Patient Credentialing Now a Hot Topic
Federal Advisers to Make Recommendations
Two groups of federal advisers are tackling the issue of how best to confirm the identities of patients seeking online access to their electronic health records.
The issue is becoming critical because the meaningful use rule for Stage 2 of the HITECH Act's electronic health record incentive program, which begins in 2014, requires hospitals and physicians to begin providing patients with electronic access to their health records, such as through a portal.
Citing privacy concerns, Congress has prohibited creation of the national patient ID that HIPAA required. So alternative measures are needed to validate patient identity.
Web Hearing Slated
On Oct. 29, the Privacy and Security Tiger Team of the Health IT Policy Committee and the Privacy and Security Working Group of the Health IT Standards Committee will host a web hearing on credentialing patients. The groups advise the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services that's coordinating the HITECH incentive program.
Eventually, ONC/HHS hopes to provide guidance to healthcare providers about facilitating patient access to health data in a way that protects the privacy and security of that information.
In preparation for the meeting, the advisory groups are soliciting feedback from patients and their caregivers who access health records online. While those comments won't be discussed during the Oct. 29 hearing, "they will be part of our deliberations on recommendations," Deven McGraw, Tiger Team chair, tells HealthcareInfoSecurity. McGraw is director of the health privacy project at the Center for Democracy & Technology, a Washington-based, not-for-profit civil liberties organization.
HIPAA and HITECH
"The HIPAA Security Rule requires providers to credential individuals who have access to protected health information," McGraw says. "And it's in the interest of both patients and healthcare providers to have guidelines about how to do this in a way that helps ensure that any access to patient health information is authorized but that doesn't set the bar so high that patients have difficulty obtaining credentials and accessing their information."
The patient engagement objectives for HITECH Stage 2 are "an important step forward in efforts to make healthcare more patient-centered," McGraw says. "Ensuring that patients can access their health information through the new view, download and transmit capabilities that certified EHR technology will offer beginning no later than 2014 will require that providers establish ways of credentialing patients - and their caregivers - to access information."
In a blog posted on the ONC website, McGraw explains the joint meeting later this month will tackle critical issues, including:
- What steps should be taken to make sure that the person who is remotely accessing the record is the actual patient, or that patient's authorized representative?
- How can healthcare organizations reliably issue "digital credentials" without making it too difficult or expensive for patients?
Tackling Credentialing Issues
The work by the advisory groups on patient credentialing comes on the heels of Tiger Team recommendations for trusted IDs of healthcare providers in cyberspace that were endorsed this summer by the HIT Policy Committee (see: Multi-Factor Authentication Gets a Boost). Those recommendations, for example, include requiring multi-factor authentication in certain cases involving clinicians remotely accessing patient information.
Dixie Baker, the chair of the HIT Standards Committee workgroup that's co-sponsoring the patient credentialing hearing, hopes advisers will quickly make recommendations so they'll be available before future stages of the HITECH incentive program.
In addition to verifying the identities of patients when providing online access to records, patient credentialing could be used to help support "bi-directional, secure e-mail between providers and patients," another Stage 2 requirement, says Baker, who is senior partner at the consulting firm Martin, Blanck and Associates.
"The meaningful use measures, standards, and certification criteria are already there for 2014 [HITECH Stage 2]," Baker notes. "However, implementation guidance will be needed, and there's also the potential to strengthen requirements for the 2016 Edition [Stage 3]."
McGraw would rather not wait until HITECH Stage 3 to complete patient credentialing recommendations. "Meaningful use Stage 2 already includes objectives and measures for patient on-line access to health information," she notes. "It will be key to provide policy guidance to assure providers that they can do this in compliance with the law."
But patient credentialing's importance extends beyond the HITECH program, Baker stresses. "Assuring the correct identity of patients is a very important and broad topic that touches on subjects from identity theft, to obtaining medical services using another person's insurance, to providers' falsifying claims for medical services," she says.
A Delicate Balance
As the advisers tackle patient credentialing, they need to be mindful of the delicate balance between ease of use and security. If the process of accessing e-health records data is too difficult, the fear is that patients won't bother trying.
"Ease-of-use is always important because even the strongest security mechanisms can be undermined by creative people attempting to make life easier for themselves," Baker says. "For example, a smartcard that provides hardware protection of digital certificates and is accessed only by using a very long, complex password loses its effectiveness when the user writes the password on a sticky label attached to the card."
Credentialing of patients needs to be different than credentialing for physicians, Baker says, "because risk profiles for physicians vs. patients are quite different. Providers access multiple patients' information, perform actions that affect the health and safety of many people, and their legal liability is quite significant."