Short Form Certificate Policy

Commonwealth Department of Human Services Community of Interest Certificate Policy for the National Authentication Service for Health PKI Certificate for Healthcare Provider Organisations

v 2.2 (2 year Duration)
November 2014

Commonwealth Department of Human Services Community of Interest Certificate Policy for NASH PKI Certificate for Healthcare Provider Organisations v2.2

Ownership of intellectual property rights in this publication
Unless otherwise noted, copyright (and any other intellectual property rights, if any) in this publication is owned by the Commonwealth of Australia (referred to below as the Commonwealth).

Creative Commons licence
With the exception of the Coat of Arms, this publication is licensed under a Creative Commons Attribution 3.0 Australia Licence.
Creative Commons Attribution 3.0 Australia Licence is a standard form licence agreement that allows you to copy, distribute, transmit and adapt this publication provided that you attribute the work. A summary of the licence terms is available from http://creativecommons.org/licenses/by/3.0/au/deed.en. The full licence terms are available from http://creativecommons.org/licenses/by/3.0/au/legalcode.
The Commonwealth’s preference is that you attribute this publication (and any material sourced from it) using the following wording:
Source: Licensed from the Commonwealth of Australia under a Creative Commons Attribution 3.0 Australia Licence. The Commonwealth of Australia does not necessarily endorse the content of this publication.
Requests for information about this licence should be sent to:
The Manager
External Communication Branch
Human Services Portfolio Communication Division
PO Box 7788
Canberra BC, ACT, 2610

Use of the Coat of Arms
The terms under which the Coat of Arms can be used are set out on the Department of the Prime Minister and Cabinet website (see http://www.dpmc.gov.au/guidelines/).
Copyright © 2013 Commonwealth of Australia

Contact (for any matters concerning this document)
National Manager
eClaiming Branch
Health eBusiness Division
Department of Human Services
PO Box 7788, Canberra BC ACT 2610

Version History

Doc Version | Status          | Date of Issue    | Comments
1.0         | Initial version | 14 June 2012     |
1.0         | Initial version | 28 June 2012     | Correction made to Certificate Profile
2.0         | First update    | 10 December 2012 | Amended to permit secure messaging between healthcare provider organisations and to change certificate duration
2.1         | Second update   | 16 April 2013    | Amended to clarify Certificate Uses, Disclaimer regarding identity, and Indemnities
2.2         | Revised version | November 2014    | Updates to disclaimers regarding identity

This Document has been authorised by the Department of Human Services Policy Management Authority:

_______________________ Date:
General Manager
Health Programs Division
Department of Human Services

Background

The Commonwealth Department of Human Services (Human Services) has implemented the Health Sector Public Key Infrastructure (Health Sector PKI). Human Services wishes to provide a national authentication framework for access by individual healthcare providers and healthcare provider organisations to the eHealth Record system using the Health Sector PKI.
Under the Health Sector PKI, Key pairs and Public Key Certificates are to be issued to End Entity Subscribers who are Individual Healthcare Providers and Healthcare Provider Organisations to whom healthcare identifiers (Healthcare Provider Identifier – Individual (HPI-I) and Healthcare Provider Identifier – Organisation (HPI-O)) have been assigned under the Healthcare Identifiers Act 2010.

The eHealth Record system is an electronic system for collecting, using and disclosing certain information, including health information, using telecommunications services or other means. The eHealth Record system is established under the Personally Controlled Electronic Health Records Act 2012 (eHealth Record Act). The System Operator is appointed under section 14 of the eHealth Record Act to perform various functions in relation to the eHealth Record system as set out in section 15 of the eHealth Record Act.

The Public Key Certificates to be issued under the Health Sector PKI for accessing the eHealth Record system are Relationship Certificates. The Root Certification Authority (RCA) and Relationship Organisation (RO) is Human Services.[1]

Subscribers for Certificates issued under this Certificate Policy are the Healthcare Provider Organisations to whom HPI-Os have been assigned under the Healthcare Identifiers Act 2010. The Certificates issued to Healthcare Provider Organisations under this Certificate Policy can be used to access the eHealth Record system and to authenticate or protect confidentiality and integrity of electronic communications with Relying Parties (other than the eHealth Record System Operator) that are recognised under this Certificate Policy.

