Sending e-Referrals With or Without the Individual PKI
Medical-Objects would like to take this opportunity to let our customers know that you have the option to send e-Referrals with or without the individual PKI key. Medical-Objects understands there has been some confusion of late regarding the validity of e-Referrals sent through the system without a Medicare Individual PKI signature. Security for sending an e-Referral will not be compromised, and Medical-Objects will clarify how we meet the requirements for the transmission of electronic referrals.
NEHTA’s eReferral – Business Requirement Specification Version 1.1 was amended in February 2011, and it now states in Section 220.127.116.11 that, in regard to electronic communications…
“after discussion with DoHA and Medicare Australia, it is accepted that the referrer can sign the referral with an organisational certificate with the ability to identify the individual through local audit logs for the purposes of auditing, and this was supported for the current and interim state”.
We will first address the first part of the requirements for an e-Referral.
“The referrer can sign the referral with an organisational certificate”
All items sent through the Medical-Objects network are secured with PGP encryption using public and private key infrastructure. Messages are encrypted using the recipient’s public key, meaning only the recipient can decrypt the incoming message. The messages are also signed with the sender’s private key, and the signature is verified at the recipient’s end with the sender’s public key. In other words, the sending organisation cannot repudiate a message it has signed, as Medical-Objects uses an explicit trust model.
The PGP keys outlined above are the method of signing with an ‘organisational certificate’. The certificate in these cases is the PGP keys, which identify and validate the sending and receiving organisations, with Medical-Objects being the authority. In this respect, Medical-Objects is satisfied that we have fulfilled this criterion.
We are often asked if we can use HESA certificates to sign e-Referrals. The answer is yes, we can; however, this method is only effective if everyone has the HESA certificates installed. As not everyone meets this requirement, sending would be restricted to sites that have the HESA certificates installed. For this reason, it is not recommended.
For instructions on how to use the Trinity Referral client without a Medicare Individual PKI key, simply unplug your PKI key and follow the instructions at step 8 of the following link.
“with the ability to identify the individual through local audit logs for the purposes of auditing”
All messages sent or received through Medical-Objects are archived for auditing purposes. These messages are what we use to populate your delivery report, and they allow delivery audits to be easily and immediately performed for 3 months on any given result. The delivery report uses specific fields in the archived message to identify the sending organisation, the patient name, the result type, the date received, and the individual who sent the report. The report body should also, in most cases, identify the sender.
After an archived message reaches 3 months old, the message is automatically ‘zipped’ to save storage space on your system. A basic text report is only around 1kb on average, so the amount of space taken up should be negligible in most cases.
If an audit is performed after the 3 month period and proof of transmission/receipt of messages is necessary, the zipped files can be ‘unzipped’ and the original message retrieved, which will identify the sender/recipient etc. This allows an audit trail for all messages sent or received for as long as the Medical-Objects client has been installed, and for this reason we are satisfied that we meet the defined criteria for auditing. Please see the important note below to ensure that you do not lose your audit trail.
You are responsible for retaining the archived messages that are stored on your system for auditing purposes. If you are not already doing so, please ensure that this location is added to your current backup solution to prevent loss of the archive. For more information on doing so, please visit the following links.