Short Form Certificate Policy
Commonwealth Department of Human Services Community of Interest Certificate Policy for eHealth Record Organisation PKI Certificate v 1.0
(1 year Duration)
June 2012
Ownership of intellectual property rights in this publication
Unless otherwise noted, copyright (and any other intellectual property rights, if any) in this publication is owned by the Commonwealth of Australia (referred to below as the Commonwealth).
Creative Commons licence
With the exception of the Coat of Arms, this publication is licensed under a Creative Commons Attribution 3.0 Australia Licence.
Creative Commons Attribution 3.0 Australia Licence is a standard form license agreement that allows you to copy, distribute, transmit and adapt this publication provided that you attribute the work. A summary of the licence terms is available from http://creativecommons.org/licenses/by/3.0/au/deed.en. The full licence terms are available from http://creativecommons.org/licenses/by/3.0/au/legalcode.
The Commonwealth’s preference is that you attribute this publication (and any material sourced from it) using the following wording:
Source: Licensed from the Commonwealth of Australia under a Creative Commons Attribution 3.0 Australia Licence.
The Commonwealth of Australia does not necessarily endorse the content of this publication.
Requests for information about this licence should be sent to:
The Manager
External Communication Branch
Human Services Portfolio Communication Division
PO Box 7788
Canberra BC, ACT, 2610
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are set out on the Department of the Prime Minister and Cabinet website (see http://www.dpmc.gov.au/guidelines/).
Contact (for any matters concerning this document)
National Manager
eClaiming Branch
Health eBusiness Division
Department of Human Services
PO Box 7788, Canberra BC ACT 2610
Version History
This Document has been authorised by the Department of Human Services Policy Management Authority:
______Date: ______
General Manager,
Health eBusiness Division
Department of Human Services
Background
The Commonwealth Department of Human Services has implemented the Health Sector Public Key Infrastructure (Health Sector PKI). The Commonwealth Department of Human Services wishes to provide a national authentication framework for access by individual healthcare providers and healthcare provider organisations to the eHealth Record system using the Health Sector PKI.
Under the Health Sector PKI Key pairs and Public Key Certificates are to be issued to End Entity-Subscribers who are Individual Healthcare Providers and Healthcare Provider Organisations to whom healthcare identifiers (Healthcare Provider Identifier – Individual (HPI-I) and Healthcare Provider Identifier – Organisation (HPI-O)) have been assigned under the Healthcare Identifiers Act 2010.
The eHealth Record system is an electronic system for collecting, using and disclosing certain information, including health information, using telecommunications services or other means. The eHealth Record system is established under the Personally Controlled Electronic Health Records Act 2012 (eHealth Record Act). The System Operator is appointed under section 14 of the eHealth Record Act to perform various functions in relation to the eHealth Record system as set out in section 15 of the eHealth Record Act.
The Public Key Certificates to be issued under the Health Sector PKI for accessing the eHealth Record system are Relationship Certificates. The Root Certification Authority (RCA) and Relationship Organisation (RO) is the Department of Human Services.1 Subscribers for Certificates issued under this Certificate Policy are the Healthcare Provider Organisations, to whom HPI-Os have been assigned under the Healthcare Identifiers Act 2010.
The Certificates issued to Healthcare Provider Organisations under this Certificate Policy can be used to access the eHealth Record system. The Certificates are not intended to be used to authenticate or protect confidentiality of electronic communications between Healthcare Provider Organisations or between them and Individual Healthcare Providers.
For the purpose of Certificates issued under this Certificate Policy, the Department of Human Services does not verify that a Healthcare Provider Organisation issued with a Certificate under the Health Sector PKI is a particular organisation. More information about the process undertaken by the Department of Human Services for the verification of HPI-Os is set out in clause 2 of this Certificate Policy.
There is one Relying Party. The Relying Party is the System Operator of the eHealth Record system appointed under section 14 of the eHealth Record Act. The responsibilities of the System Operator are set out in the eHealth Record Act.
For the purpose of Certificates issued under this Certificate Policy, the Community of Interest (CoI) comprises the Department of Human Services, the Healthcare Identifiers service operator under the Healthcare Identifiers Act 2010, the System Operator of the eHealth Record system and the End Entity-Subscribers.
1 Medicare Australia is now integrated into the Department of Human Services by virtue of the Human Services Legislation Amendment Act 2011. The effect of item 99 of Schedule 1 to the Human Services Legislation Amendment Act 2011 is to provide that where there is a reference to "Medicare Australia" in the Health Sector PKI documents, that reference is read as a reference to the Department of Human Services.
