HIMSS Identity Management Task Force


Recommended Identity Assurance for Patient Portals

The HIMSS Identity Management Task Force (IDM TF) serves as a multi-stakeholder industry liaison group, and focuses on the development of tools and resources that will inform HIMSS members on policy and technical challenges relating to patient identity, provider identity and IT asset identities. In line with one of our expected deliverables, to create guidance for specific levels of identity assurance to meet healthcare requirements [NIST Special Publication 800-63-2], the HIMSS IDM TF developed the following recommendation for HIMSS for review and decision regarding next steps.

Recommendation

The HIMSS IDM TF recommends the following requirements for security in the case of a patient accessing their own protected health information (PHI) through a patient portal. In making this recommendation, the TF has considered the current and near-future technical capabilities of electronic data systems in healthcare and believes that it is feasible, cost effective, and necessary to preserve the confidentiality of PHI in electronic systems. Guidance for recommended methods, risk analyses, and documentation, as well as similar recommendations for other use cases, may come from the task force as our work proceeds. Finally, the TF recommends that the Office of the National Coordinator for Health Information Technology (ONC) consider this recommendation for incorporation into federal policy and regulations.

Requirements for security in the case of a patient accessing their own PHI through a patient portal

All mechanisms or processes that provide electronic access by patients to their own protected health information (PHI, as defined by HIPAA) must be capable of employing user identity proofing and authentication at a high level of confidence, greater than or equal to National Institute of Standards and Technology (NIST) Level Of Assurance (LOA) 3 or equivalent (as determined by a documented HIPAA risk analysis).

Before a patient is given the ability to view online, download, or transmit PHI, they must be informed about potential risks to their privacy in doing so, including differences based on any security choices they may have. With rare and well defined exception, all patients must meet such a high confidence identity proofing standard before being allowed electronic access to PHI. Guidance must be promulgated as to how a clinical encounter that results in a patient being ‘known to the practice’ can be conducted and documented to meet such a standard or equivalent, as well as how to enable the exception of authentication for a patient who is anonymous or cannot be proofed at the necessary level of confidence.

©2015 Healthcare Information and Management Systems Society (HIMSS)


All patients must pass such a high confidence identity authentication standard (e.g., two factor authentication) before being given electronic access to PHI, unless they request access through a mechanism or process that bypasses such high confidence identity authentication (as allowed by HIPAA) after being informed about potential additional risks. Guidance must be promulgated as to the limitations and ramifications for the high confidence authentication for a patient who is ‘known to the practice’ but has not been proofed at that level.

Background and Rationale

The HIMSS IDM TF held weekly educational environmental scan and level setting activities in which we learned about identity management techniques being used in other industries, particularly the financial industry, and about current and developing technology in digital identity assurance and federation. We also met monthly to discuss and build upon the work that has already been done to focus on a small, well-defined set of deliverables that will be useful for the healthcare industry. Although the inputs and discussions have been broad, we decided to first focus our attention on something immediately useful and important, the use case of providing a patient with access to their own electronic health information through a patient portal. For example, this is the most common way for an eligible provider or hospital to meet a core requirement for Meaningful Use Stage 2: provide patients the ability to view online, download, and transmit information about a hospital admission. This simplified use case describes identity proofing of a patient, within a clinical environment or remotely, and then subsequent authentication of that patient accessing the portal.

Future work by the task force about specific criteria that the healthcare industry should adopt as best practices for how these functions should be implemented to maintain high confidence in the identities of those accessing the PHI should result in one or more short white papers that can promulgate these best practices to the whole industry. Our members report that the proofing currently done in the clinical environment is not consistent, and in some cases not done at all. For example, the concept of ‘known to the practice’ has been introduced without any specific criteria but with the sense that a patient who is known to the practice is a distinguishable biological entity ‘known’ at a sufficiently high level of confidence to be assigned a mechanism for the purpose of providing them electronic access to their own PHI, even if they request anonymity or present with a false identity. This is clearly not sufficient proofing for other purposes, but some of our members feel that it should qualify for this use case. However, there is a gap in guidance to providers in understanding best practices of how to do this, and a lack of clarity as to how to document a typical face-to-face clinical interaction for the purposes of granting patients access to their own data with confidence in the security of that access. For purposes of this recommendation, ‘known to the practice’ is assumed to be distinct from identity proofed at a high level of confidence and means that the patient is known only to the practice, and is not assumed to be ‘known’ outside the practice. Another example where standards and guidance are needed is the use case of a patient who wants to designate a proxy or delegate, giving the delegate permission to access the patient’s PHI. In the interim, we felt that a statement of policy that reflects our work and conclusions to this point should be promulgated.

Informed by a survey of our members, the task force discussed in detail how these functions are performed currently in various environments. Although there is variability, we found that most patients who are given access to a portal are proofed at a high level of confidence but that most are subsequently authenticated with only some confidence in the asserted identity’s validity (i.e., with username and password). These correspond to the underlying concepts of NIST Levels of Assurance 3 for proofing, and 2 for authentication. We believe that raising the confidence level of patient authentication now is important to counteract the rising security risk of using passwords alone. We also found that the proofing and authentication methods used in healthcare do not always match the prescriptive methods that qualify for the NIST levels, but they could be evaluated and judged to be equivalent where appropriate. We recognize the tension in healthcare between wanting some transactions to remain ‘anonymous’ while desiring to protect the privacy and security of PHI with a high degree of confidence. Our work to define standards and guidance must keep the breadth and complexity of the healthcare industry in mind as we consider how to incorporate more definitive identification techniques, such as biometrics. We feel strongly that the increasing security risks to PHI plus the decreasing costs of implementing higher levels of assurance warrant setting an industry standard requirement of high confidence in the asserted identity’s validity (equivalent to NIST LOA 3) for both proofing and authentication for all accesses to PHI. Although we will deal with a requirement for healthcare provider identity proofing and authentication at this level or higher in the future, this use case is limited to patient access.

We feel that all patient portal systems must be able to meet this standard and that this requirement should be lowered only in specific and well defined situations, e.g., establishing ‘anonymous’ patient identities and communicating through less secure means with the patient at their informed request.

Next Steps for the Task Force:

1. Develop guidance as to how a clinical environment can conduct and document identity proofing and authentication at a high level of confidence, greater than or equal to National Institute of Standards and Technology (NIST) Level Of Assurance (LOA) 3 or equivalent (as determined by a documented HIPAA risk analysis).
2. Develop guidance as to how to conduct and document a HIPAA risk analysis to support #1.
3. Develop guidance as to how to enable authentication at a high level of confidence for a patient who is anonymous or cannot be proofed at the necessary level of confidence, including the limitations and ramifications of doing so.
4. Develop guidance as to how to designate a proxy or delegate and give the delegate access to the patient’s PHI with the same level of confidence.
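The access rule that the requirements and rationale above describe, written as a per-request policy check a portal could run; this is an added example, not code from HIMSS or the task force, and the session fields, the function names and the sample sessions are assumptions:

```python
# Added example, not HIMSS/task force code: encodes the recommendation's access rule
# (NIST LOA 3 for both proofing and authentication, with an informed bypass exception)
# as a policy check a portal could run per PHI request. Field names are assumptions.
from dataclasses import dataclass
from enum import Enum

REQUIRED_LOA = 3  # NIST SP 800-63-2 Level of Assurance 3, or a documented equivalent

class Decision(Enum):
    ALLOW = "allow"
    ALLOW_INFORMED_BYPASS = "allow (informed bypass of high-confidence authentication)"
    DENY_PROOFING = "deny: identity proofing below required level"
    DENY_AUTH = "deny: authentication below required level"
    DENY_NOT_INFORMED = "deny: patient not informed of privacy risks"

@dataclass(frozen=True)
class PortalSession:
    proofing_loa: int           # level at which identity was proofed (0 = anonymous/unproofed)
    proofing_equivalent: bool   # non-NIST method judged equivalent by a documented HIPAA risk analysis
    auth_loa: int               # assurance of this session's login (2 = username and password only)
    informed_of_risks: bool     # patient told about privacy risks before view/download/transmit
    requested_bypass: bool      # patient explicitly requested lower-assurance access

def evaluate_phi_access(s: PortalSession) -> Decision:
    if not s.informed_of_risks:          # informing the patient is a precondition in every case
        return Decision.DENY_NOT_INFORMED
    if s.proofing_loa < REQUIRED_LOA and not s.proofing_equivalent:
        # 'known to the practice' alone is not LOA 3 proofing; the anonymous exception
        # is left to future guidance, so it is denied here rather than guessed at.
        return Decision.DENY_PROOFING
    if s.auth_loa >= REQUIRED_LOA:
        return Decision.ALLOW
    if s.requested_bypass:               # the one authentication exception the recommendation allows
        return Decision.ALLOW_INFORMED_BYPASS
    return Decision.DENY_AUTH

# Constructed sample sessions (not survey data). 'typical_today' is the pattern the
# task force found most often: LOA 3 proofing but password-only (LOA 2) authentication.
SAMPLES = {
    "typical_today": PortalSession(3, False, 2, True, False),
    "two_factor": PortalSession(3, False, 3, True, False),
    "informed_bypass": PortalSession(3, False, 2, True, True),
    "equivalent_proofing_2fa": PortalSession(2, True, 3, True, False),
    "anonymous": PortalSession(0, False, 3, True, False),
    "not_informed": PortalSession(3, False, 3, False, False),
}

def evaluate_all() -> dict:
    return {name: evaluate_phi_access(s).value for name, s in SAMPLES.items()}
```

Running `evaluate_all()` shows that the common current deployment (LOA 3 proofing with a password-only login) is the case the recommendation would reject unless the patient has been informed and has asked for the lower-assurance path.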
