With health care portals so pervasive in hospitals and doctors’ offices, data breaches, such as sending a medical record to the wrong person, are going to occur, either because of human error or a glitch in the system. Practices that offer portals to patient can take measures to minimize the risk of such breaches.
When contracting with a vendor to establish or manage a portal, it is important to be sure the vendor is qualified, stressed David Holtzman, vice president of compliance strategies at CynergisTek, Inc., based in Mission Viejo, California. Basic questions that should be asked of a vendor include:
- Who will have administrative control?
- Will the vendor or practice be responsible for set up?
- Who will manage information security over time (such as updating and patching software)
- Who authenticates users?
- Will authentication be single- or multi-factorial?
- Where will data be stored?
Practice personnel need to know when they will be notified if a breach occurs and who will be responsible for notifying patients. They also should ask vendors if they plan to de-identify portal data and use it for secondary purposes. If so, doctors should understand the process and be comfortable with it.
Once information leaves a portal, providers no longer are accountable for its security, but this does not mean they should not be concerned about patients’ use of the system. The process begins when patients initially sign up to use the portal, said Darice Grzybowski, president of H. I. Mentors, a health information management consulting firm based in LaGrange, Illinois. “It’s a good idea to give patients a temporary password and then have them sign on and change it so they can see how to do it,” Grzybowski said. “It saves [a practice] from having frustrated users.”
Physicians also should provide a brochure with portal instructions and security reminders, such as keeping login information confidential and alerting them that transmitting information over the internet (as by email) can be risky. Patients also should be cautioned that once they take information from the portal, it is their responsibility to keep it confidential.
In addition, physicians have to decide whether patients will be given access codes automatically or if they need to opt into the portal. Other considerations include how password resets will be handled (for example, by administrative staff or vendor), and whether patients will be able to add information to the portal. Gryzbowski recommends making portal information read-only and listing a phone number patients can call if they have concerns about information on the portal. Physicians need to determine if portals will be enabled to receive data transmitted from wearable medical devices or if patients will input data from these devices.
Holtzman noted that physicians need to decide who will have access to patients’ portals. Patients can designate a personal representative, so practices need to establish policies and procedures related to this. Parents typically are the personal representatives for their teenage sons and daughters, but in states that allow minors to consent to services for sexual health or reproduction, giving parents access to their teens’ information related to these services would be a HIPAA violation.
Practices must determine how they will communicate with patients regarding information that is in the portal, such as test results or doctor’s appointments. Problems can arise if policies are not in place. For example, a man may not want his wife to know he made an appointment with a urologist, but an email reminder about that appointment might wind up being sent to their shared email account.