HIPAA and Patient Portals: HIPAA & HITECH Act Blog by Jonathan P. Tomes

Jon Tomes

Regardless of how comfortable one is with high-tech methods of communicating with patients, little doubt exists that patient portals are here to stay.

As you likely know, a patient portal is a product that allows patients to access parts of their medical records maintained by their providers. Patients log onto portals from their personal computers, tablets, or smartphones.

One EHR vendor listed the following benefits of patient portals:

  • Reduced incidence of no-shows. Most portals have the capability to send emailed appointment reminders, and patients appreciate the ease of scheduling appointments.
  • Improved patient engagement. Patients become more actively involved in their healthcare because they can access health information, such as test results, more easily, and generally stay more informed.
  • Greater efficiency. Portals can be an efficient method to complete a number of daily administrative tasks that typically require several staff members. Allowing patients to make appointments themselves on the portal and request medication refills helps streamline otherwise time-consuming tasks.
  • Improved communications. Patient portals allow patients to contact providers about small concerns that would otherwise require a time-consuming and potentially costly office visit. Improved communications improve patient satisfaction, which usually leads to improved outcomes. See exscribe, Orthopaedic Healthcare Solutions, EHR/EMR, Orthopedic News, “4 benefits of patient portals,” July 9, 2016, at https://www.exscribe.com/orthopedic-e-news/ehremr/4-benefits-of-patient-portals.

In addition to the above benefits, patient portals can also provide ways to do the following:

  • View current and past medications.
  • View immunization records.
  • View and update allergies.
  • Send and receive secure messages with the provider’s office.
  • Download copies of medical records.
  • Provide access to family members to perform functions on behalf of the patient.

See Dave Newman, “What is a Patient Portal? About Online Patient Portals,” Healthcare IT Skills, Aug. 8, 2017, at https://healthcareitskills.com/what-is-a-patient-portal/.

This article notes that providers often do not share progress notes through the portal, although (in my opinion) the HIPAA Privacy Rule considers them part of a system of records and thus requires patient access. The providers who do not allow access to progress notes through the portal typically require a written request and then provide the access unless one or more of the grounds exist for denying access in 45 C.F.R. § 164.524(a)(2) or (3). Patients have a right of access―that is, to inspect and copy―all PHI in a “designated record set,” which consists of medical records, billing records, and other records used to make decisions about them.

Patient portals raise both privacy and security concerns under HIPAA. The main privacy issues involve the aforementioned patient right of access and their right to request correction and/or amendment.

Other than the access issue raised above, generally speaking, HIPAA provides that individuals are entitled to a copy in the form or format that they request, if readily producible. If not readily producible, the covered entity’s default is to produce a hard copy or an electronic copy, depending on whether it maintains the requested protected health information (“PHI”) electronically.

The patient portal will not be every patient’s requested form or format. Thus, the covered entity must continue to provide alternatives, such as hard copies, CDs, or email attachments.

Among the grounds for denying access are the following:

  • The access is reasonably likely to endanger the life or physical safety of the individual or another.
  • The PHI references another person, and access is reasonably likely to cause substantial harm to that individual.
  • The request is by a personal representative, and access is reasonably likely to cause harm to the individual or another.
  • The PHI was obtained from a non-health care provider under a promise of confidentiality.

These grounds for denying access raise the issue of whether the patient portal could have information that could result in harm or was obtained under a promise of confidentiality. Can the covered entity act to flag information that could cause harm, or simply not have it accessible through the portal? Your release-of-information or patient-access-to-records policy typically should talk about flagging paper and electronic medical records so that the workforce member acting on a request for access does not release the harmful information without approval. But if there is no workforce involvement in the patients’ access to the portal, how do you keep them from viewing such PHI?

You must also be concerned about who may access the portal. Those who may do so could include the following:

  • The individual (patient or client).
  • An authorized person, as permitted by a HIPAA-compliant authorization.
  • A designee that the individual designates in writing.
  • A personal representative. A personal representative―that is, the holder of a health care power of attorney, a guardian, or an executor or an administrator of the estate of the decedent―exercises the rights of the individual, including the right to access in form or format requested if readily producible. Note that a power of attorney expires upon the death of the individual.

Minors may pose a problem with patient portals. Depending on state law, a parent cannot be a personal representative for certain information, such as reproductive information. So do you segregate such information in the portal so that the parent has access only to the rest of the PHI? Or simply exclude such information from the portal? Or grant access to such segregated PHI only with the minor’s proper authorization?
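The questions raised in the last three paragraphs (flagged harmful or confidential PHI, who counts as an entitled requester, and segregated PHI of a minor) can be answered in code as an authorization check the portal applies to each record item before rendering it. The following is an added example, not code from this blog or from any portal vendor. The data model, the requester kinds, and the names are assumptions; the record flags mirror the denial grounds discussed above, and the state-law rule for minors is a placeholder to be replaced with your state's actual rule. The point it demonstrates is that the two judgment-call grounds (harm, promise of confidentiality) are never decided by the portal itself: entitled requesters see such items only after a workforce member approves, which is the electronic equivalent of the paper flag the post describes.

```python
"""Added example (not code from the blog or from any portal vendor): an
authorization check a portal could apply to each record item before rendering
it. Names and the data model are assumptions; the flags mirror the grounds the
post discusses (harm, promise of confidentiality), the requester kinds mirror
its list, and the state-law rule for minors is a placeholder."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    SHOW = "show"                    # portal may render the item
    MANUAL_REVIEW = "manual_review"  # withheld; a workforce member decides, like a paper flag
    DENY = "deny"                    # this requester is not entitled to it via the portal


@dataclass(frozen=True)
class RecordItem:
    item_id: str
    category: str                      # e.g. "lab", "progress_note", "reproductive"
    flagged_harm: bool = False         # clinician flag under the 164.524 harm grounds
    confidential_source: bool = False  # obtained under a promise of confidentiality


@dataclass(frozen=True)
class Requester:
    kind: str                          # "patient", "authorized", "designee", "representative", "parent"
    authority: str = ""                # for representatives: "poa", "guardian", "executor"
    patient_deceased: bool = False     # a power of attorney expires on the patient's death
    authorization_scope: frozenset = frozenset()          # categories an authorization or designation covers
    minor_authorized_categories: frozenset = frozenset()  # segregated PHI the minor has authorized a parent to see


# Assumed state-law rule (placeholder): categories a parent cannot see without the minor's authorization.
PARENT_EXCLUDED_CATEGORIES = frozenset({"reproductive"})


def _entitled(req: Requester, item: RecordItem) -> bool:
    """Is this requester, in principle, allowed to see this item?"""
    if req.kind == "patient":
        return True
    if req.kind == "representative":
        # Guardians and executors keep their authority; a POA holder loses it at death.
        return not (req.authority == "poa" and req.patient_deceased)
    if req.kind in ("authorized", "designee"):
        return item.category in req.authorization_scope
    if req.kind == "parent":
        if item.category in PARENT_EXCLUDED_CATEGORIES:
            return item.category in req.minor_authorized_categories
        return True
    return False  # unknown requester kinds fail closed


def portal_decision(req: Requester, item: RecordItem) -> Decision:
    if not _entitled(req, item):
        return Decision.DENY
    # The harm and confidentiality grounds are judgment calls the post's flagging
    # policy reserves for a workforce member; the portal only withholds and routes.
    if item.flagged_harm or item.confidential_source:
        return Decision.MANUAL_REVIEW
    return Decision.SHOW


def visible_items(req: Requester, items: list) -> list:
    """IDs the portal may render for this requester; everything else is withheld."""
    return [i.item_id for i in items if portal_decision(req, i) is Decision.SHOW]


def pending_review(req: Requester, items: list) -> list:
    """IDs that need a workforce member's decision before release to this requester."""
    return [i.item_id for i in items if portal_decision(req, i) is Decision.MANUAL_REVIEW]
```

The separation into `_entitled` and `portal_decision` is deliberate: entitlement is a deterministic rule that can be unit-tested against your access policy, while the harm and confidentiality flags only ever produce a queue entry for a person, so the portal can never release such an item on its own.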

Another privacy issue with patient portals is that the individual (or his or her personal representative) has a right to request correction or amendment of PHI maintained in a system of records. The covered entity must correct or amend the record unless the covered entity did not create the PHI, it was not in a designated record set, or the PHI is accurate and complete. Besides their right to appeal to HHS, patients have a right to append a statement of disagreement to the record. Your portal would have to allow for this appendage of a statement of disagreement and, if it is not the “official” medical record, ensure that a correction or a statement of disagreement is properly entered into the official record.

Not only does a patient portal raise privacy issues, but it also most certainly will have HIPAA security issues. You must include a patient portal in your risk assessment. I strongly suggest that you do so before permitting patient use. But if you haven’t previously done so, get on it! Failure to perform a risk analysis is the single biggest violation leading to seven-figure civil money penalties (“CMPs”) or settlements in lieu thereof.

The risk assessment should focus on the following:

  • The risk of unauthorized access to data at rest in the portal.
  • The risk of data in transit being intercepted by an unauthorized party.

With regard to unauthorized access, you must determine how to allow authorized users access while blocking unauthorized ones through some form of authentication, such as a password. Retinal scans and thumbprint readers may not lend themselves to patients accessing the portal remotely with different devices and may be prohibitively expensive. Do you want to give your patients the option of multifactor authentication, such as a second layer of password or a security question? How many login failures are tolerated? How can patients recover a forgotten password? Or change one that they no longer want to use? You must think of all these things when implementing the portal.

The Security Rule has an information system activity review requirement. How are you going to audit patient portal use? What are the criteria? Random or focused on suspicious patterns? What happens if you detect misuse?
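The last two paragraphs ask how many login failures to tolerate and how to audit portal use. The following is an added example, not code from this blog, showing both controls as plain Python over an in-memory log: a password check that counts failures, locks the account temporarily, and records every attempt; and a focused activity review that runs over that log and flags accounts a human should look at (a success right after a burst of rejections, or one account used from many devices in a day, which is the pattern credential sharing or a lost device leaves). The thresholds, account names, passwords, and event sequence are constructed; the lockout and device numbers are assumptions your own risk analysis should set. The second authentication factor is not shown.

```python
"""Added example (not code from the blog): two of the portal controls the post
asks about, as plain Python over an in-memory log. Thresholds, account names,
passwords and the event sequence are constructed; the lockout numbers are
assumptions to be set by your own risk analysis. The second authentication
factor is not shown here."""
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 5                         # failures inside the window before lockout (assumed)
LOCKOUT_WINDOW = timedelta(minutes=15)
LOCKOUT_DURATION = timedelta(minutes=30)
DEVICE_LIMIT = 3                         # distinct devices per account per day before review (assumed)


class LoginGuard:
    """Password check with failure counting, temporary lockout, and an activity log."""

    def __init__(self, credentials: dict):
        self._creds = credentials            # account -> password; a real portal stores salted hashes
        self._failures = defaultdict(list)   # account -> timestamps of recent failures
        self._locked_until = {}              # account -> datetime the lockout ends
        self.events = []                     # (iso time, account, outcome, device) for later review

    def login_attempt(self, account: str, password: str, device: str, now: datetime) -> str:
        outcome = self._check(account, password, now)
        self.events.append((now.isoformat(), account, outcome, device))
        return outcome

    def _check(self, account, password, now):
        until = self._locked_until.get(account)
        if until is not None and now < until:
            return "locked"               # rejected without even evaluating the password
        if hmac.compare_digest(self._creds.get(account, ""), password):
            self._failures[account] = []  # a success clears the failure count
            return "ok"
        # Only failures inside the window count, so an old typo does not lock anyone out later.
        recent = [t for t in self._failures[account] if now - t <= LOCKOUT_WINDOW]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_DURATION
            return "locked"
        return "failed"


def review_activity(events) -> dict:
    """Focused activity review: {account: [reasons]} for accounts a human should look at."""
    devices_per_day = defaultdict(set)
    rejected_run = defaultdict(int)      # consecutive failed/locked attempts per account
    findings = defaultdict(list)
    for ts, account, outcome, device in sorted(events):
        if outcome == "ok":
            devices_per_day[(account, ts[:10])].add(device)
            if rejected_run[account] >= MAX_FAILURES:
                # A success right after a burst of rejections looks like a guessed or shared password.
                findings[account].append(f"success after {rejected_run[account]} rejected attempts")
            rejected_run[account] = 0
        else:
            rejected_run[account] += 1
    for (account, day), devs in devices_per_day.items():
        if len(devs) > DEVICE_LIMIT:
            # Many devices in one day is the pattern credential sharing or a lost device leaves.
            findings[account].append(f"{len(devs)} distinct devices on {day}")
    return dict(findings)


def demo():
    """Runs a constructed sequence through the guard and then reviews the log it produced."""
    t0 = datetime(2024, 1, 10, 8, 0)
    guard = LoginGuard({"pat_001": "correct-horse", "pat_002": "battery-staple"})
    # pat_001: correct password used from four different devices in one morning
    for i, dev in enumerate(["dev_a", "dev_b", "dev_c", "dev_d"]):
        guard.login_attempt("pat_001", "correct-horse", dev, t0 + timedelta(hours=i))
    # pat_002: five wrong guesses a minute apart, one more while locked, then the right password
    outcomes = [guard.login_attempt("pat_002", f"guess{i}", "dev_x", t0 + timedelta(hours=4, minutes=i))
                for i in range(6)]
    outcomes.append(guard.login_attempt("pat_002", "battery-staple", "dev_x",
                                        t0 + timedelta(hours=4, minutes=40)))
    return outcomes, review_activity(guard.events)


if __name__ == "__main__":
    print(demo())
```

Two design points worth carrying into a real portal: the lockout counts only failures inside a sliding window, so the number you pick for `MAX_FAILURES` answers the post's "how many login failures are tolerated" without punishing a patient for a typo last month; and the review runs over the same log the guard writes, so the criteria you choose for the Security Rule's activity review are explicit, testable rules rather than someone eyeballing a report.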

What if the patient causes a breach, such as by using a weak password, sharing credentials, or losing a mobile device that has a connection to the portal?

And, of course, you must have proper physical, technical, and administrative security on the equipment used to run the portal.

Patient portals can have important benefits to both patients and providers, but they certainly carry risks to privacy and security that you must be aware of and protect against. Include patient portals in your risk analysis, and it should not be difficult to do so in a HIPAA-compliant manner.

Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. Surely, after having read Jon’s blog items all these years, and especially today’s blog item, you recognize that you must keep your risk analysis up to date. Make sure that you include malware and ransomware in your initial risk analysis and all updates thereof. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMHO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.

If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation, including a release of information policy and a right of access policy. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy.

Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbook or https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.

Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly, after restarting your heart, if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Jon’s Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.

If you have had a security incident that you were unsure what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at www.veteranspress.com.

As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts. And we wish you Merry Christmas, or Happy Hanukkah, and Happy New Year!
