“Digital certificates are essential to achieving a high level of assurance that organizations participating in electronic healthcare information exchange are who they say they are,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “In our view, provider entities and organizations should take note of this proposed ruling and go even further; digital certificates should also be the basis for identifying and authenticating all individual health professionals, including administrative staff, who have access to electronic health information records.”
Individual health professionals were outside the scope of the Tiger Team discussions; however, in making its recommendations, the Tiger Team noted that HIPAA security rules already require organizations to develop and implement policies to identity-proof and authenticate their individual users.
“HIPAA is very clear that if someone accesses personal health information that they are not authorized to see, that constitutes a breach. And now health information breaches must be disclosed and carry penalties. With the usage, storage and transmission of electronic health records, the risk of breach is magnified, putting a clear burden on all organizations participating in the healthcare industry to make sure they know who can access healthcare records, and which parts of those records they can see. The safest way to protect the exchange and use of healthcare information by individuals in healthcare provider organizations is with a digital credential securely stored on a smart card,” said Vanderhoof.
Smart cards are an effective and user-friendly way to distribute and use digital credentials, and are already widely used worldwide in both government and the private sector, for example in the defense, aerospace, healthcare and pharmaceutical industries. Credentials on cards stay with the owner, enable PIN or biometric-based security for credential use and provide a second authentication factor in transactions. This approach ensures that only the right people have access to information, and protects individual healthcare data records as required by HIPAA.
More information on healthcare identity management is available at the Smart Card Alliance website, including white papers, webinars and executive briefs.
About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.