Meaningful Use Stage 2 ID Verification Policies And Authorized Access

Highlights of the November 29, 2012, Trusted Identity of Patients in Cyberspace Hearing – Policy: P&STT and the HITSC Privacy & Security Workgroup

http://www.healthit.gov/policy-researchers-implementers/federal-advisory-committees-facas/calendar/2012-11?tid=125


Introduction

• Identity management is a fundamental issue for the healthcare industry, and any efforts to improve healthcare information systems, reduce administrative costs, fight healthcare fraud and identity theft, and improve patient care must start by building a solid healthcare identity foundation.

• HHS should educate the general public on Levels of Assurance and recommend the use of higher assurance credentials (Level 3 and Level 4).

• The Blue Button Initiative makes it imperative that two-factor authentication be offered to those who are utilizing the Blue Button to download their health information.

• Neither the FACAs nor ONC should endorse specific products; rather they should approach the issue of patient authentication with an eye towards a standards-based solution that utilizes non-proprietary, mature technologies that have a proven track record.


The Problems: ‘Siloed’ Records and Access Consent

• John Halamka, MD, tells the story of his mother’s hospitalization:
  – A fall resulted in a broken hip
    • IV morphine administered on admission
    • Pain and morphine resulted in an inability to reconcile her own medications
  – No easy exchange of electronic records available
    • Medication ‘reconciliation’ via examination of all medication bottles in her name resulted in her being put on 22 medications
    • Further deterioration of mental status limited capability to provide informed consent for her son to act as her healthcare advocate


How Meaningful Use Stage 2 Helps

• Due to Dr. Halamka’s intervention:
  – The care team understood the poor quality of the data they had reconciled and the lack of coordination among caregivers, and they agreed to discontinue everything except Tylenol and an anti-hypertensive.
  – The next morning, the patient was ‘foggy’ and had no recollection of the previous two days, but regained her involvement with the rehabilitation process and became a partner in her care planning.
• Under Stage 2 of meaningful use, patient and family view/access/download/transmit to her various data sources will be required:
  – Data exchange at transitions of care will be required.
  – Decision support that would likely have offered best practices for medication management in the elderly would have prevented the cocktail that altered her mental status.


Developing a Strong Health Information Management System

• Starts with the accurate identification of each person receiving or providing healthcare services, as well as anyone accessing or using this information.

• Issues with establishing identity are compounded as electronic medical records (EMRs) are used by many different organizations at the regional, state, and national levels.

• There must be a way to uniquely and securely authenticate each person across the healthcare infrastructure, whether that interaction is in-person at point of care or over the Internet.


Online Credentialing Solutions Issues

• In some cases, in-person single-factor authentication could be sufficient.
  – Providing patients with a username and password that would grant them access to already-established patient portal profiles.
  – Jonathan Hare, chairman and founder of Resilient Network Systems, testified that this system is not foolproof:
    • Front desk staff responsible for issuing online credentials typically have no training in ID verification
    • Process relies too heavily on single-factor authentication, which is not the most secure approach.
    • "If you want to have high assurance you should be using multiple, independent ways to verify identity"


Multifactor Authentication Not Foolproof

• Multifactor authentication may be more secure, but it has its drawbacks
  – Elizabeth Franchi, data quality program director at the Veterans Health Administration who has worked on the VA's Blue Button initiatives:
    • Adding more steps to the verification process typically causes users to drop out of the system before completing verification, leading to low utilization of patient portals and other online services.
    • For example, the doctor may issue a username and password during a patient visit, and then call the patient's personal phone number to make sure the patient was in fact the person who entered the account before allowing full access.
    • Patients often find this type of process onerous, making them less likely to follow it through to the end.
  – "Our biggest lesson learned is that burden has to be lessened for the patient. In order to facilitate this, we need to streamline this."


Smart Card Solutions

• Mature, trusted, and non-proprietary technologies
  – Any technology deployed to modernize our healthcare system must perform a number of tasks: it must improve the quality of patient care, reduce costs, minimize provider workflow and address the concerns and efficiencies required to justify investment.
  – Being able to validate a person’s identity immediately introduces real benefits to health care delivery and the ability to control cost and reduce fraud.

• Identification and authentication are currently uncontrolled and not standardized among medical systems, locations, and organizations within the healthcare community.

• Smart Cards provide the easiest, most cost-efficient, secure, and user-accepted method for solving the healthcare identity management problem


Smart Cards and Emergency Medical Information

• A secure, portable way to store patient data that could be critical in case of an emergency, such as:
  – current medications,
  – allergies, and
  – blood type


American Medical Association’s (AMA) Health Security Card (HSC)

• A three-year public health translational research
• In April 2012, a live simulation of a public health triage scenario using the HSC was conducted. 40 patients were divided into two equal groups:
  – Group 1 carried a HSC containing name, gender, date of birth, allergies, current medications, blood type.
  – Group 2 did not have a HSC. Some had an ID card or health insurance card.
• The average length of patient encounter was
  – 53 seconds for those not carrying a HSC
  – 32 seconds when the HSC was presented
  – Patient satisfaction was significantly higher
    • 75% of individuals carrying a HSC rated the quality of their care to be Excellent or Very Good
    • 35% of those not carrying a card gave a rating of Excellent or Very Good


Combining Smart Card Technology, Cryptographic Functions and Biometrics

• Digital signatures ensure that the biometric template being used has not been altered.

• Encryption protects the biometric template and other personal information stored on the smart card.

• The smart card compares the live biometric template with the biometric template stored on the card. The biometric template never leaves the card, protecting the information from being accessed during transmission

• A cryptographic challenge authenticates the legitimacy of the card and the reader, ensuring privacy for the cardholder, preventing inappropriate disclosure of sensitive data, and thwarting “skimming” of data that might be used for identity theft.
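
The card-side checks listed on this slide, sketched as an added example that is not part of the original presentation or of any smart card product: card and reader authenticate each other with fresh challenges, the card verifies its stored template before use, and matching happens on the card so only a yes/no answer leaves it. The `Card` class, the key names, the bit-distance matcher and the use of HMAC as a stand-in for the issuer's digital signature are all assumptions; encryption of the stored data is not modelled.

```python
import hashlib, hmac, secrets

ISSUER_KEY = secrets.token_bytes(32)  # constructed; HMAC stands in for the issuer's signature
AUTH_KEY = secrets.token_bytes(32)    # constructed; shared by genuine cards and readers

def mac(key, label, data):
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()

class Card:
    """Hypothetical card: the stored template is private and has no read method."""
    def __init__(self, template, issuer_tag, key=AUTH_KEY):
        self._template, self._tag, self._key = template, issuer_tag, key
        self._nonce, self._reader_ok = None, False

    def challenge_reader(self):
        self._nonce = secrets.token_bytes(16)   # fresh per session, defeats replay
        return self._nonce

    def accept_reader(self, response):
        expected = mac(self._key, b"reader", self._nonce or secrets.token_bytes(16))
        self._reader_ok = hmac.compare_digest(response, expected)
        self._nonce = None                      # a challenge is single-use
        return self._reader_ok

    def answer(self, nonce):
        return mac(self._key, b"card", nonce)

    def match(self, live, max_bits=8):
        if not self._reader_ok:                 # unauthenticated readers get nothing
            raise PermissionError("reader not authenticated")
        if not hmac.compare_digest(self._tag, mac(ISSUER_KEY, b"tmpl", self._template)):
            return False                        # stored template was altered
        if len(live) != len(self._template):
            return False
        distance = sum(bin(a ^ b).count("1") for a, b in zip(self._template, live))
        return distance <= max_bits             # only a yes/no leaves the card

def issue_card(template):
    return Card(template, mac(ISSUER_KEY, b"tmpl", template))

def reader_session(card, live, reader_key=AUTH_KEY):
    if not card.accept_reader(mac(reader_key, b"reader", card.challenge_reader())):
        return "reader rejected"
    nonce = secrets.token_bytes(16)
    if not hmac.compare_digest(card.answer(nonce), mac(reader_key, b"card", nonce)):
        return "card rejected"
    return "match" if card.match(live) else "no match"
```

A reader without the shared key is refused before any matching takes place, which is the property the slide describes as thwarting skimming.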


Sources

Burns, E. (12/3/2012). ID verification policies needed in stage 2 meaningful use. SearchHealthIT. http://searchhealthit.techtarget.com/news/2240173745/ID-verification-policies-needed-in-stage-2-meaningful-use.

Halamka, J. (11/6/2012). Why meaningful use Stage 2 is so important. Healthcare IT News. http://www.healthcareitnews.com/news/why-meaningful-use-stage-2-so-important.

Magrath, M. (November 29, 2012) Testimony at P&STT and the HITSC Privacy and Security Workgroup Meeting. HealthIT.gov. http://www.healthit.gov/sites/default/files/20121129_michael_magrath_testimony_-_gemalto_and_smart_card_alliance.docx.