5 Security Measures for Safe Patient Portals
Many patients are apparently wary of embracing patient portals due to security concerns. Learn how you can reassure them about the safety.
No doubt, patient portals are highly effective in increasing patient engagement and optimizing treatment outcomes. But many patients are reluctant to adopt this “new” tool because they are concerned about security and privacy.
These concerns make a lot of sense considering how often attackers target health data. If your practice uses a patient portal, it is your responsibility to convince patients that their sensitive information is in safe hands. How will you do that?
First, the patient portal should meet the criteria for meaningful use (MU) set by CMS, the Centers for Medicare and Medicaid Services. MU requires the practice to provide:
- A clinical summary to the patient after each visit.
- Secure messaging (SM) between patient and provider.
- Ability to view, download, and transmit personal health record data.
- Patient reminders for preventative services.
- Medication reconciliation.
Next, since patient portals involve patient records, they should be HIPAA-compliant. You can find more information on HIPAA here.
Before we explore more about specific security measures that you should have in your patient portals, let’s have a quick overview of what a patient portal actually is:
“A patient portal is a website for your personal health care. The online tool helps you to keep track of your health care provider visits, test results, billing, prescriptions, and so on. You can also e-mail your provider questions through the portal. For access, you will need to set up an account. The service is free. A password is used so that all of your information is private and secure.”
Use these Measures for Enhanced Security of Patient Portals
- Encrypt the information. Whether you are storing the information or sending it over the internet, encryption is strongly recommended. Encryption renders the information unreadable to anyone who does not hold the key, and the key is available only to authorized persons. With encryption, even if an attacker gets access to the data, they cannot make sense of it. The two forms of encryption are hardware encryption and software encryption; for the highest level of security, experts recommend using both.
- Implement a strict “need-to-know” approach to limit access to information. The most powerful model for controlling access is role-based access control (RBAC), also called role-based security. As the name suggests, RBAC grants access to persons or employees based on their need to see the information, so different employees can have different levels of access. For example, non-medical staff and medical staff may need to see different kinds of information as part of their work, so you should grant each group access only to the information specific to their needs. Also, make sure the access-control rules are clear, concise and positive, that is, written as explicit grants of who may see what.
- Use proper authentication mechanisms. When we talk about authentication, passwords and password strength usually come to mind first. But passwords are just one authentication mechanism; other options are available for your patient portal, such as digital signatures and challenge-response authentication protocols. Two-factor authentication, in which the user also enters a security code obtained from their mobile phone, is another great option. Learn more about the benefits of two-factor authentication here. If your system uses passwords to protect your patient portal, make sure they are complex, and ensure that an account is blocked after a run of consecutive failed login attempts.
- Have a company policy on privacy and “terms and conditions” for the patient portal. The HIPAA Privacy Rule regulates patient portals, and HIPAA has been instrumental in providing preliminary guidelines on the safety and privacy of health information. But HIPAA rules can cause confusion among users; most notably, many patients still do not know enough about their right to medical privacy. It is important that you sit with an expert and formulate clear company policies so that you can show patients that you care about their privacy.
- Have good audit logs. An audit log helps to determine what information was accessed or viewed. Audit log entries contain the source and destination addresses, a timestamp, and user login information, and they contain as little PHI (Protected Health Information) as possible: you can see the user ID but not the user’s name, and the patient ID but not the patient’s name. For lab results, the log records the lab order number, not the actual results.
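As an added illustration of the lockout rule in the authentication item above (example code, not from the original article), a small Python guard that blocks an account after consecutive failed logins and clears the block after a cooldown; the threshold and lockout window are assumed values, and the password check itself happens elsewhere:

```python
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    """Counts consecutive failures per account and locks it after a threshold.

    Constructed for this example; the defaults below are assumptions, not
    values taken from the article or any regulation.
    """
    max_failures: int = 5          # consecutive failures before locking
    lockout_seconds: int = 900     # how long the lock lasts
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> time lock expires

    def is_locked(self, user: str, now: float) -> bool:
        """True while the account's lock is still in force; expired locks are cleared."""
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'failed'."""
        if self.is_locked(user, now):
            return "locked"        # refuse even a correct password while locked
        if password_ok:
            self.failures[user] = 0   # a success ends the run of failures
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "failed"
```

Because a lock can also keep a legitimate patient out, pair it with alerting on repeated lockouts and a supervised unlock path rather than leaving accounts blocked indefinitely.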
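The need-to-know (RBAC) item and the audit-log item above fit together naturally, so here is one added Python example (not code from the original article) that applies an explicit per-role grant table to a patient record and writes an audit line that carries only identifiers: user ID, patient ID, addresses, a timestamp and, for lab results, the order number rather than the values. The roles, fields, and sample patient are constructed for the example:

```python
import json
from datetime import datetime, timezone

# Explicit grants per role; any field not listed is denied by default.
# Roles and fields are assumptions for this example, not the article's.
ROLE_GRANTS = {
    "clinician":  {"demographics", "medications", "lab_results", "visit_summary"},
    "front_desk": {"demographics", "appointments"},
    "billing":    {"demographics", "billing"},
}


def can_view(role, field):
    """Need-to-know check: allowed only if the role has an explicit grant."""
    return field in ROLE_GRANTS.get(role, set())


def filter_record(role, record):
    """Return only the parts of a patient record the role may see."""
    return {k: v for k, v in record.items() if can_view(role, k)}


def audit_entry(user_id, patient_id, field, allowed, src_ip, dst_host,
                lab_order_no=None, now=None):
    """Build one JSON audit line holding identifiers only: no names, no results."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    entry = {"ts": ts, "src": src_ip, "dst": dst_host, "user_id": user_id,
             "patient_id": patient_id, "field": field,
             "decision": "allow" if allowed else "deny"}
    if lab_order_no is not None:      # the order number stands in for the result
        entry["lab_order_no"] = lab_order_no
    return json.dumps(entry, sort_keys=True)


def access_field(user, patient, field, src_ip, dst_host="portal.example", now=None):
    """Apply the RBAC check, log the attempt, return (value_or_None, audit_line)."""
    allowed = can_view(user["role"], field)
    order_no = patient["record"]["lab_results"]["order_no"] if field == "lab_results" else None
    line = audit_entry(user["id"], patient["id"], field, allowed,
                       src_ip, dst_host, order_no, now)
    return (patient["record"].get(field) if allowed else None), line


# Constructed sample data; not real people or real records.
PATIENT = {"id": "P-10042", "name": "Jane Doe", "record": {
    "demographics": {"dob": "1980-01-01"},
    "medications": ["metformin"],
    "lab_results": {"order_no": "LO-7781", "values": {"HbA1c": "6.1%"}},
    "billing": {"balance": 120.0}}}
CLINICIAN = {"id": "U-17", "name": "Dr. Smith", "role": "clinician"}
FRONT_DESK = {"id": "U-42", "name": "Pat Jones", "role": "front_desk"}
```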
Safety of Patient Portals: Extra Tips to Follow
- See whether the patient portal software was independently tested for security readiness. Use only HIPAA-compliant software from a reputable vendor, and update it regularly.
- Don’t underestimate the value of physical safeguards in reducing the risk of breaches or unauthorized access. For example, consider installing an alarm system in the building or the facility that houses the servers.
- Make sure your staff has received proper training on explaining what patients can do to keep their health data secure.
- Use secure online forms to collect patient information. Find more on Creating Secure Web Pages and Forms.
- If your portal accepts online payment by credit card, it is essential that it complies with the Payment Card Industry Data Security Standard (PCI DSS).
The Bottom Line
Patient portals are relatively new in the health-IT arena, and as with any new tool, mass adoption will take some time. Patient portals do raise some security concerns, but that does not take away from the fact that they are a great tool for enhanced patient engagement. With the right risk-management policies, you can expect to attract more patients to your portal.
To know more about how you can incorporate security measures in patient portals and web sites, talk to the experts at LuxSci for a FREE CONSULTATION.