

Office of the National Coordinator for Health Information Technology; American Health Information Community Confidentiality, Privacy, and Security Workgroup Meeting

This document has been published in the Federal Register.



Announcement of meeting.


This notice announces the second meeting of the American Health Information Community (“the Community”) Confidentiality, Privacy, and Security Workgroup in accordance with the Federal Advisory Committee Act (Pub. L. No. 92-463, 5 U.S.C., App.).


September 29, 2006 from 10 a.m. to 4:30 p.m.

Place: Hubert H. Humphrey Building (200 Independence Avenue, SW., Washington, DC 20201), Conference room 800 (you will need a photo ID to enter a Federal building).

Status: Open.

Purpose: At this meeting, the Community Confidentiality, Privacy, and Security Workgroup will receive information on identity proofing and user authentication as it relates to the breakthroughs currently being discussed by the Community's Consumer Empowerment, Chronic Care, and Electronic Health Record Workgroups.

The meeting will be conducted in hearing format, and the Workgroup will invite representatives who can provide information relevant to identity proofing and user authentication as it relates to the breakthroughs currently being discussed by the Community's Consumer Empowerment, Chronic Care, and Electronic Health Record Workgroups. The format for the meeting will include multiple invited panels and time for questions and discussion. The meeting will include a time period during which members of the public may deliver brief (3 minutes or less) oral public comment. Slots for oral comments by the public will be filled on the day of the meeting as time permits. To submit comments via e-mail, please send them to (to ensure that your e-mail is received and appropriately filed, we ask that you explicitly put “CPS Public Comment” in the subject line of your e-mail) or mail your comments to Michele Rollins, Office of the National Coordinator (ONC), 330 C Street, SW., Suite 4090, Washington, DC 20201.



The Community's Confidentiality, Privacy, and Security (CPS) Workgroup will undertake steps to evaluate instances where health information technology (health IT) has shifted the CPS paradigm, as well as where policies (due to evolving technology) have become unclear or allow for varied interpretation.

The first two issues before the CPS workgroup (identity proofing and user authentication) were chosen because of their foundational importance to any security initiative. Inextricably linked, both issues need discussion in order to determine how authorized entry is governed to a new technology product, service, or infrastructure. In typical workflows, identity proofing and user authentication are the first of many processes completed in health care environments, followed shortly thereafter by other more complex activities such as access control, data management, information matching and transmission, and information assurance (data integrity, business continuity, etc.).

There is no one solution for identity proofing and user authentication. As health IT evolves, we expect that methods for identity proofing and user authentication will evolve as well. Certain types of health IT products may require more stringent methods while others may not, and understanding these tradeoffs will be critical to determining CPS policies. Deciding how to prove (with some degree of confidence) that someone is who they claim to be, followed by a repeatable authentication process, are necessary steps to ensure that an authorized person or entity can access a health IT product or service in a private and secure manner.

In an effort to inform members of the public responding to the questions posed for testimony, we are defining identity proofing and user authentication. For the purposes of the CPS hearing, identity proofing should be understood to mean the process of providing sufficient information (e.g., identity history, credentials, and documents) to correctly and accurately verify and establish an identity to be used in an electronic environment (e.g., over the Internet). For many everyday processes such as applying for a passport or driver's license, identity proofing takes place. To be granted the rights associated with a passport or driver's license, one first needs to provide documents to prove one's identity (e.g., birth certificate). This same principle exists to control access to electronic systems, and it is the intent of this hearing to discuss the types of identity proofing used or recommended to gain access to certain health IT products or services.

For the purposes of the CPS hearing, user authentication should be understood to mean the process of reliably verifying a claimed or presented identity, often used as a way to grant authorized access to data, resources, and other network services. User authentication takes place after an identity has been successfully proofed (verified by the appropriate authority) and a credential representing that proofed identity has been assigned to an individual. This does not mean the assignment of a unique identifier, but rather it refers to the method any system uses (in a unique way) to differentiate its users (e.g., a separate username) and challenge the user's ability to prove that they are who they claim to be (e.g., knowledge of a password associated with the username).

