When HIPAA (Health Insurance Portability and Accountability Act) was enacted in 1996, the fundamental objective was to enable portability of health records and coverage when someone changed insurance plans, and to reduce fraud and abuse. In order to achieve this, health information needed to go from being paper-based to an electronic format. It made sense since it is much easier to transmit and share information electronically.
This created a requirement to ensure that such data, termed “PHI” (Protected Health Information), is kept private and only accessed under authorized circumstances. HIPAA includes security and privacy as core components within the legislation, but the reality is that they are more of a byproduct rather than the primary objective. By design, HIPAA serves as high-level guidance, yet stops short of prescribing what technology or implementation approach should be taken. In parallel, two federal agencies, the Office of the National Coordinator (ONC) and the Centers for Medicare & Medicaid Services (CMS) have been collaborating to define standards that will enable the secure exchange of health information across providers, payers (insurance companies) and patients.
We tend to think that our insurer already knows information about us, but their systems have been tuned more toward accepting and paying claims — often without the details on exactly what was done from a medical standpoint. In fact, most people have never seen their complete health record, and neither can their doctor.
Creating an ecosystem where Health Information Exchanges (HIEs) can function without relying on direct point-to-point relationships is a focal point of healthcare IT strategy and planning. “There has been a great deal of progress, but the majority of healthcare entities are still concerned about controlling access to health information systems, applications and patient data,” explains Seonho Kim, Chief Architect at ApeniMED, which specializes in enabling HIEs. “They require a stronger, standards-based, interoperable, and easy-to-use security infrastructure — especially federated identity and security and privacy controls. The result is that a lot of healthcare entities and systems still remain as silos.
“The lack of standardized strong identity would be the biggest obstacle in the success of health information exchanges and progressing toward next stages,” he adds.
The lack of standardized interoperable identity models in the healthcare IT environment has created a huge gap in operational efficiency, cost and quality of care.
Defining the Stakeholders
There are obvious non-technical challenges that each primary stakeholder group faces in the healthcare environment:
• Patients need to know they can receive and afford the best-quality care and it will be paid for, in most cases, by their insurance provider;
• Healthcare providers must be assured that the insurance companies will pay them, that they can deliver the best care in a timely manner at the lowest possible cost, and that they can track fraud and abuse of the system; and
• Insurance providers and the government (Medicare/Medicaid) need insight into eligibility, outcomes vs. cost, and the ability to detect and track fraud before offering payment.
These concepts form the framework for how identity and security can play a role in meeting all three stakeholders’ needs. Without a strong federated patient identity, healthcare providers and insurance companies cannot get a full picture of a patient’s medical information. Having a full view of the latest medical information for patients is critical — beyond the obvious quality of care, it can also streamline the registration process and administrative workflows, thus reducing costs for all stakeholders.