Patient ID proofing for EHR access must be easy, HIT policy committees say

By Mary Mosquera
09:39 AM

Some healthcare organizations are already verifying the identity of patients and other authorized users to access their information, even though privacy and security experts are still wrestling with which methods may be the most effective and easy to use so they will be widely adopted.

For example, the Veterans Affairs Department uses the Defense Department service member enrollment system to conduct identity verification for the MyHealtheVet portal, the VA’s personal health record system. When a veteran logs on to MyHealtheVet, it automatically links to the DOD system, according to Elizabeth Franchi, director of the Veterans Health Administration data quality program.

“Patients have to be able to do that identity proofing remotely and easily. We defer that to the Defense system because veterans have had a prior relationship with DOD and are known by the system that is going to authenticate them and provide that level of credential assurance,” she said at a Nov. 29 hearing hosted by the privacy and security panels of the federal advisory Health IT Policy and Standards Committees.

To meet the requirements of Meaningful Use Stage 2, healthcare providers will need to more actively engage patients by enabling them to electronically view, download, and transmit information from their electronic health records (EHRs).

Identity proofing is a process of verifying who a person is, either in person or online, before they create an account or are issued a digital credential. It may mean providing a driver’s license, passport, birth certificate, or a biometric, according to Dixie Baker, chair of the Health IT Standards Committee privacy and security workgroup.

“Authentication, which happens after the person has been granted an account or issued a digital certificate, establishes confidence in the identity of the individual,” she said.

[See also: CMS readies IT, analytics for waves of health reform data]

The Indiana State Department of Health has created the MyVaxIndiana, an immunization portal which enables a parent or legal guardian to access their own or their child’s vaccine record from the registry. A registered Indiana provider creates a patient ID number, which gives a person access to the record they have requested, according to Chris Mickens, director of HIPAA Compliance at Indiana State Department of Health.

“It was better for us to partner with current providers statewide on identity authentication and identity proofing because they were the ones who had already established relationships,” she said. Providers understand better that “the relationship and legal right of a parent or legal guardian to access a child’s information is constantly changing through separation, divorce, and court order,” she said.

Within MyVaxIndiana, the parent or guardian checks boxes that verify their legal right to the child’s information that they are requesting. For its part, Indiana has a separate system that logs all the records that have been accessed and the persons requesting them.

Indiana also has included as part of MyVaxIndiana the Blue Button functionality to download personal health information in a simple text format to a computer or personal health record (PHR) system or application.

Michael Magrath, director of business development for Gemalto, an identity card maker, and chairman of the Smart Card Alliance’s Healthcare Council, described how smart cards containing biometrics could assure protection as health information is increasingly shared.

“Some hospitals are beginning to use it for point-of-care identity purposes, but not online for patient record access,” he said.

Employees and contractors of federal agencies use a personal verification identification card as part of the Homeland Security Presidential Directive - 12 (HSPD-12) for accessing federal buildings and information systems to increase security, protect privacy and reduce identity fraud.

The federal government is in the very early stage of moving the credential into mobile devices for use in smart phones and tablets to assure a higher level of security, Magrath said. The National Institute of Standards and Technology would have to augment its Federal Information Processing Standard 201 for smart cards, “but it’s a couple of years off,” he said.

The policy committee’s Privacy and Security Tiger Team, meanwhile, has recommended these authentication and identity proofing steps for providers, according to Deven McGraw, tiger team chair:

• Require a user name and password, at a minimum. If providers want to offer additional levels of security, there ought to be the option to do that.

• Avoid setting requirements so high that patients are discouraged from accessing their electronic medical records online and can’t participate meaningfully because it is too difficult or requires too many steps.

• ONC should work with NIST to provide guidance to providers on trusted identification methods and updates to reflect federal de-identification efforts and other methods for Trusted Identity in Cyberspace for consumers.