Channel: CTS Guides » PHR

Can a Commercial PHR do Double Duty as your Patient Portal?


Patient portal security is a serious issue in maintaining a safe and secure EHR.

How can a small to medium sized practice make electronic medical records patient data available easily without compromising data security?

Here are some of the major issues in patient portal data security, according to the US Department of the HHS Health Resources and Services Agency:

  1. Access management: who can log in? How do we know that a user’s logon information has not been compromised? How do we know that no one else has access to the personal data?
  2. Accurate patient identification and sign-off: how secure must the logon be? How soon should a user who has not logged out be signed off?
  3. Concern for patient-requested restrictions: how much of this data is shared with other medical professionals, and with any other bodies making inquiries (such as schools, employers, etc.)?

The security issues at stake in a patient portal record are very similar to those of online personal banking, and a serious PHR provider or vendor will handle them in a similarly serious fashion. A multi-tiered architecture, in which presentation, application processing, and data management functions are logically separated, protects secured data better because an update does not touch or access all of the data every time it happens.

There must also be contingency plans for confidentiality failures: what happens if there has been a security breach? A proactive security plan is especially important in an environment where there can be confusion between patients with the same name, or where typos in identification information might lead to security breaches. It is paramount to keep software “patrols” in place to guard against such situations before they happen. This is like super anti-virus software for your patient portal.

But this is too much, you might say, for your small practice to handle. And you do want to offer some version of a patient portal: for Meaningful Use considerations, for patient satisfaction, and for the time savings that an EHR patient portal might afford you and your staff.

What can you do to lessen the burden on your IT and professional staff?

Many practices have found that it makes the most sense to partner with a PHR system maintained by a healthcare software vendor. These vendors have IT resources that you don’t: they can better maintain the security of information, back up information, and perform all of the data checks, presentation issues, and cosmetic data management that your staff can’t possibly handle.

Since most patient portals are not full PHRs, it is important that, if you do maintain your own patient portal, you ensure that it can export data as a CCD/CCR (Continuity of Care Document/Record). The CCD can be imported into major PHRs like Microsoft’s HealthVault, Epic’s Lucy, or Google Health.

Some PHRs allow links so that patients can integrate their practice’s bill-paying software with the PHR information. Large PHR providers, such as those mentioned above, have the staff and the infrastructure, in both software and personnel, to make such interactions happen in a fairly secure manner.

There are several things to watch out for when contracting with a software vendor’s PHR. Among them:

  • Establish a HIPAA Business Associate Agreement to protect your client base against the release of patient data to any third party. The PHR provider must also inform the practice if there have been any data security breaches, and must commit to destroying patient information once its relationship with the practice has ceased to exist.
  • PHR vendors must be able to demonstrate that their database is able to maintain the integrity of individual records. Since these are massive, national databases, there must be enough unique identifiers to make sure that multiple occurrences of names do not compromise individual records.
  • Since the PHRs do not belong to the doctor’s practice in many cases, patients must be asked to give HIPAA consent to the transmission of their data to the PHR providers.
  • Since PHR data is conveyed over the internet, data must be encrypted safely, and cannot be sent as simple data transmissions.

For a wonderful discussion of the potential privacy pitfalls of PHRs, see www.healthit.gov/…/privacy-model-privacy-notice-consumer-guide-final.pdf. Though it is written from the point of view of the patient or client, a doctor’s practice considering partnering with a PHR provider has nearly the same concerns as the patient does. This discussion is well worth studying.

