ONC Resource Center Identity Management Guide:

Review and Practical Application

Tuesday, May 23, 2017

Robert Cothren | ONC SIM HIT Resource Center Consultant

Agenda for Today

• Disclosure statement

• ONC Resource Center Identity Management Guide

• Q&A on the Guide

• Listening Session

2
The Issue for APMs

Traditionally segregated providers need to work together to

improve coordination, quality, effectiveness of health services

Stakeholders need to measure performance consistently across

settings and organizations

3
Purpose of the Identity Management Guide

Provide a high-level overview of identity management within

1 the health care domain

Support achievement of an operational and sustainable

2 identity management strategy that enables alternative
payment models

4
Health IT Modular Functions

Today’s Topic

5
Purpose of the Identity Management Guide

Provide a high-level overview of identity management within

1 the health care domain

Support achievement of an operational and sustainable

2 identity management strategy that enables alternative
payment models

6
What Is Identity Management?

Within the Information Technology Industry

Broad discipline that establishes the identity of individuals within a system

(an enterprise, a network, a device, or a software application) in order to
control access to resources based on the rights and restrictions associated
with that identity.

“Identity management systems store attributes associated with users and

employ these attributes to facilitate authorization.”

7
What Is Identity Management?

Within the Health Care Ecosystem

1. Establishes the identity of providers, patients, caregivers, and other

stakeholders in order to control access to health-related information and
meet regulatory requirements

2. Link health information with the correct individual to create a longitudinal

view of the individual’s health record or enable care coordination, including
notification of health events across and among health care delivery
enterprises

3. Link health outcomes with provider identities and care team definitions in
order to enable performance measurement and alternative payment
models

8
Challenges

• Issues with identifiers

» Issues with NPI as an identifiers for providers

» Identifiers for consumers in every health care setting

• Information inaccuracy
» Volatility of provider information and organizational affiliations

» Patient matching algorithms must address poor data quality

• Lack of uniform information standards

9
Interoperability Roadmap Call-to-Action

• Identifies identity management “as a privacy and security issue,” calls for:
» Verifiable identity and authentication of all participants
» Consistent representation of permission to collect, share, and use identifiable
health information
» Consistent representation of authorization to access health information
» Development of policies governing identity
» Harmonization of technical standards
» Identification of best practices in identity proofing
» Consistency in data elements used for identity matching
» Assessment of identity matching algorithms

• The Roadmap notes that “as a learning health system evolves, more than
individual/patient-specific information from health records will be matched
and linked, including provider identities, system identities, device identities
and others to support public health and clinical research”

10
Solutions and Standards

Technology Tools Technical Standards

• Provider directories and • PKI, OAuth, OpenID
registries
• For providers
• Patient indexes (MPIs)
» X12 274
• Attribution » HPD
• Big-data • For patients
» HL7 ADT
» PIX/PDQ
» XCPD

• FHIR (for both)

11
Purpose of the Identity Management Guide

Provide a high-level overview of identity management within

1 the health care domain

Support achievement of an operational and sustainable

2 identity management strategy that enables alternative
payment models

12
Process

Identify priority use cases that the

1 Identify Use Cases
identity management needs to address

13
Use Cases

• Health Information Access Management

» Health Information Access by Providers

» Health Information Access by Individuals, Family Members, Caregivers

• Associating Health Information or Care Delivery with an Individual or

Provider
» Care Coordination Management
Strong identity proofing
» Non-Repudiation and authentication are the
first line of security
» Attribution Management for Service defense and have the
Delivery and Payment potential to be the weakest
link in the security chain.
» Performance Measurement

14
Health IT Modular Functions

Today’s Topic

Related topic

Related topic
with its own IG

15
Process

1 Identify Use Cases

Identify requirements associated with

2 Derive Requirements
priority use cases

16
Business Requirements
Requirements for access management
1. Identity proofing for individual providers
2. Identification and management of
individual provider roles
3. Identity validation for organizations
4. Identity proofing for consumers
5. Identification and management of
consumer relationships to family
members and caregivers
6. Processes for issuing and managing
digital credentials for providers and
provider organizations
7. Processes for issuing and managing
digital credentials for consumers
Care coordination management
8. Identification and management of
patient/provider relationships
9. Processes for collecting, validating, and
storing provider information
Non-repudiation
10. Processes for issuing and managing
digital signatures for providers
11. Processes for issuing and managing
digital signatures for organizations
Attribution management
12. Processes for allocating patient
encounters to the appropriate APM
Performance measurement
13. Processes to associate processes and
outcomes with data sources
17
Technical Requirements

Access management Non-repudiation

1. Digital credentials for providers 9. Mechanisms for validating digital
2. Digital credentials for provider signatures
organizations 10. Mechanisms for tracking information
3. Digital credentials for consumers provenance

4. Strong access, authentication, and Attribution management

authorization mechanisms for providers
11. Mechanisms for representing and
5. Communication of access rights, communicating the members of care
including identity, role, and purpose teams

Care coordination management Performance measurement

6. Mechanisms for representing and 12. Mechanisms for communicating
communicating patient/provider information provenance
relationships
7. Robust algorithms to match patients
8. Directories of provider information

18
Identity Management Is Complex

The business and technical requirements for identity

management in the health care setting are complex

The requirements to support an alternative payment model go

far beyond the requirements of identity management in the
traditional IT setting

19
MyHealth Access Network

Question: How do you build a better MPI?

