Health IT program needs ID management

The Obama administration’s drive to implement electronic health records (EHRs) should have strong identity management tools to ensure privacy and security of the records, members of a panel of providers, vendors and policy experts said today.

The coming health information technology policies and standards are to include protections for patient privacy and security and  safeguards against medical identity theft. Achieving those goals could be advanced by identity management tools, such as strong authentication standards and smart cards, according to panelists at an event in Washington today organized by the Smart Card Alliance and the Secure ID Coalition. Both groups represent vendors of identity management programs.

For example, patients checking in to Mount Sinai Medical Center in New York City are assigned a smart card that contains their photograph and a digital summary of recent clinical information. By delivering the information to doctors providing care, the card helps improve care and reduce medical errors. The card also has proven to be critical in reducing fraud and identity theft, which in turn decreases errors in payments and in patient care, said Paul Contino, vice president of IT at Mount Sinai.

“If you don’t catch the errors at the registration desk, you will see dramatic effects downstream,” Contino said. “If you are going to spend money on health IT, you need the right identification standards.” Without strong ID management, care records are likely to have errors because of false identities, misspelled names, duplicative names and other problems. Even a single error, such as a wrong blood type listed on a patient’s record due to a mix-up with another person’s identity, can lead to catastrophic consequences for a patient, he said.

Congress approved spending $17 billion in incentives for doctors and hospitals that install and use health IT systems as part of the economic stimulus law. The Health and Human Services Department is drawing up standards and policies to distribute payments to providers who can show meaningful use of health IT. HHS also is setting up a framework for secure exchange of the health data and the department's national coordinator for health IT on May 15 released a road map for creating the standards and policies under the stimulus law.

One standards will involve controls on access to patient records. The leakage of private medical information can affect a patient’s employment, housing and insurance status, and because of that extreme sensitivity, medical information requires more than a password for secure handling, said Michael Magrath, director of business development for North America for Gemalto Inc.

“Health information exchanges and regional information exchanges will be targeted by hackers,” Magrath said. “I have strong concerns about the prospect of minimum standards," such as passwords alone. Identity authentication standards for receiving medical care and handling medical data should require a password and also use of some type of identity token or certificate issued by a third party, he said.

Ideally, patients would be in charge of -- and would have complete access to -- all of their health records, said William Yasnoff, managing partner of the National Health Information Infrastructure Advisors consulting firm.

“Who has your complete medical records? For most people, it’s no one,” Yasnoff said.