PERSONAL HEALTH RECORDS

FOLLOW-UP RESEARCH

FOR

PATIENT IDENTITY PROOFING PRACTICES

May 17, 2007

BACKGROUND

On February 20, 2007, research was presented to the American Health Information Community (AHIC) Confidentiality, Privacy, and Security (CPS) workgroup regarding patient identity proofing (IDP) practices performed by personal health record (PHR) providers, where the PHR providers were assumed to have had no prior relationship with the patient. Furthermore, the PHR providers researched were those that provided “value-added” services with their PHRs, where those value-added services went beyond the traditional medical journal services typically associated with a PHR, and included services such as secure messaging with a care provider, prescription refill requests, and read-only and read/write access to PHRs by other 3rd parties. (Note: All initial research information was based on publicly available information from PHR vendor websites.)

The identity proofing practices most commonly uncovered by those PHR providers was the collection of the following identity information: name, mailing address, phone number, email address and credit card information. In most cases, credit card information was used to purchase the PHR. In some cases, additional information such as date of birth and gender were also collected. The research conducted did not clearly provide evidence that once a PHR provider received identity data, it was verified in any manner to confirm the patient’s identity prior to the establishment of a PHR for the patient.

At the February 20, 2007 AHIC CPS workgroup meeting, Mr. Kirk Nahra and other CPS workgroup members requested that additional research be performed to determine how much verification, if any, of patient identity information is performed by PHR providers before establishing the PHR for the patient. This report represents the additional research accumulated to date since the last CPS workgroup meeting.

ADDITIONAL RESEARCH ON PHR IDP PRACTICES

The initial research presented at the February 20, 2007 CPS workgroup meeting was based on thirteen PHR providers. (Note: Fifty PHR providers were initially researched; only thirteen of them provided value-added services.) Of those thirteen providers, all were attempted to be contacted to gather additional information on the PHR IDP practices. Five PHR providers have responded to date:

• Primetime Medical Software, Inc. (www.medicalhistory.com)

• Laxor, LLC (www.laxor.com)

• Epic Systems (www.epicsys.com)

• Dr. I-Net (www.drinet.com)

• Cerner Corporation (www.cerner.com)

In addition, Anakam (www.anakam.com/web/solutions/healthcare.asp), which is an identification and authentication (I&A) technology provider, also responded. Each of their responses is summarized below.

1. Primetime Medical Software, Inc. clarified that they are not a PHR provider. Their product, Instant Medical History, provides an online medical history service that is typically called from within a PHR or EHR, where the resultant medical history information is then stored in a PHR/EHR repository. Therefore, their product is integrated with PHR/EHR services. For example, a doctor’s office that has already installed an EHR solution can add the Instant Medical History capability to offer additional medical history services to the doctors’ patients. In this case, the patient has an established relationship with the doctor.

2. Laxor noted that they use Personal Health Information Managers (PHIMs), a term created by Laxor, to assist patients in establishing PHRs and setting up authorizations and privileges for other 3rd parties to access the PHR. Once a consumer provides an initial set of information (name, address, email, date of birth, gender, and credit card information), a PHIM follows up with the consumer via a phone call to complete establishment of the PHR. The establishment of the PHR requires that the consumer identify at least one care provider, typically the consumer’s primary care physician. Laxor will perform some level of identity proofing on the care provider (e.g., the care provider is licensed), but admitted that it does not go through the same identity proofing rigor that a hospital would for its doctors. Assuming the care provider identity check is successful, the PHIM will complete establishment of the PHR for the consumer, and also assist the consumer in managing his/her PHR, which includes setting up authorizations and privileges for the care provider and any other 3rd parties that the consumer wishes to have access to the PHR. Access is defined as “no access”, “read only access”, and “write access”, and can be granted at a record level within the PHR, as well as within a time constraint.

3. Epic Systems clarified that their PHR service is an extension of their Electronic Medical Record (EMR) service that is sold to care providers. Therefore, the care providers are leveraging their personal relationships they have with patients to identity proof the patients before granting patient access to a portion of the EMR, which is referred to as the PHR (called My Chart) by Epic Systems. Identity proofing is typically performed at the point when care is being provided (e.g., routine check-up), and information on setting up a PHR is provided to the patient. To complete the set up of a PHR, an activation code is typically mailed to the patient’s home. Epic Systems also noted that they are aware of PHR vendors implementing Knowledge Based Authentication (KBA) technology into their PHR products and services to increase the level of identity proofing performed on the PHR owner; however, they were unable to provide information on the identity of those PHR vendors. KBA is a common identity proofing technology used by many financial institutions in support of their on-line banking applications. KBA typically leverages information found in public database, but it can be extended to private databases to provide higher assurance identity proofing solutions.

4. Dr. I-Net did not provide much insight into their IDP practices. They did state that previously they implemented a much more rigorous registration process, similar to what financial institutions do in support of their on-line banking applications. However, their users found the registration process to be burdensome and long. Given that they offer a free service, they simplified the registration process for PHR users. Dr. I-Net also offers privately branded portals, where they can implement registration and IDP processes per customer requirements.

