Federal privacy work group wants EHRs to verify patient ID

To be certified for use in the federal electronic health-record incentive payment programs, EHRs should have to demonstrate that they can authenticate the identity of patients looking to view or download their medical records or have their records transmitted to someone else, according to a federal privacy work group.

The Privacy and Security Tiger Team of the federally chartered Health IT Policy Committee met Monday to go over a four-page draft of comments on a pair of proposed rules issued in February by the CMS and the Office of the National Coordinator for Health Information Technology. The proposed rules govern Stage 2 of the Medicare and Medicaid EHR incentive payment programs created under the American Recovery and Reinvestment Act of 2009. The Stage 2 rules are expected to come into use in 2014.

The work group compared privacy and security recommendations that the policy committee previously made to the federal rule writers with what actually showed up in the Stage 2 proposed rules.

Among several issues addressed in the letter were instances in which the policy committee's recommendations were not included in the proposed rules. One involved a security requirement for patient portals. The policy committee wanted a rule requiring providers to have "at least single-factor authentication for patients using view, download and transmit functionalities" when accessing their records via a patient portal.

The ONC-drafted proposed rule states that authentication should be required for secure messaging, such as sending a referral letter from one provider to another, but that "there is no comparable authentication requirement for patient access," according to the letter.

The policy committee also recommended that EHRs be certified "to ensure information can be securely downloaded" by the patient or a third party at the patient's request, the letter said.

In addition, certified EHRs should be able to append patient-supplied information in both free-text and scanned formats, according to the Tiger Team.

The work group's draft letter (DOC) is available on HHS' website

The next policy committee meeting is May 2. Various work groups are expected at that meeting to present their reviews of the proposed Stage 2 rules.