Patient portals allow providers to conveniently and securely offer patients immediate access to their health information.
In general, all portals allow for patients to view some portion of their health information, although the extent of information involved varies greatly among providers (e.g., only test results and medications available versus the entire record). In addition, most portals allow for some mode of communication between the patient and the provider.
Other functionalities include, but are not limited to, obtaining prescription refills, scheduling appointments and managing chronic conditions.
In general, confidentiality and professional liability are the biggest concerns but patient satisfaction and understanding must also be considered. Providers should always be aware of, and prepare for, the pitfalls that might be encountered when patients have immediate access to their information.
The following are some considerations and strategies that can be employed when developing a patient portal.
By implementing just a few strategies, providers can ensure that they and their patients have a uniform understanding of the use of the patient portal. This protects against misunderstandings, HIPAA breaches and unnecessary professional liability claims. As portal technology and functionalities continue to evolve, continued assessment of similar risk management opportunities should also occur.
Confidentiality and security
HIPAA requires providers to protect patient information. This obligation extends to patient information maintained in, or available through, a patient portal. This does not mean that the provider must police to whom the patients grant access, but it does require that the provider establish safeguards to prevent unauthorized access to the patient’s information.
A first step in protecting against unauthorized access is to evaluate how access is provided to the patient. In most instances patients will have a password which prevents unauthorized users from accessing the information. The vulnerability is in how the user name and password are provided to the patient.
If the password is provided “in person” to the patient, then the risks are minimized, but if the password is emailed or based upon existing passwords, unintended recipients may obtain the password and thus access to the patient’s portal and information. For example, if it is the provider’s practice to email the patient an initial password to access the patient portal, the provider should inform the patient that anyone who has access to the patient’s email account (e.g., spouse, children) may then be able to access the patient’s health information.
Other strategies are to have the patient acknowledge in writing that any person to whom the patient provides the password will have access to the account, and that the patient needs to inform the provider if the patient is aware that an unauthorized person has obtained access to the patient’s password.
Finally, the provider should ensure that basic technical safeguards are in place and documented in the provider’s HIPAA risk assessment.
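One way to build the technical safeguard the preceding paragraphs call for, as an added example that is not from the original article or any portal vendor: instead of emailing a reusable initial password, the portal emails a single-use, expiring enrollment token that only works together with a short code handed to the patient in person, and the patient must then choose their own password. The function names, the in-memory store and the 24-hour lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory enrollment store; a real portal would persist this.
ENROLLMENTS = {}
TOKEN_TTL = 24 * 3600  # assumed lifetime of the emailed token: one day


def _h(salt, secret):
    """Salted hash so a copy of the store does not reveal usable secrets."""
    return hashlib.sha256(salt + secret.encode()).digest()


def issue_enrollment(patient_id, now=None):
    """Create the two halves of an enrollment: an emailed token and an
    in-person code. Someone who only reads the patient's mailbox gets the
    token but not the code, so the email alone cannot open the account."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # sent by email
    code = f"{secrets.randbelow(10**6):06d}"     # handed over at the front desk
    salt = secrets.token_bytes(16)
    ENROLLMENTS[patient_id] = {
        "salt": salt,
        "token_hash": _h(salt, token),
        "code_hash": _h(salt, code),
        "expires": now + TOKEN_TTL,
        "used": False,
    }
    return token, code


def redeem(patient_id, token, code, new_password, now=None):
    """Activate the account only if both secrets match, the token is unused
    and unexpired, and the patient supplies a password of their own.
    Returns True on success; the token is burned so it cannot be replayed."""
    now = time.time() if now is None else now
    rec = ENROLLMENTS.get(patient_id)
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    ok_token = hmac.compare_digest(rec["token_hash"], _h(rec["salt"], token))
    ok_code = hmac.compare_digest(rec["code_hash"], _h(rec["salt"], code))
    if not (ok_token and ok_code) or len(new_password) < 12:
        return False
    rec["used"] = True
    # Patient-chosen password stored with a slow, salted KDF, never the
    # emailed token itself.
    rec["password_hash"] = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), rec["salt"], 200_000)
    return True
```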