A federal policy advisory panel on privacy and security of electronic healthcare information spent a second consecutive session wrestling with the details of how to best identify patients, providers and others who might want access to patient data from electronic medical-records systems, personal health records and messaging systems.
The confidentiality, privacy and security work group of the American Health Information Community met for three hours via teleconference Monday, working mainly on honing a list of draft recommendations for "identity proofing," ways of verifying a person’s identity before giving access to electronic records systems or messages. Read more on the
draft recommendations.
Group members decided to focus their recommendations not on broad privacy policies but on the narrow demands of three other AHIC work groups. Those work groups are: looking to promote the use of electronic health-records systems by making it easier to import laboratory values into the systems; developing technologies to create medication histories and electronically provide basic patient registration information to electronic personal health records; aiming to accelerate the electronic transfer of anonymized patient data from ambulatory care and hospital emergency room environments to public health authorities.
Even so, the privacy work group tentatively approved the wording of some general statements -- that all data exchanged through an EHR, PHR or messaging systems it sensitive, and that the work group's identity-proofing recommendations were not intended to be a comprehensive list, but a set of guiding principles.
The group also reached a consensus on some specific recommendations, including: the Certification Commission for Healthcare Information Technology should incorporate criteria for identity proofing in its testing program for electronic healthcare information systems; physicians converting paper records to electronic in their own practices need not be required to identity-proof those records, but should use identity proofing techniques when moving that information electronically to patients from their EHRs; and that anyone moving patient information from a PHR to a patient should use the recommended identity-proofing techniques.
The group stuck, however, on specific identity-proofing techniques and their applicability to different providers. Generally speaking, the group reached consensus on the notion that when a face-to-face, personal relationship exists between a patient and a provider, identity proofing of medical records in person is the gold standard. But they hung up on the adequacy of identity proofing when there were lesser levels of a relationship between the recordkeeper and the person whose records were being kept, with much discussion centering on PHR systems being offered by insurance companies and other third-party payers.
The group put off deciding on a hierarchy of recommended lesser identity proofing techniques until a later meeting.
Work group member Thomas Wilder, vice president, private market regulation for America’s Health Insurance Plans, an insurance industry lobbying group, said the plans he is aware of that are offering PHRs use the insurance identification number on the member’s insurance card as the key data element requested for identity proofing.
"Typically that's all you might need," Wilder said, noting that will give members access to information such as who their physicians are, their medication histories and other information from medical claims. In some cases, Wilder said, plans have included in their PHRs clinical information such as lab results.
But several group members said that the work group needs to address broader privacy policy and should not get bogged down with issues such as identity proofing, which is more closely akin to standards-setting work than policy development. They noted that the progress of other work groups could be held up by the privacy work group not addressing these broader concerns.
Work group co-chairman Kirk Nahra said the committee took on the specialized subject of identity proofing because the co-chairmen and HHS staff believed they could handle the topic quickly and get a set of initial recommendations off to the AHIC promptly. Nahra said broader policy topics are harder and will take more time.
According to Nahra, the work group aims to have recommendations on identity proofing and authentication ready for the Dec. 12 AHIC meeting.
Nahra is a privacy lawyer who has worked with hospitals and insurance clients with the firm of Wiley Rein & Fielding, Washington. He is a member of the board of directors of the International Association of Privacy Professionals, a trade group for corporate privacy officers.
"This first group of topics was formed in a reactive mode," Nahra said, adding that while broader privacy issues will be much tougher and time-consuming, "We definitely know we need to (address) some of the privacy issues and we’ll do that fairly quickly."
Work group member Alison Rein, assistant director, food and health policy, National Consumer’s League, responded regarding broader policy issues that "if they were easy, they probably would have been done by now."
Rein also represents the National Consumer's League on the federally funded Health Information Technology Standards Panel, which is working on harmonizing healthcare data transmission standards around the three AHIC work group use cases. Rein said HITSP Chairman John Halamka is drafting a list of privacy issues that that group needs to have addressed. The list should be ready next month, she said.
"It's not only the security things that have held up the HITSP folks, it's also some broader issues of privacy," Rein said.
What do you think? Write us with your comments at hitsdaily@crain.com. Please include your name, title and hometown.
