Patient Portal Q & A – Part 2
Note: The following questions are the second part in a series about patient portals. For last month’s article on patient portals click here.
Q: How should information about patient portals and the functionalities/capabilities be communicated to patients?
A: Each patient portal is unique in terms of how patients register and access the portal, what treatment and diagnosis information is maintained on the portal, how patients can communicate with providers through the portal, and other specific functionalities/capabilities including scheduling appointments and the availability of third-party educational materials. Most patient portals are developed and maintained by external software vendors. Portal vendors may provide some informational resources for distribution to patients (including paper brochures or sample information about the portal that can be included on a provider’s website). However, there is no one-size-fits-all approach to patient portals, and it is important that providers closely review any documents or templates provided by vendors to ensure the information accurately describes the provider’s specific portal. Providers should also consider the following:
- Additional Information Via Websites, Brochures, Etc. There are a variety of ways to educate and update patients about a patient portal. For example, providers should consider including a description of the portal and its specific functionalities on the provider’s website. This may include basic tutorials on how to register for and use the portal, frequently asked questions (FAQs) about the portal, descriptions of how the portal can be used to increase patient/provider engagement, and any provider-specific conditions or restrictions that apply to the portal (including access to minors’ records, use of a shared e-mail address by patients, and the availability of sensitive treatment or diagnosis information).
Q: What are some of the security concerns associated with user authentication?
A: While patient portals are tied to a provider’s Meaningful Use patient engagement requirements, securing and authenticating user access is a critical part of the process. When implementing patient portals, providers will need to continually weigh ease of use versus the need to ensure strong authentication standards. Even if a portal only allows patients access to a limited amount of information, there are still security concerns associated with the portal. For example, if patients can only access lists of their current medications and appointment schedules, there are still risk factors present. Password strength, multifactor authentication and password reset policies must be considered. Providers must also ensure that their internal servers remain secure, because a breach of one patient’s record may affect all patients using the portal.
In studying this issue, the Health IT Policy Committee (the body that makes recommendations to the National Coordinator for Health IT on policy issues related to the HITECH Act electronic health record incentive program) has recommended that authentication of patients accessing their data through a portal needs to be strong but should not be so cumbersome that it deters patients from using the portal. Traditionally, this is accomplished by using two-factor authentication, such as issuing a key fob or token to users; however, these methods can be expensive. Other alternatives are emerging, such as sending a text message or automated voice call to a user’s phone when they log on, or using geolocation services to determine whether a user’s phone is located next to the computer being used to sign on.
The Health Resources and Services Administration offered these patient portal security tips for organizations trying to harmonize accessibility and security:
- Implementing a multi-tier architecture that isolates the web, application, and EHR servers behind multiple firewalls.
- Designing an appropriate method for provisioning patient accounts on the EHR system. The practice will need a procedure that ensures log-in credentials are in place and delivered to the patient in a secure fashion. It should include an efficient method to reset credentials when the patient requests. Patient credentials should also be coordinated with the provider’s master patient index to safeguard against unauthorized access among similarly named patients.
- Implementing an incident detection and response program. A critical aspect of good incident response is actively monitoring the portal for suspicious events, service interruptions, code errors, and general utilization issues. Timely responses to analyze root causes, correct deficiencies, and communicate with the patient population should be considered essential activities.
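As an added illustration of the monitoring the third tip calls for (this is example code, not part of the article or any HRSA material), the following scans a portal authentication audit log for two suspicious patterns: a burst of failed logins against one patient account, and a successful login from a never-before-seen address shortly after a password reset. The log format, event names and thresholds are assumptions, and the sample lines are constructed.

```python
# Added example (not from the article or HRSA): detection logic over a patient
# portal's authentication audit log. Flags a burst of failed logins against one
# account and a login from an unfamiliar address right after a password reset.
# Log format, event names and thresholds are assumptions for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: "<ISO timestamp> <event> <patient_id> <src_ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 login_success P1001 10.0.0.5
2024-03-01T08:02:10 login_failed P2002 198.51.100.7
2024-03-01T08:02:14 login_failed P2002 198.51.100.7
2024-03-01T08:02:19 login_failed P2002 198.51.100.7
2024-03-01T08:02:25 login_failed P2002 198.51.100.7
2024-03-01T08:02:31 login_failed P2002 198.51.100.7
2024-03-01T09:15:00 password_reset P1001 203.0.113.9
2024-03-01T09:16:30 login_success P1001 203.0.113.9
"""

def parse(log_text):
    """Parse audit lines into (timestamp, event, patient_id, src_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, event, patient, ip = line.split()
        events.append((datetime.fromisoformat(ts), event, patient, ip))
    return events

def find_suspicious(log_text, fail_threshold=5, window=timedelta(minutes=5)):
    """Return a list of (patient_id, reason) findings in log order."""
    findings = []
    failures = defaultdict(list)   # patient -> timestamps of recent failed logins
    known_ips = defaultdict(set)   # patient -> addresses seen on successful logins
    last_reset = {}                # patient -> time of the most recent password reset
    for ts, event, patient, ip in parse(log_text):
        if event == "login_failed":
            recent = [t for t in failures[patient] if ts - t <= window] + [ts]
            failures[patient] = recent
            if len(recent) >= fail_threshold:
                findings.append((patient, "failed_login_burst"))
                failures[patient] = []   # one finding per burst
        elif event == "password_reset":
            last_reset[patient] = ts
        elif event == "login_success":
            reset_at = last_reset.get(patient)
            if reset_at and ts - reset_at <= window and ip not in known_ips[patient]:
                findings.append((patient, "login_from_new_ip_after_reset"))
            known_ips[patient].add(ip)
    return findings
```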
Also, because many providers turn to third-party vendors for help in deploying their patient portals, providers should ensure that vendors are providing the fundamentals of security – authentication, auditing and integrity checking – within their portal products. Providers should also conduct their own periodic security assessments and architecture reviews of their portals.