Why Patient Portal Privacy Is Complex
Federal Adviser Tripathi Discusses Privacy, Security Challenges
Differing state privacy laws and a lack of technology standards are among the factors that make patient portals complex to manage, says Tripathi, who co-chairs the Privacy and Security Tiger Team, which advises the HIT Policy Committee of the Office of the National Coordinator for Health IT.
For example, providing access to minors' health information via a portal is particularly challenging. "You may have a portal in which the parent has access to [their child's] information, but there is certain information that the parent [under various state laws] is not authorized to see, unless that child authorizes it," Tripathi explains in an interview with Information Security Media Group. That information can range from reproductive health services to substance abuse treatments - services that minors can receive without a parent's consent. "Literally every state has different laws and regulations," he notes.
Because a one-size-fits-all approach does not apply to patient portals, the challenge for healthcare providers and technology vendors, Tripathi says, is "how do you construct a patient portal and any sharing of information where a parent might be part of that information flow that protects the child's well-established rights?"
The tiger team, which recently began discussions on minors' health data access, will likely continue working on the topic for the next few months and could potentially make recommendations to the HIT Policy Committee that might help healthcare entities and technology vendors navigate through the complexities (see Navigating Access to Minors' Health Data).
Meanwhile, on the other side of the age spectrum, other privacy and security challenges arise when providing adult children and other personal representatives with access to elderly patients' medical information via portals - with the patients' consent, Tripathi says. "How you handle that from a technology perspective as well as workflow ... all those issues come into play and it becomes very complex," he says. "There are no national standards or guidelines about this."
HIPAA and participation in the HITECH Act financial incentive program for electronic health records require doctors and hospitals to provide patients with electronic access to their health information, and many healthcare providers are looking to comply with those regulations through the use of patient Web portals.
In the interview, Tripathi also discusses:
- Emerging privacy and security challenges he sees facing the healthcare sector;
- How HITECH Act funding winding down will impact the regional extension center program that provides technical assistance, including privacy and security help, to smaller healthcare providers;
- Other privacy and security issues that the tiger team is tackling this year.
Tripathi is president and CEO of the Massachusetts eHealth Collaborative, which is supported by several non-profit healthcare organizations in Massachusetts. The organization specializes in advising physician group practices and others about the implementation of electronic health records. In addition to co-chairing the tiger team, Tripathi also chairs the health information exchange workgroup of the Health IT Policy Committee. Before joining the collaborative, Tripathi was a manager at the Boston Consulting Group and served as founding president and CEO of the Indiana Health Information Exchange.