Decisions
The SWG reviewed the Identity Proofing White Paper. The following edits and discussions were made and organized by section. Additions are underlined and deletions are stricken-through.
Action items are bolded.
The following document-wide changes were made throughout the editing of the document during the meeting, but will need to be reviewed:
- Ensure consistency of use of acronyms
- Indicate calendar year when referring to quarters (Q1, Q2, etc.)
- Capitalize “medium assurance” throughout document
- Ensure consistency of use of the Level of Assurance (LOA) acronym
1.0 Summary
- “To meet the requirements of FBCA Medium Assurance, the individuals and organizations entities must present proof of their identities in person.” o The use of “organizations” in place of “entities” should be made consistent throughout the document.
- Line added, (need to verify IdP of organizations and the relationship to group certificates). o Bob will follow up on this.
- Edited the last bullet point of section 1.0, “Federation of the identity proofing process and creation of credentialing accreditation policies to permit incorporation of identity proofing as part of individual and organizational credentialing or accreditation in healthcare (see
8.4-8.9).
2.0 Statement of Problem and Background
- The second paragraph was clarified: “There is a need on CMS’s part to ensure authenticity of the documents produced and to 1) verify the identification of the individual or organization (contained in the eMDR) and 2) to ensure authenticity of the documents submitted to respond to the eMDR.
”
- Since the issuer of a certificate may be the root, or be subordinate to root, this may need to be clarify throughout the paper.
3.0 requirements
- Addition made to 1.c: “minimize the operational impact required to establish, maintain or use a digital identity and digital signatures .”
4.0 Assumptions
- Addition made to the second bullet point: “…(identified in the subject of the eMDR transaction) …”
5.0 Review of Standards
- The following rows were deleted from the standards reference section: o FDA (participation in drug trials) o Kantara Initiative 0 Healthcare Identity Assurance Workgroup o GSA
- Added to E-Prescribing: “[Expand reference]” o E-Prescribing will need to be expanded.
6.0 Industry Examples
- Under the first section (DEA):
o Under the “Identity Proofing” bullet point, added note: “SWG Note: this requirement for an Individual (other than the provider) to authenticate the provider as part of the DEA process effectively makes the IdP requirement equivalent to FBCA Medium Assurance or NIST 800- 63-1 LOA4.
” o Changed bullet point: “Under the Interim Final Rule IFR…”
- Under the DIRECT Project section: o Under the 5 th bullet point: “The same X509v3 certificate…”
- Title of section changed: “PIV – Personal Identity Verification (PIV) of Federal Employees and Contractors ” o Bob will add information to reflect that we are creating an environment that the equivalent processes today are acceptable to whatever is ultimately establish for esMD. o Changed second-to-last bullet: “...process shall adheres to the principle…” o Changed last bullet: “The PIV identity proofing and registration process used when verifying the identity of the applicant is shall be accredited by the department…”
7.0 Evaluation of Alternate Solutions
- Added to the end of the first line: [add evaluation and comment on industry solutions above]
8.1 Recommended Standards
- Moved the “Separation of Registration Authority (RA) and Credential Service Provider functions (CSP)” section below the “Registration Authority Requirements” section.
- Under the “Registration Authority Requirements” section, made a change to the bullet:
“Oversee Identity Issues related to (addition by SWG).”
- Under the section “Separation of Registration Authority (RA) and Credential Service
Provider functions (CSP) ,” removed: “See Section 5.3.5 for procedures when the derived credential is issued by a different CSP.) ”
8.2 Identity Proofing of Individuals
- On item 1, change made: “Individual provider fills out application for Identity Proofing
- On item 3.b.
v, change made: “Private companies such as DAON”
- On item 3.c., change made: “Notary Public (may require additional training) [request review and comment during end-end and consensus process] ”
- On item 6, change made: “…(e.g., verify name, address and other demographic information …)”
- Under the tables for this section, all red text was changed to black.
- A question to address is: If we’re going to use an antecedent process, can the credentials be used be used, and how recent must it have been done for it to be acceptable?
8.3 Identity Proofing of Entities
- Change made to item 3 : “Authorized representative with prior identity proofing and valid digital credentials submits documents…”
- All sub-bullets removed from under item 3.
- Under item 7, “Issues verification to address of record for Organization”
- Copied and pasted the following over item 6: “Verification of NPI or other Payer
Identification (e.g. verify name, address and other demographic information associated with NPI or other Payer Identification) (Note: demographics/address must be maintained/ updated prior to identity proofing as part of this process) .”
9.0 Gaps
- Changed the first line: Satisfying these gaps is work that should be undertaken during
2013 to support the Individual and Organizational Identity Proofing required for expansion
of the esMD Program and users of Author of Record implementation guides. These gaps include
- Added to the end of item A, “(e.g. for NPI or other Payer ID).
- Added to the end of item E, “of entities”
Action Items
Name
Bob
Task
Made editing changes to document as discussed during the meeting, including:
- Ensure consistency of use of acronyms.
- Indicate calendar year when referring to quarters (Q1, Q2, etc.).
- Capitalize “medium assurance”
- Ensure consistency of use of the Level of Assurance (LOA) acronym.
- Ensure consistent use of “organizations” in place of “entities.”
- Follow up on verifying identity proofing of organizations and the relationship to group certificates.
- Clarify issue of a certificate issuer being a root, or being subordinate to a root.
- Expand on e Prescribing within the reference section.
- Add information to reflect that we are creating an environment that the equivalent processes today are acceptable to whatever is ultimately establish for esMD.
- Address use of antecedent process.
Review White Paper and provide comments for end-to-end review.
Due Date
12/4/12
12/4/12 SWG
Community