Patient Portals: Security Concern or Effective Tool?

Martin Edwards
Martin Edwards

Guest post by Martin Edwards, MS, CHC, CHPC, compliance officer, Dell Healthcare.

Patient portals offer an unprecedented opportunity to engage consumers, provide a customized care experience and potentially change behavior. Yet they also introduce new security concerns for both patients and providers.

A question we often hear from healthcare providers regarding security is: How much protection against negligence does meeting the HIPAA requirements really provide? That question is particularly germane to patient portals, which create an additional entry point and more risk to the security of protected health information (PHI). The laws and regulations in these cases can be confusing.

Fortunately for providers, “safe harbor” is offered in those cases where the provider can prove that they have properly encrypted all devices that contain PHI. Under the HIPAA security rule, as long as PHI is encrypted according to National Institute for Standards and Technology (NIST) guidelines, it is no longer considered “unsecured” and providers are effectively exempt from improper disclosure being considered a “breach.” Thus, the HIPAA breach notification rule doesn’t apply, and, by extension, the provider can avoid potential fines from the Office for Civil Rights (OCR). Since most breaches of PHI reported to the U.S. Department of Health and Human Services (HHS) to date have related to the theft or loss of unencrypted mobile devices, encrypting the data is a primary defense against data loss and against the consequences of improper disclosure.

While patient portals add risk, they also confer many benefits to healthcare organizations, including enhanced patient-provider communication and empowerment of patients. Some studies have found that portals can also enable better outcomes for patients. These benefits are behind the HIPAA privacy rule’s “right of access,” which allows individuals to examine and obtain a copy of their PHI. Meaningful use requirements also require eligible professionals to exchange secure emails with at least 5 percent of their unique patients. Since portals are an ideal way to meet this requirement, organizations seeking to comply with Stage 2 criteria have an incentive to adopt them.

A comprehensive encryption solution can allow implementation of a portal without additional risks to PHI security. Indeed, whether you implement a portal or not, encryption should be incorporated at the very core of your information security practices, from every access point down to the data at rest in offsite disaster recovery environments. This approach means PHI is never in an unencrypted state. Vendor encryption products should meet guidelines established by NIST or federal information processing standards (FIPS).

Beyond encryption, organizations need to have a comprehensive security program that, in addition to addressing the required elements in HIPAA and meaningful use, includes a solid understanding of the organization’s data security risks and contingency plans in case of a breach.

Several of the critical activities of a comprehensive security program include:

A recent blog by Dan Munro claims that, “To be a successful player in the healthcare arena, a company needs to be in the ‘behavioral change’ business. Boosting adherence, bending the cost curve and shifting from treatment to prevention will require dramatic shifts in patient behavior. Customizing the individual experience is key to improved outcomes.”

Patient portals provide an opportunity for healthcare providers to offer patients that individual experience and to support their efforts at managing their own care, enabled by automation and empowered by the availability of data. If providers can secure PHI and provide the confidence consumers and providers need, patient portals will become a useful tool for healthcare transformation.

One comment on “Patient Portals: Security Concern or Effective Tool?”

Write a Comment

Your email address will not be published. Required fields are marked *