Patient IDs: Weighing the OptionsFederal Advisers Seek Input on Credentialing
Two federal advisory groups that will hold a Nov. 29 web hearing on the issue of how best to confirm the identities of patients seeking online access to their electronic health records are reaching out to the public for ideas.
The groups eventually will help draft guidance on patient credentialing for hospitals, physician groups and other healthcare organizations (see: Patient Credentialing Now a Hot Topic)..
In a blog that describes how to submit comments, Deven McGraw, chair of the Privacy and Security Tiger Team, poses two critical questions about patient credentialing:
- What steps should we be taking to make sure that the person who is remotely accessing the record is the actual patient, or that patient's authorized representative?
- How can we reliably issue these digital credentials without making it too hard or too expensive for patients?
The Privacy and Security Tiger Team of the Health IT Policy Committee will co-host the Nov. 29 web hearing with the Privacy and Security Working Group of the Health IT Standards Committee. These panels advise the Office of the National Coordinator of Health IT on various issues, including rules for the HITECH Act electronic health record incentive program.
The hearing was postponed last month because of Superstorm Sandy.
EHR Incentive Program
A final rule for Stage 2 of the EHR incentive program, which begins in 2014, call for hospitals and physicians to begin providing patients with online access to their records, such as through a portal. The rule also requires physicians to start using secure e-mail to communicate with patients. "We want to make sure we facilitate electronic data access and e-mail in a way that protects the privacy, confidentiality and security of that information," McGraw says in her blog.
Congress has prohibited creation of a national patient ID, as required under HIPAA, citing privacy concerns. So alternative measures are needed to validate patient identity.
In an earlier interview with HealthcareInfoSecurity, McGraw noted: "The HIPAA Security Rule requires providers to credential individuals who have access to protected health information. And it's in the interest of both patients and healthcare providers to have guidelines about how to do this in a way that helps ensure that any access to patient health information is authorized but that doesn't set the bar so high that patients have difficulty obtaining credentials and accessing their information."