ASTM_E_2212_-_02a_2010.pdf
Designation: E2212 - 02a (Reapproved 2010)
An American National Standard

Standard Practice for Healthcare Certificate Policy¹

This standard is issued under the fixed designation E2212; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.

1. Scope

1.1 This practice covers a policy (“the policy”) for digital certificates that support the authentication, authorization, confidentiality, integrity, and nonrepudiation requirements of persons and organizations that electronically create, disclose, receive, or otherwise transact health information.

1.2 This practice defines a policy for three classes of certificates: (1) entity certificates issued to computing components such as servers, devices, applications, processes, or accounts reflecting role assignment; (2) basic individual certificates issued to natural persons involved in the exchange of health information used for healthcare provisioning; and (3) clinical individual certificates issued to natural persons and used for authentication of prescriptive orders relating to the clinical treatment of patients.

1.3 The policy defined by this practice covers: (1) definition of healthcare certificates, healthcare certification authorities, healthcare subscribers, and healthcare relying parties; (2) appropriate use of healthcare certificates; (3) general conditions for the issuance of healthcare certificates; (4) healthcare certificate formats and profile; and (5) requirements for the protection of key material.

1.4 The policy establishes minimum responsibilities for healthcare certification authorities, relying parties, and certificate subscribers.

2. Referenced Documents

2.1 ASTM Standards:²
E2084 Specification for Authentication of Healthcare Information Using Digital Signatures (Withdrawn 2009)³
E2086 Guide for Internet and Intranet Healthcare Security (Withdrawn 2009)³

2.2 Other Documents:
Public Law 104-191, Aug. 21, 1996, Health Insurance Portability and Accountability Act of 1996⁴
RFC 2527 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, PKIX Working Group Internet Draft, January 3, 2002⁵
RFC 2560 Internet X.509 Public Key Infrastructure Online Certificate Status Protocol, OCSP, June 1999⁶

3. Terminology

3.1 Certificate and Related Terms: A certificate, also referred to as a digital certificate or public key certificate, binds a public key value to information identifying the entity associated with the use of a corresponding private key. An entity may be an individual, organization, account, role, computer process, or device. The entity identified within the certificate is referred to as the certificate subject. The certificate is typically used to verify the digital signature of the certificate subject or to encrypt information for that subject. The reliability of the binding of a public key to a certificate subject is asserted by the certification authority (CA) that creates, issues, and distributes certificates. Certification authority is synonymous with certificate authority. Parties that depend on the accuracy of information in the certificate are referred to as relying parties. Certificate users are the collective relying parties and subscribers.

3.2 Certificate Policy:

3.2.1 The X.509 standard defines a certificate policy (CP) as “a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements.” For example, a particular certificate policy might indicate the type of certificate applicable for authenticating electronic data interchange transactions for the trading of goods within a specified price range. In contrast, Practice E2212 addresses rules for certificates that support the authentication, authorization, confidentiality, integrity, and nonrepudiation requirements of persons and organizations that electronically create, disclose, receive, or otherwise transact health information.

¹ This practice is under the jurisdiction of ASTM Committee E31 on Healthcare Informatics, and is the direct responsibility of Subcommittee E31.25 on Healthcare Data Management, Security, Confidentiality, and Privacy. Current edition approved March 1, 2010. Published August 2010. Originally approved in 2002. Last previous edition approved in 2002 as E2212 - 02a. DOI: 10.1520/E2212-02AR10.
² For referenced ASTM standards, visit the ASTM website, www.astm.org, or contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM Standards volume information, refer to the standard's Document Summary page on the ASTM website.
³ The last approved version of this historical standard is referenced on www.astm.org.
⁴ Available at http://aspe.hhs.gov/admnsimp/pl104191.htm.
⁵ Available at www.ietf.org/html.charters/pkix-charter.html.
⁶ Available at http://www.ietf.org/rfc/rfc2560.txt.

Copyright ASTM International, 100 Barr Harbor Drive, PO Box C700, West Consh
