Identity management in healthcare was a hot topic at the Smart Card Alliance 9th Annual Smart Cards in Government Conference held last week in Washington. Controlling access to healthcare records, particularly when it comes to consent, was an issue recognized by experts as requiring more innovation.
New to this year’s conference was expanded coverage of the government’s efforts to improve and implement secure electronic medical records and smart card applications with the potential to improve the security and privacy of patient information, provide the secure carrier for portable medical records, reduce healthcare fraud, and support new processes for portable medical records.
Officials said national efforts to implement electronic health records throughout the healthcare system are picking up speed. Deborah Lafky, security lead in the Office of the National Coordinator for Health IT, reported that 70 regional extension centers, established to provide local help to healthcare organizations, are now starting to have an impact.
While identity management continues to take a backseat to the broad goals to establish and exchange electronic medical records, privacy advocate Deven McGraw, director of the Center for Democracy and Technology, said that one of the watershed events in 2010 was the recognition that privacy and security are a key point for “meaningful use” of EHR technology required in order to receive health IT incentives.
Officials said controlling access to information in healthcare records is one of the privacy and security concerns getting more attention, particularly in the area of consent.
“Role-based access control is too blunt an instrument,” said Lafky, explaining that some patients may not want to give a doctor blanket approval to see everything in a health record. She suggested some kind of attribute-based approach is likely to be required to provide a patient with a higher level of granularity with which to control access to his or her information.
“The law is already set. It’s a breach if someone internally looks at a record they’re not supposed to see,” said McGraw. Still, she recognizes that we can’t look to policy to answer all of our questions. She believes there will be more technology innovation by individual organizations as they see problems or opportunities and act on their own to enhance the privacy and security of healthcare.
