A federal workgroup studying privacy issues in health information technology on Nov. 15 released a preliminary set of recommendations for how health care providers and others should verify patients' identity before transmitting medical information electronically to a patient. Though narrow in scope, the guidelines are expected to pave the way for broader policy recommendations.
The recommendations, which were drafted by the Confidentiality, Privacy & Security Workgroup of the American Health Information Community, or AHIC, say that health data should be considered sensitive if exchanged through secure messaging, or accessed through doctor-controlled EHRs (electronic health records) or patient-controlled electronic PHRs (personal health records). This designation means the information is protected under HIPAA (Health Insurance Portability and Accountability Act).
In addition, EHR systems should support "identity proofing" of patients to get a stamp of approval from the CCHIT (Certification Commission for Healthcare Information Technology).
According to AHIC, the recommendations will foster electronic messaging between patients and clinicians when appropriate, and also supply targeted populations with PHRs complete with a patient's individual health information. This information could be provided by a health provider, insurer, or other entity. The recommendations also allow for authorized parties to view patients' laboratory results electronically.
The recommendations describe three ways that providers and other suppliers offering patients access to their health information can verify a patient's identity: patients can supply identifying documents or personal information that should be known only to that individual; providers can attest to the patient's identity in person, over the telephone, or through some other means, such as a faxed signature; and a trusted third party such as a notary public or peer authorized to certify information can also be used.
Before moving to broader policy recommendations, AHIC is working out standard procedures for identity proofing and user authentication, since these two issues are expected to set the foundation for other security initiatives.