Short Form Certificate Policy
Commonwealth Department of Human Services Community of Interest Certificate Policy for the National Authentication Service for Health PKI Certificate for Healthcare Provider Organisations v 2.1
(2 year Duration)
April 2013
Copyright © 2013 Commonwealth of Australia2
Commonwealth Department of Human Services Community of Interest Certificate Policy for NASH PKI Certificate for Healthcare Provider Organisations v2.1Ownership of intellectual property rights in this publication
Unless otherwise noted, copyright (and any other intellectual property rights, if any) in this publication is owned by the Commonwealth of Australia (referred to below as the Commonwealth).
Creative Commons licence
With the exception of the Coat of Arms, this publication is licensed under a Creative Commons Attribution 3.0 Australia Licence.
Creative Commons Attribution 3.0 Australia Licence is a standard form license agreement that allows you to copy, distribute, transmit and adapt this publication provided that you attribute the work. A summary of the licence terms is available from http://creativecommons.org/licenses/by/3.0/au/deed.en. The full licence terms are available from http://creativecommons.org/licenses/by/3.0/au/legalcode.
The Commonwealth’s preference is that you attribute this publication (and any material sourced from it) using the following wording:
Source: Licensed from the Commonwealth of Australia under a Creative Commons Attribution 3.0 Australia Licence.
The Commonwealth of Australia does not necessarily endorse the content of this publication.
Requests for information about this licence should be sent to:
The Manager
External Communication Branch
Human Services Portfolio Communication Division
PO Box 7788
Canberra BC, ACT, 2610
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are set out on the Department of the Prime Minister and Cabinet website (see http://www.dpmc.gov.au/guidelines/).
Contact (for any matters concerning this document)
National Manager
eClaiming Branch
Health eBusiness Division
Department of Human Services
PO Box 7788, Canberra BC ACT 2610
Version History
DocVersion / Status / Date of Issue / Comments
1.0 / Initial version / 14 June 2012
1.0 / Initial version / 28 June 2012 / Correction made to Certificate Profile
2.0 / First update / 10 December 2012 / Amended to permit secure messaging between healthcare provider organisations and to change certificate duration
2.1 / Second update / 17 April 2013 / Amended to clarify Certificate Uses, Disclaimer regarding identity, and Indemnities
This Document has been authorised by the Department of Human Services Policy Management Authority:
Copyright © 2013 Commonwealth of Australia2
Commonwealth Department of Human Services Community of Interest Certificate Policy for NASH PKI Certificate for Healthcare Provider Organisations v2.1______
General Manager,
Health eBusiness Division
Department of Human Services
Date:
2
Commonwealth Department of Human Services Community of Interest Certificate Policy for NASH PKI Certificate for Healthcare Provider Organisations v2.1Copyright © 2013 Commonwealth of Australia
2
Commonwealth Department of Human Services Community of Interest Certificate Policy for NASH PKI Certificate for Healthcare Provider Organisations v2.1Background
The Commonwealth Department of Human Services (Human Services) has implemented the Health Sector Public Key Infrastructure (Health Sector PKI). Human Services wishes to provide a national authentication framework for access by individual healthcare providers and healthcare provider organisations to the eHealth Record system using the Health Sector PKI.
Under the Health Sector PKI Key pairs and Public Key Certificates are to be issued to End Entity-Subscribers who are Individual Healthcare Providers and Healthcare Provider Organisations to whom healthcare identifiers (Healthcare Provider Identifier – Individual (HPI-I) and Healthcare Provider Identifier – Organisation (HPI-O)) have been assigned under the Healthcare Identifiers Act 2010.
The eHealth Record system is an electronic system for collecting, using and disclosing certain information, including health information, using telecommunications services or other means. The eHealth Record system is established under the Personally Controlled Electronic Health Records Act 2012 (eHealth Record Act). The System Operator is appointed under section 14 of the eHealth Record Act to perform various functions in relation to the eHealth Record system as set out in section 15 of the eHealth Record Act.
The Public Key Certificates to be issued under the Health Sector PKI for accessing the eHealth Record system are Relationship Certificates. The Root Certification Authority (RCA) and Relationship Organisation (RO) is the Human Services.[1] Subscribers for Certificates issued under this Certificate Policy are the Healthcare Provider Organisations, to whom HPI-Os have been assigned under the Healthcare Identifiers Act 2010.
The Certificates issued to Healthcare Provider Organisations under this Certificate Policy can be used to access the eHealth Record system and to authenticate or protect confidentiality and integrity of electronic communications with Relying Parties (other than the eHealth Record System Operator) that are recognised under this Certificate Policy.
For the purpose of Certificates issued under this Certificate Policy, Human Services does not verify that a Healthcare Provider Organisation issued with a Certificate under the Health Sector PKI is a particular organisation. More information about the process undertaken by Human Services for the verification of HPI-Os is set out in clause2 of this Certificate Policy.
The following are Relying Parties:
· the System Operator of the eHealth Record system appointed under section 14 of the eHealth Record Act. The responsibilities of the System Operator are set out in the eHealth Record Act;
· Subscribers under this Certificate Policy (i.e. Healthcare Provider Organisations to which a Certificate has been issued); and
· information technology providers that are Subscribers under another Commonwealth Department of Human Services Community of Interest Certificate Policy for the NASH, and that are engaged by Subscribers under this Certificate Policy for sending and receiving secure messages.
For the purpose of Certificates issued under this Certificate Policy, the Community of Interest (CoI) comprises Human Services, the Healthcare Identifiers service operator under the Healthcare Identifiers Act 2010, the System Operator of the eHealth Record system and the End Entity-Subscribers.
This is the Certificate Policy (CP) for organisation Certificates to be issued to Healthcare Provider Organisations to which HPI-Os have been assigned under the Healthcare Identifiers Act 2010 (NASH PKI Certificate for Healthcare Provider Organisations).
The NASH PKI is a set of hardware, software, policies and procedures that let the recipient of an electronic communication know that:
· the sender of the communication was recorded as being registered with the HI Service at the time they were issued with a Certificate, and information related to the sender’s registration can be reliably represented to the recipient for verification (authentication)
· the communication content has not been changed in transit between the sender and the recipient (integrity)
· only the intended recipient is able to open the communication (confidentiality).
This CP should be read in conjunction with the:
· Medicare Australia Root Certification Authority Certification Practice Statement (Medicare Australia RCA CPS)
· Medicare Australia Root Certification Authority Certificate Policy (Medicare Australia RCA CP).
· Medicare Australia Organisation Certification Authority Certification Practice Statement (Medicare Australia OCA CPS)
Terminology
Clinical means anything that relates to the examination, diagnosis or treatment of individual patients by healthcare providers who are duly qualified, registered, recognised or trusted as performing those actions.
NASH is an acronym for National Authentication Service for Health.
NASH PKI has the meaning provided in the Background above.
NASH PKI Certificate for Healthcare Provider Organisations means an organisation Certificate issued under this CP to a Healthcare Provider Organisation to which a HPI-O has been assigned under the Healthcare Identifiers Act 2010.
Healthcare Provider Organisations will, on application to Human Services for a NASH PKI Certificate for Healthcare Provider Organisations, have their information provided to the Chief Executive Medicare as service operator of the Healthcare Identifiers service under the Healthcare Identifiers Act 2010 for verification of their HPI-Os to enable Human Services Relationship Organisation Unit Operators to confirm the Healthcare Provider Organisation Applicant has a relationship within the CoI defined in this CP by virtue of the assignment of their HPI-O.
All Applicants for a Certificate issued under the Health Sector PKI for accessing the eHealth Record system and to authenticate or protect confidentiality and integrity of electronic communications between Healthcare Provider Organisations are to have a HPI-O assigned in accordance with the Healthcare Identifiers Act 2010.
Please refer to the documents listed below for definitions relevant to this CP.
In this CP, the order of priority for determining the meaning of a specific term is:
1. Healthcare Identifiers Act 2010 (Cth) (http://www.comlaw.gov.au)
2. Healthcare Identifiers Regulations 2010 (Cth) (http://www.comlaw.gov.au)
4. National Partnership Agreement 2009 (the COAG agreement)
5. the Healthcare Identifiers Service Glossary of Terms and Conditions (http://www.nehta.gov.au/connecting-australia/healthcare-identifiers)
6. Medicare Australia PKI Gatekeeper documents, including the Medicare Australia Health Sector PKI Glossary (http://www.medicareaustralia.gov.au/provider/vendors/pki/policy.jsp)
More information about the process undertaken by Human Services for the verification of HPI-Os is set out in clause 2 of this Certificate Policy.
Certificate Policy Clauses
CP Identification
Certificates issued under this CP shall bear the Policy OID:
1.2.36.174030967.1.10.1.1
1. Introduction
This is the Certificate Policy for organisation Certificates to be issued to Healthcare Provider Organisations to which a HPI-O has been assigned under the Healthcare Identifiers Act 2010 and that wish to use the Certificate in accordance with the acceptable uses outlined in section 1.2.
