A federal policy advisory panel on privacy and security of electronic healthcare information spent a second consecutive session wrestling with the details of how to best identify patients, providers and others who might want access to patient data from electronic medical-records systems, personal health records and messaging systems.
The confidentiality, privacy and security work group of the American Health Information Community met for three hours via teleconference Monday, working mainly on honing a list of draft recommendations for “identity proofing,” ways of verifying a person’s identity before giving access to electronic records systems or messages. Read more on the draft recommendations.
Group members decided to focus their recommendations not on broad privacy policies but on the narrow demands of three other AHIC work groups. Those work groups are: looking to promote the use of electronic health-records systems by making it easier to import laboratory values into the systems; developing technologies to create medication histories and electronically provide basic patient registration information to electronic personal health records; aiming to accelerate the electronic transfer of anonymized patient data from ambulatory care and hospital emergency room environments to public health authorities.
Even so, the privacy work group tentatively approved the wording of some general statements — that all data exchanged through an EHR, PHR or messaging systems it sensitive, and that the work group’s identity-proofing recommendations were not intended to be a comprehensive list, but a set of guiding principles.
The group also reached a consensus on some specific recommendations, including: the Certification Commission for Healthcare Information Technology should incorporate criteria for identity proofing in its testing program for electronic healthcare information systems; physicians converting paper records to electronic in their own practices need not be required to identity-proof those records, but should use identity proofing techniques when moving that information electronically to patients from their EHRs; and that anyone moving patient information from a PHR to a patient should use the recommended identity-proofing techniques.
The group stuck, however, on specific identity-proofing techniques and their applicability to different providers. Generally speaking, the group reached consensus on the notion that when a face-to-face, personal relationship exists between a patient and a provider, identity proofing of medical records in person is the gold standard. But they hung up on the adequacy of identity proofing when there were lesser levels of a relationship between the recordkeeper and the person whose records were being kept, with much discussion centering on PHR systems being offered by insurance companies and other third-party payers.
The group put off deciding on a hierarchy of recommended lesser identity proofing techniques until a later meeting.
Read entire article at Modern Healthcare