It is intended that the Certificates issued under this Certificate Policy will be terminated when the Health Sector PKI ceases to be used for accessing the eHealth Record system and is replaced by the National Authentication Service for Health (NASH), to be operated by E-Health Authentication Services Pty Ltd (EHAS).
This is the Certificate Policy (CP) for organisation Certificates to be issued to Healthcare Provider Organisations to which HPI-Os have been assigned under the Healthcare Identifiers Act 2010 (Department of Human Services eHealth Record Organisation PKI Certificate). The Department of Human Services eHealth Record Organisation PKI Certificate enables the Healthcare Provider Organisations to conduct secure transactions with the System Operator of the eHealth Record system established by the eHealth Record Act.
This CP should be read in conjunction with the:
· Medicare Australia Root Certification Authority Certification Practice Statement (Medicare Australia RCA CPS)
· Medicare Australia Root Certification Authority Certificate Policy (Medicare Australia RCA CP).
· Medicare Australia Organisation Certification Authority Certification Practice Statement (Medicare Australia OCA CPS)
Terminology
Department of Human Services eHealth Record Organisation PKI Certificate means an organisation Certificate issued under this CP to a Healthcare Provider Organisation to which a HPI-O has been assigned under the Healthcare Identifiers Act 2010.
Healthcare Provider Organisations will, on application to the Department of Human Services for a Department of Human Services eHealth Record Organisation PKI Certificate, have their information provided to the Chief Executive Medicare as service operator of the Healthcare Identifiers service under the Healthcare Identifiers Act 2010 for verification of their HPI-Os to enable the Department of Human Services Relationship Organisation Unit Operators to confirm the Healthcare Provider Organisation Applicant has a relationship within the CoI defined in this CP by virtue of the assignment of their HPI-O.
All Applicants for a Certificate issued under the Health Sector PKI for accessing the eHealth Record system are to have a HPI-O assigned in accordance with the Healthcare Identifiers Act 2010.
Please refer to the documents listed below for definitions relevant to this CP.
In this CP, the order of priority for determining the meaning of a specific term is:
1. Healthcare Identifiers Act 2010 (Cth) (http://www.comlaw.gov.au)
2. Healthcare Identifiers Regulations 2010 (Cth) (http://www.comlaw.gov.au)
3. National Partnership Agreement 2009 (the COAG agreement)
4. the Healthcare Identifiers Service Glossary of Terms and Conditions (http://www.nehta.gov.au/connecting-australia/healthcare-identifiers)
5. Medicare Australia PKI Gatekeeper documents, including the Medicare Australia Health Sector PKI Glossary (http://www.medicareaustralia.gov.au/provider/vendors/pki/policy.jsp)
More information about the process undertaken by the Department of Human Services for the verification of HPI-Os is set out in clause 2 of this Certificate Policy.
Certificate Policy Clauses
CP Identification
Certificates issued under this CP shall bear the Policy OID:
1.2.36.174030967.1.10.1.1
1. Introduction
This is the Certificate Policy for organisation Certificates to be issued to Healthcare Provider Organisations to which a HPI-O has been assigned under the Healthcare Identifiers Act 2010 and that wish to conduct secure transactions with the System Operator of the eHealth Record system established by the eHealth Record Act.
The Certificates are provided on a CD to Subscribers who are responsible for uploading the Certificates onto the Subscribers’ client operating system.
The Relationship Organisation (RO) for this CP is the Department of Human Services.
The Relationship Organisation Unit (ROU) is the program area in the Department of Human Services responsible for undertaking the Application registration.
The Relationship Organisation Unit Operators (ROUOs) are Department of Human Services personnel working in the ROU.
1.1 PKI Participants
1.1.1 Certification Authority
All Certificates issued under this CP shall be produced by the Medicare Australia Organisation Certification Authority (Medicare Australia OCA).
Refer to the Medicare Australia Organisation Certification Authority Certification Practice Statement (Medicare Australia OCA CPS) for further information on applicable practices and procedures for Certificates issued under this CP, located at www.medicareaustralia.gov.au.
1.1.2 Relationship Organisation
The Department of Human Services is the Relationship Organisation (RO) for the CoI defined in this Certificate Policy.
1.1.3 Relationship Organisation Unit
There is a separately identified ROU within the Health Sector PKI for the CoI defined in this CP. The ROU at the Department of Human Services has responsibilities in the CoI in managing the Subscribers in the CoI.
