The American Medical Association may have missed a "window of opportunity" by delaying rollout of plans to protect health information exchanged over the Internet.
The AMA and Intel Corp. announced last fall they would combine expertise to equip individual physicians with a "digital credential." At the time, officials of the two organizations said their effort would kick off this spring. But now the rollout won't happen until sometime this summer, postponing the march toward supplying the nation's doctors with the electronic evidence they need to verify their identities before handling confidential health information.
By waiting until summer to issue the first credentials, the AMA has missed securing a role that other players are now stepping into, says Jim Klein, research director with Gartner Group's healthcare information technology advisory service.
The delay is partly caused by new features added during development to resolve practical considerations -- such as the ability of physicians to grant certain office staffers enough authority under their credentials to conduct transactions such as claims processing.
The additional features holding up the rollout may be useful to physicians, but the pace of the Internet world demands faster execution, Klein says.
The AMA/Intel partnership, which brings together the nation's largest professional medical society and one of the world's leading technology vendors, seeks to safely streamline routine medical transactions and improve the quality of care through secure online exchanges.
Wide-ranging protection. Digital credentials form the basis for the authentication service AMA and Intel will jointly offer, which applies to everything from securing electronic prescription orders to safeguarding Internet communications among caregivers, patients and health-portal Web sites.
What powers the AMA's ability to achieve broad-based adoption of electronic credentials is its master file, says Donald Palmisano, M.D., a vascular surgeon in New Orleans who serves on the AMA's board of trustees.
The master file aggregates information from state licensing boards to create a comprehensive list of physicians authorized to practice medicine, including those who are not AMA members.
Authentication systems without the master file as a data source have less of a chance to succeed, Palmisano contends, because they will have a tougher time verifying the credentials of a particular physician.
Part of a master file's value is the ability to keep up with changes in an individual physician's practice status. However, one feature missing from the AMA's authentication service at the outset is the ability to monitor licensing issues in real time.
For instance, if a physician is sanctioned on Monday and attempts to send an electronic prescription on Tuesday, the system may not catch up fast enough to stop him.
Intel has been working with the AMA to add the real-time monitoring capability, because the endgame is to provide the most timely information possible, says Mariah Scott, general manager for Internet authentication services at Intel.
Also contributing to the delay in issuing the credentials has been the task of building a network of software and Web vendors that accept the AMA's credential as a security standard, Scott says.
The goal is to foster adoption by encouraging the participation of online hubs through which healthcare transactions flow. Healthcare Web portal companies such as Atlanta-based Healtheon/WebMD are being signed up to facilitate the AMA authentication service.
Without this "managed network," as Scott and others call it, physicians would have nowhere to use their credentials. "We want our managed network to facilitate as many transactions as possible," Scott says.
Gartner Group's Klein agrees that the involvement of Web destinations for doctors is critical if the AMA/Intel service is to work.
"As soon as you get something that starts looking like critical mass, then you can start to market that you have critical mass, and then you get an avalanche effect of people who are going to support (the credential)," Klein says. "We are not there yet by any means."
With or without the critical mass of vendors required to garner broad-based adoption, distributing the credentials to physicians is another job still facing the AMA. "One of the battlegrounds will be to convince integrated delivery systems and hospitals to use the (authentication service)," Klein says.
The steps required to obtain credentials depend on the level of information a physician seeks to access, according to the AMA and Intel.
For instance, the credential may be available via the Web if the physician uses it only to access online medical journals. But if the physician intends to use his credential for viewing patients' clinical data, the process is a longer one that requires off-line documentation such as a certified copy of the medical license and an affidavit confirming identity.
Docs like it. Most feedback from the first round of tests has been positive, says Tom Sullivan, M.D., chairman of the AMA's Online Oversight Panel and a physician at Partners HealthCare System's 228-bed Salem (Mass.) Hospital. Sullivan participated in the first round of tests and reviewed comments from physicians involved in the testing.
The most frequently cited concern, he says, came from physicians who were unsure where and when they would be able to actually use their credentials.
Sullivan, who used a commercial product for digital certification prior to working on the AMA project, says signing up through the AMA was somewhat more complex. But the AMA's authentication service, which will be free to physicians, is a good alternative to commercial products that don't have the AMA's resources and reputation behind them, he says.
From the standpoint of one commercial security vendor, the AMA initiative doesn't go far enough because security entails more than identity authentication.
"True security, which is the cornerstone of privacy, is much broader than identification," says Sheila Schweitzer, chief executive officer of Presideo, a Sebastian, Fla.-based vendor of healthcare data security systems.
In addition to authenticating identities, Presideo's services enable healthcare organizations to manage access privileges and review reports of user activity, Schweitzer says. These features, she adds, are not available through the AMA/Intel service alone.
The question yet to be answered is whether or not the AMA's reputation will be enough to achieve broad adoption and surpass alternative authentication efforts under way in the industry.
Because privacy provisions of the Health Insurance Portability and Accountability Act of 1996 have yet to be finalized, the security coalition that comes closest to meeting HIPAA's final regulations will be the winner in the end, says Simmi Singh, vice president of global insurance and health industry services for the health industry business practice of SeraNova, an Edison, N.J.-based information management company.
"The AMA effort is a good step, but it's a mistake to say that it will be the endgame," Singh says.
Singh advises the healthcare community not to wait for the AMA or any other coalition to come out with a security standard before implementing both electronic and policy-based controls.
She also cautions those implementing security systems to be wary of proprietary approaches that don't stand a good chance of becoming widely used in the industry.
Jeff Tieman is a staff writer for Modern Healthcare.