William, Credentials are to me something that are a must for business to trust one another, I find it interesting that everyone wants trustworthy credentials, but know one wants the responsibility. And while it's not a specific goal or issue for the routing group to resolve, without proper digital credentials, we most likely will fail to gain sufficient momentum from the industry to support our efforts for a CPP model.
So, I'll through my two cents into the discussion. When we look at the business model for "Credentialing" that has been sustained for years in the medical industry, I find it difficult to believe that we must somehow come up with a new entity for digital credentialing. I'm not an expert in Provider Credentialing, but other organizations are, and it is my understanding that all "Medical Providers" must register with the State and be "Licensed" to provide specific services. Therefore, it seems to me that the obvious choice for a CA would be the Licensing authority. If they can issue a paper license, why can't they also issue and maintain digital certificates? I would presume that the technology and infrastructure to support such efforts would be contracted out to some other organization (Verisign, Entrust, Digital Trust, etc.) but if a Provider chooses to do healthcare business electronically, why can't the licensing organization provide a digital certificate? Same with a Payor organizations, it is my understanding that each payor must be licensed to provide insurance in a particular state and therefore should be able to receive both a paper license and digital certificate. I know several states are attempting to create services that provide this type of trusted environment. I'm specifically aware of the ACES program sponsored by the GSA at the federal level and "Transact Washington" a state based certificate service to conduct electronic transactions with the State agencies. Because the healthcare industry provides a social service and in many cases conduct business with the state, can we suggest that these certificates be used to conduct private business transactions between Covered Entities as well as public services transactions with state agencies? If so, it's seems it would be possible to include in the CPP which certificates an organizations has obtained, and allow business partners the opportunity to validate such certificate to determine the level of trust they wish to associate with an entity. Then the question becomes, will businesses accept a Federal certificate or a State certificate of a certain class of entity (individual, business representative, etc.) as a means to determine level of trust? Ronald Bowron >>> "William J. Kammerer" <[EMAIL PROTECTED]> 08/07/02 08:02AM >>> Payers are not necessarily the best entities to serve as Certificate Authorities (CA), for various technical reasons that I can get into later. But payers identifying providers for the purposes of signing X.509 certificates is a completely separate issue from payers "credentialing" participating providers. I can certainly see how provider malpractice sewage can back up into a payer's basement: after all, the payer is the one who published the directory of participating providers passed out to subscribers, and in effect forced patients to go to one of those providers (because the patient wouldn't have been compensated as much if he chose a non-participating provider). That's a completely different matter, I believe, than serving as a CA for identity purposes in e-commerce. More likely, a payer would not want to serve as a CA simply because other payers, trusting the first payer's judgement, would rely on the certificate without any real benefit accruing to the signing payer. William J. Kammerer Novannet, LLC. Columbus, US-OH 43221-3859 +1 (614) 487-0320 ----- Original Message ----- From: "Kathleen Connor" < [EMAIL PROTECTED] > To: "Christopher J. Feahr, OD" < [EMAIL PROTECTED] >; "William J. Kammerer" < [EMAIL PROTECTED] >; < [EMAIL PROTECTED] > Sent: Sunday, 28 July, 2002 01:08 AM Subject: RE: The "Mao Zedong" PKI Model The problem is health plan/payer liability for credentialing a provider who is involved in a malpractice controversy - it's been a huge barrier to any rationalization of the credentialing process and would spill over to "credentialing" e-commerce id as well if fraud were a possibility. This has been explored in other venues and the only cure that's come up so far is national legislation that would remove some of the liability. -----Original Message----- From: Christopher J. Feahr, OD [ mailto:[EMAIL PROTECTED]] Sent: Saturday, July 27, 2002 3:58 PM To: William J. Kammerer; [EMAIL PROTECTED] Subject: Re: The "Mao Zedong" PKI Model William, Thank you... this is the most lucid and understandable explanation I have read on this subject! It would seem that large payors are the ideal Certificate Authorities (CA) for providers in the context of not only the CPP registry, but of claims and payments. The due diligence undertaken by larger payors in their "provider credentialing" processes is legendary. This would seem to make them more trusted (to vouch for identity of providers in the context of the health care industry) than provider professional associations, who would have no other business purpose for being so thorough. Since payors have to perform this credentialing task anyway... and since they would themselves benefit from "certified" identity on claims, I would think that the providers could be given certificates for little or no cost. In fact, if all payors could agree on a universal (small) set of attributes they needed "certified" (e.g., some want to confirm malpractice liability coverage, levels of licensure, etc.) then one payor like CMS could perform this credentialing operation very efficiently for all payors. CMS would seem to be in a good position to certify the identities of payors, too. There would be ongoing administration, of course, and the more attributes that are certified, the more frequently the certificates will expire and need to be recredentialed. But this model would not expose anyone's "customer list", as it would if each payor (or CH, VAN, etc.) were to only certify his or her own customers. Does anyone know if CMS is contemplating this role in connection with the nat. Provider ID? -Chris Christopher J. Feahr, OD http://visiondatastandard.org [EMAIL PROTECTED] Cell/Pager: 707-529-2268 discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/ . Posting of advertisements or other commercial use of this listserv is specifically prohibited. discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
