Patient ID Best Practices Coming Soon? Advisers Call for Guidance in Time for HITECH Stage 2
Federal regulators are one step closer to issuing guidance on best practices for how healthcare organizations should authenticate the identities of patients when they want to view, download or transmit their health records online.
The Health IT Policy Committee on Jan. 8 approved recommendations from its Privacy and Security Tiger Team regarding patient IDs in cyberspace. The committee advises the Office for the National Coordinator for Health IT on policy issues related to the HITECH Act electronic health record incentive program.
The tiger team recommended that ONC make the guidelines available in advance of the 2014 start of Stage 2 of the EHR incentive program. To qualify for a second stage of incentive payments, hospitals and physicians must enable patients to view, download and transmit their electronic health records, such as through a web portal (see: Patient ID Best Practices Needed).
In endorsing the tiger team's recommendations, the committee is asking ONC to provide guidance that, among other things, strongly encourages healthcare providers to require that patients use more than a username and password to access a web portal and view their records. The idea is to drive healthcare toward protections similar to those used in online banking.
For example, while online banking sites require consumers to enter usernames and passwords, they often also authenticate users with additional steps, such as recognizing the user's computing device or asking knowledge-based questions, like the user's father's middle name, notes Deven McGraw, tiger team chair.
"So many consumers are familiar with online banking and do it regularly," she says. "The intent is to make viewing, downloading and transmission of electronic health information secure yet easy for patients."
McGraw, director of the health privacy project at the Center for Democracy & Technology, a Washington-based civil liberties organization, says federal regulators need to guard against making patient ID credentialing and authentication recommendations that would prove too difficult for patients and providers to follow. "An overarching principle in the recommendations is that the protections should be commensurate with risks," she says.
Among the other recommendations approved by the HIT Policy Committee are:
- ONC should also disseminate to healthcare providers, at a minimum, the latest best practices in password management;
- As technology options for authentication continue to evolve, ONC should continue to monitor and update policies as appropriate to reflect improved technological capabilities;
- In-person patient ID verification is preferred, but remote verification should be allowed so that patients who cannot easily appear in person, such as the elderly and those in rural communities, can establish online user accounts.
The tiger team had been working on patient ID credentialing and authentication for several months after making recommendations last summer on ID verification for healthcare providers. Those suggestions included using multi-factor authentication in certain cases involving clinicians seeking remote access to patient information (see: Multi-Factor Authentication Gets a Boost).
The patient ID recommendations reflect public and industry feedback that the HIT Policy Committee received online and during a joint hearing with the HIT Standards Committee Nov. 29 (see: Feds Consider Patient Authentication).