The Smart Card Alliance announced today that it strongly endorses the Electronic Health Record (EHR) privacy authentication recommendations made by the HIT Policy Committee Privacy and Security Tiger Team. The group proposed rules it deems necessary to provide a suitable trust framework for information exchange between EHR systems. Specifically, the Alliance agrees with the team’s recommendation that all organizations involved in health data exchange involving personally identifiable health information should be required to use digital certificates.
“Digital certificates are essential to achieving a high level of assurance that organizations participating in electronic healthcare information exchange are who they say they are,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “In our view, provider entities and organizations should take note of this proposed ruling and go even further; digital certificates should also be the basis for identifying and authenticating all individual health professionals, including administrative staff, who have access to electronic health information records.”
Individual health professionals were outside the scope of the Tiger Team discussions; however, in making their recommendations, they noted that HIPAA security rules already require organizations to develop and implement policies to identity-proof and authenticate their individual users.
“HIPAA is very clear that if someone accesses personal health information that they are not authorized to see, that constitutes a breach. And now health information breaches must be disclosed and carry penalties. With the usage, storage and transmission of electronic health records, the risk of breach is magnified, putting a clear burden on all organizations participating in the healthcare industry to make sure they know who can access healthcare records, and which parts of those records they can see. The safest way to protect the exchange and use of healthcare information by individuals in healthcare provider organizations is with a digital credential securely stored on a smart card,” said Vanderhoof.
Smart cards are an effective and user-friendly way to distribute and use digital credentials, and are already widely used worldwide in both government and the private sector, for example, in the defense, aerospace, healthcare and pharmaceutical industries. Credentials on cards stay with the owner, enable PIN or biometric-based security for credential use and provide a second authentication factor in transactions. This approach ensures that only the right people have access to information, and protects individual healthcare data records as required by HIPAA.