
Patient Portal Q & A – Part 2

on Thursday, 18 September 2014 in Health Law Advisory: Zachary J. Buxton, Editor

Note: The following questions are the second part in a series about patient portals. For last month’s article on patient portals click here.


Q: How should information about patient portals and the functionalities/capabilities be communicated to patients?

A: Each patient portal is unique in terms of how patients register and access the portal, what treatment and diagnosis information is maintained on the portal, how patients can communicate with providers through the portal, and other specific functionalities/capabilities including scheduling appointments and the availability of third-party educational materials. Most patient portals are developed and maintained by external software vendors. Portal vendors may provide some informational resources for distribution to patients (including paper brochures or sample information about the portal that can be included on a provider’s website). However, there is no one-size-fits-all approach to patient portals, and it is important that providers closely review any documents or templates provided by vendors to ensure the information accurately describes the provider’s specific portal. Providers should also consider the following:

  1. Patient Portal Terms of Use. Providers should consider developing provider-specific terms of use that cover topics such as: how the portal should be used (for example, if the portal includes a messaging function, it should only be used in non-emergency situations); who can use the portal (including parents and/or personal representatives); the information made available via the portal; who will view and respond to patient communications made through the portal; disclaimer/legal liability language to protect the provider; and other provider-specific and state-specific requirements or conditions that may apply.

    Many vendors will require patients to go to an external (non-provider) website and register to use a portal. Patients are usually asked to agree to the vendor’s terms of use as part of the registration process. It is also important for a provider to have its own terms of use in order to clearly set out its obligations and liability limitations to the patient. This is especially important when a provider uses a third-party vendor that provides its own terms of use with a patient.

    How patients actually receive and acknowledge or agree to provider-specific terms of use will depend on the specific portal. If patients cannot acknowledge receipt electronically (for example, through a check box during the portal registration), there are other ways to distribute the terms of use. For example, providers may distribute the terms of use in paper form at admission or discharge with documentation in the patient’s medical record that the terms of use were given to the patient; the provider’s website may include a description of the portal and a link to the provider’s terms of use; or the terms of use could be referenced or hyperlinked in other educational/informational materials that are distributed to patients. Providers should be familiar with the portal registration process and devise internal processes/procedures to communicate the portal terms of use to patients.

  2. Additional Information Via Websites, Brochures, Etc. There are a variety of ways to educate and update patients about a patient portal. For example, providers should consider including a description of the portal and its specific functionalities on the provider’s website. This may include basic tutorials on how to register for and use the portal, frequently asked questions (FAQs) about the portal, descriptions of how the portal can be used to increase patient/provider engagement, and any provider-specific conditions or restrictions that apply to the portal (including access to minors’ records, use of a shared e-mail address by patients, and the availability of sensitive treatment or diagnosis information).

Q: What are some of the security concerns associated with user authentication?

A: Although patient portals are driven by a provider’s Meaningful Use patient engagement requirements, securing and authenticating user access is a critical part of the process. When implementing patient portals, providers will need to continually weigh ease of use against the need for strong authentication standards. Even if a portal only allows patients access to a limited amount of information, there are still security concerns associated with the portal. For example, if patients can only access lists of their current medications and appointment schedules, risk factors are still present. Password strength, multifactor authentication and password reset policies must be considered. Providers must also ensure that their internal servers remain secure, because a breach affecting one patient’s record may affect all patients using the portal.

In studying this issue, the Health IT Policy Committee (the body that makes recommendations to the National Coordinator for Health IT on policy issues related to the HITECH Act electronic health record incentive program) has recommended that authentication of patients accessing their data through a portal needs to be strong but should not be so cumbersome that it deters patients from using the portal. Traditionally, this is accomplished by using two-factor authentication such as issuing a key fob or token to users; however, these methods can be expensive. Other alternatives are emerging, such as sending a text message or automated voice call to a user’s phone when they log on, or using geolocation services to determine whether a user’s phone is located next to the computer being used to sign on.
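The text-message or voice-call second factor described above is, on the server side, a one-time code that must be short-lived, single-use and resistant to guessing. The following Python sketch is an added example written for this advisory; it is not code from the article, from any portal vendor, or from the Health IT Policy Committee. The delivery channel is abstracted as a `send` callable (the SMS or voice gateway is assumed to exist elsewhere), and the five-minute lifetime and five-attempt cap are assumed policy values, not figures from the page.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed policy: discard the challenge after five wrong guesses


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0


class SecondFactor:
    """Issues and verifies one-time codes delivered out of band (SMS or voice call).

    `send(user_id, code)` hands the code to the delivery gateway (hypothetical).
    `clock` is injectable so expiry can be tested without waiting.
    """

    def __init__(self, send, clock=time.time):
        self._send = send
        self._clock = clock
        self._pending: dict[str, Challenge] = {}

    def issue(self, user_id: str) -> None:
        # secrets.choice draws from the OS CSPRNG; random.choice would be guessable.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        # Re-issuing replaces any earlier code, so only the newest one is valid.
        self._pending[user_id] = Challenge(code=code, issued_at=self._clock())
        self._send(user_id, code)

    def verify(self, user_id: str, submitted: str) -> bool:
        challenge = self._pending.get(user_id)
        if challenge is None:
            return False
        # Expired codes are discarded before any comparison takes place.
        if self._clock() - challenge.issued_at > CODE_TTL_SECONDS:
            del self._pending[user_id]
            return False
        challenge.attempts += 1
        # Capping attempts keeps a six-digit code from being exhausted by guessing.
        if challenge.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]
            return False
        # compare_digest avoids leaking how many leading digits matched via timing.
        if hmac.compare_digest(challenge.code.encode(), submitted.encode()):
            del self._pending[user_id]   # single use: a replayed code is rejected
            return True
        return False
```

A login flow would call `issue()` only after the password check succeeds and treat the session as authenticated only when `verify()` returns `True`; the code itself should never be written to application logs.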

The Health Resources and Services Administration offered these patient portal security tips for organizations trying to harmonize accessibility and security:

  1. Implementing a multi-tier architecture that isolates the web, application, and EHR servers behind multiple firewalls.
  2. Designing an appropriate method for provisioning patient accounts on the EHR system. The practice will need a procedure that ensures log-in credentials are in place and delivered to the patient in a secure fashion. It should include an efficient method to reset credentials when the patient requests. Patient credentials should also be coordinated with the provider’s master patient index to safeguard against unauthorized access among similarly named patients.
  3. Implementing an incident detection and response program. A critical aspect of good incident response is actively monitoring the portal for suspicious events, service interruptions, code errors, and general utilization issues. Timely responses to analyze root causes, correct deficiencies, and communicate with the patient population should be considered essential activities.

    Also, because many providers turn to third party vendors for help in deploying their patient portals, providers should ensure that vendors are providing the fundamentals of security – authentication, auditing and integrity checking – within their portal products. Providers should also conduct their own periodic security assessments and architecture reviews of their portals.
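The third HRSA tip above, actively monitoring the portal for suspicious events, is concrete enough to show in code. The following Python example is added here and is not from the advisory, from HRSA, or from any vendor product. It assumes a constructed, hypothetical audit-log format (`timestamp ip=… user=… event=…`, one line per event, in time order) and two sliding-window rules whose thresholds are illustrative: many failed logins from one address spread across several accounts, and a burst of password-reset requests against one account, both of which a portal operator would want to analyze for root cause.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Hypothetical audit-log line format; real portals will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)

# Constructed sample log: a burst of failures across accounts from one address,
# a reset burst on one account, one isolated failure, and one malformed line.
SAMPLE_LOG = """\
2014-09-18T08:00:01Z ip=198.51.100.7 user=p1001 event=login_ok
2014-09-18T08:00:10Z ip=203.0.113.5 user=p1001 event=login_failed
2014-09-18T08:00:12Z ip=203.0.113.5 user=p1002 event=login_failed
2014-09-18T08:00:15Z ip=203.0.113.5 user=p1003 event=login_failed
2014-09-18T08:00:17Z ip=203.0.113.5 user=p1004 event=login_failed
2014-09-18T08:00:20Z ip=203.0.113.5 user=p1005 event=login_failed
2014-09-18T08:05:00Z ip=198.51.100.9 user=p2001 event=password_reset_requested
2014-09-18T08:05:30Z ip=198.51.100.9 user=p2001 event=password_reset_requested
2014-09-18T08:06:00Z ip=198.51.100.9 user=p2001 event=password_reset_requested
2014-09-18T08:30:00Z ip=198.51.100.7 user=p1001 event=login_failed
this line is malformed and is skipped
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped, not fatal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "ip": m["ip"], "user": m["user"], "event": m["event"]}


def detect(lines, window=300, fail_threshold=5, distinct_users=3, reset_threshold=3):
    """Sliding-window rules over time-ordered events; each source alerts at most once."""
    alerts = []
    fails_by_ip = defaultdict(deque)     # ip -> deque of (ts, user) within the window
    resets_by_user = defaultdict(deque)  # user -> deque of ts within the window
    alerted_ips, alerted_users = set(), set()

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue

        if ev["event"] == "login_failed":
            q = fails_by_ip[ev["ip"]]
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:   # drop events outside the window
                q.popleft()
            users = {u for _, u in q}
            # Many failures from one address against several accounts is the
            # pattern worth a human look; one patient mistyping is not.
            if (len(q) >= fail_threshold and len(users) >= distinct_users
                    and ev["ip"] not in alerted_ips):
                alerted_ips.add(ev["ip"])
                alerts.append(("failed_logins_many_accounts", ev["ip"], len(q), len(users)))

        elif ev["event"] == "password_reset_requested":
            q = resets_by_user[ev["user"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= reset_threshold and ev["user"] not in alerted_users:
                alerted_users.add(ev["user"])
                alerts.append(("password_reset_burst", ev["user"], len(q)))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running it against the sample produces one alert for the address that failed five logins across five accounts within ten seconds and one for the account that requested three resets within a minute; the single later failure from the legitimate address stays below threshold. In a deployment the alerts would feed the ticketing or paging process the tip calls for, and the thresholds would be tuned to the portal's real traffic.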

Michael W. Chase

Grayson J. Derrick

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500