Patient ID Best Practices Needed
Panel Will Urge Regulators to Issue Advice on Verifying IDs
A federal advisory panel will recommend that the Office of the National Coordinator for Health IT quickly develop and disseminate best practices for verifying the identity of patients who access their records through a provider's web portal.
The HIT Policy Committee's privacy and security tiger team will complete its recommendations for best practices at its Jan. 7 meeting. The full committee, which will review the recommendations Jan. 8, advises ONC on policy matters tied to the HITECH Act's electronic health record incentive program. Stage 2 of the program starts in 2014, and tiger team members will urge that best practices be distributed well before then.
The pending recommendations, as discussed at a Dec. 17 tiger team meeting, include these suggestions for patient authentication:
- ONC should strongly encourage providers to require that patients use more than a user ID and password to access a web portal and view their records. The idea is to drive healthcare toward protections similar to those used in online banking.
- At a minimum, ONC should disseminate to healthcare providers the latest best practices in password management.
- Because technology options for authentication continue to evolve, ONC should continue to monitor and update policies and best practices as appropriate to reflect improved technological capabilities.
Key Stage 2 Objective
Under the meaningful use rule for Stage 2 of the HITECH incentive program, a key objective for healthcare providers is to allow patients to securely view, download and transmit their health information.
"But you have to make sure when you give the portal account you know that person," says tiger team member David McCallie, vice president of medical informatics at software vendor Cerner Corp.
That is why the tiger team will recommend that ONC issue best practices for verifying patient IDs before Stage 2 of the HITECH Act program begins in 2014 so that hospitals and physicians have time to prepare.
The tiger team will recommend to the HIT Policy Committee that patient ID best practices be consistent with a few overarching principles.
For instance, the team will recommend that ID protections should be commensurate with risks and that any ID verification system be easy for patients to use, says Deven McGraw, tiger team chair.
While in-person verification of identity is preferred, the tiger team acknowledges that for some patients, such as the elderly or those in rural communities, remote ID verification might be necessary to allow those individuals to access, download and transmit their health data via a web portal.
"Remote proofing is needed to enable more patients to use these portal accounts," says McGraw, who is also director of the health privacy project at the Center for Democracy & Technology. Consequently, ONC should offer healthcare providers best practices for both remote and in-person ID proofing.
"There should be flexibility in methods offered; one size does not fit all," she stresses.
Tiger Team Efforts
The tiger team has been working on its recommendations for patient ID proofing and authentication for several months (see: Patient IDs: Weighing the Options).
The recommendations by the tiger team reflect insights gathered at a recent joint hearing at which a number of healthcare industry and technology stakeholders testified about possible patient ID proposals (see: Feds Consider Patient Authentication).
At that Nov. 29 joint hearing, members of the security and privacy workgroups of the HIT policy and standards committees heard public testimony from a diverse group of leaders in healthcare, technology and other industries. Discussions focused on possible methods and technologies to be considered for authenticating the IDs of patients and their authorized representatives.
The tiger team has also been collecting public feedback about patient ID proofing and authentication via comments solicited by McGraw in a blog she wrote for the ONC site.
During the Dec. 17 meeting, tiger team members also discussed possibly recommending that the HIT Standards Committee's privacy and security workgroup consider whether there should be a requirement to use authentication that goes beyond username and password for Stage 3 of the HITECH EHR incentive program.