The Challenge of Creating Secure Patient Portals

Patient portals are changing the way patients think about and access health care. Along with messaging their physicians, patients can now use portals to schedule appointments, access lab results, fill prescriptions, view their health records, update their demographic information, access discharge and medication instructions, and pay their bills. In some cases, they can even video chat with their providers.

The potential advantages should be increasingly clear to physicians, too. Portals can promote patient engagement and allow caregivers to use analytics to measure how well patients are progressing or whether they need to initiate interventions or adjust care plans. And portals can be used to encourage patients to handle routine inquiries on their own, thus freeing up more time to devote to patient care.


Breaches happen

But along with their many advantages, portals present some challenges, chief among them security and Health Insurance Portability and Accountability Act (HIPAA) compliance. Safety concerns are warranted, of course, considering the frightening number of attacks that hackers have been waging against healthcare institutions. If you’re thinking of using patient portals, you need to take all reasonable steps to keep data safe, and you need to make sure you comply with the meaningful use criteria of the Centers for Medicare and Medicaid Services (CMS) Electronic Health Records (EHR) incentive program.

A recent breach illustrates the kind of mistake that’s too easy to make. An IT consultant discovered that he could access not only his own test results through a healthcare services company’s portal, but also the test results and personal health information of other patients. All he had to do was change one digit in the URL, because the records had been numbered sequentially with no encryption. Fortunately, he wasn’t out to exploit the flaw, and he made sure the company was alerted.
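The flaw described above, sketched next to a corrected lookup. This is an added example, not code from the portal in question; it assumes the page looked records up by the number in the URL alone, and the record data, function names and the optional delegate list (people the patient has chosen to share access with) are hypothetical.

```python
import secrets

# Constructed sample data: sequential record id -> (owning patient, result).
RECORDS = {
    1001: ("patient-a", "CBC: normal"),
    1002: ("patient-b", "HbA1c: 6.1%"),
}


class Forbidden(Exception):
    """Raised when the logged-in user may not read the requested record."""


def get_result_vulnerable(session_user, record_id):
    # Flawed pattern: being logged in is the only requirement, so whatever
    # record number appears in the URL is returned to whoever asks.
    return RECORDS[record_id][1]


def get_result_checked(session_user, record_id, delegates=None):
    """Return a result only to its owner or to someone the owner authorized."""
    delegates = delegates or {}
    entry = RECORDS.get(record_id)
    # One identical error for "no such record" and "not your record", so the
    # response does not confirm which record numbers exist.
    if entry is None:
        raise Forbidden("record not available")
    owner, result = entry
    allowed = {owner} | set(delegates.get(owner, ()))
    if session_user not in allowed:
        raise Forbidden("record not available")
    return result


def new_record_id():
    # Random, non-sequential identifier for new records. This only makes
    # guessing harder; the ownership check above is the actual control.
    return secrets.token_urlsafe(16)
```

The server-side ownership check is what closes the hole; unguessable identifiers are a second layer on top of it.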


What’s required

The CMS EHR incentive program mandates six meaningful use criteria related to patient portal functionality:

  • A clinical summary to the patient after each visit
  • Secure messaging (SM) between patient and provider
  • Ability to view, download, and transmit personal health record data
  • Patient-specific education
  • Patient reminders for preventative services
  • Medication reconciliation

Additionally, HIPAA requires providers to protect all information maintained in, or available through, patient portals. But just as HIPAA regulations don’t prevent patients from providing access to friends or family to written personal information, regulations don’t prevent patients from granting portal access to others of their choosing. HIPAA does, however, require providers to establish safeguards to prevent unauthorized access to patient information.

That usually means, among other things, providing a password. The best way to prevent vulnerability, say experts, is to give the patient the password in person, minimizing the possibility that unintended recipients will gain access to it via email or other means.

How complex should the password be? Complex enough that providers can be shown to have taken reasonable care to guard against unauthorized access, but not so complex that users have trouble accessing their records, say experts. Ultra-complex protocols requiring multiple layers or character sets may create the impression that providers are trying to deny patients access to their records.


Safer and stronger

Here are some other suggested steps to ensure that your portals are secure:

  • Encrypt the information. Encryption makes information unreadable to anyone who does not have the key, making it useless to hackers or unauthorized users.
  • Implement a need-to-know approach to limit access to information. Employees should have different levels of access, depending on what kinds of information they need to do their work.
  • Consider using two-factor authentication. For example, require patients to type in security codes sent to their mobile phones to be able to log in to the portal.
  • Have strong audit logs. Logs should show what information was accessed, along with details on destination and source addresses, a timestamp, and user login information.
  • Train staff to explain to patients what they can do to keep their health data secure.
  • If you accept online payments through a portal, make sure it complies with the Payment Card Industry Data Security Standard (PCI DSS).
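To show what the audit-log step makes possible, the added example below (not code from any portal product) scans log entries carrying the fields listed above and flags a login that is refused on several other patients' records in a short time, the pattern the URL-changing breach would leave behind. The JSON field names, the sample entries and the thresholds are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit entries, one JSON object per line (assumed format):
# timestamp, user login, source and destination address, record, its owner.
SAMPLE_LOG = """\
{"ts":"2018-05-22T09:00:00","user":"patient-b","src":"203.0.113.9","dst":"10.0.0.5","record":1001,"owner":"patient-a","outcome":"denied"}
{"ts":"2018-05-22T10:00:01","user":"patient-a","src":"198.51.100.7","dst":"10.0.0.5","record":1001,"owner":"patient-a","outcome":"allowed"}
{"ts":"2018-05-22T10:02:00","user":"patient-c","src":"198.51.100.44","dst":"10.0.0.5","record":1001,"owner":"patient-a","outcome":"denied"}
{"ts":"2018-05-22T10:02:10","user":"patient-c","src":"198.51.100.44","dst":"10.0.0.5","record":1002,"owner":"patient-b","outcome":"denied"}
{"ts":"2018-05-22T10:02:20","user":"patient-c","src":"198.51.100.44","dst":"10.0.0.5","record":1003,"owner":"patient-d","outcome":"denied"}
{"ts":"2018-05-22T11:00:00","user":"patient-b","src":"203.0.113.9","dst":"10.0.0.5","record":1003,"owner":"patient-d","outcome":"denied"}
"""


def flag_enumeration(log_text, window=timedelta(minutes=5), threshold=3):
    """Return {user: [record ids]} for logins denied on at least `threshold`
    distinct records they do not own within one `window` of time."""
    denied = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["outcome"] == "denied" and event["owner"] != event["user"]:
            when = datetime.fromisoformat(event["ts"])
            denied[event["user"]].append((when, event["record"]))

    flagged = {}
    for user, hits in denied.items():
        hits.sort()
        # Slide a window forward from each denied request in time order.
        for i, (start, _) in enumerate(hits):
            ids = {rec for ts, rec in hits[i:] if ts - start <= window}
            if len(ids) >= threshold:
                flagged[user] = sorted(ids)
                break
    return flagged
```

A single refused request, or refusals hours apart, stays below the threshold, so a patient who mistypes a link is not flagged.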

Moving forward

There’s no doubt that with every day that goes by, more and more patients expect to be able to communicate online and through chat. LifeLink’s chatbot platform is designed to supplement the utility of patient portals and accelerate the successful transition to value-based care by providing smart, personalized, on-demand conversations that span the full patient experience.

Chatbots connect with patients and their families, send appointment reminders, answer concerns, and ultimately help deliver care that surpasses expectations. They deepen patient engagement, improve the experience of care, and ultimately increase patient loyalty.

By pairing LifeLink with CareThrough’s highly skilled navigators, you can provide the highest level of care support and free your care teams to always work top-of-license.

Michael Murphy, MD
Dr. Michael Murphy is co-founder and Chief Executive Officer of ScribeAmerica, LLC. He co-founded ScribeAmerica in 2004, and it is now the country’s largest and most successful medical scribe company with a staff exceeding 7200 employees operating in over 46 states nationwide. Today, ScribeAmerica is the recognized leader of the medical scribe industry and remains at the forefront of professional scribe education, training, and program management nationally. Dr. Murphy served as an Army Ranger for the 1st Ranger Battalion in Savannah, Georgia, which allowed him to gain various leadership skills along with the ability to develop standard operating procedures. He applies this to his daily duties for ScribeAmerica. Dr. Murphy has been a leader on multiple issues including scribe policy, hospital throughput, electronic medical record implementation and optimization of provider to patient ratios. His goals are to continue making all medical practice locations an environment built for an exceptional patient experience that allows providers to focus solely on patient care. Dr. Murphy received his Doctor of Medicine from St. George's University and completed his residency training in Emergency Medicine at the University of Medicine and Dentistry of New Jersey in Newark. He has co-authored one textbook and is involved in 3 peer review articles.
Posted In: CareThrough, Future of Healthcare, General, Quality, Efficiency, Utilization On: Tuesday, 22 May, 2018