5. Cerner Corporation provided the following written response regarding their PHR IDP practices:

Current State:

• • If consumer self registers, they only have access to basic PHR and health information.

  • The health provider/plan must authenticate the consumer account by validating the consumer credentials and changing the status of the consumer account to "identified". The consumer now has access to additional services the health provider/plan may have such as secure messaging, view of EMR, and appointments module.

  • Once a consumer account is "identified" they also have the ability to grant access to their account to other members or to Health Professionals. The consumer has the ability to look up account details on the health professional such as full name, gender, specialty, and address.

Future State:

• Ideally, an independent health data bank would hold this data, making it accessible to qualified purchasers, e.g. Providers, Public Health organizations, researchers, etc. Each consumer ultimately owns their data and agrees/controls access to it (each consumer owns a digital identity in the form of a health bank URL).

• The health data bank would be responsible for rigorously providing identity proofing for all member/consumer data inputs.

• Consumers must be able to set consent directives, and privacy/access permissions, around the use of any data they disclose from the PHR.

• Any interoperability standards for privacy and security need to enable sharing of those permissions with the data.

6. Anakam offers KBA-based technology solutions to be integrated into PHR services. Their technology initially collects name, mailing address, and year of birth from the consumer. That information is then checked against public records and databases to determine an identity for the consumer. Once the identity is presumed, a series of personal questions relating to past residence and relationship are posed to the consumer. If the consumer successfully answers the questions (i.e., the consumer needs to answer a certain percentage of them correctly), then the consumer’s identity is considered verified, and the application process continues (in this case, creation of a PHR account by the PHR vendor that has implemented the Anakam identity proofing technology). In addition, the Anakam KBA-based technology can leverage private databases to verify a relationship the consumer may have with a healthcare entity (e.g., an insurance, a care provider), and the questions posed to the consumer may be more tailored to that relationship (e.g., when was your last doctor’s visit). In terms of 3rd party access to the PHR, the Anakam technology allows the consumer to control the definition of privileges for 3rd party access, and performs IDP functions to verify the identities of these 3rd parties consistent with PHR provider requirements. Anakam has stated that they are working with My HealtheVet and MyMedicalRecords.com. My HealtheVet is an on-line healthcare services portal operated by the Veterans Administration (VA) for its military veterans. MyMedicalRecords.com (MMR) is an independent vendor that offers consumers an easy-to-use, secure web-based product that allows documents, images and voice mail messages to be transmitted in and out of the MMR system using a variety of methods, including fax, file upload and email.[FN1]

7. OBSERVATIONS AND CONSIDERATIONS FOR THE CPS WORKGROUP

• OBSERVATION: Not all PHR providers that were initially researched actually fall into the category of a “PHR provider with no prior relationship with the PHR consumer.” It appears that this market of PHR providers is in its infant stage.

• OBSERVATION: Four of the five the PHR providers noted above see value in leveraging patient relationships to provide better assurance of identity in the use of their PHR products and services. This is consistent with the CPS workgroup recommendations provided at the January 23, 2007 AHIC meeting.

• OBSERVATION: While technology providers offer a capability for PHR providers to support identity proofing with consumers with whom they have no prior relationship, the implementation and adoption of such a technical solution is not widespread. PHR providers still appear to be leveraging existing relationships with consumers to establish PHR accounts, in an effort to provide adequate security and trust to the PHR services.

• OBSERVATION: KBA technology is more effective when tied into private databases that can create more personalized questions for consumers during the identity proofing process (e.g., last doctor visit, last prescription refill, last medical claim). However, use of private databases implies a relationship with the consumer, and therefore does not necessarily offer a solution for the environment where no prior relationship exists with the consumer. KBA solutions that only leverage public databases are still prone to compromise by an unauthorized person who has the patience to research and discover a consumer’s public information (e.g., date of birth, social security number).

• OBSERVATION: One PHR provider posed an interesting concept of for a “health data bank” to perform identity proofing and provide verified identity data to qualified entities (e.g., care providers, insurers). This concept is more in line with a federated identity management approach, which has been accepted in other industries.

• CONSIDERATION: As it appears the PHR marketplace is an emerging marketplace, especially for those PHR providers who have no prior relationship with their consumers, the CPS workgroup has two courses of action to consider:

  • Let the marketplace continue to evolve and learn from PHR implementations before reassessing identity proofing requirements and developing recommendations where no prior relationship with the consumer exists; or

  • Develop recommendations now to help guide the PHR marketplace in the area of identity proofing to avoid privacy and security issues, as well as stove-piped, non-interoperable solutions that may be introduced as the market evolves. The recommendations would not necessarily have to be detailed such as to thwart market growth, but sound enough to promote consumer trust and PHR security without deterring authorized access to electronic healthcare information.

• CONSIDERATION: Determine the suitability of KBA-based technology in an electronic healthcare environment, where:

  • The KBA technology is solely based on public databases;

  • The KBA technology is integrated with private databases.

1 Description of MMR services taken from MMR web site located at www.mymedicalrecords.com.