Patient IDs: Weighing the Options

Federal Advisers Seek Input on Credentialing
Patient IDs: Weighing the Options

Two federal advisory groups that will hold a Nov. 29 web hearing on the issue of how best to confirm the identities of patients seeking online access to their electronic health records are reaching out to the public for ideas.

See Also: The State of Organizations' Security Posture as of Q1 2018

The groups eventually will help draft guidance on patient credentialing for hospitals, physician groups and other healthcare organizations (see: Patient Credentialing Now a Hot Topic).


In a blog that describes how to submit comments, Deven McGraw, chair of the Privacy and Security Tiger Team, poses two critical questions about patient credentialing:

  • What steps should we be taking to make sure that the person who is remotely accessing the record is the actual patient, or that patient's authorized representative?
  • How can we reliably issue these digital credentials without making it too hard or too expensive for patients?

The Privacy and Security Tiger Team of the Health IT Policy Committee will co-host the Nov. 29 web hearing with the Privacy and Security Working Group of the Health IT Standards Committee. These panels advise the Office of the National Coordinator of Health IT on various issues, including rules for the HITECH Act electronic health record incentive program.

The hearing was postponed last month because of Superstorm Sandy.

EHR Incentive Program

A final rule for Stage 2 of the EHR incentive program, which begins in 2014, call for hospitals and physicians to begin providing patients with online access to their records, such as through a portal. The rule also requires physicians to start using secure e-mail to communicate with patients. "We want to make sure we facilitate electronic data access and e-mail in a way that protects the privacy, confidentiality and security of that information," McGraw says in her blog.

Congress has prohibited creation of a national patient ID, as required under HIPAA, citing privacy concerns. So alternative measures are needed to validate patient identity.

In an earlier interview with HealthcareInfoSecurity, McGraw noted: "The HIPAA Security Rule requires providers to credential individuals who have access to protected health information. And it's in the interest of both patients and healthcare providers to have guidelines about how to do this in a way that helps ensure that any access to patient health information is authorized but that doesn't set the bar so high that patients have difficulty obtaining credentials and accessing their information."

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.