceptions such as "allowing Participant staff to act as trusted referees" because such exceptions make it impossible to trust ANY of the identities asserted by the system.  Both patients and providers need to be identified to at least IAL2.

The recent RAND report "Defining and Evaluating Patient-Empowered Approaches to Improving Record Matching" indicates that there is at least one currently available strategy which "If adopted and used as intended, this solution would match records used by the same individual perfectly" (p 25).  It appears appropriate to initiate a pilot study to determine whether this claim can be achieved in actual practice.

Finally, a group of healthcare identity experts have recently discovered a discrepancy in the implementation of NIST IAL2 that must be resolved in order to enable all healthcare information exchange to be trusted with respect to patient identity.  See the attached document for a description of this problem.

800-63-Ccoverletter.docx

Pharmacy HIT Collaborative's Comments on ONC's Proposed 2018 ISA

The Pharmacy HIT Collaborative supports the name change.

Implementation Guide for Expressing Context in Direct Messaging

The Implementation Guide for Expressing Context in Direct Messaging, published by the Direct Project, was designed to facilitate inter-organizational patient demographic record matching by standardizing the inclusion of patient demographic metadata in Direct messages, and should be added to this category. This standard was successfully piloted by the Direct Project community at their October 2017 connect-a-thon. 

Luis Maas

CTO, EMR Direct

Patient Identity Assurance Level (IAL2)

I agree completely with the desire to identity proof patients to the level of IAL2.  However, I'm not understanding the last sentence of this consideration: "all collected PII collected by the Signatory shall be limited to the minimum necessary to resolve a unique identity and the Signatory shall not copy and retain such PII".  The Signatory should and in fact MUST be able to copy and retain PII to properly perform identity assurance. 

One of the elements necessary to perform strong identity proofing is to verify a strong or superior piece of identity evidence (like the patient's driver's license). During the course of verification the image of the identity evidence may be imaged and sent to a 3rd party to "proof" the authenticity of the document. Typically the image of the driver's license is kept on file by the Provider along with an image of the insurance card. Would maintaining a copy or image of the driver's license and insurance card violate the language in this sentence? It appears that it would. Also the PII data gleaned from those documents (person's name, address, DOB, etc.) is also "retained".

This sentence should be revised to state "All collected PII collected by the Signatory shall be limited to the minimum necessary to resolve a unique identity."