8 Security Features You Need in a Patient Portal
Secure patient portals have become a very effective tool for communicating with consumers and enhancing the level of patient care. They make information faster and easier to access than ever, yet practices remain responsible for keeping individuals' health information private and secure.
To successfully demonstrate Meaningful Use (MU), a practice must meet 15 core objectives (established by CMS, the Centers for Medicare & Medicaid Services), and a large part of this is meeting the HIPAA privacy and security regulations.
Here, we look at what security features your patient portal should have to stay HIPAA-compliant and to protect the confidentiality and availability of the health information you keep.
1. Meet federal MU privacy and security requirements. In order to meet federal MACRA privacy and security requirements for the exchange of information between providers and with patients, eligible providers must use Certified Electronic Health Record Technology (CEHRT). More information on EHR requirements for MACRA can be found on the HealthIT Website or by watching this video: MACRA Quality Payment Program: An Explainer.
2. Encrypted database features. Encrypting patient data protects it wherever it travels or is stored, including in the case of theft or interception, and allows it to be transmitted securely. Encryption converts the original message or information into encoded text that only authorized persons can read. There is a very low probability that anyone other than the receiving party (who has the code or access to a further confidential process) could decrypt the encrypted text and convert it into plain, comprehensible information. It is best to use 256-bit encryption. HIPAA does not require encryption, but it is strongly recommended. If an organization deems encryption not reasonable or appropriate, it must be able to document the rationale for this decision.
3. Provide Role-Based Access Control (RBAC). Regulate who has access to specific information based on the role of each employee or user within the organization. For example, administrative staff may not need to see the same information and data as nursing staff. Consider what information each employee needs and grant access only to those specific areas. RBAC is also an important concern for patient-authorized representatives, or proxy accounts. Having a patient portal that properly manages dependent or spouse accounts is a growing concern for healthcare organizations as patient portal adoption rates increase.
4. Extensive password protection. Your HIPAA patient portal should require a password to access the system, and again after a period of inactivity. If a password is entered incorrectly too many times, the portal should lock the user account. Ensure that all employees' (users') passwords are complex (with alpha, numeric and special characters) and are reset every 60 days. You can further validate users with additional security questions (such as place of birth). Even more robust validation can be applied with two-factor authentication, where the EHR can send an SMS message to a mobile phone, for example, with a security code to complete the user set-up and EHR access.
5. Audit Trails. Audit trails log and record key activities. It’s important to establish them and conduct periodic reviews to reduce the risk associated with inappropriate access and violations of HIPAA rules, whilst establishing a culture of responsibility and accountability. Robust training, policies and agreements should also be in place for all staff members with patient portal access.
6. Consent. Your HIPAA Patient Portal should store, display and print patient consent forms. The most important consent form is an opt-in agreement in which a patient understands and agrees to the risks associated with the inevitably insecure patient-provider communication.
8. PCI Compliance. If a patient submits credit card details, a fundamental part of online patient bill pay systems, they should not be stored by the portal or EHR unless your clinic complies with the PCI Security Standards Council standards, which keep customers’ payment card data secure.
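An added example (not from the original article or from any portal vendor) showing how items 3 and 5 fit together: a deny-by-default access check that covers staff roles, patients and proxy accounts, and writes an audit record for every decision. The role names, data categories and the `ProxyGrant` and `AccessControl` classes are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role-to-category map; role and category names are assumptions.
ROLE_PERMISSIONS = {
    "admin_staff": {"demographics", "billing"},
    "nurse": {"demographics", "medications", "lab_results"},
}

@dataclass
class ProxyGrant:
    """Patient-authorized representative: who may act for whom, on what, until when."""
    proxy_id: str
    patient_id: str
    categories: frozenset
    expires: datetime

@dataclass
class AccessControl:
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def check(self, user_id, role, patient_id, category, now=None):
        now = now or datetime.now(timezone.utc)
        if role == "patient":
            # A patient may open only their own record.
            allowed, basis = user_id == patient_id, "self"
        elif role == "proxy":
            # A proxy needs an unexpired grant for this patient and category.
            allowed = any(
                g.proxy_id == user_id and g.patient_id == patient_id
                and category in g.categories and now < g.expires
                for g in self.grants
            )
            basis = "proxy_grant"
        else:
            # Staff: deny by default; unknown roles have no permissions.
            allowed = category in ROLE_PERMISSIONS.get(role, set())
            basis = "role"
        # Log every decision, allowed or denied, for periodic review.
        self.audit_log.append({
            "time": now.isoformat(), "user": user_id, "role": role,
            "patient": patient_id, "category": category,
            "basis": basis, "allowed": allowed,
        })
        return allowed
```

Denied attempts are logged alongside granted ones, because the periodic review described in item 5 depends on seeing both.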