At a time when patients, physicians, and even Congress are all clamoring for the interoperability we were promised with the HITECH incentives, the principal EHR vendor organization has figured out yet another way to add to their barricades. HIMSS has just released their “Recommended Identity Assurance for Patient Portals” to provide cover for more impediments to the patient’s right to access our own health information.
The parallels to voter ID initiatives are striking. A self-assembled “HIMSS Identity Management Task Force” decides to invent a security threat that is undocumented and then propose a self-serving solution. I had the privilege of witnessing this process firsthand.
The use of HIPAA as a barrier to patient access is well known. Almost all of us, as patients, have experienced denial of access to our own health information “because of HIPAA”. This misinterpretation of the law is so pervasive that the Office for Civil Rights, in September 2013, issued a right to access memo that articulates the patient’s right to an electronic copy of her record and to have that record sent to someone else. Later, in comments designed to encourage adoption of the Blue Button initiative, the Office for Civil Rights made clear that the patient’s right of access included the right to insist on transmission of the record by insecure means if that was what they wanted. (By the way, how many of you have actually received a useful Blue Button file from a private-sector hospital?)
18 months and maybe $15 billion of HITECH incentive payments after the OCR memo, the EHR vendors have come up with their interpretation of the HIPAA patient right of access. I urge all of you to read the 3-page HIMSS recommendation and try to understand what this means to you as a patient.
Secure and privacy-preserving patient identity is currently under consideration by the IDESG Healthcare Committee (https://www.idecosystem.org/group/healthcare-committee). On this page you will find the contact info for the leadership, and I hope you will send your comments and even consider participating. Or, just comment below.
Adrian Gropper, MD is the CTO of Patient Privacy Rights.