1.1.4 Certificate Controllers
Certificate Controllers are RO personnel with responsibilities for management of Certificates.
All Certificate Controllers operating under this CP are duly authorised representatives of Department of Human Services.
1.1.5 Relationship Organisation Unit Operators
Relationship Organisation Unit Operators (ROUOs) are Department of Human Services personnel within the ROU.
ROUOs within the ROU are not Certificate Controllers.
ROUOs operate in accordance with the processes and procedures set out in the Medicare Australia OCA CPS and this CP.
1.1.6 Subscribers
Subscribers under this CP are Healthcare Provider Organisations to which a HPI-O has been assigned under the Healthcare Identifiers Act 2010 and that are authorised (however required) to access the eHealth Record system.
The meaning of a Department of Human Services eHealth Record Organisation PKI Certificate issued under this CP is nothing more and nothing less than a statement expressed in a digital format of the fact that the Subscriber (the Healthcare Provider Organisation) is recorded as having a particular HPI-O in the record maintained by the Healthcare Identifier service operator under the Healthcare Identifiers Act 2010.
A Certificate does not verify or represent that the Subscriber is a particular organisation.
There is a Subscriber agreement under this CP, known as the Department of Human Services eHealth Record Organisation PKI Certificate Terms and Conditions of Use.
The Subscriber is bound by these terms and conditions.
1.1.7 Relying Party
There is one Relying Party under this CP. The Relying Party is the System Operator of the eHealth Record system appointed under section 14 of the eHealth Record Act. There are no other Relying Parties.
There are no Relying Party Agreements under this CP.
Parties who rely on Certificates issued under this CP and who do not have a written agreement with Department of Human Services or authorisation via a notice published at www.medicareaustralia.gov.au (specifying authorised usage relating to a transaction type), and therefore undertake transactions that are not authorised or approved by the Department of Human Services acting under this CP, rely on such Certificates at their own risk.
1.2 Certificate Use
1.2.1 Appropriate Certificate Uses
Key Pairs and Certificates issued under this CP are only to be used by Healthcare Provider Organisations for accessing electronic records on the eHealth Record system as authorised by the eHealth Record System Operator.
1.2.2 Prohibited Certificate Uses
Department of Human Services eHealth Record Organisation PKI Certificates are only permitted to be used for accessing electronic records on the eHealth Record system.
Parties using Department of Human Services eHealth Record Organisation PKI Certificates for any transaction other than accessing electronic records on the eHealth Record system do so at their own risk.
1.3 Definitions and Acronyms
Definitions and Acronyms are in the:
· Medicare Australia Health Sector PKI Glossary at (http://www.medicareaustralia.gov.au/provider/vendors/pki/policy.jsp).
· Healthcare Identifiers Act 2010
· Healthcare Identifiers Regulations 2010
· Healthcare Identifiers Glossary
· Personally Controlled Electronic Health Records Act 2012
2. Identification and Authentication of Users
2.1 Naming of Subscribers
Subscribers (termed ‘Certificate Subjects’ in the x.509 definition) under this CP shall be named according to Department of Human Services application and registration processes for Healthcare Provider Organisations in the CoI described in this CP.
2.2 Identification and authentication of the Subscriber at registration
Subscribers (Healthcare Provider Organisations) under this CP will be identified and authenticated at the time of their application for registration (however described) as a Healthcare Provider Organisation by verifying with the Healthcare Identifier service operator established under the Healthcare Identifiers Act 2010 that a HPI-O has been assigned to an entity matching the details in the application for a Department of Human Services eHealth Record Organisation PKI Certificate.
For the purpose of issuing Certificates under this CP, the RO relies on the verification process provided by the Healthcare Identifier service operator which in turn relies on its record of information maintained under section 10 of the Healthcare Identifiers Act 2010.
The RO does not undertake any separate action to verify or confirm the information provided by a Healthcare Provider Organisation in its application for a Department of Human Services eHealth Record Organisation PKI Certificate or by the Healthcare Identifier service operator through the Healthcare Identifier service operator's verification process.
The Department of Human Services may, in accordance with trusted practices, but will not be limited to:
a) receive an application for Department of Human Services eHealth Record Organisation PKI Certificate;
b) request information from the Healthcare Identifier service operator established under the Healthcare Identifiers Act 2010 that verifies that a HPI-O has been assigned to an entity matching the details in the application.