For the purpose of Certificates issued under this Certificate Policy, Human Services does not verify that a Healthcare Provider Organisation issued with a Certificate under the Health Sector PKI is a particular organisation.
More information about the process undertaken by Human Services for the verification of HPI-Os is set out in clause 2 of this Certificate Policy. The process used to identify and authenticate Subscribers only verifies that the Subscriber is recorded as having been assigned a HPI-O by the Healthcare Identifiers service operator and does not include any independent verification.

The following are Relying Parties:
• the System Operator of the eHealth Record system appointed under section 14 of the eHealth Record Act. The responsibilities of the System Operator are set out in the eHealth Record Act;
• Subscribers under this Certificate Policy (i.e. Healthcare Provider Organisations to which a Certificate has been issued); and
• information technology providers that are Subscribers under another Commonwealth Department of Human Services Community of Interest Certificate Policy for the NASH, and that are engaged by Subscribers under this Certificate Policy for sending and receiving secure messages.

For the purpose of Certificates issued under this Certificate Policy, the Community of Interest (CoI) comprises Human Services, the Healthcare Identifiers service operator under the Healthcare Identifiers Act 2010, the System Operator of the eHealth Record system and the End Entity Subscribers.

[1] Medicare Australia is now integrated into the Department of Human Services by virtue of the Human Services Legislation Amendment Act 2011. The effect of item 99 of Schedule 1 to the Human Services Legislation Amendment Act 2011 is to provide that where there is a reference to "Medicare Australia" in the Health Sector PKI documents, that reference is read as a reference to the Department of Human Services.
This is the Certificate Policy (CP) for organisation Certificates to be issued to Healthcare Provider Organisations to which HPI-Os have been assigned under the Healthcare Identifiers Act 2010 (NASH PKI Certificate for Healthcare Provider Organisations).

The NASH PKI is a set of hardware, software, policies and procedures that let the recipient of an electronic communication know that:
• the sender of the communication was recorded as being registered with the HI Service at the time they were issued with a Certificate, and information related to the sender’s registration can be reliably represented to the recipient for verification (authentication)
• the communication content has not been changed in transit between the sender and the recipient (integrity)
• only the intended recipient is able to open the communication (confidentiality).

This CP should be read in conjunction with the:
• Medicare Australia Root Certification Authority Certification Practice Statement (Medicare Australia RCA CPS)
• Medicare Australia Root Certification Authority Certificate Policy (Medicare Australia RCA CP)
• Medicare Australia Organisation Certification Authority Certification Practice Statement (Medicare Australia OCA CPS).

Terminology

Clinical means anything that relates to the examination, diagnosis or treatment of individual patients by healthcare providers who are duly qualified, registered, recognised or trusted as performing those actions.

NASH is an acronym for National Authentication Service for Health.

NASH PKI has the meaning provided in the Background above.

NASH PKI Certificate for Healthcare Provider Organisations means an organisation Certificate issued under this CP to a Healthcare Provider Organisation to which a HPI-O has been assigned under the Healthcare Identifiers Act 2010.
Healthcare Provider Organisations will, on application to Human Services for a NASH PKI Certificate for Healthcare Provider Organisations, have their information provided to the Chief Executive Medicare as service operator of the Healthcare Identifiers service under the Healthcare Identifiers Act 2010 for verification of their HPI-Os. This enables Human Services Relationship Organisation Unit Operators to confirm that the Healthcare Provider Organisation Applicant has a relationship within the CoI defined in this CP by virtue of the assignment of its HPI-O.

All Applicants for a Certificate issued under the Health Sector PKI for accessing the eHealth Record system and to authenticate or protect confidentiality and integrity of electronic communications between Healthcare Provider Organisations are to have a HPI-O assigned in accordance with the Healthcare Identifiers Act 2010.

