The stage 2 meaningful use rules include a number of provisions that require physicians to make data available electronically to patients. But how do doctors know that they are giving access to patients and caregivers, rather than other parties that have no legitimate reason to access the information?
The Health IT Policy Committee's privacy and security work group tackled this question in a November 29 meeting. While there are a number of models policymakers could base ID verification guidance on, there are issues that make implementing these models challenging.
Under the stage 2 meaningful use rules, physicians must provide at least 50% of their patients with electronic access to their health records, while ensuring at least 5% actually go online to access their records. Additionally, the rules say physicians must send electronic reminders for follow-up care to at least 10% of their patients. However, the rules do not set ID verification standards that spell out how physicians can ensure patients are, in fact, the ones accessing their records.
"Stage 2 meaningful use is a significant step forward in empowering patients to play an active role as part of their health care team," said Dixie Baker, senior partner at Alexandria, Va.-based Martin Blanck and Associates, and member of the policy committee's privacy and security work group. "So for stage 2, identity proofing for consumers becomes very important."
The privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA) do provide broad guidance on the issue of ID verification. David Holtzman, a health information privacy specialist at the Office of Civil Rights, said the privacy rule requires providers to verify the identity and authority of any person requesting protected health information. This verification can occur either in writing or orally.
Furthermore, the security rule states that covered entities should have written policies in place for verifying the credentials of people requesting access to protected health information. However, neither rule specifies precise methods providers should use.
Online credentialing not a foolproof solution
In some cases, in-person single-factor authentication could be sufficient. This could involve the physician providing patients with a username and password that would grant them access to already-established patient portal profiles. Since the physician already knows the patient and has a relationship with the person, it is reasonable to assume the doctor is capable of issuing credentials to appropriate individuals.
But Jonathan Hare, chairman and founder of online identity management company Resilient Network Systems, who testified at the work group meeting, said this system is not foolproof. For one thing, the front desk staff primarily responsible for issuing online credentials typically has no training in ID verification. Furthermore, this process relies too heavily on single-factor authentication, which is not the most secure approach.
"If you want to have high assurance you should be using multiple, independent ways to verify identity," Hare said.
Multifactor authentication may be more secure, but it has its drawbacks. Elizabeth Franchi, data quality program director at the Veterans Health Administration, said adding more steps to the verification process typically causes users to drop out of the system before completing verification. This leads to low utilization of patient portals and other online services.
There are many different ways physicians' offices can do multifactor authentication. For example, the doctor may issue a username and password during a patient visit, and then call the patient's personal phone number to make sure the patient was in fact the person who entered the account before allowing full access. But Franchi, who has worked on the VA's Blue Button initiatives, said patients often find this type of process onerous, making them less likely to follow it through to the end.
"Our biggest lesson learned is that burden has to be lessened for the patient. In order to facilitate this, we need to streamline this," Franchi said.
ID verification requires a multi-strategy approach
Ultimately, a single approach to patient ID verification may not work for all providers. Kevin Manemann, vice president of ambulatory solutions and strategy at St. Joseph Health System in San Diego, said users have different preferences for proving their identity to online systems. Therefore, medical facilities may need to support a broad range of authentication processes, including providing in-person proofing, sending links to portal credentials via email, following up on portal registrations with an email, or a combination of all these.
"What we've experienced is that we have so many different types of consumers and so many requirements that they have, it seems like you have to have a solution that's pretty nimble," Manemann said.
Wes Rishel, analyst with Stamford, Conn.-based Gartner Inc. and a member of the privacy and security workgroup, said determining how best to conduct patient ID verification could have major implications for the health system. He said he sees participation in patient portals as an important way to engage patients, which ultimately could lead to lower health care costs. Making portal registration easy and secure is necessary to getting patients to participate.
"If we can make this whole process of ID proofing easier for patients, they will use it and we can lower health care costs," Rishel said.