The portability of medical records and the use of patient portal apps to fulfill the patient engagement requirements of Meaningful Use and MACRA create a generally healthier population. At the same time, their use creates concerns about record protection. Some patients might prefer to receive their protected health information (PHI) through an insecure email system that they fully understand is not encrypted, driven by the notion that patient portals add unnecessary steps to acquiring the information they want. The question is: is it better to provide instant access or secure information? Of course, our position is not to provide legal counsel, but rather to elaborate on the background of situations like these, to provide context when discussing the situation with your practice’s legal counsel, and to provide context for medical staff training.
The ways in which medical and health data are transferred vary in terms of privacy. Standard internet communications, including email, text messaging, and web browser channels, are used to distribute this sensitive data. A combination of encryption and authentication generally provides a layer of security for PHI, although each adds friction to accessing the data. For example, authentication requires the creation of usernames and passwords before the encrypted data can be accessed, which hinders quick access. Some patients have even considered personal email a more convenient way to transfer PHI than an encrypted website, which would require the extra step of authentication.
Understanding the safe and proper transmission of patient records is important for the patient as well as for the health organizations which house these records.
HIPAA Regulations that Protect Patient Data
Initially, there were concerns related to this new pathway of medical information access: how can the provider make the patient’s PHI easily accessible online, while at the same time protect it from being intercepted?
The Health Insurance Portability and Accountability Act (HIPAA) provides a framework of regulations through which patient data can be transferred securely and in a user-friendly way. HIPAA compliance applies equally to the provider and to the health organization’s business partners, such as EHR manufacturers.
In order to remain HIPAA compliant in the EHR, healthcare organizations are required to meet 75 specific security controls, including the following:
- An annual HIPAA risk analysis (to identify organizational risk to patient data, as well as plan for remediation of those risks)
- Compliance with specific HIPAA Security Rule administrative, physical, and technical safeguards
- Development of specific policies and procedures
- Annual employee training
It’s important to remember that the “P” in HIPAA stands for portability and not privacy. A goal of HIPAA is to make PHI secure, yes, but the primary aim is to give the patient access to their data.
Secure, HIPAA-Compliant Patient Portals and EHR Software
Many medical practices have an integrated Patient Portal with their EHR system, which includes convenient mobile apps, text messaging, and secure, encrypted email. They allow the medical staff to send messages such as appointment reminders, electronic statements, and lab results to patients. Patient data is exchanged through each patient portal in a completely HIPAA-compliant, secure fashion.
Patients using PrognoCIS Patient Portal logged in over 17,000 times in one month in 2016. The majority of these patients using mobile apps came from pain management, psychiatric, and orthopedic clinics. Mobile apps provide the ability to reach a doctor (or receive health information) quickly and easily.
Additional Benefits of Using Patient Portals
Along with the patient, the office staff also can benefit from the use of a patient portal. Because the patient has access to their own paperwork and can fill it out in the comfort of their own home, office administrators have shorter wait times for patient information. Additionally, the use of a branded patient portal can help health organizations to grow their business through promotion, and bring in more patients.
There are many convenient and secure ways to satisfy patient record requests. We suggest confirming with your practice’s HIPAA compliance counselor, who will most likely agree that patient data belongs to the patient, and so their requests cannot be denied. Whether the patient prefers to access their data using unencrypted email or an encrypted web browser, HIPAA guarantees access and portability of their records despite the potential security risks. Keeping a record of having informed the patient about the risks of unencrypted transmission is the best practice when confronted with such a situation.
Setting up a patient portal in your medical practice increases your engagement with patients and helps you meet your quality reporting requirements. It sets up a secure line of communication through which patients can set their appointments and receive forms and receipts. Increasing patient access through a secure, HIPAA-compliant patient portal, as opposed to unencrypted email or text, is a safe and simple way to increase the quality of care in your practice.