Please refer to the documents listed below for definitions relevant to this CP. In this CP, the order of priority for determining the meaning of a specific term is:
1. Healthcare Identifiers Act 2010 (Cth) (http://www.comlaw.gov.au)
2. Healthcare Identifiers Regulations 2010 (Cth) (http://www.comlaw.gov.au)
4. National Partnership Agreement 2009 (the COAG agreement)
5. the Healthcare Identifiers Service Glossary of Terms and Conditions (http://www.nehta.gov.au/connecting-australia/healthcare-identifiers)
6. Medicare Australia PKI Gatekeeper documents, including the Medicare Australia Health Sector PKI Glossary (http://www.medicareaustralia.gov.au/provider/vendors/pki/policy.jsp)

More information about the process undertaken by Human Services for the verification of HPI-Os is set out in clause 2 of this Certificate Policy.
Certificate Policy Clauses

CP Identification
Certificates issued under this CP shall bear the Policy OID: 1.2.36.174030967.1.10.1.1

1. Introduction
This is the Certificate Policy for organisation Certificates to be issued to Healthcare Provider Organisations to which a HPI-O has been assigned under the Healthcare Identifiers Act 2010 and that wish to use the Certificate in accordance with the acceptable uses outlined in section 1.2. The Certificates are provided on a CD to Subscribers, who are responsible for uploading the Certificates onto the Subscribers’ client operating system.

The Relationship Organisation (RO) for this CP is Human Services. The Relationship Organisation Unit (ROU) is the program area in Human Services responsible for undertaking the Application registration. The Relationship Organisation Unit Operators (ROUOs) are Human Services personnel working in the ROU.

1.1 PKI Participants

1.1.1 Certification Authority
All Certificates issued under this CP shall be produced by the Medicare Australia Organisation Certification Authority (Medicare Australia OCA). Refer to the Medicare Australia Organisation Certification Authority Certification Practice Statement (Medicare Australia OCA CPS), located at www.humanservices.gov.au, for further information on applicable practices and procedures for Certificates issued under this CP.

1.1.2 Relationship Organisation
Human Services is the Relationship Organisation (RO) for the CoI defined in this Certificate Policy.

1.1.3 Relationship Organisation Unit
There is a separately identified ROU within the Health Sector PKI for the CoI defined in this CP. The ROU at Human Services has responsibilities in the CoI in managing the Subscribers in the CoI.
1.1.4 Certificate Controllers
Certificate Controllers are RO personnel with responsibilities for management of Certificates. All Certificate Controllers operating under this CP are duly authorised representatives of Human Services.

1.1.5 Relationship Organisation Unit Operators
Relationship Organisation Unit Operators (ROUOs) are Human Services personnel within the ROU. ROUOs within the ROU are not Certificate Controllers. ROUOs operate in accordance with the processes and procedures set out in the Medicare Australia OCA CPS and this CP.

1.1.6 Subscribers
Subscribers under this CP are Healthcare Provider Organisations to which a HPI-O has been assigned under the Healthcare Identifiers Act 2010.

The meaning of a NASH PKI Certificate for Healthcare Provider Organisations issued under this CP is nothing more and nothing less than a statement expressed in a digital format of the fact that the Subscriber (the Healthcare Provider Organisation) is recorded as having a particular HPI-O in the record maintained by the Healthcare Identifiers service operator under the Healthcare Identifiers Act 2010 at the time of Certificate issuance. A Certificate does not verify or represent that the Subscriber is a particular organisation.

A Certificate does not verify or represent that the Subscriber is registered with the PCEHR system under the Personally Controlled Electronic Health Records Act 2012 (Cth). This registration is a separate process that may only be undertaken by those Healthcare Provider Organisations that are eligible for that registration.

The NASH PKI protects the confidentiality of the electronic communication, and lets the recipient of the communication know that the communication content has not been changed in transit between the sender and the recipient.
A Certificate does not make any other assertions about the content of an electronic communication (including any Clinical content) either prior to the communication being sent by the Subscriber or after the communication is received by the Relying Party.

There is a Subscriber agreement under this CP, known as the National Authentication Service for Health Public Key Infrastructure Certificate for Healthcare Provider Organisations Terms and Conditions of Use. The Subscriber is bound by these terms and conditions.

1.1.7 Relying Party
The following are Relying Parties:
• the System Operator of the eHealth Record system appointed under section 14 of the eHealth Record Act. The responsibilities of the System Operator are set out in the eHealth Record Act;
• Subscribers under this Certificate Policy (i.e. Healthcare Provider Organisations to which a Certificate has been issued); and
• information technology providers that are Subscribers under another Commonwealth Department of Human Services Community of Interest Certificate Policy for the NASH, and that are engaged by Subscribers under this Certificate Policy for sending and receiving secure messages.

