5.1 PURPOSE
The purpose of this policy is to ensure that the identities of the individuals and entities interacting with the Saudi Health Information Exchange are assured to enable a data processing system to recognize entities.
5.2 SCOPE/APPLICABILITY
This policy applies to the Saudi Health Information Exchange, and to all individuals and organizations that have access to Saudi Health Information Exchange managed health records, including
• Participating Healthcare Subscribers (PHCSs),
• Their business associates,
• Any subcontractors of business associates that perform functions or provide services involving the use and disclosure of personal health information,
• Any Saudi Health Information Exchange Infrastructure Service Provider, and
• Any other subcontractor of Saudi Health Information Exchange.
This policy applies to all personal health information provided to or retrieved from Saudi Health Information Exchange systems.
5.3 POLICY
1. Healthcare Organization [e.g. hospital] and Supporting Organization [e.g. supporting quality management Organization] systems connecting to the Saudi Health Information Exchange systems SHOULD be subject to Trusted Third Party Attestation for the issuance of organization system digital certificates. Self-signed certificates or those issued by another PKI MAY be used as a Direct Trust method for certificates of HIE nodes or applications at the node, with additional out-of-band verification of source identity as part of the onboarding process.
2. Individual users accessing the Saudi Health Information Exchange systems SHOULD be subject to Trusted Third Party Attestation for the issuance of identity credentials.
3. Digital certificates used for authentication or digital signatures SHALL be issued by the National Center for Digital Certification.
4. Federated identity providers MAY apply to authenticate users to the HIE on a case by case basis.
5. Requirements for Proof of Identity for individuals are as follows:
5.1. Identity proofing for all individuals SHALL require a valid government issued photographic identification (i.e. passport, driver’s license, military ID, national ID, or Residency Permit for Non-Saudi) and/or a government-recognized biometric identification.
5.1.1. For Subject of Care this same proofing SHOULD be required, but antecedent data MAY be used.
5.2. For Subject of Care agent, the proofing SHALL be provided by government issued Family Card or other legal document indicating authorization to act on behalf of the Subject of Care for medical decisions. Identity Proofing for all individuals SHALL include a face-to-face attestation of the individual’s identity.
5.2.1. For subjects of care, this same proofing SHOULD be required, but antecedent data MAY be used.
5.2.2. For other users, antecedent data MAY be used to provide limited access to the Saudi Health Information Exchange.
5.3. Identity Proofing for Regulated Health Professional SHALL require evidence of a current license issued by the Saudi Commission for Health Specialties in addition to the Identity Proofing requirements that apply to all individuals (as described in 5.1 and 5.2 above).
5.4. Identity Proofing for healthcare employees SHALL require verification of employee ID or letter from employer on employer letterhead indicating current employment status where the identifier is not issued directly by the employer in addition to the Identity Proofing requirements that apply to all individuals (as described in 5.1 and 5.2 above).
5.5. Identity Proofing of a Sponsored Healthcare Provider SHALL require a letter from a regulated healthcare professional or authorized representative of a sponsoring regulated health organization to establish that they are active in their healthcare community OR evidence of current credentials issued by the Saudi Commission for Health Specialties in addition to the Identity Proofing requirements that apply to all individuals (as described in 5.1 and 5.2 above).
6. Identity Proofing requirements for Organization systems are as follows:
6.1. Identity Proofing of an Organization’s secure node (HIE node) SHALL require attestation by an individual identified by the organization as authorized to provide such attestation.
6.1.1. A letter on the entity letterhead signed by a corporate officer SHALL identify a representative of the entity authorized to validate and request organization or device certificates on behalf of the entity that will be used to provision HIE node certificates.
6.2. The Organization responsible for the system SHALL provide proof of a current license to conduct the healthcare or healthcare associated business, a valid commercial registration document, or a nationally-recognized government entity.
7. Electronic identity credentials SHALL NOT be issued until an agreement addressing the credential holder’s requirements is completed and signed. This may for example include an agreement to terms and conditions for online registration processes for individual users.
8. Procedures for account revocation upon employee severance for any employee who was issued an individual identity credential to access the Saudi Health Information Exchange systems SHALL be implemented by the PHCS.
8.1. Notification to the Saudi Health Information Exchange SHOULD be issued within two business days.
8.2. Acknowledgment of receipt of notification SHOULD be issued upon receipt.
8.3. Account revocation by the PHCS and the Saudi Health Information Exchange SHOULD be implemented within two business days after notification.
9. Procedures for account update upon employee role modification for any employee who has been issued an individual identity credential to access the Saudi Health Information Exchange systems, SHALL be implemented by the PHCS.
9.1. Notification to the Saudi Health Information Exchange SHOULD be issued within two business days.
9.2. Acknowledgment of receipt of notification SHOULD be issued upon receipt.
9.3. Account update by the organization and the Saudi Health Information Exchange SHOULD be implemented within two business days after notification.
10. Subscribers [NIST 800-63-1] SHALL notify a Saudi Health Information Exchange authorized Registration Authority if their digital identity is lost, stolen, or otherwise known to be compromised. This SHALL result in a revocation request and request for a new digital identity.
11. Account subscriber [NIST 800-63-1] agreements SHALL include the requirement to protect the subscriber identity credential.
5.4 POLICY MAINTENANCE
The Ministry of Health (MOH)
|