Meaningful use stage II is requiring a certain percentage of patients to be able to view their patient health information. At HIMSS in New Orleans there was a lot of conversation about this. And many vendors talking about their solutions. InteliChart is a good example of these portals. What happens if a patient goes to different doctors? Different portals. And most of the security is username + password. Not much 2-factor authentication in place.
Then layer in the requirements for the Health Information Exchanges. Each patient needs to be perfectly matched to every EMR where their records reside. Name + date of birth does not work so well if you are John Smith or Maria Garcia. And who has access to these records? And how does the patient know? Again, many vendors have their unique solutions requiring everyone to sign up for their particular system.
These systems are being built bass-ackwards. Here's a novel concept: Have the patients in control of their own identities and they decide when and where other people (or their surrogate like their primary care physician) can access their information. And the patient knows everytime who accessed what information and for what purpose.
Universal identity cards will work as well as a social security number. They won't. Instead, patient supply their own credentials and each entity verifies if they indeed trust that that patient is who they say they are. Can this be done programmaticly? Yes and it's not that hard.
Look at project VRM:
Create a personal private cloud for each patient. Then create an oAuth service that each provider entity and HIE can connect. The trick here is that all authentication and access flows through the individual patient's personal cloud. Use a certificate authority to create irrefutable credentials and use for 2 factor authentication (added bonus - public /private key encryption)
Time to build it.