While responding to the questions below, it is recommended that each response identify (1) the risks and benefits associated with a particular identity proofing and/or user authentication method; (2) the potential costs and/or barriers associated with the method's implementation; and (3) if feasible, quantify the risks, benefits, costs, or barriers discussed in parts 1 and 2, with respect to a health care consumer, provider, other entity, or all. Responses should be particularly focused on the Community's breakthroughs (pre-populated and consumer-directed medication history and registration summary as part of a personal health record (PHR), access to current and historical laboratory results and interpretations in an electronic health record (EHR), and secure messages between patients and their clinicians). Where possible, please provide references to any peer reviewed literature that has informed your response.

1. Does an in-person identity proofing process provide greater benefit than automated, on-line processes, or vice-versa? Please explain.

2. Identify any particular concerns regarding the type of information collected for identity proofing or the storage of such information.

3. Should there be different identity proofing and user authentication processes for:

a. A patient versus a clinician. If yes, please explain and identify the scenario;

b. The primary user of a PHR versus a proxy for that user?

4. Are there other industry policies and practices related to identity proofing and user authentication that could be used successfully in any of the Community identified breakthroughs (see above)? If so, please describe these policies and specify how these could be implemented in a way that would minimize the risks and maximize the benefits as well as how they would compare to alternative methods in terms of risks, benefits and feasibility of implementation.

5. What is the appropriate balance of access to medical information in electronic form (through the use of stronger identity proofing and user authentication) against the privacy concerns of the consumer/patient? If possible, please discuss comparable programs/efforts in the past that have been successful in doing this.

6. What/how do you see the HHS's role, if any, in establishing guidelines for the health care industry with respect to identity proofing and user authentication? Or should the industry self-police in this area?

7. If private industry EHR or PHR services were to import data from Federal agencies (who are required either by statute or policy to protect data in certain ways), would it be reasonable to expect that the EHR or PHR service provided would comply with Federal information security practices?

8. Should the health care industry adopt the concept of multiple assurance levels when performing identity proofing and user authentication functions, similar to what OMB has defined for the Federal Government in OMB Memorandum M-04-04? When responding to this question, please cite, if possible, other models that may exist specifically for health care.

9. Based on your experience (personal/organizational) discuss how identity proofing and user authentication are currently addressed in the Personal Health Record (PHR) market from a technical, policy, and implementation perspective. Please ensure that your answers identify:

a. How the type of PHR (i.e., who provides/sponsors the PHR) could impact the identity proofing and user authentication method chosen;

b. Who is capable of providing data to the PHR;

c. The potential impact the type of data (which may vary in levels of perceived sensitivity, e.g., a medication history that lists a drug for an ear infection versus a drug for HIV) could have on the identity proofing and user authentication method chosen; and

d. How data is entered into the PHR, for example, by a health care consumer, or from a provider through a “push model” where data is automatically sent to the PHR without a request by the consumer.

10. Based on your experience (personal/organizational) with EHR technology that can, at a minimum, provide access to current and historical laboratory results and interpretations, should identity proofing and user authentication methodologies (technical, policy, and implementation) differentiate based upon:

a. The reception method of the data

i. For example: Accessing a laboratory's secure Web site for results and typing them into a patient's EHR vs. automatic population from the lab to the EHR; and

b. The interconnectivity of the EHR

i. For example: A doctor in a large health care system may be able to query another provider's EHR for data as opposed to querying the lab directly.

Written testimony submitted by the public is not required to address all of the questions listed above, and answers to any or all of the questions will be accepted so long as they comply with the following testimony guidelines. Persons wishing to submit written testimony (which should not exceed eight double-spaced typewritten pages) should endeavor to submit it by September 29, 2006.

If you have special needs for the meeting or require further assistance, please contact (202) 690-7151 and reference the CPS meeting.

The meeting will be available via Web cast at cfmx/ec/login/login1.cfm?BID=67 [Room Number: 8285166].


Judith Sparrow,

Director, American Health Information Community, Office of Programs and Coordination, Office of the National Coordinator for Health Information Technology.


[FR Doc. 06-7657 Filed 9-13-06; 8:45 am]