|Type||Standard / Implementation Specification||Standards Process Maturity||Implementation Maturity||Adoption Level||Federally required||Cost||Test Tool Availability|
|Limitations, Dependencies, and Preconditions for Consideration||Applicable Security Patterns for Consideration|
Submitted by catherine.schu… on 2017-11-20
I agree completely with the desire to identity proof patients to the level of IAL2. However, I'm not understanding the last sentence of this consideration: "all collected PII collected by the Signatory shall be limited to the minimum necessary to resolve a unique identity and the Signatory shall not copy and retain such PII". The Signatory should and in fact MUST be able to copy and retain PII to properly perform identity assurance.
One of the elements necessary to perform strong identity proofing is to verify a strong or superior piece of identity evidence (like the patient's driver's license). During the course of verification the image of the identity evidence may be imaged and sent to a 3rd party to "proof" the authenticity of the document. Typically the image of the driver's license is kept on file by the Provider along with an image of the insurance card. Would maintaining a copy or image of the driver's license and insurance card violate the language in this sentence? It appears that it would. Also the PII data gleaned from those documents (person's name, address, DOB, etc.) is also "retained".
This sentence should be revised to state "All collected PII collected by the Signatory shall be limited to the minimum necessary to resolve a unique identity."
Submitted by juliemaas on 2017-11-20
The Implementation Guide for Expressing Context in Direct Messaging, published by the Direct Project, was designed to facilitate inter-organizational patient demographic record matching by standardizing the inclusion of patient demographic metadata in Direct messages, and should be added to this category. This standard was successfully piloted by the Direct Project community at their October 2017 connect-a-thon.
CTO, EMR Direct
Submitted by shellyspiro on 2018-10-01
The Pharmacy HIT Collaborative supports the name change.
Submitted by Barry Hieb on 2018-10-01
Accurate patient identification is the absolute bedrock underlying interoperability. This need is already critical and will only grow more important over time. NIST 800-63-3 IAL2 is the minimum assurance level that should be accepted. There should be NO exceptions such as "allowing Participant staff to act as trusted referees" because such exceptions make it impossible to trust ANY of the identities asserted by the system. Both patients and providers need to be identified to at least IAL2.
The recent RAND report "Defining and Evaluating Patient-Empowered Approaches to Improving Record Matching" indicates that there is at least one currently available strategy which "If adopted and used as intended, this solution would match records used by the same individual perfectly" (p 25). It appears appropriate to initiate a pilot study to determine whether this claim can be achieved in actual practice.
Finally, a group of healthcare identity experts have recently discovered a discrepancy in the implementation of NIST IAL2 that must be resolved in order to enable all healthcare information exchange to be trusted with respect to patient identity. See the attached document for a description of this problem.