Relying Parties must not use a Certificate by itself, and must use means other than reliance on the NASH PKI, to determine whether they will rely on the content of an electronic communication (including any Clinical statement or representation). There are no other Relying Parties.

There is a Relying Party Agreement under this CP. It is published at www.humanservices.gov.au.
Where you rely on a Certificate issued under this CP and you do not have a written agreement with Human Services or authorisation or approval via a notice published at www.humanservices.gov.au/pki (specifying an allowable usage), then you rely on the Certificate at your own risk.

1.2 Certificate Use

1.2.1 Allowable Certificate Uses
Key Pairs and Certificates issued under this CP must only be used by Healthcare Provider Organisations for:
a) accessing electronic records on the eHealth Record system as authorised by the eHealth Record System Operator; or
b) authenticating or protecting the confidentiality and integrity of electronic communications with Relying Parties (other than the eHealth Record System Operator) that are recognised under this Certificate Policy (see section 1.1.7).

1.2.2 Prohibited Certificate Uses
A NASH PKI Certificate for Healthcare Provider Organisations is only permitted to be used for the purposes outlined in section 1.2.1 above. Parties using a NASH PKI Certificate for Healthcare Provider Organisations for any other purpose do so at their own risk.

1.3 Definitions and Acronyms
Definitions and Acronyms are in the:
• Medicare Australia Health Sector PKI Glossary (http://www.medicareaustralia.gov.au/provider/vendors/pki/policy.jsp)
• Healthcare Identifiers Act 2010
• Healthcare Identifiers Regulations 2010
• Healthcare Identifiers Glossary
• Personally Controlled Electronic Health Records Act 2012

2. Identification and Authentication of Users

2.1 Naming of Subscribers
Subscribers (termed ‘Certificate Subjects’ in the X.509 definition) under this CP shall be named according to Human Services application and registration processes for Healthcare Provider Organisations in the CoI described in this CP.
2.2 Identification and authentication of the Subscriber at registration
Subscribers (Healthcare Provider Organisations) under this CP will be identified and authenticated at the time of their application for registration (however described) as a Healthcare Provider Organisation by verifying with the Healthcare Identifiers service operator established under the Healthcare Identifiers Act 2010 that a HPI-O has been assigned to an entity matching the details in the application for a NASH PKI Certificate for Healthcare Provider Organisations.

For the purpose of issuing Certificates under this CP, the RO relies on the verification process provided by the Healthcare Identifiers service operator, which in turn relies on its record of information maintained under section 10 of the Healthcare Identifiers Act 2010. The RO does not undertake any separate action to verify or confirm the information provided by a Healthcare Provider Organisation in its application for a NASH PKI Certificate for Healthcare Provider Organisations or by the Healthcare Identifiers service operator through the Healthcare Identifiers service operator's verification process.

Human Services may, in accordance with trusted practices, but will not be limited to:
a) receive an application for a NASH PKI Certificate for Healthcare Provider Organisations;
b) request information from the Healthcare Identifiers service operator established under the Healthcare Identifiers Act 2010 that verifies that a HPI-O has been assigned to an entity matching the details in the application.
Where a Healthcare Provider Organisation wishes to access electronic health records in the eHealth Record system using its Certificate, the System Operator under the eHealth Record Act reserves the right to require that the Healthcare Provider Organisation enter into terms and conditions for accessing those records. Any such program terms and conditions are separate from the National Authentication Service for Health Public Key Infrastructure Certificate for Healthcare Provider Organisations Terms and Conditions of Use.

2.3 Identification and authentication of the Subscriber at renewal
Subscribers (Healthcare Provider Organisations) under this CP may have their Certificate issued under this CP renewed provided the RO is satisfied that the Subscriber’s status within the Healthcare Identifiers Service remains active.

2.4 Identification and authentication of revocation request
Revocation of Certificates under this CP shall only be requested in writing by:
• ROUOs, in the event that the Subscriber becomes ineligible to remain as a Healthcare Provider Organisation for the purpose of the CoI described in this CP; or
• the Subscriber; or
• Certificate Controllers.

