Ron, I would agree with William on not comparing medical 'credentialing' with some type of trading partner authentication. Medical credentialing is a very paper intensive and expensive endeavor. It is meant to be a big hurdle to prevent those who might casually think of committing fraud and endangering public health. Look at this link for more info: http://www.managedcaregroup.com/mcrmm08.htm
Regards,
David Frenkel
Business Development
GEFEG USA
Global Leader in Ecommerce Tools
www.gefeg.com
425-260-5030

-----Original Message-----
From: William J. Kammerer [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 26, 2002 9:49 AM
To: WEDi/SNIP ID & Routing
Subject: Re: The "Mao Zedong" PKI Model

"Credentialing" of medical professionals, institutions and payers is a different matter than simply having some assurance that the guy at the other end of the digital dial-tone is who he purports to be. When CPPs are distributed "out-of-band," as when a payer and a provider exchange them as part of a manual EDI enrollment process, the CPPs themselves and any included digital certificates can automatically be "trusted" - the certificates can be self-signed as there's no need for a certificate authority. This model works today: after all, people send EDI data to their partners based on manual setup processes.

When an intermediary like a Clearinghouse or VAN is involved, trust can be delegated. If my big respectable clearinghouse says I can reach payer so-and-so by using a particular payer ID in the ISA, there's no reason to distrust them - I assume they've done at least as much due diligence as I would have done. I can safely send PHI within 837s to the clearinghouse addressed to the payer with reasonable assurance that only the payer (and perhaps the CH itself) will be able to see the data. In this case, it's sufficient when sending over the public internet to the CH to rely on the CH's digital certificate, which I may obtain "out-of-band." Encryption (and digital IDs) aren't even necessary when using direct dialing or leased lines with the clearinghouse.
Only when we're relying on the Healthcare CPP Registry to obtain information do we really have to depend on digital certificates for authentication - otherwise we have no idea whether some scofflaw has inserted a "counterfeit" CPP in there (which would fool a provider into sending PHI-laden 837s to what he thought was a real insurance company). In short, authentication becomes a critical problem only when using the Registry. Merely using the CPP itself, exchanged "out-of-band" between known trading partners or obtained from a trusted intermediary like a clearinghouse, does not require the use of CA-signed certificates.

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320

----- Original Message -----
From: "Ronald Bowron" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, 12 August, 2002 06:22 PM
Subject: Re: The "Mao Zedong" PKI Model

William,

Credentials are to me something that is a must for businesses to trust one another. I find it interesting that everyone wants trustworthy credentials, but no one wants the responsibility. And while it's not a specific goal or issue for the routing group to resolve, without proper digital credentials we most likely will fail to gain sufficient momentum from the industry to support our efforts for a CPP model. So, I'll throw my two cents into the discussion.

When we look at the business model for "Credentialing" that has been sustained for years in the medical industry, I find it difficult to believe that we must somehow come up with a new entity for digital credentialing. I'm not an expert in Provider Credentialing, but other organizations are, and it is my understanding that all "Medical Providers" must register with the State and be "Licensed" to provide specific services. Therefore, it seems to me that the obvious choice for a CA would be the Licensing authority. If they can issue a paper license, why can't they also issue and maintain digital certificates?
I would presume that the technology and infrastructure to support such efforts would be contracted out to some other organization (Verisign, Entrust, Digital Trust, etc.), but if a Provider chooses to do healthcare business electronically, why can't the licensing organization provide a digital certificate? Same with Payor organizations: it is my understanding that each payor must be licensed to provide insurance in a particular state and therefore should be able to receive both a paper license and a digital certificate.

I know several states are attempting to create services that provide this type of trusted environment. I'm specifically aware of the ACES program sponsored by the GSA at the federal level and "Transact Washington," a state-based certificate service to conduct electronic transactions with the State agencies. Because the healthcare industry provides a social service and in many cases conducts business with the state, can we suggest that these certificates be used to conduct private business transactions between Covered Entities as well as public service transactions with state agencies? If so, it seems it would be possible to include in the CPP which certificates an organization has obtained, and allow business partners the opportunity to validate such certificates to determine the level of trust they wish to associate with an entity. Then the question becomes, will businesses accept a Federal certificate or a State certificate of a certain class of entity (individual, business representative, etc.) as a means to determine level of trust?

Ronald Bowron

>>> "William J. Kammerer" <[EMAIL PROTECTED]> 08/07/02 08:02AM >>>

Payers are not necessarily the best entities to serve as Certificate Authorities (CA), for various technical reasons that I can get into later. But payers identifying providers for the purposes of signing X.509 certificates is a completely separate issue from payers "credentialing" participating providers.
I can certainly see how provider malpractice sewage can back up into a payer's basement: after all, the payer is the one who published the directory of participating providers passed out to subscribers, and in effect forced patients to go to one of those providers (because the patient wouldn't have been compensated as much if he chose a non-participating provider). That's a completely different matter, I believe, than serving as a CA for identity purposes in e-commerce. More likely, a payer would not want to serve as a CA simply because other payers, trusting the first payer's judgement, would rely on the certificate without any real benefit accruing to the signing payer.

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320

discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
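The two trust policies William contrasts in the thread (a self-signed certificate pinned by fingerprint after out-of-band exchange, versus a certificate that must chain to a trusted CA when the CPP was pulled from the shared Registry), shown as an added Go example that is not part of the thread or of any WEDI/SNIP code; the "Hypothetical Licensing CA", the certificate fields and the mkCert helper are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate; with parent == nil it is self-signed.
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ku := x509.KeyUsageDigitalSignature
	if isCA { ku |= x509.KeyUsageCertSign }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	signer, key := tmpl, priv // self-signed unless a parent CA is given
	if parent != nil { signer, key = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, key)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, priv
}

// Fingerprint is the SHA-256 of the DER certificate, the value a partner records during manual EDI enrollment.
func Fingerprint(c *x509.Certificate) string {
	s := sha256.Sum256(c.Raw)
	return hex.EncodeToString(s[:])
}

// TrustOutOfBand: the CPP came straight from the partner, so self-signed is fine and only the pinned fingerprint is checked.
func TrustOutOfBand(c *x509.Certificate, pinned string) bool { return Fingerprint(c) == pinned }

// TrustFromRegistry: the CPP came from the shared registry, where a counterfeit
// entry could have been inserted, so the chain must validate to a trusted CA.
func TrustFromRegistry(c *x509.Certificate, roots *x509.CertPool) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```

A self-signed "counterfeit" passes TrustOutOfBand only if its fingerprint was pinned by the partner, and never passes TrustFromRegistry, which is exactly the distinction the thread draws.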