Health IT program needs ID management

Privacy becomes an issue with electronic health records

The Obama administration’s drive to implement electronic health records (EHRs) should have strong identity management tools to ensure privacy and security of the records, members of a panel of providers, vendors and policy experts said today.

The coming health information technology policies and standards are to include protections for patient privacy and security and safeguards against medical identity theft. Achieving those goals could be advanced by identity management tools, such as strong authentication standards and smart cards, according to panelists at an event in Washington today organized by the Smart Card Alliance and the Secure ID Coalition. Both groups represent vendors of identity management programs.

For example, patients checking in to Mount Sinai Medical Center in New York City are assigned a smart card that contains their photograph and a digital summary of recent clinical information. By delivering the information to doctors providing care, the card helps improve care and reduce medical errors. The card also has proven to be critical in reducing fraud and identity theft, which in turn decreases errors in payments and in patient care, said Paul Contino, vice president of IT at Mount Sinai.

“If you don’t catch the errors at the registration desk, you will see dramatic effects downstream,” Contino said. “If you are going to spend money on health IT, you need the right identification standards.” Without strong ID management, care records are likely to have errors because of false identities, misspelled names, duplicative names and other problems. Even a single error, such as a wrong blood type listed on a patient’s record due to a mix-up with another person’s identity, can lead to catastrophic consequences for a patient, he said.

Congress approved spending $17 billion in incentives for doctors and hospitals that install and use health IT systems as part of the economic stimulus law. The Health and Human Services Department is drawing up standards and policies to distribute payments to providers who can show meaningful use of health IT. HHS also is setting up a framework for secure exchange of the health data, and the department's national coordinator for health IT on May 15 released a road map for creating the standards and policies under the stimulus law.

One standard will involve controls on access to patient records. The leakage of private medical information can affect a patient’s employment, housing and insurance status, and because of that extreme sensitivity, medical information requires more than a password for secure handling, said Michael Magrath, director of business development for North America for Gemalto Inc.

“Health information exchanges and regional information exchanges will be targeted by hackers,” Magrath said. “I have strong concerns about the prospect of minimum standards,” such as passwords alone. Identity authentication standards for receiving medical care and handling medical data should require a password and also use of some type of identity token or certificate issued by a third party, he said.

Ideally, patients would be in charge of -- and would have complete access to -- all of their health records, said William Yasnoff, managing partner of the National Health Information Infrastructure Advisors consulting firm.

“Who has your complete medical records? For most people, it’s no one,” Yasnoff said.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Reader comments

Thu, May 21, 2009 Bruce Stockinger

Privacy is an issue in HIPAA because providers and the government really don't believe that the patient has a right to privacy. The patient needs to have a significant and on-going say as to where and to whom their information is going. I know of cases where providers feel they have the right to track a patient's status 7 years after the patient severed their relationship with the provider. When that tracking includes name, SS#, address, and health status and is being slopped around via fax and email there is something very wrong with our privacy protections.

Thu, May 21, 2009 John Weiler

Privacy has been an issue since the signing of HIPAA back in 1998, and a cornerstone of the former EHR initiative called Govt Wide Computer Based Patient Record (GCPR). This is not new. The challenge has always been with HOW do you bake it into the architecture and acquisition process. We need tight SLAs so our contractors don't sell us ECPs to deliver what should have been in the contract day 1. The technology has been in place for years to establish an interoperable EHR. What is missing is the effective processes and mgt resolve. Senior leadership needs to stay engaged which is normally not the case. The Feds have already spent over $8 Billion on EHR, but we still lack a functioning system. Improve the architecture and acquisition processes first. Make sure that the innovators of the market who have already developed these technical capabilities are engaged up front. We seem to pander to the big 10 contractors who never deliver. Maybe it's time to give some of the Bush era approaches that outsourced inherently governmental and public service functions to the SIs, and take back control.
