Protecting Patient Portal Information


Patient portals have made it easier than ever for consumers to access their own electronic health information. However, the availability of online access brings a new set of challenges. Meeting HIPAA/HITECH requirements is a primary concern. A security breach can cause financial harm and loss of consumer trust.

As they implement portals, healthcare organizations must be ready to address privacy and security issues. Technology alone is not enough to protect health information: continuous improvements to risk assessments, security monitoring, education, patient engagement initiatives, information governance programs and more must be addressed. A collaboration among healthcare executives, HIM, and IT will need to be established, if one is not already in place, to create practices that promote secure and effective portal use.

Protecting Sensitive Health Information
Managing the disclosure of sensitive health data is a pressing priority. Limiting an individual's access to specific information can be difficult. Have you thought about what personal representatives are able to view in the patient portal? Does the patient portal have role-based access? Can the data be segmented to ensure its protection?

Separating out subsets of data, known as data segmentation, is key to preventing sensitive data from being posted without proper authorization. This requires the right technology supported by a data governance plan to effectively protect privacy. For example, even though a patient’s STD test is left out of the EHR, a medication list might reveal the diagnosis.
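
The medication-list leak described above, as an added example that is not part of the original article: segmentation that hides only entries tagged at the source still shows a proxy the linked problem and medication, while segmentation over inherited tags hides them. The category names, the `refs` links between entries and the sample chart are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

SENSITIVE = {"sexual_health", "behavioral_health"}  # assumed category names

@dataclass
class Entry:
    id: str
    kind: str                                 # "lab", "problem" or "medication"
    label: str
    tags: set = field(default_factory=set)    # sensitivity tags set at the source
    refs: tuple = ()                          # ids of entries this one was ordered for

# Constructed sample chart: only the lab result carries a tag at the source.
CHART = [
    Entry("med1", "medication", "doxycycline", refs=("prob1",)),
    Entry("prob1", "problem", "chlamydial infection", refs=("lab1",)),
    Entry("lab1", "lab", "STD test", tags={"sexual_health"}),
    Entry("med2", "medication", "lisinopril", refs=("prob2",)),
    Entry("prob2", "problem", "hypertension"),
]

def effective_tags(entries):
    """Map id -> tags, inheriting through refs until nothing changes."""
    tags = {e.id: set(e.tags) for e in entries}
    changed = True
    while changed:
        changed = False
        for e in entries:
            for ref in e.refs:
                new = tags.get(ref, set()) - tags[e.id]
                if new:
                    tags[e.id] |= new
                    changed = True
    return tags

def source_tag_view(entries, authorized=frozenset()):
    """Weak segmentation: hides only entries tagged at the source."""
    return [e.id for e in entries if (e.tags & SENSITIVE) <= set(authorized)]

def proxy_view(entries, authorized=frozenset()):
    """Segmentation over inherited tags: linked problems and medications are hidden too."""
    tags = effective_tags(entries)
    return [e.id for e in entries if (tags[e.id] & SENSITIVE) <= set(authorized)]

if __name__ == "__main__":
    print("source tags only:", source_tag_view(CHART))   # med1 and prob1 still shown
    print("inherited tags:  ", proxy_view(CHART))
```

Passing `authorized={"sexual_health"}` to `proxy_view` models a patient who has authorized that category for the proxy, which restores the full chart.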

Managing Portal Access for Minors
Making decisions about portal access for minors can be complicated. At what age can a minor consent to sharing their information? What is the potential harm to the patient?

Organizations must be aware of the complexities of regulations and develop procedures for handling the information according to state and federal laws. Many providers are allowing minors to sign a parental proxy authorization, subject to annual renewal, at the time the minor gains the right of consent. For others, the decision is less clear cut. Some have even decided against portal access for minors.

Melissa H. Jarriel, RHIA, CHP, Director of HIM services at Georgia Regents Medical Center in Augusta, Georgia, describes her team’s process of addressing the issue. “During implementation of our portal, we focused on emulating the way we were already handling access to minors’ records, on a case-by-case basis, considering the parents’ involvement in care,” she explains.

“For example, if a parent requests the record of a 15-year-old who has a STD, we don’t readily disclose that information without involving the teenaged patient in the decision. Also, when granting portal access to a parent of a teenaged patient, we consider the documented involvement of the parent in that child’s care.”

After much deliberation, they decided to combine the case-by-case approach with a hard stop at age 18 for suspending parental access, except for minors unable to care for themselves. Since going live March 1, 2014, this policy has worked well.

Engaging Employees First
Georgia Regents Medical Center made a smart decision to begin portal implementation with employee engagement as a model for patient engagement. “We encouraged all employees who would be part of the portal process to participate: frontline nurses, IT, HIM, PAS staff. With firsthand experience, they would become our best advocates,” Jarriel says.

First, a mini-enrollment fair gave IT and HIM an opportunity to walk through the registration process: sit down at the computer, log in with a user ID and password, and accept an invitation via email. This was followed by a larger employee enrollment of over 400 people.

“We learned the value of creative marketing to achieve successful enrollment aimed at privacy and security,” Jarriel adds. “The theme of our campaign was VIP (Virtually Informed Patient), featured on electronic bulletin boards, posters on easels, cards on patient trays, employee lanyards, and a slide show with a link to our consumer website.”

So far, Georgia Regents Medical Center’s strategies have proven effective. The organization now has approximately 23,000 patients enrolled and approximately 6,300 of those have logged in and accessed their records. Meaningful Use (MU) compliance percentages are currently 60.6 percent (timely access) and 8.9 percent (view-download-transmit).

Building Best Practices
As organizations open access to patient information, best practices must balance regulatory compliance with patient engagement. HIPAA must work for patients, helping them to manage their health information securely online. Patients who are involved in their own care tend to make more informed decisions, achieve better outcomes, have fewer readmissions, and help reduce their healthcare costs.

Here are four best practices for promoting secure and effective portal use:

1. Maintain technical safeguards, including data segmentation and two-factor identification and authentication for portal access, such as login ID, password, and patient notification via text, call, or email. Also insist that information remains encrypted during transit and at rest, usually through a VPN or private gateway.

2. Establish a security monitoring and remediation program that includes periodic HITECH/HIPAA compliance and security risk assessment reviews and updates.

3. Improve data quality by encouraging patients to review their information for accuracy.

  • Allow requests of amendments through portals.
  • Support with policies and procedures for evaluation and response.

4. Provide ongoing education for staff and patients.

  • Staff: Raise awareness about regulatory requirements, incentives, and penalties associated with patient portals through HIPAA privacy and security and Meaningful Use training.
  • Patients: Provide education to patients through online tutorials, handouts, seminars, and one-on-one in-person educational sessions. Clearly communicate risks and benefits of patient portal access so that patients are well informed about their responsibilities as a patient accessing the portal.

As a reminder, organizations that have not yet performed a privacy and security risk assessment should do so now. This is vital from a privacy and security standpoint, and it must be complete for Meaningful Use purposes as well.

Making Information Governance Top Priority
Protecting the privacy and security of health information is a continual process as technology evolves and creates new challenges. Consider all the mobile technology and personal devices used by patients to collect and transfer data. How will that information be securely shared with providers? The increase in patient-generated health data (PGHD) amplifies the need for new protocols.

Information governance must be a key focus. Proper implementation of privacy and security measures requires effective information governance, as outlined in AHIMA’s recently released Information Governance Principles for Healthcare (IGPHC)™.

HIM professionals play a critical role in successful implementation of patient portals because they understand the legal requirements surrounding health information and have served as the hub of healthcare organizations for many years. When HIM collaborates with IT, executives, clinical personnel and many others, together we can transform an increasingly complex healthcare environment. Now is the time for collaborative leadership.

Alisha Smith is a health information educator at HealthPort.
