Healthcare Information Security

Cybersecurity News

Patient VDT portal authentication: Privacy considerations

By Patrick Ouellette

- The Privacy and Security Tiger Team continued its discussion of access to View/Download/Transmit portals by friends, family members and personal representatives during its meeting on Monday, February 10.

But before the Tiger Team was able to delve into representative access, Joy Pritts, Office of the National Coordinator for Health Information Technology (ONC) Chief Privacy Officer, offered an update on her recent discussion with the Health IT Policy Committee (HITPC). “[My] report [on the team’s work] was very well received and general recognition that the Tiger Team does a lot of hard work in an efficient manner,” Pritts said. “It was an opportunity for the Tiger Team to summarize what it’s been doing to the new National Coordinator, Karen DeSalvo, and she was quite pleased to hear the summary and it helped catch her up very quickly.”

In regards to representative access, Deven McGraw, Chair, Center for Democracy & Technology, reminded the audience that the team would focus only on adults for now and would continue to look at access to protected health information (PHI) through the Stage 2 V/D/T capability. McGraw maintains that there were three main issues to work toward final resolutions for: Authorization of friends and family, identification of friends and family and granular access.

1. Authorization to access of friends, family members

McGraw explained that the Tiger Team knows at this point that patients will share their own credentials in order to grant access, but it’s certainly not best practice. Dixie Baker, Martin, Blanck, and Associates, chimed in as well. “It may be good to tell people of potential health risks with sharing passwords on portals that have intake capabilities, which will be more common with the increase in medical devices,” Baker said.

Judy Faulkner, Epic CEO, said it’s important for healthcare organizations to be able to give proxy access because otherwise patients will have to look at the different hurdles they have to go through and just pass their information onto their spouse [instead]. “Sometimes [organizations] require paper consent, sometimes they require a personal appearance at the organization,” she said. “This makes it difficult because compliance departments are nervous about what they can and can’t do. The more we eliminate compliance departments’ concerns, the more people will use these portals.”

2. Identification of friends, family members

3. Granular access to V/D/T?

The Tiger Team had previously found that authorization, identification and granular access should be consistent with the following overarching principles:

- Protections should be commensurate with risks.

- Approaches should offer simplicity and ease of use for patients and be consistent with what patients are willing and able to do.

- Solutions should provide flexibility in the methods offered; ”one size does not fit all.”

- Approaches should leverage solutions in other sectors, such as online banking.

- Solutions should be accompanied by education that makes these processes transparent to the patient.

- Approaches taken should build to scalable solutions (e.g., greater use of voluntary secure identity providers such as those envisioned by the National Strategy for Trusted Identities in Cyberspace (NSTIC)).

- Solutions need to evolve over time as technology changes

Some Tiger Team members also provide some additional background. Here is a snippet of a back-and-forth between Larry Garber, Member, Reliant Medical Group and John Houston, University of Pittsburgh Medical Center, on how representative access is handled in their own institutions.

Larry Garber

We’re firm believers in face-to-face authentication of patients and their proxies or family members when setting up online access.  We are aware of other organizations where online access using online authentication services failed to prevent a mother pretending to be her 18 year old daughter.  I suspect spouses could do the same thing in many cases. We have started to allow authentication for patients over age 25 via the telephone, thinking that we’ll have cleared the riskiest age and can tell a wife faking being a husband…

John Houston

We do use commercial tools to perform remote identity proofing.  In such cases, the identity can be confirmed for approximately 75% of the request for an account.  Where the patient’s identity cannot be confirmed, the patient can “prove” his/her identity in person.  We can also send correspondence to the patient at his/her address of record, so that the patient can complete the registration process remotely.

McGraw added that the Tiger Team has received 22 comments as of 2/7/2014 on its recent request for input on V/D/T capabilities.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks