Last week, the Office of the National Coordinator for Health Information Technology (ONC) issued the final rule defining “Meaningful Use” for electronic health records (EHRs). Unfortunately, the definition does little to address concerns about the protection of personal health information and provides no guidance on the requirements to securely access electronic medical records.

On Tuesday, the House Ways and Means Health Subcommittee held a hearing titled: Promoting the Use of Health Information Technology.  Jonathan Hare, Chairman and Founder of Resilient Network Systems, testifying at the hearing, outlined why the need for authentication is so important for Health IT Meaningful Use, indicating the purpose of the government giving incentive payments for EHRs was to have an interoperable health information exchange (HIE).  Regrettably, as Mr. Hare stated “there is no requirement to implement authentication, consent, authorization, disclosure management or any other services specifically mentioned in the HITECH Act that are necessary to genuinely enable secure electronic exchange of information.”  The final rule is sorely lacking by not defining authentication requirements and not addressing privacy concerns as part of Meaningful Use. Without the proper authentication mechanisms, a truly interoperable HIE will be next to impossible. While some people believe a secure HIE is not feasible in the timeframe set forth, an unsecure HIE is not a viable alternative.

Securing EHRs with a strong, multi-factor authentication mechanism needs to be a priority for ONC to meet the mandate of Congress and deploy an interoperable HIE. This will not only prevent traditional online data breaches from occurring, but it would also render stolen laptops, hard drives, and other physical devices virtually useless because the lack of a proper authentication credentials, prevents access to protected health information.  Some people believe information sharing is cause for privacy concern.However, if we use appropriate authentication mechanisms to mitigate against the network’s vulnerabilities, privacy can be protected and even enhanced.

At the hearing Congressman Xavier Becerra (D-CA) pleaded with Dr. David Blumenthal, the National Coordinator for Health Information Technology and Tony Trenkle, CMS Director of e-Health Standards and Services to “please not slip on privacy” in relation to EHRs and Health IT.  The only way to protect privacy in an information exchange is through good, solid multi-factor authentication.  Unfortunately, for Congressman Becerra and the rest of us, the definition of Meaningful Use as outline in the final rule does not provide clear, strong authentication guidelines.  Strong authentication will create the necessary security to protect our personal health information and will enable and encourage interoperability within the HIE that is so desperately needed.

For more information on the protecting EHRs, please click here.