Meeting Patient Engagement Objectives of Meaningful Use Stage 2: Credentialing Patients

**UPDATE** The Privacy and Security Tiger Team of the Health IT Policy Committee, and the Privacy and Security Working Group of the Health IT Standards Committee, will host a web hearing on credentialing patients on November 29, 2012 from 12pm to 4pm.

Giving patients access to their health information—and providing them with tools to electronically communicate with their clinical care team—is critical to making health care more patient-centered. 

To meet the requirements of Meaningful Use Stage 2, health care providers need to more actively engage patients by providing them with the capability to electronically view, download, and transmit relevant information from their provider’s electronic health records. This could include lab test results, a list of current medications, and hospital discharge instructions.

For physicians and other clinicians participating in meaningful use, patient engagement for Meaningful Use Stage 2 also includes bi-directional, secure email with patients. We want to make sure we facilitate electronic data access and email in a way that protects the privacy, confidentiality, and security of that information.

Web Hearing on Credentialing Patients

Later this month, on November 29, 2012 from 12pm to 4pm, the Privacy and Security Tiger Team of the Health IT Policy Committee, and the Privacy and Security Working Group of the Health IT Standards Committee, will host a web hearing on credentialing patients (verifying patient identity to make sure that in an electronic environment, they are who they say they are) to enable them to take advantage of new online tools.

In short, we will discuss the following questions:

  • What steps should we be taking to make sure that the person who is remotely accessing the record is the actual patient (or that patient’s authorized representative)?
  • How can we reliably issue these “digital credentials” without making it too hard or too expensive for patients?

Patients and caregivers, we want to hear from you. We encourage you to respond to these questions in the comment section below, or email ONC directly at

For those of you who already have online access to your health record in your doctor’s office or your hospital record, we are interested in how that access was granted.  For example:

  • Did you have to show up in person at your doctor’s office or were you able to establish the account online?
  • If you were able to establish the account online, what steps did you have to go through to prove your identity?
  • Once you established the account, what steps do you have to go through to access it?
  • Do you believe the process for giving you access to your account will keep your information secure?
  • What other approaches would you recommend to provide patients with secure online access to their medical information?

Provide us with your thoughts on how patients (and their authorized representatives) can be provided with easy and secure access to their medical records. If you do not yet have online access to your health records we want to hear from you on this topic as well. We encourage you to respond in the comment section below, or email ONC directly at

All responses will be collected and shared with the Health IT Policy and Standards Committees as part of the November 29, 2012 web hearing.

Attending the Web Hearing

If you are interested in attending the web hearing, please refer to the ONC FACA webpage.





  1. Dixie B. Baker, Ph.D. / Chair HITSC Privacy and Security Workgroup says:

    Accessing health information online is quite similar to accessing a bank account online. So it might be useful to consider what we need to do, and what information we need to provide, to get online access to our bank accounts. For example, to get online access to my bank account, I had to submit a request, which asked me to select a username, and to provide some identity information, such as address, account number, and date of birth. Later, I received in the USPS mail two letters: one asking me to confirm that I had requested the account (no response meant “yes”), and the other providing a URL and a temporary password. Then I had to login using my username and temporary password, which I was immediately asked to change to something that met the bank’s password-strength requirements. I was then asked to select and provide answers to several questions, such as my father’s mother’s first name, the name of my favorite teacher, and my favorite color (I didn’t pick that one, since my favorite changes frequently). Finally I was asked to select an image that would appear each time I logged in.

    Now, whenever I login, I’m asked to provide my username, after which my selected image appears and I’m prompted for my password. If I’m logging in from other than my home personal computer, I’m required to correctly answer a couple of the questions I selected. If I remain logged in for a period of time without taking any action, it asks me to confirm that I’m still there, else it logs me out.

    I feel comfortable that my bank takes my personal privacy, and the security of my information, very seriously. I would expect no less from my healthcare providers because my health information is at least as sensitive as my financial information – and unlike unauthorized use of my credit card, the loss of my health information cannot be reversed by sending me a new body. The upcoming hearing focuses on identity assurance to support the 2014 meaningful-use requirements for patient portals and secure email between providers and patients. The principal identity risks associated with these requirements are that an individual impersonating a patient could: 1) login to a patient portal using a patient’s identity, to access the patient’s health information and possibly send it to unauthorized third parties; 2) use a patient’s email account to trick a provider into disclosing confidential information or prescribing drugs or treatments; and 3) via either portal or email, provide inaccurate or misleading information about a patient, which then could corrupt the individual’s EHR, putting the patient’s health and safety at risk.

    I’m very much looking forward to our Trusted Identity in Cyberspace Hearing on October 29 – and to reading blog entries about individuals’ experiences and expectations for online identity authentication.

    • Robin says:

      I totally agree with Dixie. My financial position is just as important to me as my health. I don’t want anyone disguised as me spending my money. I, too, utilize online banking and manage credit cards online. Each place has its own sign up policies but in all cases, I was required to create a log in and password and select a few questions that I could answer if I was unable to remember my password etc…

      Patient portals and on line access to health care records is not a new concept. Some organizations have been doing this for well over decades. They apparently have put into place a system in which their patients feel safe signing up and participating. They should be asked the process as they would be able to include the technical steps they take to protect our privacy. As a patient, I can only tell you the most basic thing, like I had to create a username and password.

  2. Faqih says:

    Articles on patient encounters are quite excited

  3. Loran says:

    Since the value of my health data being compromised is quite low, I’m in favor of more open (and arguably less secure) methods of identification – things that rely on my own memory, such as questions that I set up to answer to verify my identity, etc. If I had more sensitive medical records, I might feel more secure with a unique identifier or even biometric scan.

    As a society, I think we benefit so much more by sharing health records than we risk to lose by having sensitive items uncovered, that it behooves everyone to make identity practices no more complicated than they are for banking institutions.

    • Jeff Brandt says:

      Actually the value of health data has increased, I read (sorry don’t have the cite) a SS number is worth about $1 each and Medical Record $5 in quantity. Drug Fraud and benefits provide the ROI

      Jeff Brandt

    • Sue Popkes says:

      Until recently, I was under the impression that I would only gain by sharing my health data. I have changed my mind. While I still believe in pretty much complete sharing with my health care providers, I have learned that ‘on the street’ my health information can be used by the bad guys to get paid for fraudulent prescriptions and procedures. I understand that my health care record may be worth from 30-50 dollars to these bad guys whereas my financial identity is worth maybe from 1-5 dollars.

      I have no idea how these dollar figures were created, but it does make you think.

  4. David C. Kibbe says:

    The bank account analogy works quite well if we assume that the citizen/patient is using a patient portal account supplied by his or her provider organization, e.g. medical practice, hospital, clinic, ACO, etc. And, if we assume that the patient is viewing and entering information about her health, much the same way that we view and enter data in an online banking portal about our finances.

    In fact, most provider organizations that offer their patients a patient portal account follow much the same identity verification and UserID/password practices that Dixie Baker describes in her comment above.

    Let me put aside the somewhat obvious threats to security and privacy in such portal accounts, e.g. the weakness of relying on UserIDs and passwords that are so easily cracked today. We can deal with them separately.

    Now let’s consider some patient-centered actions involving their personal health information that lie outside the banking analogy. For example, suppose that the patient Bob uses a patient portal account supplied by his primary physician’s practice, to view his health information, message with the practice, and download clinical summaries. But suppose that Bob wants the practice to send a copy of his clinical summary to a third party, let’s say a family member or another doctor. And let’s suppose that the way he wishes to do that is via the family member’s or the other doctor’s Direct address. Now what? Can his primary physician’s practice handle that in a secure and trustworthy fashion?

    Or, let’s consider the situation in which Bob’s primary physician makes a referral for Bob to see a specialist, say a dermatologist. Bob wants his medical records to travel with him, so he asks the dermatologist to send a report of his visit to his patient portal account with his primary physician. He provides the dermatologist his Direct address associated with his patient portal account with his primary physician.

    The asymmetry here is that Bob doesn’t have a patient portal account with the dermatology practice, and probably doesn’t want to go through the hassle of setting one up, because he may never see the dermatologist again after that one visit.

    Banks CAN transfer money and information between an account holder’s accounts with different financial institutions, in part because there are well established and trusted routing policies and practices established for that purpose.

    However, in the scenarios we just encountered with Bob, he’s asking the providers to send his health information to unknown, untrusted (at least from the providers’ perspectives) parties that lie outside of each provider’s patient portal membership, and perhaps even outside any provider-supplied patient portal account. Since he’s very unlikely to have a patient portal account with each and every health care provider and provider organization he contacts, inter-organizational exchanges and transactions for Bob’s health information follow the banking analogy only so far, and then we must think of something else.

    Fortunately, that “something else” is Direct message exchange, which will allow for any party to send messages to any other party over the Internet, regardless of whether they are within a patient portal account with a provider, with the caveat — and it’s a big one — that the identity providers and other security and trust agents acting on behalf of the senders and receivers all play by the same rules and policies, and thus work within a single community of trust.

    That’s very much the issue. How can we establish and maintain a community of trust and trusted agents for Direct communications between providers and patients that doesn’t require the patient to have a patient portal account with each provider? Put another way, how can we raise the level of assurance of identity for all participants in Direct message exchange, such that the risks are mitigated and yet the costs and complexities don’t get in the way?

    I think the answer lies in how we plan and execute a trust model and a Trust Framework for the entities that participate in the exchanges on behalf of Direct addressees. That is a challenge, but I do think it can be done.

  5. Dave Kirby says:

    Consider supporting a model in which the patient has a PHI storage/use facility (e.g. an untethered PHR) that is independent of any one provider and, among other things, is used to pivot information from one provider to another via the provider’s access to the PHR. This resolves a number of the inter-party trust issues while raising the issue of the ability of the receiving provider to be confident that the information received is complete and came from the provider it claims to be from. In theory, PKI-based digital signing of the content by the originating provider could provide this confidence, but building out the needed infrastructure would be a considerable task (with other benefits as well).

    • Robin says:

      Much of healthcare is based on referral and Providers refer you to other Providers they know and trust. Meaningful Use criteria includes exchange of key health information between Providers. I don’t think it is a trust issue between Providers as they are already working collaboratively and know what form of information they can receive from each other.

      The great point you make though, is how does a Patient get all of their records in one place. No patient really wants to manage multiple portal accounts. That is inconvenient. And I agree with David Kibbe that patients will want access to the portal of their main Provider, their Primary Care Provider. They will also want all of their information in one place and using Direct messaging is a great idea to get it there.

      Another issue both of you bring up is how can we be sure the information is complete and it came from the Provider it claims to be from. That’s where Patient and Provider communication is so crucial. As I said before, much of healthcare is based on a referral and appointment system and that tracking is being done. My Primary Care Provider sends me to a dermatologist that he/she knows, the EHR records a referral and until the documentation from the visit comes back to my Primary Care Provider, the referral stays open. My Primary Care Provider, when he/she sees me next, should be asking me if I went to that appointment and what happened etc… I realize that as a Patient, I may also self refer. But again, it is up to me to review my records and question things that I don’t understand or things that I don’t feel happened. Again, this is no different than having a credit card account online. If you see a charge that you didn’t authorize, you would immediately get on the phone and call your credit card company, wouldn’t you?

  6. Barry Hieb says:

    It seems likely that there will need to be a variety of techniques, technologies and processes employed to meet various healthcare person identification and authentication needs. PKI, the Kantara Identity Framework and biometrics are just a few of the options. However, the common denominator for all of these different approaches is that they should ultimately identify an individual patient. At GPII we thus believe that the privacy and security tiger team should endorse a variety of methods for patient authentication but that all of these should converge on a common identifier once the person is known. Voluntary Universal Healthcare Identifiers are the only existing, standards-based private enterprise option currently available to meet this need. We are starting to gain traction in healthcare and would look forward to a discussion with the tiger team concerning how this infrastructure could be used to enable a wide variety of authentication and authorization approaches within healthcare while vastly simplifying the downstream processing that needs to occur once the individual is known. In addition, this approach opens the door to an evolving set of privacy capabilities that will become the next ‘must have’ as healthcare identity services continue to progress.

  7. John Haggard says:

    Choices for authenticating users are vast, but still fall into three basic categories of what a user knows, has, or is. The latter two categories present challenges on meeting anywhere, anyplace, anytime requirements.

    The primary “what you have” choice is anything that can display a one-time password such as tokens, phones, or even scratch pads. “What a user is” usually is reserved for biometric methods. Both OTP and biometric authentication methods are valid good choices, but require management of devices, biometric samples etc.

    Another mechanism, which qualifies as multifactor authentication, but stays in the realm of “what you know,” is graphical passwords from Passfaces. This meets the three “anys” requirement without additional tokens, phones, or biometric acquiring devices. What is required is a graphical logon interface which is almost universal in today’s web and mobile world.

    What differentiates Passfaces from other graphical mechanisms is the unique ability for humans to remember faces (Fusiform Gyrus); patients can easily imprint on a set of faces and pick them out one by one on successive grids of faces presented during logon, even after months or years of previous logon attempts. Furthermore, unlike traditional passwords, humans have little ability to accurately communicate to others what faces (e.g. password) they have assigned.

  8. sofia watson says:

    Stage 2 patient engagement objectives create an ideal justification for telephonic patient HIT systems. Whether land-line or cell, telephone technology is nearly universal and superbly “transparent” for all demographic groups.

    Speech recognition (SR) can readily input PHI for encryption into a web database / health record. Or “Press # for …” systems can be used in lieu of SR for inputting readily-scripted or a limited number of data.

    Large-number keypads and on-screen text can enable easier use by people who have vision or dexterity constraints.

    The data base can automatically provide the greater than percentage of a provider’s patient census who used the HIT to provide patient-reported data, access their latest PHI from a provider’s EHR, and who used secure messaging to clarify discharge instructions or therapy intent.

    Remote patient monitoring (RPM) systems also can shoulder PHI-reporting burdens while ensuring patient use of HIT. After all, the system is worn by a patient. As such, it is a constant reminder to adhere to her / his therapy regimen and focus on (Hawthorne-effect like) health behaviors.

  9. Joseph Schneider says:

    MU 2 requires health care practitioners to provide patients with the capability to electronically view, download, and transmit information from electronic health records. The issue about credentialling that arises from this is based on a flawed approach, as outlined below.

    The MU requirement appears to be based on the assumption that as a patient, I will want to 1) go to URL of multiple doctor’s records (I have four to remember), 2) log in to each using a different interface and probably a different username and password, 3) view or download the information that is presented in different ways, 4) maybe upload the file to a place where I keep my records and 5) maybe consolidate the information into a single record that I keep for myself. I’m a motivated patient, but remembering how to use multiple different systems is going to discourage even me.

    If, however, the MU requirement had been to have the record of each healthcare encounter automatically exported to the location of the patient’s choice (e.g., a web-based personal health record, a healthbank, a USB drive, etc), the question of patient access to multiple practitioner records could be avoided altogether. The consolidated record that would result from this would go a long way to eliminating problems we have with multiple HIEs containing pieces of a patient’s health history over time. Access to the consolidated patient record by the patient or their guardian would be worked out between the patient/guardian and the organization providing the consolidated service, which would be selected by the patient.

    So I would change MU2, but failing that, we need to address the access issue that it creates. Compounding factors will be adolescent privacy, name changes with newborn babies, delegation issues where there is an older parent or for children where the parents are separated, etc. I have few answers for these problems. My only recommendation is that we use the banking model where I get a username and password and then have to provide some personal information if I change computers. I should have the ability to change the username and password on my multiple accounts to a single username for ease of remembrance.

    Hope this helps. I’m looking forward to the day when we trust patients with their own data and let them manage it. Many of us as patients are capable of this and there are ways to handle those who lack the capability.

    Thanks for the opportunity to comment.

    Joe Schneider
    Dallas TX

  10. Pete Silva says:

    A creation of a secured web-based database of patients’ medical records should do, where patients may access their information in the comfort of their homes. Though it’s true that not all patients are electronically-inclined, their trusted family members and/or care-givers may access their information on their behalf, to maximize the use of this database system.

  11. Leslie Kelly Hall says:

    Access to Records

    Having access to our own health records is such a liberating thought. We no longer have to guess or remember what was said, what results were found, what risks and benefits we can achieve on our own. We have access. The ability to “View, download, and transmit” will allow each of us to define how we want ourselves and our providers to receive information. All of the stakeholders can get the information we deem important. This is truly liberating. It is a first step in crossing the digital divide in healthcare.

    Simple use case, simple solution

    We strive for simplicity. We want to tell the provider, “Just send it to my email account.” This is simple, and if the patient asks, providers are obligated to comply. Emailing to patients presents minimal risk to the provider, even though it might not be HIPAA compliant. That’s because before providers send the email, they can request written consent from the patient and mitigate the risks inherent in “email in the clear.”

    But designing an infrastructure that depends on non-secure, unencrypted email would be risky at best, and it goes against the privacy and security tenets of HIPAA. Many providers would prefer to opt for solutions that provide simplicity to the patient while also being HIPAA compliant. The ability to receive information as email is a start, but there is more protection and security that will be needed if patients and providers are to truly engage as partners in the digital ecosystem.

    Access evolves to interaction

    The natural evolution of access is interaction. We expect to do much more online in any other industry than we do in healthcare. However, healthcare is following the course of other industries. Banking online has evolved from viewing balances, to making complex transactions, to the use of mobile devices. The same will happen in healthcare.

    As the use cases evolve, the need for digital trust, or identity assurance, will need to evolve.

    Care team evolves—digitally

    Imagine a digital relationship with your provider that gives you the ability to interact on your terms. You share in decision making, and you provide health information such as family history, reasons for your visit, pre-visit preparation, digital uploads, and sharing the creation of care plans. All of this is reflected in a collaborative record.

    Your provider sends you helpful information so that your visit can be meaningful and direct. Your instructions about your values, preferences, and needs are understood and placed in the provider record in an actionable way. Just like any other input into the EHR—an observation, a result, a history, a finding, or an order—material information about your care and health is reflected in the EHR. But there’s one important difference— it is authored by you.

    Level-of-assurance continuum

    So there is a continuum of patient interaction in HIT that warrants a complete look at how patients first enter this digital world. Do they enter with the same level of assurance as a provider? Are they alienated when we make access too difficult just so we can confirm their identity? Do we approach access and interaction differently? Do we acknowledge that patients have different needs as they demand more or less of HIT?

    These questions have been discussed and puzzled over by groups such as the and ABBI projects. It could be argued that at the first digital point of entry, we need a high degree of identity trust. This would allow for the more advanced features where patient identity is assured, such as shared decision making, shared care plans, legal documents like advance directives, and more. As a consumer advocate, I have struggled with any level of assurance that minimizes or marginalizes the patient.

    Perhaps I struggle because in healthcare the patient has been the most disenfranchised member of the care team, separated by language, process, understanding, and culture. Yet most of the information in a health record is generated by patients, either directly (from their bodies) or indirectly (through their provider’s observation). The promise of digital integration gives us the same opportunity we have had in other industries—to act on our own behalf, to have independent and selective interactions with all of our care team members, and to interact without intermediaries and as important care team members.

    So is the level of assurance needed for this interaction dependent on the use case?
    Here is a potential use case that evolves with the need. In this first use case, the patient says “Send it to my email account.” The provider knows the patient and sends the email with confidence that in this instance, the email address matches this patient. The provider’s system sends an encrypted message to the patient. The patient then clicks something to receive the email, typing some password that the patient knows and/or has been arranged ahead of time with the provider.

    Digital sentry

    This works. Receiving information is a passive activity, and no more assurance is needed. It is when the patient wants more that is at issue. It gets more complicated when the patient wants more interactivity.

    Let’s expand the use case to allow for this future state. The patient logs on for an initial email from the provider. She is asked if she wants to provide data, participate in shared decision making or shared care plans, or provide advance directives, etc. with this or another physician at some future date. If she does, she is asked to go through a new process to get a higher level of digital credentials (LOA3). If not, she proceeds with the email.

    When care information is generated by the patient and is sent to the provider, more trust is needed. It could be family history, insurance, observations, shared decision making, etc. In order for the EHR to accept the information in a way that is actionable and is trusted by the provider, efficient to the business, and convenient to the patient, the care team members have to be confident that the inbound data is operating at a high level of trust. The care team must be confident that the source address is private, that the information has been sent securely, and that the patient can be identified as connected with the sending address. The level of assurance must be higher and the identity matched to the patient.

    There is a role to be played by the sending and receiving systems, a digital sentry of sorts. As the patient sends the data, the sending system, or HISP, recognizes the receiving system as a provider location. The HISP recognizes that the level of assurance is not strong enough for the provider EHR to know and feel confident in the data security and patient identity. The HISP then redirects the patient via a process that asks a series of questions (similar to safe bio pharma and no more burdensome than Paypal) to confirm that patients are who they say they are. The system then can upgrade the credentials and redirect back to the HISP for DIRECT email processing. The HISP is a sentry of sorts, validating the credentials needed for each use case.

    This process could be used for inbound patient-generated data as well as for data that is pulled by the patient in the process envisioned by the ABBI project. A publish/subscribe system sees an inbound request associated with a DIRECT address. If the credentials and level of assurance are strong enough, the sentry lets the request continue. If not, the sentry redirects in the same process as above. Once the proper credentials and level of assurance are met, the data is released.

    This staged approach could meet the immediate access needs without jeopardizing future use cases as long as: 1) we acknowledge that there are more robust needs in the future, 2) we allow for those needs, and 3) we provide proper regulatory direction to promote these needs.

    So in brief view, download and transmit (to providers) could go forward for patients at LOA2. Transmit to patients and their designees requires LOA3. Shared care planning, decision making, advance directives, pre-visit preparation, and any patient-generated data needs an LOA3.
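The "digital sentry" step-up flow from the comment above, sketched as an added example (not code from the commenter, ONC or any HISP product). The use-case key names, the proofing-answer store and the three-failure limit are assumptions made for illustration; the LOA2/LOA3 assignments follow the comment's closing summary.

```python
import hmac
from dataclasses import dataclass
from enum import IntEnum


class LOA(IntEnum):
    LOA2 = 2
    LOA3 = 3


# Required level per use case, from the closing summary of the comment.
# The key names are invented for this example.
REQUIRED_LOA = {
    "view": LOA.LOA2,
    "download": LOA.LOA2,
    "transmit_to_provider": LOA.LOA2,
    "transmit_to_patient_or_designee": LOA.LOA3,
    "shared_care_plan": LOA.LOA3,
    "shared_decision_making": LOA.LOA3,
    "advance_directive": LOA.LOA3,
    "pre_visit_preparation": LOA.LOA3,
    "patient_generated_data": LOA.LOA3,
}
MAX_PROOFING_FAILURES = 3  # assumption: the comment sets no limit


@dataclass
class Credential:
    direct_address: str
    loa: LOA


def _norm(text):
    """Normalize a proofing answer before comparison."""
    return text.strip().lower().encode()


class Sentry:
    """Gate between a patient's Direct address and a provider system."""

    def __init__(self, proofing_answers):
        # address -> {question: answer}; a constructed stand-in for a
        # real identity-proofing service.
        self._answers = proofing_answers
        self._held = {}      # address -> [(use_case, payload), ...]
        self._failures = {}  # address -> failed proofing attempts
        self.audit = []      # (address, event, outcome)

    def submit(self, cred, use_case, payload):
        required = REQUIRED_LOA.get(use_case)
        if required is None:
            outcome = "denied"  # unknown use case: fail closed
        elif cred.loa >= required:
            outcome = "released"
        else:
            # Hold the request and send the patient to proofing.
            held = self._held.setdefault(cred.direct_address, [])
            held.append((use_case, payload))
            outcome = "step_up_required"
        self.audit.append((cred.direct_address, use_case, outcome))
        return outcome

    def complete_step_up(self, cred, answers):
        """Check proofing answers. On success upgrade the credential to
        LOA3 and return the held payloads, which are then released."""
        addr = cred.direct_address
        if self._failures.get(addr, 0) >= MAX_PROOFING_FAILURES:
            self._held.pop(addr, None)  # locked out: drop held requests
            self.audit.append((addr, "proofing", "locked"))
            return []
        expected = self._answers.get(addr, {})
        ok = bool(expected) and set(answers) == set(expected) and all(
            hmac.compare_digest(_norm(answers[q]), _norm(expected[q]))
            for q in expected)
        if not ok:
            self._failures[addr] = self._failures.get(addr, 0) + 1
            self.audit.append((addr, "proofing", "failed"))
            return []
        self._failures.pop(addr, None)
        cred.loa = LOA.LOA3
        self.audit.append((addr, "proofing", "upgraded_to_LOA3"))
        released = []
        for use_case, payload in self._held.pop(addr, []):
            self.audit.append((addr, use_case, "released"))
            released.append(payload)
        return released


if __name__ == "__main__":
    # Constructed sample data.
    sentry = Sentry({"bob@direct.example.org": {"street": "Maple Street"}})
    bob = Credential("bob@direct.example.org", LOA.LOA2)
    print(sentry.submit(bob, "download", "clinical summary"))
    print(sentry.submit(bob, "patient_generated_data", "family history"))
    print(sentry.complete_step_up(bob, {"street": "maple street"}))
```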

  12. Patrick Young says:

    There are in my opinion two or three methods that are fairly simple to implement and provide multi-factor authentication.

    When the patient’s phone number and/or mobile number is included in their records authentication is quick and easy.

    On the patient access portal or , display a 4 digit PIN number and give the patient the choice to receive an automated phone where they respond with the posted PIN number. Alternately they can be given the option to TEXT in the PIN via SMS Text Messaging.

    The third method would be postal. A PIN number being provided via snail mail. This is the weakest with SMS Text being the strongest.

    Information on pre-authentication using these methods can be included in statements and other mailings.

    Authentication should NEVER include anything to do with Email. The complexities associated with secure email are beyond the scope of patients. Same goes for digital signatures, certificates, and tokens.
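The displayed-PIN check described in the comment above, as an added example (not the commenter's code or any portal vendor's). It assumes the telephony or SMS gateway reports the sender's number reliably; the five-minute lifetime, the three-attempt limit and all names are assumptions, chosen because a 4-digit PIN has only 10,000 possible values.

```python
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300  # assumption: PIN shown on the portal lives 5 minutes
MAX_ATTEMPTS = 3       # assumption: cap guesses against a 4-digit PIN


def _digits(text):
    """Keep only ASCII digits (phone formatting, 'PIN 1234' replies)."""
    return "".join(c for c in text if c in "0123456789")


class PinChallenges:
    def __init__(self, phone_on_record, clock=time.monotonic):
        self._phones = phone_on_record  # patient_id -> number in the record
        self._clock = clock
        self._open = {}  # patient_id -> [pin, expires_at, attempts_left]

    def start(self, patient_id):
        """Create the PIN the portal displays; replaces any earlier one."""
        if patient_id not in self._phones:
            raise KeyError("no phone number on record")
        pin = f"{secrets.randbelow(10_000):04d}"  # CSPRNG, zero-padded
        expires_at = self._clock() + PIN_TTL_SECONDS
        self._open[patient_id] = [pin, expires_at, MAX_ATTEMPTS]
        return pin

    def inbound(self, patient_id, from_number, body):
        """Handle an inbound text or keypad response and return the outcome."""
        challenge = self._open.get(patient_id)
        if challenge is None:
            return "no_challenge"
        pin, expires_at, _ = challenge
        if self._clock() > expires_at:
            del self._open[patient_id]
            return "expired"
        # The second factor is possession of the phone on record, so a
        # reply from any other number fails regardless of the PIN.
        if _digits(from_number) != _digits(self._phones[patient_id]):
            return "wrong_phone"
        if hmac.compare_digest(_digits(body).encode(), pin.encode()):
            del self._open[patient_id]  # single use
            return "verified"
        challenge[2] -= 1
        if challenge[2] == 0:
            del self._open[patient_id]  # force a fresh PIN after the cap
            return "locked"
        return "wrong_pin"


if __name__ == "__main__":
    # Constructed sample record; 555-01xx numbers are reserved for fiction.
    challenges = PinChallenges({"patient-1": "+1 214 555 0100"})
    shown = challenges.start("patient-1")
    print(challenges.inbound("patient-1", "+12145550100", shown))
```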

  13. Ryan Smithson says:

    I think texting will work as long as a stable phone number is used. There are also several families that may share a single cell phone. I think a kiosk at the medical office where the patient can choose the best way to contact them and input the details directly without any paperwork, would be the best way.

  14. Lunil English says:

    we may benefit so much more by sharing health records than we risk to lose by having sensitive items uncovered, that it behooves everyone to make identity practices no more complicated than they are for banking institutions.

  15. David Kickinger says:

    we may benefit so much more by sharing health records than we risk to lose by having sensitive items uncovered, that it behooves everyone to make identity practices no more complicated than they are for banking institutions.

    This is definitely true.
