As healthcare facilities launch their own patient portals, technology is only the first step. Administrators are learning that decisions need to be made on everything from patient login protocols to support for patient record revisions.
HIPAA regulations, always a primary concern when patient records are involved, are far from clear cut and that means administrators need to carefully consider the choices, says Adam Greene, a lawyer and consultant on HIPAA-related issues with his firm Davis Wright Tremaine LLP. He spoke at the AHIMA annual conference in Atlanta on October 28.
Even the question of how to provide account logins requires serious attention, Greene said. Patient records must secure, but complex password requirements may create the impression that a provider is in the position of denying a patient access to his records. Greene advised against requiring high-security protocols for passwords that require multiple character sets: “You need to have password security that is not so strong that users can’t get in.”
Healthcare providers need to take reasonable care with logins and other security measures to guard against unauthorized intruders into their record systems. But once reasonable care is taken, the organization has met its responsibility. For example, if account login information is provided to patients, and the patient does not properly protect the document, a provider is not at fault as long as reasonable care was taken when the information was in the care of staff. “If they lose their data, that’s not your fault,” Greene told the audience of about 200.
Greene also advised the audience that under meaningful use rules, providers need to give patients access to their records in the form that they request. “The law gives patients the right to request records by email, he said. “You can’t deny access because it’s your policy. The law trumps policy.”
Patient portals will also introduce a level of interaction that may require additional staff. HIPAA’s Right of Amendment gives patients the right to request amendment of their records. Greene has observed that for some facilities, after a patient portal was deployed, there was a 100 percent increase in the number of requests for amendments to records. While some of the requests were frivolous (correcting spelling mistakes), he said, others were very much beneficial, such as correcting the record to show it was a right leg with a problem, not the left leg.
HIPAA’s “right of access” rules state that patients are entitled to their “designated record set,” which includes medical and billing records. But questions arise because healthcare providers are also required to provide access to “other records used to make decisions about a patient.” And HIPAA also permits an entity to deny access to records that are “likely to endanger life or physical safety” of a patient.
Finally, Greene advised, before launching a patient portal, the entire team needs to be ready to support it and to ensure that it is working as expected. Penetration testing is essential to provide security. For example, in some patient portals, after displaying one patient’s record, a different patient’s record could be displayed simply be editing the URL in the browser.