1. Better to approach identity management as master data management
2. Too little emphasis is placed on data transparency and too much on
matching algorithms
Components of an
3. Location of care delivery important in attribution Attribution Determination
Person
determination Receiving
Care
4. Make matching decisions close to the source of Encounter Provider
Location Organization
the information Attribution
Method
5. Instill processes that will detect overlays
6. Organizations should create interfaces between registration systems and
the MPI
7. Create and analyze variance reports that identify mismatched identities
8. Don’t underestimate the need for processing performance in selection of an
MPI or master data management technology solution
20
Process

1 Identify Use Cases

2 Derive Requirements

Evaluate the maturity of information

3 Evaluate Maturity management processes within
collaborators and their systems

21
CMMI Data Management Maturity (DMM)

22
CMMI Data Management Maturity (DMM)

• Provides a common language and framework depicting what progress looks

like in all of the fundamental disciplines of data management

» Including identity management

• Can help develop a tailored path to improvement

23
CMMI Data Management Maturity (DMM)

24
Utah Community Solution for Identity Management

Question: How do you relieve the burden of identity management to

allow timely movement of health information?

• Issues were not a result of inconsistent matching algorithms, but poor data
quality within each institution’s MPI
» “No algorithm will work well community-wide with poor data quality”

• Created a constrained data template against which all MPIs need to perform
» Participants self-report on consumer demographic information they have,
consistent with the template, including data sets that may be incomplete for an
individual

• Matching performance could be significantly improved by improving data

quality through business process improvement, often associated with
patient registration

25
Process

1 Identify Use Cases

2 Derive Requirements

3 Evaluate Maturity

Determine the appropriate home for the

4 Identify a Home
solution

26
Where to Host a Solution

• Identity management must be addressed both within and across

organizations

• Important to determine the most efficient and logical place for services to
be organized and delivered

• Services become more effective and efficient when shared across

stakeholders

• Conduct surveys of existing capabilities and data maturity

» Existing MPIs of state or regional HIEs may be a good starting point

27
New York eHealth Collaborative

Question: How do you create a statewide MPI using existing capabilities?

• The SHIN-NY facilitates statewide

look-up of patient records as a service

• Part of this service is a federated

statewide MPI

1. Regional HIEs connect to a statewide MPI

2. Each HIE shares information from its regional
MPI with the statewide MPI
3. A statewide algorithm works to match
individual identities across regional HIEs
4. Records with low matching scores are entered
as separate identities
5. Records with high matching confidence are
evaluated manually to confirm a match
28
Process

1 Identify Use Cases

2 Derive Requirements

3 Evaluate Maturity

4 Identify a Home

Establish a transparent and inclusive data

5 Establish Governance governance structure to ensure data
quality

29
Data Governance

Processes and controls that ensure that the data meets precise technical and
quality standards, such as a business rule, a data definition, and data integrity
constraints in the data model

Establish a transparent and inclusive data governance structure

to ensure data quality, borrowing from master data management
concepts and approaches

Ensure that the solution is compatible with a network-of-

networks approach to avoid creating a silo of critical information
that cannot interoperate with neighboring states or nationally

30
CMMI Data Management Maturity (DMM)

31
Process

1 Identify Use Cases

2 Derive Requirements

3 Evaluate Maturity

4 Identify a Home

5 Establish Governance

Create policy levers that encourage

6 Implement Policy Levers
widespread participation

32
Policy Levers

Must encourage

1) widespread participation in identity management

2) good data quality

3) active involvement in governance

since its full potential can be realized only through the broadest
participation

33
MiHIN

Developed service combing their provider directory with care team definitions,
attribution, and the MPI into a overall service referred to as Active Care
Relationship Service (ACRS)

Key was to identity valuable use

cases that could leverage provider
and patient identity information
in core infrastructure

1. Care coordination, which in turn includes

a. Provider alerts for transitions of care
b. Patient-provider attribution

2. Quality measurement

34
Data Sharing Requirements Initiative (DSRI) Toolkit

The heart of data

aggregation

35
What We Covered…

1. What is identity management?

2. What are the challenges? Potential solutions?

3. What are the use cases?

4. What are the business and technical requirements?

5. What collaborations should be considered?

6. What are the policy considerations?

7. What have others done?

36
Q&A…

Questions?

37
Next…

Listening Session

Wednesday, May 24, 2017 4:00 PM - 5:00 PM EDT

Registration:
https://attendee.gotowebinar.com/register/3713819708336255234

38
 ONC Resource Center Identity
Management Guide: Review and
Practical Application
Robert M. Cothren, PhD
ONC SIM HIT Resource Center Consultant

rim@a-cunning-plan.com
925-934-2280

@ONC_HealthIT @HHSONC

39