Validation of email addresses can be done at different levels.
Initial basic validation may just involve checking that it is the right format, with an @ symbol and possibly checking that the domain name is valid.
In healthcare (and most other organisations that retain a person’s email address for ongoing communication) an extra step is usually required, which involves sending a test email to the person’s email address and asking them to either reply or enter a code from the test email.
Is anyone on the forum aware of any existing standards that apply to validating a patient’s email address (and identity) in the healthcare setting?
Too onerous a verification process of email and identity will limit the ability of people to be onboarded to an electronic communication system in large numbers and reduce the benifits of the system to the population as a whole. However a less rigorous process may risk health information about an individual person ending up in the wrong hands. Are there any guidelines that help with working out what level of risk is appropriate to accept? After all, postal paper mail is far from perfect.
And also:
Should we be using the national “My Health Account” where possible to verify identities?
From a Google search I have found the following policies which relate to this:
And if you aren’t familiar with digital identity, then you might know most of the adult population have My Health Account already, you used it during COVID response to generate your vaccination certificates.
And yes you should be using MHA, because you will be asked to start using it as one of the only ways as a consumer or non-Health New Zealand employee to access information for yourselves or those you care for (as whanau or as health provider) in the publicly funded health system, unless you use realme verified which is federated.
Authentication is a major area where traditional methods lack sufficient levels of assurance, and therefore stops being trustworthy in pure digital settings for disclosure and making digital authorisation or consenting options.
If you like to learn more about what My Health Account can solve for you, please get in touch as I still look after the operations. It has come a long way since the last time @damon raised it in 2023.
Complicating this is the problem that email addresses can be dynamic (i.e. work emails here on the eHealth Forum!), and people variably engage with them.
To my overly simplistic view of the world, it makes oh so much sense to rely on a secure identification service (i.e. My Health Account or RealMe) which also houses the email address that the patient happens to be using at the present - rather than have every medical facility attempting to keep their email records up to date for all of their patients.
But I think that we are a little ways off that yet, unfortunately.
Of note, it is getting more difficult to get away with authenticating via simple email in the IT world. We are hanging onto enforcing this with the eHealth Forum for now (and have resisted MFA except for @moderators), but one day will need to join the party.
I hadn’t known about the NZ Digital Government identification standards so thanks for sharing that. It seems like a big document and not particularly with healthcare in mind. If it is intended that this does cover public hospitals, it may be helpful to have a hospital related summary of this articulated at the national level as I don’t think each region or district will have the time to go through this to figure out how it relates to the public hospital setting.
Also, with regards to My Health Account, it seems the Auckland Region as well as the South Island region are going through a process to verify patient email addresses to allow appointment information to be sent to patients.
Do you know from a My Health Account perspective, if there is any plans for these regions to link their email verification projects with My Health Account? It would seem like the logical next step, so that patients would then only need to update their email address centrally with their My Health Account, and not with each region that they may have also interracted with.
This is the Health version of the Identification Management Standard, but we need to conform to the DIA standard.
There are three email related programmes at present, outside of My Health Account, which covers notification services. You have referred to the hospital equation at Northern and Southern Regions, plus validation happening at Primary care (recorded on National enrolment service) and Public health (Via CPIR and Whaihua services). There’s also a digital post programme that recently kicked off. So when I mentioned the first message, you need to identify what is the purpose:
If you are trying to notify the user, do you care if it’s to the designated contact address, or are you trying to reach the person with PII restricted information
If you are notifying a representative of that person, shared email is permissible, but it might be clear it’s used to notify as contact detail (e.g. appointment booking for a support person/carer), not specifically expected it is to the individual
If you are sending clinical notes/details where HIPC covers clinical details (e.g. lab results, clinic note summaries, discharge summary), then you would probably want to make sure the email is unique to the user you want and they are legally able to be disclosed that information.
The emails validated in NES or hospitals, do not make any distinguishing components that the person behind the email is specific to only that person, just the designated contact details provided by the patient.
Digital Post and CPIR do that context if two people share the same email, and distinguishes between <16 year old and those older with agency, but it it still contacts the designated contact details.
MHA authenticates the user and presently requires 1 email to one specific user with MFA validation prior to disclosing health or PII information.
Hence the email validation purposes comes down to what is the purpose and what risks business/service owners wants to do with that email against a person record.
With regards to your final question if it’s linked, early conversations are underway, but there are a few things to happen from change management perspective first. New Dunedin Hospital might pose the first solid integration programme.