3. Certificate Life Cycle Operational Requirements

3.1 Certificate creation

3.1.1 Enrolment process and responsibilities
Human Services may consider that the Healthcare Provider Organisation be enrolled for a NASH PKI Certificate for Healthcare Provider Organisations by Certificate Controllers on the basis of:
a) receipt of an application for a NASH PKI Certificate for Healthcare Provider Organisations together with any documentation required as part of the Health Sector PKI requirements;
b) consent by the applicant to collect, disclose and use information with, from and to the service operator established under the Healthcare Identifiers Act 2010;
c) verification from the Healthcare Identifiers service operator established under the Healthcare Identifiers Act 2010 that a HPI-O has been assigned to an entity matching the details in the application.

Human Services may, in accordance with trusted practices, provide information to Verizon Australia Pty Ltd (or another service provider) as the RCA's agent so as to enable a NASH PKI Certificate for Healthcare Provider Organisations to be issued.

3.1.2 Publication of the Certificate
Certificates issued under this CP will be published in the NASH Directory. The NASH Directory will be accessible by Relying Parties under this CP and under other NASH Certificate Policies. The department may choose, at its discretion, to change who can access the NASH Directory, including choosing what, if anything, is permitted to be accessed. A Healthcare Provider Organisation's HPI-O, which is contained in its Certificate, will be disclosed in the NASH Directory.

Revocation status of Certificates issued under this CP will be published in the Healthcare Public Directory. The HPI-O will not appear in the Certificate Revocation List.

3.2 Key pair and Certificate Usage

3.2.1 Key pair generation and installation
All Subscriber Key Pairs and Certificates issued under this CP shall be generated by a Certificate Controller using accredited software. The signing and encryption Key shall be stored in a password protected PKCS#12 file separate from the encryption Key and Certificate. These PKCS#12 files are stored on electronic medium and distributed as instructed by the ROUO. A PIC (personal identification code) to access the Keys and Certificates will also be generated and dispatched separately.

3.3 Certificate renewal
Certificates issued under this CP may be renewed automatically by the Certificate Controllers. This is at the discretion of Human Services. Refer to clause 2.3 for details of identification and authentication.

3.4 Certificate revocation
Certificates issued under this CP may be revoked by Human Services in its absolute discretion, including but not limited to:
a) after loss, destruction or theft of the Certificate;
b) in the event of the Healthcare Provider Organisation’s de-registration (however described);
c) in the event the Healthcare Identifiers service operator established under the Healthcare Identifiers Act 2010 cancels the HPI-O of the Healthcare Provider Organisation;
d) in the event that the Healthcare Provider Organisation revokes any consent given under section 24A of the Healthcare Identifiers Act 2010 or alters any limitations regarding the consent.

3.5 Certificate status services

3.5.1 Operational characteristics
Refer to Section 4.10.1 of the Medicare Australia RCA CP.

3.5.2 Service availability
Service availability for the Certificate Revocation List (CRL) is substantially 24x7 at www.certificatesaustralia.com.au.

3.5.3 Optional features
Not applicable.

4. Registration Operational Controls

4.1 Personnel controls
All Certificate Controllers under this CP shall be authorised representatives of Human Services.

4.2 Logical and Technological controls
Certificate requests will be processed by the authorised Certificate Controllers of Human Services in accordance with the security provisions of the Medicare Australia OCA CPS.

4.3 Physical controls
Certificate requests will be processed by Human Services Certificate Controllers in accordance with the security provisions of the Medicare Australia OCA CPS.

4.4 Business continuity of the Relationship Organisation
Human Services (the Relationship Organisation under this CP) is a department of state of the Commonwealth of Australia and forms part of the Commonwealth. Changes in legislation or government policy will provide for business continuity of the RO in accordance with policy as determined by the government and implemented in accordance with Commonwealth Machinery of Government (MOG) requirements.

4.5 Relationship Organisation termination
Changes in legislation or government policy will provide for termination of Human Services as the RO under this CP and for a replacement agency as the successor RO in accordance with policy as determined by the government, if required.

4.6 eHealth Record System Operator termination
The System Operator of the eHealth Record system is established under section 14 of the Personally Controlled Electronic Health Records Act 2012 (eHealth Record Act). A change of status of the System Operator can only be through amendment to the eHealth Record Act or by other Acts of the Commonwealth Parliament made pursuant to changes in government policy.

