Reviewing EHR patient portal authentication levels

From: HealthITSecurity

Author Name: Patrick Ouellette

While EHR patient portals are tied to the EHR Meaningful Use Program’s patient engagement requirements, securing and authenticating user access is a critical part of the process. During iHT2’s “Secure Access for Web-based Patient Portals and Applications” webcast, Chris Brooks, SVP of Technology at WebMD, explained how he views the authentication landscape from the WebMD perspective.

Though WebMD isn’t a provider and deals more with payers, it still must adhere to federal patient privacy and security regulations such as HIPAA. Brooks began the presentation by reminding the audience that Stage 2 of the CMS Incentive Program sets goals for patient engagement:

Core Measure 7 – Provide patients the ability to view online, download and transmit their health information within four business days of the information being available to the EP.

Core Measure 17 – Use secure electronic messaging to communicate with patients on relevant health information.

But how do you reconcile these meaningful use requirements with HIPAA regulations? Brooks said that healthcare organizations need to continually weigh ease of use against robust authentication standards. For example, Brooks cited a WebMD mobile application that doesn’t allow access to or sharing of personal health information, but through which patients can share daily wellness activities with WebMD. Patients authenticate with an initial authorization code, but there’s no password required because of the nature and sensitivity of the information. Healthcare organizations are slowly beginning to take advantage of these applications, but it’s hard to compare authentication levels for patient-centric apps with clinical apps that have protected health information (PHI) running through them.

When evaluating authentication needs based on risk (sensitivity of data) and engagement requirements, however, Brooks did say there can be confusion with certain types of data. “One potential gray area is the blood sugar tracker,” Brooks said. “If a user opts in to using a mobile blood sugar tracker, where does that fall?”

Brooks provided a map of authentication levels from his vantage point at WebMD, while drawing parallels to some of the security issues with online banking from a few years ago:
