The Health IT Policy Committee on June 8 accepted a recommendation that all organizations participating in the Nationwide Health Information Network initiative (NwHIN) should use digital certificates that meet the same authentication standards already required for federal agencies. Ultimate approval for the recommendation rests with the Department of Health and Human Services.

One of the main motivations for the digital certificate requirement is that most healthcare organizations, at some point, will have to exchange information with a federal agency, and that requires use of Federal Bridge standards.

The authentication recommendation, which came from the Privacy and Security Tiger Team, states, “all certificates used in NwHIN exchanges must meet Federal Bridge standards and must be issued by a certificate authority (or one of its authorized resellers) that is a member of the Federal Public Key Infrastructure Framework.”

Paul Egerman, tiger-team co-chair, told the committee that an electronic health records (EHR) vendor, for example, could serve as a certificate reseller. In addition, about six certificate authorities now offer the Federal Bridge certificates at prices of $100 or less per organization.

In addition to the authentication recommendations, the committee recommended that, for stage two of the HITECH Act electronic health record incentive program, participants should verify how they’re keeping stored data secure, such as through encryption.

HHS is slated to issue a proposed rule setting requirements for stage two of the EHR incentive program by year’s end, with a final rule due by mid-2012.

In light of that timeline, the HIT Policy Committee on June 8 recommended that HHS fine-tune the deadline for certain participants in the program to achieve stage two benchmarks. Under the revised plan, those that attest to qualifying for stage one in 2011 would have until 2014, instead of 2013, to demonstrate compliance with stage two requirements and earn additional incentive payments.
See original article at http://www.healthcareinfosecurity.com/articles.php?art_id=3722&pg=1.