5. Other Business and Legal Matters

5.1 Other Business
For information on other business (for example fees, confidentiality, privacy, intellectual property, representations and warranties and disclaimers of warranties), refer to section 9 and subsections 9.1 - 9.7 of the Medicare Australia Root Certification Authority (RCA) Certificate Policy (CP) at www.humanservices.gov.au.

5.2 Legal Matters
For information on legal matters, refer to section 9 (Other Business and Legal Matters) of the Medicare Australia RCA CP at www.humanservices.gov.au. The following provisions apply in addition and without prejudice to those set out in section 9 (Other Business and Legal Matters) of the Medicare Australia RCA CP.

Termination
In addition and without prejudice to any other right to terminate or revoke a Certificate, Human Services may terminate a Certificate issued under this CP at any time to facilitate a transition to another Public Key Infrastructure for the National Authentication Service for Health, if any.

Disclaimer regarding identity
A Certificate does not verify or represent that the Subscriber is a particular organisation. The meaning of a Certificate issued under this CP is nothing more and nothing less than a statement expressed in a digital format of the fact that the Subscriber is recorded as being registered with the HI Service. A Certificate does not represent or verify that:
• the Subscriber has a particular identity (ie, is a particular organisation or individual);
• the Subscriber or any of its personnel have particular qualifications or registrations other than with the HI Service; or
• the Subscriber is registered with the eHealth Record system.

Disclaimers of Warranties
In addition and without prejudice to the disclaimers under section 9.7 that apply to the Commonwealth and its agencies, the Chief Executive Medicare as the service operator under the Healthcare Identifiers Act 2010 and Human Services disclaim all warranties, express or implied.
In addition and without prejudice to the limitation under section 9.7 that applies to the Commonwealth and its agencies, if any warranties or conditions are implied by legislation, then the liability of the Chief Executive Medicare as the service operator under the Healthcare Identifiers Act 2010 and Human Services (and of their contractors (including sub-contractors)), for any breach of the condition or warranty is limited to:
a) re-performing the services to which the warranty applied, or
b) paying the cost of re-performing those services.

Commonwealth, Agencies and Department of Human Services Liability
In addition and without prejudice to the limitation of liability under section 9.8 that applies to the Commonwealth and its agencies, the aggregate liability of the Chief Executive Medicare as the service operator under the Healthcare Identifiers Act 2010 and Human Services to any and all persons concerning all Certificates shall be limited to an amount not to exceed $50,000 in aggregate for all claims arising in connection with the Health Sector PKI, including but not limited to:
a) an entity described in this CP carrying out, or omitting to carry out, any activity described in, or contemplated by, the Documents, and
b) the carrying out or omitting to carry out, any activity related to the Gatekeeper accreditation process.

5.2.2 Indemnities
No indemnity (contractual or otherwise) arises between Human Services, Chief Executive Medicare, Subscribers and Relying Parties under the Health Sector PKI to which this CP applies.
5.2.3 Legislation
Section 26 of the Healthcare Identifiers Act 2010 prohibits a person from disclosing a healthcare identifier except in specified circumstances, including where the person is authorised to disclose a healthcare identifier under that Act. Section 24A of the Healthcare Identifiers Act 2010 allows an entity to collect, use or disclose a healthcare provider's healthcare identifier for a purpose relating to the provision of healthcare if the healthcare provider has consented to such collection, use or disclosure.

Human Services is collecting the Healthcare Provider Organisation's HPI-O to enable authentication via the Health Sector PKI of identities in electronic transmissions (in the manner and to the extent described in this CP). This underpins the creation of a secure eHealth Record, which is a purpose relating to the provision of healthcare.

