Taking Steps to Protect Patient Portals
Threats and vulnerabilities, such as hacking potential and password strength, should be considered.
Meaningful Use Stage 2 regulations from the Centers for Medicare and Medicaid Services have almost made the use of patient portals imperative. Measures in the regulation require that patients have timely access to health information after a physician visit and that 5% of patients download, view, or transmit their health information. Because this is just another avenue through which protected health information is being disseminated by providers, it has to be considered when thinking about HIPAA. Experts recommend a handful of things to keep in mind when creating or managing your portal.
Angela Rose, director of health information management access at the American Health Information Management Association in Chicago, said portals enhance patient-physician communication and allow patients to take greater responsibility for their own care. For this to happen, however, patients must understand how to use the portal and protect their information.
Physician offices have to think about how they want to provide access to patients and educate individuals on keeping information safe. Registration and enrollment are an important part of the process, and many offices like to do that in person, she said. This is a good time to review the portal agreement and give an activation code for setting up an account. Providers would be wise to educate patients on the importance of not sharing their password. Patients should be made aware of the possible risk of disclosure when they download or forward information from the portal. Once they have moved the data, the patient is then responsible should the information be compromised. Patients can be asked to sign a document acknowledging they understand their responsibility for keeping their own information secure.
Staff should also be trained on their responsibility and the significance of keeping protected health information in the portal secure, Rose said. Every office should have a designated person who deals with potential portal breaches, and patients should be informed of whom to contact.
Along with dealing with portal breaches, staffers need to be tasked with amending records. Under HIPAA, patients have the right to amend their billing and medical records. Because a portal makes information readily available and it is often simple to submit a request for amendment online, this may even require additional staffing. Adam Greene, an attorney with Davis Wright Tremaine LLP, based in Seattle, performed an analysis of the Mayo Clinic after it implemented a portal. He found a 100% increase in amendment requests compared with the period before deployment.
HIPAA also requires that facilities provide patients with access to their information in the format they request—for example, through the portal, via a paper copy, or by email—as long as the office is able to create that format.
“You can offer a really great patient portal to provide secure electronic access, but if they want it in paper copy, you can't refuse that and point them toward the portal,” Greene said.
It should also be noted that, while the portal gives some access, not all of the information a patient is entitled to under HIPAA is available there. Think of the portal as a summary instead of a complete record.
The portal must be included in any risk assessment. Threats and vulnerabilities, including hacking potential, software problems that could create vulnerabilities, and password strength, should all be considered. Practices can look to banks for a way to balance patient convenience with security. The passwords have to be strong, but not so complicated that patients cannot access their data. One way to do this is to use multi-factor authentication when it is available from the vendor. With this authentication, patients use a second source, like a cell phone, to confirm their identity in addition to their password.
Many small- to mid-sized offices are unable to do a full risk assessment on their portal, so it is important to confirm the software vendor has done vulnerability testing through a third party. Independent testing can find issues such as a patient changing the URL of their own records and seeing private information belonging to another patient, a flaw Greene has seen occur.
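The URL-tampering flaw Greene describes, shown as an added illustration that is not code from the article or from any vendor's portal: a record lookup that trusts the identifier taken from the URL, next to a hardened lookup scoped to the logged-in patient, plus the kind of cross-patient check an independent tester would run. The patient ids, records and audit log are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class PortalRecord:
    record_id: int
    patient_id: str
    summary: str


# Constructed sample data: two patients, one visit summary each.
RECORDS = {
    101: PortalRecord(101, "patient-A", "visit summary for patient A"),
    102: PortalRecord(102, "patient-B", "visit summary for patient B"),
}

# Constructed audit trail: refused lookups are recorded here so the office's
# designated breach contact has something concrete to review.
DENIED_ACCESS_LOG: list = []


def get_record_vulnerable(session_patient_id: str, record_id: int) -> Optional[PortalRecord]:
    """Insecure lookup: trusts the record id taken from the URL (/records/<id>)
    and never checks that the authenticated patient owns that record."""
    return RECORDS.get(record_id)


def get_record_hardened(session_patient_id: str, record_id: int) -> Optional[PortalRecord]:
    """Hardened lookup: scoped to the authenticated patient. A record that exists
    but belongs to someone else is treated like a record that does not exist,
    and the attempt is logged for review."""
    record = RECORDS.get(record_id)
    if record is None or record.patient_id != session_patient_id:
        DENIED_ACCESS_LOG.append((session_patient_id, record_id))
        return None
    return record


def leaks_cross_patient_data(lookup: Callable[[str, int], Optional[PortalRecord]]) -> bool:
    """The check a third-party tester runs: sign in as patient A, request the id
    of patient B's record, and report whether another patient's data came back."""
    result = lookup("patient-A", 102)
    return result is not None and result.patient_id != "patient-A"
```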
“What happens sometimes is vendors are focused on making a consumer-friendly product with security as secondary in the coding process,” Greene said.