The HIMSS Version of Voter ID Laws

Adrian GropperAt a time when patients, physicians, and even congress are all clamoring for the interoperability we were promised with the HITECH incentives, the principal EHR vendor organization has figured out yet another way to add to their barricades. HIMSS has just released their “Recommended Identity Assurance for Patient Portals” provide cover for more impediments to the patient’s right to access our own health information.

The parallels to voter ID initiatives is striking. A self-assembled “HIMSS Identity Management Task Force” decides to invent a security threat that is undocumented and then propose a self-serving solution. I had the privilege of witnessing this process first hand.

The use of HIPAA as a barrier to patient access is well known. Almost all of us, as patients, have experienced denial of access to our own health information “because of HIPAA”. This misinterpretation of the law is so pervasive that the Office for Civil Rights, in September 2013, issued a right to access memo  that articulates the patient’s right to an electronic copy of her record and to have that record sent to someone else. Later, in comments designed to encourage adoption of the Blue Button initiative, the Office for Civil Rights made clear that the patient’s right of access included the right to insist on transmission of the record by insecure means if that was what they wanted. (By the way, how many of you have actually received a useful Blue Button file from private-sector hospital?)

18 months and maybe $15 Billion of HITECH incentive payments after the OCR memo, the EHR vendors have come up with their interpretation of the HIPAA patient right of access. I urge all of you to read the 3-page HIMSS recommendation and try to understand what this means to you as a patient.

Secure and privacy-preserving patient identity is currently under consideration by the IDESG Healthcare Committee https://www.idecosystem.org/group/healthcare-committee. On this page you will find the contact info for the leadership and I hope you will send your comments and even consider participating. Or, just comment below.

Adrian Gropper, MD is the CTO of Patient Privacy Rights.

Categories: Uncategorized

4 replies »

  1. Thanks for this! This document looks like a list of barriers I will need to overcome to get access to my data, not a recipe to make it easy.

    A friend who was seeking to challenge a hospital bill recently was told that on the basis of HIPAA she was not allowed to see an itemized bill of the procedures associated with her hospital stay. Exactly whose privacy was being protected here?

    This does not have to be this hard. Thanks for raising this, Adrian.

  2. Thanks Adrian for raising this important issue! Security and privacy have become the catch all excuses for not making data available or liquid. We will never see the progress we envisioned through the HITECH Act until we have health data liquidity and interoperability.

  3. Congress and ONC are on this. Just out today is a 39-page report from ONC in response to the congressional inquiry: http://www.ihealthbeat.org/articles/2015/4/10/onc-slams-ehr-vendors-providers-for-information-blocking

    The language on the ONC blog is unusually scathing (it makes my post look normal) http://www.healthit.gov/buzz-blog/from-the-onc-desk/health-information-blocking-undermines-interoperability-delivery-reform/ For example: “Indeed, the most definitive finding of our report is that most information blocking is beyond the current reach of ONC or any other federal agency to effectively detect, investigate, and address. Moreover, the ability of innovators and the private sector to overcome this problem is limited by a lack of transparency and other distortions in current health IT markets.”

  4. There is no more effective way of improving health care outcomes for patients than providing patients with immediate and thorough access to their records, without barriers from providers or payers. In view of the excessive errors in records, and the potential for those being multiplied in digital systems, the patient must have continuous and easy access for those records. The patient may also need the ability to grant similar access to his surrogates, whether family or other medical professionals.

    The proposed limitations in the recommendations create greater barriers, and impede the rights of patients to this access, and these limitations should NOT be incorporated into any guidance.