The Certificates are provided on a CD to Subscribers who are responsible for uploading the Certificates onto the Subscribers’ client operating system.
The Relationship Organisation (RO) for this CP is Human Services.
The Relationship Organisation Unit (ROU) is the program area in Human Services responsible for undertaking the Application registration.
The Relationship Organisation Unit Operators (ROUOs) are Human Services personnel working in the ROU.
1.1 PKI Participants
1.1.1 Certification Authority
All Certificates issued under this CP shall be produced by the Medicare Australia Organisation Certification Authority (Medicare Australia OCA).
Refer to the Medicare Australia Organisation Certification Authority Certification Practice Statement (Medicare Australia OCA CPS) for further information on applicable practices and procedures for Certificates issued under this CP, located at www.humanservices.gov.au.
1.1.2 Relationship Organisation
Human Services is the Relationship Organisation (RO) for the CoI defined in this Certificate Policy.
1.1.3 Relationship Organisation Unit
There is a separately identified ROU within the Health Sector PKI for the CoI defined in this CP. The ROU at Human Services has responsibilities in the CoI in managing the Subscribers in the CoI.
1.1.4 Certificate Controllers
Certificate Controllers are RO personnel with responsibilities for management of Certificates.
All Certificate Controllers operating under this CP are duly authorised representatives of Human Services.
1.1.5 Relationship Organisation Unit Operators
Relationship Organisation Unit Operators (ROUOs) are Human Services personnel within the ROU.
ROUOs within the ROU are not Certificate Controllers.
ROUOs operate in accordance with the processes and procedures set out in the Medicare Australia OCA CPS and this CP.
1.1.6 Subscribers
Subscribers under this CP are Healthcare Provider Organisations to which a HPI-O has been assigned under the Healthcare Identifiers Act 2010.
The meaning of a NASH PKI Certificate for Healthcare Provider Organisations issued under this CP is nothing more and nothing less than a statement expressed in a digital format of the fact that the Subscriber (the Healthcare Provider Organisation) is recorded as having a particular HPI-O in the record maintained by the Healthcare Identifiers service operator under the Healthcare Identifiers Act 2010 at the time of Certificate issuance.
A Certificate does not verify or represent that the Subscriber is a particular organisation.
A Certificate does not verify or represent that the Subscriber is registered with the PCEHR system under the Personally Controlled Electronic Health Records Act 2012 (Cth). This registration is a separate process that may only be taken by those Healthcare Provider Organisations that are eligible for that registration.
The NASH PKI protects the confidentiality of the electronic communication, and lets the recipient of the communication know that the communication content has not been changed in transit between the sender and the recipient. A Certificate does not make any other assertions about the content of an electronic communication (including any Clinical content) either prior to the communication being sent by the Subscriber or after the communication is received by the Relying Party.
There is a Subscriber agreement under this CP, known as the National Authentication Service for Health Public Key Infrastructure Certificate for Healthcare Provider Organisations Terms and Conditions of Use.
The Subscriber is bound by these terms and conditions.
1.1.7 Relying Party
The following are Relying Parties:
· the System Operator of the eHealth Record system appointed under section 14 of the eHealth Record Act. The responsibilities of the System Operator are set out in the eHealth Record Act;
· Subscribers under this Certificate Policy (i.e. Healthcare Provider Organisations to which a Certificate has been issued); and
· information technology providers that are Subscribers under another Commonwealth Department of Human Services Community of Interest Certificate Policy for the NASH, and that are engaged by Subscribers under this Certificate Policy for sending and receiving secure messages.
Relying Parties must not use a Certificate by itself, and must use means other than reliance on the NASH PKI, to determine whether they will rely on the content of an electronic communication (including any Clinical statement or representation).
There are no other Relying Parties.
There is a Relying Party Agreement under this CP. It is published at www.humanservices.gov.au.
Where you rely on a Certificate issued under this CP and you do not have a written agreement with Human Services or authorisation or approval via a notice published at www.humanservices.gov.au/pki Error! Hyperlink reference not valid.(specifying an allowable usage), then you rely on the Certificate at your own risk.
1.2 Certificate Use
1.2.1 Allowable Certificate Uses
Key Pairs and Certificates issued under this CP must only be used by Healthcare Provider Organisations for:
a) accessing electronic records on the eHealth Record system as authorised by the eHealth Record System Operator; or