Best Practices for Individual Involvement
Overview
The Direct Project specification describes a workflow- and content-neutral method for securing health information in transit for directed messages. The involvement of the individual (patient, consumer) is identified in various Direct message use cases and is highly desirable. For individuals, there are some considerations related to identity management. This document describes those identity assurance considerations and makes recommendations regarding individual involvement.
Considerations
Level of Identity Assurance
Many personally controlled health records (PCHRs) and other systems that allow individuals to receive data via Direct can provide only a basic level of identity assurance regarding the identity of individuals. That is, they can provide a degree of assurance that the identity refers to the same person across multiple uses, but not that the person is who he or she purports to be. (This level of identity assurance generally corresponds to the "FBCA Rudimentary" or "NIST Level 1" forms of identity assurance.) While such a level of assurance is appropriate for individuals who are managing their own data, it does not provide an appropriate degree of assurance for organizations that wish to provide information to or receive information from individuals.
Organizational Identity
Organizational identity is used in the Direct Project specifications, and in their deployment, to improve the efficiency of certificate management for individuals or other addressed endpoints. This approach assumes that the organization can offer relying parties the same degree of assurance about endpoint identity that they have about the organization itself. In PCHRs, by contrast, there will often be a high degree of assurance in the organization but only basic assurance about the individual endpoints.
Recommendations
Sending Information to Individuals
When sending data to individuals, identity proofing (by the provider or provider office based on an in-person visit, or by an identity provider performing higher levels of identity verification), coupled with the individual supplying a Direct Address to which he or she wishes data sent, should be a sufficient combination to give the provider an appropriate level of assurance. Providers and staff should establish local policy to ensure this level of assurance, addressing, for example, the risks of phone-based identity proofing or of mis-entry of a Direct Address. Providers and staff should consider verifying the Direct Address by sending a message without PHI and requesting out-of-band confirmation from the patient before sending PHI.
Receiving Information from Individuals
Because the provider does not control when an individual initiates a message to the provider, providers and staff should establish local policy for how to handle inbound individual communication in general. The same identity assurance considerations apply as for the sending case; to ensure that information is received only from individuals with strong identity assurance, providers may wish to establish whitelists of known patients and to populate such whitelists automatically when sending. Providers should consider establishing different Direct addresses for receiving (and for initiating) patient communications, to facilitate appropriate handling of patient messages.
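The sending and receiving recommendations above, modelled as one sender-side local policy: a no-PHI verification message whose code the patient confirms out of band, a PHI gate that also requires a minimum proofing level, and an inbound whitelist populated automatically on send. This is an added illustration, not Direct Project specification code; the proofing levels, the confirmation-code exchange and the whitelist are assumptions about how a practice might implement the text.

```python
"""Sender-side local policy for Direct messages to patients (added illustration,
not Direct Project code; proofing levels, confirmation-code exchange and the
auto-populated inbound allowlist are assumptions modelling the text above)."""
import hmac
import secrets
from dataclasses import dataclass, field
from enum import IntEnum

class Proofing(IntEnum):
    """How the practice verified the patient's identity (ordered by strength)."""
    NONE = 0
    PHONE = 1       # phone-based proofing, whose risks local policy must address
    IN_PERSON = 2   # in-person visit, or an IdP doing higher-level verification

@dataclass
class PatientEntry:
    direct_address: str
    proofing: Proofing
    pending_code: str = ""    # code carried by the no-PHI verification message
    confirmed: bool = False   # patient confirmed that code out of band

@dataclass
class DirectPolicy:
    min_proofing: Proofing = Proofing.IN_PERSON           # assumed local policy choice
    inbound_allowlist: set = field(default_factory=set)   # known patients, for receiving
    outbox: list = field(default_factory=list)            # (address, body, contains_phi)

    def send_verification(self, entry: PatientEntry) -> str:
        """Step 1: no PHI; a mistyped address simply never echoes the code back."""
        entry.pending_code = secrets.token_hex(4)
        self.outbox.append((entry.direct_address, "confirm " + entry.pending_code, False))
        return entry.pending_code

    def confirm(self, entry: PatientEntry, code_from_patient: str) -> bool:
        """Step 2: out-of-band confirmation (phone call, portal, in person)."""
        if entry.pending_code and hmac.compare_digest(
                entry.pending_code.encode(), code_from_patient.encode()):
            entry.confirmed = True
        return entry.confirmed

    def send_phi(self, entry: PatientEntry, body: str) -> bool:
        """Step 3: release PHI only with sufficient proofing and a confirmed address."""
        if entry.proofing < self.min_proofing or not entry.confirmed:
            return False
        self.outbox.append((entry.direct_address, body, True))
        self.inbound_allowlist.add(entry.direct_address.lower())  # populate when sending
        return True

    def accept_inbound(self, sender: str) -> bool:
        """Inbound mail from individuals is accepted only from the allowlist."""
        return sender.lower() in self.inbound_allowlist
```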
Organizational Identity
PCHRs should use individual certificates, where the certificate makes an identity claim that is appropriate to the level of identity assurance that has been established. If the PCHR wishes to use an organizational certificate, the certificate should not make a strong identity claim, or it should be provisioned in such a way that it cannot be confused with an organizational certificate from a provider organization that is making strong identity assurance claims on behalf of the endpoints it exposes.