As a result of government incentives, new care standards, and the demands of a more technologically sophisticated society, use of patient portals is becoming increasingly commonplace. But physicians must be aware that the specific functionalities of the portal directly impact the risk management strategies that must be employed by the practice to protect itself from liability.
Patient portals allow providers to conveniently and securely offer patients immediate access to their health information.
In general, all portals allow for patients to view some portion of their health information, although the extent of information involved varies greatly among providers (e.g., only test results and medications available versus the entire record). In addition, most portals allow for some mode of communication between the patient and the provider.
Other functionalities include, but are not limited to, obtaining prescription refills, scheduling appointments, and managing chronic conditions.
In general, confidentiality and professional liability are the biggest concerns, but patient satisfaction and understanding must also be considered. Providers should always be aware of, and prepare for, the pitfalls that might be encountered when patients have immediate access to their information.
The following are some considerations and strategies that can be employed when developing a patient portal.
By implementing just a few strategies, a provider can ensure that it and its patients have a uniform understanding of the use of the patient portal. This protects against misunderstandings, HIPAA breaches and unnecessary professional liability claims. As the portal technology and functionalities continue to evolve, continued assessment of similar risk management opportunities should also occur.
HIPAA requires providers to protect patient information. This obligation extends to patient information maintained in, or available through, a patient portal. This does not mean that the provider must police to whom the patients grant access, but it does require that the provider establish safeguards to prevent unauthorized access to the patient’s information.
A first step in protecting against unauthorized access is to evaluate how access is provided to the patient. In most instances patients will have a password which prevents unauthorized users from accessing the information. The vulnerability is in how the user name and password are provided to the patient.
If the password is provided “in person” to the patient, then the risks are minimized, but if the password is emailed or based upon existing passwords, unintended recipients may obtain the password and thus access to the patient’s portal and information. For example, if it is the provider’s practice to email the patient an initial password to access the patient portal, the provider should inform the patient that anyone who has access to the patient’s email account (e.g., spouse, children) may then be able to access the patient’s health information.
Other strategies are to have the patient acknowledge in writing that any person to whom the patient provides the password will have access to the account, and that the patient needs to inform the provider if the patient is aware that an unauthorized person has obtained access to the patient’s password.
Finally, the provider should ensure that basic technical safeguards are in place and documented in the provider’s HIPAA risk assessment.
In order to manage patient expectations in regard to the portal, guidelines should be communicated to the patient regarding the use of the portal. If the portal only allows access to certain information, the guidelines might be limited to explaining that only limited information is available, along with an explanation of how questions regarding the information can be posed.
If the portal allows for secure email communication with the provider along with access to patient information, additional guidelines need to be articulated to the patient.
Most notably, the patient should be informed, repeatedly, that the patient portal should not be used for urgent or life-threatening matters. In addition, the patient should be told an approximate turnaround time for messages and the type of messages that are appropriate (e.g., requests for prescription refills may be appropriate, but questions that require a physical examination cannot be answered through the portal).
Although the email communications may seem informal or inconsequential, all responses provided to patients by the provider should be maintained in the patient’s medical record. Such documentation is important to defend against professional liability claims or payor audits. Even though most email communications with patients are not reimbursable at this time, such communications may support or justify the medical necessity or appropriateness of subsequent care.
Stacey Gulick, JD, is a partner at Garfunkel Wild, P.C. in Great Neck, New York. Send your legal questions to firstname.lastname@example.org.
The five components to risk management
The security infrastructure of a medical practice should have five components, according to the HIPAA security rule. The following table briefly outlines each component and provides examples.
| Security Component | Example | Example of Security Measure |
|---|---|---|
| Physical Safeguards | Your facility and other places where patient data is accessed | Building alarm systems |
| Administrative Safeguards | Designated security officer | Staff training |
| Technical Safeguards | Controls on access to EHR | Secure passwords |
| Policies & Procedures | Written policies and procedures to assure HIPAA security compliance | Written protocols on authorizing users |
| Organizational Requirements | Breach notification and associated policies | Agreement review and updates |
Source: The Office of the National Coordinator for Health Information Technology