6. Certificate Profiles

6.1 NASH Healthcare Provider Organisation Certificate – Certificate Profile

Field | Content | Mandatory / Criticality
1. X.509v1 Field | |
1.1 Version | V3 | M
1.2 Serial Number | A positive integer that uniquely identifies the Certificate. | M
1.3 Signature Algorithm | SHA-1 RSA: SHA-1 hashing algorithm using the RSA signing algorithm. | M
1.4 Issuer Distinguished Name | | M
1.4.1 Country (C) | AU | M
1.4.2 Organization (O) | GOV | M
1.4.3 Organization Unit (OU) | Medicare Australia | M
1.4.4 Common Name (CN) | Medicare Australia Organisation Certification Authority | M
1.5 Validity | | M
1.5.1 Not Before | The date that the Certificate is valid from (system time at certificate issuance). YYMMDDHHMMSSZ encoded as UTCTime for dates up to 2049 and encoded as GeneralizedTime for dates in 2050 or later. | M
1.5.2 Not After | The date that the Certificate is valid until: 2 years from Start Validity, i.e. certificate issuance. YYMMDDHHMMSSZ encoded as UTCTime for dates up to 2049 and encoded as GeneralizedTime for dates in 2050 or later. | M
1.6 Subject | | M
1.6.1 Domain Component (dc) | au | M
1.6.2 Domain Component (dc) | net | M
1.6.3 Domain Component (dc) | electronichealth | M
1.6.4 Domain Component (dc) | id | M
1.6.5 Domain Component (dc) | <Healthcare Identifier of Organisation> | M
1.6.6 Organisation (o) | <Organisation Name> | M
1.6.7 Common Name (cn) | general.<Healthcare Identifier of Organisation>.id.electronichealth.net.au | M
1.7 Subject Public Key Info | RSA Public Key of 2048 bits. | M
2. X.509v3 Extensions | |
2.1 Authority Key Identifier | | NonCritical, M
2.1.1 Key Identifier | SHA-1 hash (60 bits) of the Issuer's public key. |
2.1.2 AuthorityCertIssuer | Not present |
2.1.3 AuthorityCertSerialNumber | Not present |
2.2 Subject Key Identifier | SHA-1 hash (60 bits) of the Subject's public key. | NonCritical
2.3 Key Usage | | Critical*, M
2.3.1 Digital Signature | SET |
2.3.2 Non Repudiation | NOT SET |
2.3.3 Key Encipherment | SET |
2.3.4 Data Encipherment | SET |
2.3.5 Key Agreement | NOT SET |
2.3.6 Key Certificate Signature | Not Selected |
2.3.7 CRL Signature | Not Selected |
2.4 Extended Key Usage | Not applicable | NonCritical
2.5 Certificate Policies | | NonCritical
2.5.1 Policy Identifier | 1.2.36.174030967.1.10.1.1 |
2.5.1.1 Policy Qualifier ID | User Notice |
2.5.1.2 User Notice | Certificates issued under this CP must only be relied on by entities within the Community of Interest, unless otherwise agreed. Any use of or reliance upon a certificate for purposes other than those permitted by this CP is deemed to be at the sole risk of the Subscribing and/or Relying Party. This certificate contains a healthcare identifier. The use and disclosure of healthcare identifiers is regulated by the Healthcare Identifiers Act 2010. It is important that your organisation ensures that certificates are always used for a purpose related to the provision of healthcare. |
2.5.1.3 Policy Qualifier ID | CPS URI |
2.5.1.4 CPS URI | http://www.humanservices.gov.au/ |
2.6 Subject Alternate Names | | NonCritical, M
2.6.1 rfc822Name | not present |
2.6.2 Uniform Resource Identifier | URI for the Healthcare Identifier of Organisation: http://ns.electronichealth.net.au/id/hi/<Organisation Type>/1.0/<Healthcare Identifier of Organisation>. This URI does not point to a resource and should not be followed as a reference. |
2.7 Basic Constraints | | Critical
2.7.1 Subject Type | Not CA |
2.7.2 Path Length Constraint | Not present |
2.8 Authority Information Access | | NonCritical
2.8.1 Access Description | |
2.8.1.1 Access Method | On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1) |
2.8.1.2 Alternative Name | URL=http://ocsp.certificatesaustralia.com.au/maoca.pkx |
2.9 CRL Distribution Point | | NonCritical
2.9.1 URL | http://www.certificatesaustralia.com.au/general/cert_search_health.shtml |
3.0 Other Fields - Generic | |
3.0.1 Generic IA5 String: RA Number (OID=1.2.36.73665175.1.10009) | <RA Number> | NonCritical, M
