The requirements for physicians to offer patients online access to their records are among the most talked-about additions to the stage 2 meaningful use rules. But they could also carry the mother of all unintended consequences – HIPAA violations and their seven-figure average fines – unless doctors figure out how to confirm patients’ identities before releasing information.
The stage 2 meaningful use rules require that physicians allow patients to view, download and transmit information electronically. Doctors must also offer online communication options. But how will doctors know they are actually chatting with their patient and not someone who has simply assumed the identity of one of their patients?
Deven McGraw, director of the health privacy project at the Center for Democracy and Technology and chair of the Office of the National Coordinator for Health IT’s Privacy and Security Tiger Team, recently wrote on the ONC’s Health IT Buzz blog that this question will need to be answered.
Toward that end, the Health IT Policy Committee will host a hearing at the end of the month to discuss patient credentialing. McGraw wrote that this meeting will go over the steps health care professionals should take to make sure the person who is remotely accessing a record is, in fact, the patient they say they are, and how to issue digital credentials.
The patient engagement provisions of the stage 2 rules were widely considered to be a boon to patient empowerment. But it will be interesting to see how empowered patients feel when hackers start exploiting these provisions to make off with personal health information.
It is encouraging that regulators are starting to discuss ways physicians can offer their patients access to data while limiting vulnerabilities. But methods of secure credentialing should be clearly defined before any of the patient engagement provisions go into effect. Otherwise, physicians could be placed in the sticky position of complying with rules that create security vulnerabilities, potentially leading to HIPAA compliance problems.
Just about any new regulation — particularly major rules — has the potential to carry unintended consequences. However, in this case, the potential problem is already identified and understood. Now it is up to the regulators to help doctors understand how they can deal with it.