Patient Portal Privacy, Security TipsGiving Patients Secure Access to Records
In response to requirements in the HIPAA Omnibus Rule and the HITECH Act that call for providing patients with electronic access to their health information, more healthcare organizations are rolling out patient portals. But before healthcare providers create portals to give individuals a window into their electronic health records, experts say there are several important factors to keep in mind.
For starters, remember that under HIPAA, patients have the right to access their "designated record set," which includes not only their medical records, but also their billing records and other records used to make treatment decisions, says privacy attorney Adam Greene, a partner at Davis Wright Tremaine.
2013 HIMSS Conference session.
Meanwhile, if you think having patients access their records via a portal will cut down on requests for hard copies of patient records, think again. At Mayo Clinic, which rolled out a patient portal in 2011 that is now used by about 260,000 patients, the patient portal has resulted in a 50 percent increase in paper record requests, Jacki Monson, Mayo's privacy officer, said during the HIMSS presentation.
"Most people still want paper copies," especially once they see copies of their information via the patient portal, Monson says.
Also, remember that under HIPAA, covered entities are permitted to deny a patient - or their authorized representative, such as a spouse or parent - access to information for numerous reasons, Greene says. Those reasons include a likelihood that access could cause physical danger, such as in an abuse case. Another reason a covered entity can deny access is that they obtained the information from a non-healthcare provider under promise of confidentiality.
At Mayo, patients or authorized representatives can be denied access to clinical notes that clinicians mark as confidential, Monson says.
Healthcare organizations must have strategies for dealing with records access exceptions. That might include data segmentation, where, for example, a parent might be blocked from seeing reproductive health information regarding a teenage child, unless the minor has given consent. Because laws regarding minors vary from state to state, Mayo abides by the laws of the states with the strictest restrictions, Monson says.
Portals can be a two-way street. Under HIPAA, patients are allowed to submit amendments, such as corrections to their medical records. And portals can be an easy way to submit these amendments. Mayo saw 100 percent increase in record amendment requests from patients after the portal was rolled out, Monson says. But clinicians can deny having the amendment added if the information, for instance, is incorrect, she notes.
Some important security considerations in rolling out patient portals include remembering to include portals in risk assessments, Greene says. That includes assessing the risk of the portal being accessed by unauthorized individuals or data being intercepted during transmission.
Also, organizations should determine if the vendor providing the portal software has had the product independently tested for security robustness, he recommends.
Another consideration for security is authentication of users. While the HIT Policy Committee that advises the Office of the National Coordinator for Health IT has recommended that clinicians use multi-factor authentication for remotely accessing patient data, the committee's Privacy and Security Tiger Team has recommended that authentication of patients access to their data should not be so difficult that it becomes a deterrent to consumers using portals, Greene notes.
Greene says healthcare providers need to consider several factors for patient portal user authentication, including:
- Whether there needs to be initial in-person authentication of patients;
- How strong passwords need to be;
- Whether patients have the option of requesting higher security, such as multifactor authentication;
- What the policy for consecutive failed login attempts should be;
- How password resets should be handled.
At Mayo, patients are not required to appear in person for initial authentication because the clinic's patients come to the institution from many states, Monson says. However, after five failed password attempts, patients must appear in person to get new authentication, she adds.
Other security issues to keep in mind for patient portals are physical safeguards and encryption to protect servers holding the patients' data as well as appropriate levels of auditing to spot inappropriate or unusual activity, Greene says.
Mayo has a team of three people responsible for auditing patient portal logs, Monson says.
"It's important to have privacy and security members involved with the design of the portal," she adds.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.