Work under way on getting patient identity right
Goal is to get right data to right patient
WASHINGTON - As providers and hospitals drive toward meaningful use of certified EHRs, the ONC is at work on how the identity of individuals should be verified when they electronically access their health records.
The privacy and security panels that advise the ONC gathered public comments last month.
The intent is to ensure that patients "are who they say they are" so they can take advantage of Web tools, said Deven McGraw, chair of ONC's Privacy and Security Tiger Team and director of health privacy at the Center for Democracy and Technology.
To meet the requirements of meaningful use Stage 2, healthcare providers will need to more actively engage patients by enabling them to electronically view, download, and transmit relevant information from their EHRs. This could include lab test results, a list of current medications and hospital discharge instructions. Patient engagement also includes bi-directional, secure email with patients.
"We want to make sure we facilitate electronic data access and email in a way that protects the privacy, confidentiality and security of that information," McGraw said in an Oct. 8 online post.
The National Institute of Standards and Technology (NIST) is also at work on patient credentialing. Last September NIST awarded $9 million in grants to five collaborative groups to demonstrate how online transactions can be secure and private as part of the National Strategy for Trusted Identities in Cyberspace (NSTIC), a White House initiative to work with the private sector, advocacy groups and government agencies to develop identity credentials that are easy to use and interoperable.
"These five pilots take the vision and principles embodied in the NSTIC and translate them directly into solutions that will be deployed into the marketplace," said Jeremy Grant, senior executive advisor for identity management and head of the NSTIC National Program Office, which is led by NIST.
The ability to access health information online is quite similar to accessing a bank account online, said Dixie Baker, chair of the Health IT Standards Committee privacy and security work group and senior partner at Martin, Blanck, and Associates.
As such, it could be useful to consider the process and information required to get online access to bank accounts, she suggested.
"I feel comfortable that my bank takes my personal privacy, and the security of my information, very seriously," Baker said. "I would expect no less from my healthcare providers because my health information is at least as sensitive as my financial information."
In addition to verifying the identity of a patient who is remotely accessing a health record, the panel, made up of representatives from healthcare, technology, consumer and government organizations, is exploring how to issue "digital credentials" without making it too difficult or expensive for patients.