The HITECH Act contains incentives (and disincentives) designed to accelerate adoption of electronic health record (EHR) systems and deliver on the original goals of the Health Insurance Portability and Accountability Act (HIPAA). These goals are rightly identified as “critical to patient safety, quality of care and reduction of delivery costs.” These are all admirable goals. However, regardless of how admirable, there is little among the many recommendations that address the significant consequences that accompany the rollout of EHR systems. Electronic medical records contain a vast wealth of personal information, and this information will only become more vulnerable, and more susceptible to potential misuse, as access extends to an ever wider network of consumers and health care providers. As has historically been the case with all information systems, the desire to provide more open access and greater usability is always at odds with genuine concerns for security and privacy.
The Privacy and Security Tiger Team of the Office of the National Coordinator for Health IT recently released recommendations aimed at addressing this big elephant in the room. They point out that the HIPAA Security Rule requires covered entities to implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed. However, the Security Rule does not specify authentication options, assurance levels or verification requirements. The Tiger Team’s goal was to establish stronger authentication policy as part of governance for the Nationwide Health Information Network (NwHIN). Their recommendations for authentication of a certified EHR include:
- Baseline user authentication policies should require more than just user name and password for remote access. At least two factors should be required.
- Organizations and entities are encouraged to adopt a risk based approach and provide multi factor authentication for sensitive, high risk transactions
- Minimum two factor authentication of e-prescriptions of controlled substances are required, consistent with the current DEA rule.
- Meaningful Use Stage 2 certification testing criteria for EHRs should include testing of compliance with the DEA authentication rule
It is refreshing to see direct commentary regarding stringent authentication standards. However, the open access-security conflict is clearly apparent throughout the document. This is evident in statements such as “providers must manage the risk of inappropriate access; however they should not set the identification requirements in a way that discourages or inhibits patients from participating.” Open access to patients is no longer the future, it is happening now. EHR systems need to balance the requirement for access with the equally important need for security. An approach focused on layered access to information, using a risk based authentication modality that answers three simple questions – are you who you say you are, where will I allow you to go, and what will I allow you to do - is the best means of achieving this goal.
- ONC Privacy and Security Tiger Team
- Summary: HIPAA Security Rule