Guest post by Martin Edwards, MS, CHC, CHPC, compliance officer, Dell Healthcare.
Patient portals offer an unprecedented opportunity to engage consumers, provide a customized care experience and potentially change behavior. Yet they also introduce new security concerns for both patients and providers.
A question we often hear from healthcare providers regarding security is: How much protection against negligence does meeting the HIPAA requirements really provide? That question is particularly germane to patient portals, which create an additional entry point and more risk to the security of protected health information (PHI). The laws and regulations in these cases can be confusing.
Fortunately for providers, “safe harbor” is offered in those cases where the provider can prove that they have properly encrypted all devices that contain PHI. Under the HIPAA security rule, as long as PHI is encrypted according to National Institute of Standards and Technology (NIST) guidelines, it is no longer considered “unsecured” and providers are effectively exempt from improper disclosure being considered a “breach.” Thus, the HIPAA breach notification rule doesn’t apply, and, by extension, the provider can avoid potential fines from the Office for Civil Rights (OCR). Since most breaches of PHI reported to the U.S. Department of Health and Human Services (HHS) to date have related to the theft or loss of unencrypted mobile devices, encrypting the data is a primary defense against data loss and against the consequences of improper disclosure.
While patient portals add risk, they also confer many benefits to healthcare organizations, including enhanced patient-provider communication and empowerment of patients. Some studies have found that portals can also enable better outcomes for patients. These benefits are behind the HIPAA privacy rule’s “right of access,” which allows individuals to examine and obtain a copy of their PHI. Meaningful use requirements also require eligible professionals to exchange secure emails with at least 5 percent of their unique patients. Since portals are an ideal way to meet this requirement, organizations seeking to comply with Stage 2 criteria have an incentive to adopt them.
A comprehensive encryption solution can allow implementation of a portal without additional risks to PHI security. Indeed, whether you implement a portal or not, encryption should be incorporated at the very core of your information security practices, from every access point down to the data at rest in offsite disaster recovery environments. This approach means PHI is never in an unencrypted state. Vendor encryption products should meet guidelines established by NIST or federal information processing standards (FIPS).
Beyond encryption, organizations need to have a comprehensive security program that, in addition to addressing the required elements in HIPAA and meaningful use, includes a solid understanding of the organization’s data security risks and contingency plans in case of a breach.
Several of the critical activities of a comprehensive security program include:
- Enable portals that have integrated security features – This should include user authentication, role-based authorization and single sign-on capabilities.
- Conduct a comprehensive security assessment – A comprehensive risk assessment is required under the HIPAA security rule and meaningful use. Risk assessments should include assessing the risk posed by patient portals and the possibility of unauthorized access during transmission. An integrated identity and access management tool is important here.
- Implement user authentication and authorization checks to ensure your data is truly secure – For example, in some patient portals, once one patient’s record has been displayed, a different patient’s record can be displayed simply by editing the URL in the browser.
- Have an incident response plan in place – When a breach does happen, determining the root cause can be difficult and time-consuming. This is why it’s important to implement incident response plans. Knowing exactly when a security incident became a “breach” and whether it was truly due to malicious outsiders or to inside individuals is critical to an organization’s ability to respond to and prevent future breaches.
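As an added illustration of the URL-editing flaw mentioned above (example code written for this post, not from the original article or any Dell product): a portal handler that only checks for a login is shown beside a hardened one that also checks that the requested record belongs to the caller and logs every denial. The in-memory record store, care-team table and session shape are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data, not real PHI: two patient records and one care-team assignment.
RECORDS = {
    1001: {"patient_id": 1001, "summary": "constructed record for patient 1001"},
    1002: {"patient_id": 1002, "summary": "constructed record for patient 1002"},
}
CARE_TEAM = {501: {1001}}   # clinician 501 is assigned to patient 1001 only
AUDIT_LOG = []              # denied requests, kept for detection and incident review


@dataclass(frozen=True)
class Session:
    user_id: int            # identity established at login
    role: str               # "patient" or "clinician"


class Forbidden(Exception):
    pass


def get_record_vulnerable(session, record_id):
    """Checks only that the caller is logged in; the record id comes straight from
    the URL, so any patient can read any other patient's record by editing it."""
    if session is None:
        raise Forbidden("not authenticated")
    return RECORDS[record_id]


def get_record_hardened(session, record_id):
    """Authentication plus object-level authorization: a record is released only
    to its own patient or to a clinician assigned to that patient."""
    if session is None:
        raise Forbidden("not authenticated")
    record = RECORDS.get(record_id)
    owner = record["patient_id"] if record else None
    allowed = (session.role == "patient" and owner == session.user_id) or (
        session.role == "clinician" and owner in CARE_TEAM.get(session.user_id, set())
    )
    if not allowed:
        # Record who asked for what, so repeated id-tampering is visible to the SOC,
        # and return one uniform error so missing and foreign ids look identical.
        AUDIT_LOG.append({"user_id": session.user_id, "record_id": record_id})
        raise Forbidden("access denied")
    return record


def access_outcome(handler, session, record_id):  # returns "ok" or "denied"
    try:
        handler(session, record_id)
        return "ok"
    except Forbidden:
        return "denied"
```

A spike of entries in `AUDIT_LOG` from one user against many record ids is the signal an incident response plan should be built to pick up.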
A recent blog by Dan Munro claims that, “To be a successful player in the healthcare arena, a company needs to be in the ‘behavioral change’ business. Boosting adherence, bending the cost curve and shifting from treatment to prevention will require dramatic shifts in patient behavior. Customizing the individual experience is key to improved outcomes.”
Patient portals provide an opportunity for healthcare providers to offer patients that individual experience and to support their efforts at managing their own care, enabled by automation and empowered by the availability of data. If providers can secure PHI and provide the confidence consumers and providers need, patient portals will become a useful tool for healthcare transformation.