Protecting Privacy — Who Gets Access to Patient Information?

One of the major responsibilities and challenges for technology-based healthcare systems is to safeguard the privacy of Protected Health Information (PHI) and to limit access to appropriate individuals only. At the core of this problem is identity management. How does one know whether an individual accessing an EHR or patient portal has been properly credentialed, whether that be a patient, designated caregiver, or third party who has been provided access to the medical record? This problem faces healthcare organizations and national programs alike. If providing access becomes too complicated or is too difficult to maintain, the service is simply not used. As a comparison, the financial industry has accepted a four-number PIN for debit cards that can be used worldwide to withdraw money from bank machines. What banks (and we as consumers) also accept is a certain amount of fraud as a cost of doing business. Debit cards could be made more secure by requiring users to change their PIN number at set intervals, but the downside (frustration for customers, deactivated cards, increased phone and online support) means that most individuals create their PIN once and never change it. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires a higher level of diligence in terms of access to Protected Health Information.

To meet Meaningful Use Stage 2 requirements, eligible providers need to provide patients with the capability to electronically view, download, and transmit relevant information from their provider’s electronic health records including information such as lab results, current medications, and hospital discharge information. On November 29, from 12 pm to 4 pm, the Privacy and Security Tiger Team of the Health IT Policy Committee, and the Privacy and Security Working Group of the Health IT Standards Committee, will host a web hearing on patient credentialing. In order to provide patients with access to online tools, a mechanism is needed to verify the identity of that individual. There are some very interesting comments that have been provided in advance of this meeting which can be accessed here.

The greatest problem appears to be identifying an individual (credentialing). There are very few locations in the world that have solved this issue to the point that citizens have universal and unfettered secure access to their confidential health information. One country in which identity is not an issue is Denmark. Denmark is a country of 5.5 million citizens and in 1968 began issuing a Central Person Registry number to each citizen. This number is used for a number of purposes including birth and death, the linking of family members, inpatient and outpatient healthcare information, and social service information. Since Denmark began issuing CPR numbers, the country has not had to conduct a census because there is an accurate count of all citizens at all times. Something as logical as a unique identification number has many advantages in an increasingly more connected healthcare system. Most importantly, it allows relationships to be established — between a patient and their primary care provider(s) or specialist(s), as well as other institutions such as diagnostic facilities and hospitals. In addition, it simplifies the “what you know” part of the credentialing challenge and simplifies access for a patient as they are able to use a single identifier to access multiple databases or services. In Denmark, a patient can view their medication profile online and can also see who has accessed their profile — providing a highly effective oversight mechanism that deters inappropriate access.

Comparing a country like Denmark with the United States is not fair. Much of what the Danes were able to accomplish was due to the geographic size and the small population. However, they have managed to create a near ideal identity scenario based upon a single unique identifier for each citizen. In addition to privacy requirements under HIPAA, and security processes and tools that will be needed to ensure appropriate access to protected health information, there is also a cultural change that needs to take place in which patient and provider feel comfortable sharing information. Cultural change and acceptance will be based upon trust. If the processes to become credentialed and maintain privacy are too stringent, usability and access will suffer. It will be challenging to find a balance that works for all parties.

I will be watching with great interest as great minds try to solve these complex problems. Consider Pay Pal an example of innovation. Who would have thought, even 10 years ago, that it would be possible to simply and securely send or receive money using a regular email address? And yet today this is a commonplace and accepted form of financial transaction. Perhaps that is the key: a Pay Pal for healthcare. Establish the trusted connections behind the scenes among healthcare providers and organizations, and allow patients to control the transaction using their regular email address. Simplistic? Maybe. But it would certainly solve some big challenges.

What are your thoughts? Do you have any suggestions on how to create a simple credentialing system for patients?


One response to "Protecting Privacy — Who Gets Access to Patient Information?"
  • November 20, 2012
    Neil Jackson

    Very pointed and informative article. Years ago we deployed a very technical, yet user controllable technology Fedmark, which when applied to patient data, FedmarkHealth and in most formats assures the patient secured access and the capacity to view all authorized (by the patient) viewers/users of the data with incredible audit, forensic and exception reporting capabilities to any platform. Patients may decide to authorize a viewer’s access at anytime. They may also capture and retain securely unauthorized viewers/users and then report such activity to internal security and external law enforcement as necessary.

Leave a Reply

Your email address will not be published. Required fields are marked *