About Kirsty Watson

Internal Marketing Specialist

Here are my most recent posts

Is Your Healthcare Patient Portal HIPAA Compliant?

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) protects patients’ privacy by limiting access to PHI (Protected Health Information) and governing acceptable use of their health data. The HIPAA Privacy Rule is composed of national regulations for the use and disclosure of PHI in healthcare treatment, payment, and operations by covered entities.

What Is A HIPAA Patient Portal?

A HIPAA Patient Portal is a form of patient engagement in which health care providers can share information with a patient. If said information includes PHI and medical records, the patient portal must be HIPAA compliant.    

Must I Have A HIPAA Patient Portal?

  • If you have a patient portal developed, provided by, or on behalf of a covered entity (health plan, healthcare clearinghouses, or healthcare providers), it must be HIPAA compliant.
  • If you are a business associate that stores, collects, processes, or transmits PHI on behalf of covered entities, your patient portal must be HIPAA compliant.

What Information Does HIPAA Protect?

Protected Health Information (PHI) is any information that is held by a covered entity regarding a patient’s health status, provision of health care, or health care payment.

There are 18 PHI Identifiers:

  1. Names
  2. All geographical subdivisions smaller than a State
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and more.
  4. Phone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address
  16. Biometric identifiers, including finger and voiceprints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

Tips For Offering A HIPAA Compliant Patient Portal

  • Never Store Protected Health Information (PHI) on a mobile phone.
  • HIPAA compliant messaging requires you to exclude PHI in an SMS, email, push, or IVR notification. If you do include PHI in a notification, have your patients accept terms and conditions which permit you to use limited PHI in your notifications, clearly defining what PHI is included.
  • Always use a HIPAA-Compliant Hosting Service.
  • When working with a web design, hosting company, patient portal vendor, or healthcare app development company, always get a BAA (Business Associate Agreement). A BAA shares the responsibility for all patient information that is received by the company or handled by the patient portal they build.
  • Ensure a HIPAA expert audits the final patient portal. 
  • Have your terms and conditions created/reviewed by an attorney that specializes in HIPAA law.
  • Require patients to log in each time to access PHI, with a 30-minute auto-logout. To make the patient portal more convenient and user-friendly, consider using face or fingerprint recognition for logins.
  • Conduct regular risk assessments. Also, regularly review records of system activity, including audit logs, access reports, and security incident tracking reports.
  • Meet ePHI (electronic protected health information) integrity requirements by implementing information systems that provide features or processes for automatically checking data integrity, such as checksum verification or digital signatures, and by providing electronic mechanisms to ensure the integrity of ePHI.
  • Implement policies and procedures to protect ePHI from improper alteration or destruction.
  • Access controls must include unique user identification, emergency access procedure, and automatic logoff.
  • According to HIPAA, the information in a medical patient portal should be encrypted at all times – at rest and in transit.

What Are The Penalties For Not Being HIPAA Compliant? 

There are several levels of violations based on what a covered entity did or didn’t do.

  • A covered entity that did not know and could not have reasonably known of an ePHI breach could be fined $100-$50,000 per incident and up to $1.5 Million.
  • A covered entity that “knew,” or by exercising reasonable diligence would have known, of an ePHI breach but didn’t act with willful neglect could be fined $1,000-$50,000 per incident and up to $1.5 Million.
  • A covered entity that acted with willful neglect and corrected the problem within 30 days could be fined $10,000-$50,000 per incident and up to $1.5 Million.
  • A covered entity that acted with willful neglect and failed to make a timely correction could be fined $50,000 per incident and up to $1.5 Million.

 

As you can see, being HIPAA compliant is extremely important and very costly if disregarded. Offer your patients a HIPAA compliant patient portal with Bridge Patient Portal.

How Bridge Patient Portal Can Help You Meet Patient Needs During COVID-19

Bridge Patient Portal is an important part of how our clients communicate with their patients. At Bridge, we think it’s important to share ways that Bridge Patient Portal can be used to help our clients meet their patients’ needs during this challenging time.

The Bridge team is available to help with any of the below items, AT NO COST, as part of our commitment to providing our clients the highest level of support in these situations.

In-Portal Alerts

Throughout Bridge, clients are able to place an “Alert Message” (see the images below) to help educate patients on any changes taking place with a client.

Homepage Alert Message:

 

Appointments Alert Message:

 

Messages Alert Message:

 

There is also a “Custom Widget” which can be placed on the portal home page to provide detailed information, such as links to external resources (e.g., CDC), symptom information, visit/scheduling protocol, etc.

 

Mass Messaging (SMS & Email)

In the Bridge admin panel, clients can filter patients by many different criteria (e.g., age, provider, active portal account) and then type in a message to be sent to all patients meeting the filter criteria. The message can be sent in an SMS or Email format.

Automated Pre/Post Visit Messages

Using the Bridge admin panel, clients can create automated email notifications to be sent before and/or after a certain appointment type. This could be used, for example, to educate patients on a new visit policy.

Telemedicine

Bridge is committed to fully developing its telemedicine solution in 2020. This has been many years in the making as the Bridge team has carefully watched the telemedicine market for trends, new innovations, and standout vendors. We will be working closely with our clients in the coming months to evaluate the best course of action for our telemedicine solution and explore partnerships with industry-leading vendors.

In the meantime, there are many features in Bridge to help our clients facilitate telemedicine encounters and online communication with their patients.

  1. Secure Patient-Provider Messaging – Bridge supports secure messaging between patients and providers, which can also be delegated to a provider’s team. Interface permitting, messages can be received and replied to in the provider’s EHR. Many questions can be answered in this way, and for providers already using patient-provider messaging, this is the most commonly used feature in the portal. It is worth educating patients that this is a reliable way to communicate with the provider for non-emergent questions, and especially defining the protocol for when a message should be sent to a provider. This protocol can be shared with the patient in the messaging feature, using the “Alert Message” feature.
  2. Telemedicine Appointment Scheduling – Bridge offers appointment requests and self-scheduling functionality. Depending on the telemedicine program of a particular client, different options are available for helping patients schedule a telemedicine appointment. First, a telemedicine appointment type can be created, which would then allow better organization of provider schedules. If self-scheduling is already in use, a protocol that manages the times at which, and the providers with whom, a telemedicine appointment can be scheduled can be created in Bridge. Again, using the “Alert Message” feature, clients can educate their patients on how to schedule a telemedicine appointment.
  3. Facilitating Video Conferencing – Once an appointment is scheduled, a message can be sent to the patient with a link to the video conference. Whichever video conferencing solution is used, it’s important that it meets HIPAA requirements. (Improving this functionality is where Bridge will be investing most of its efforts in 2020.)

DISCLAIMER: Client environments and the capabilities of their environments can vary. Some functionality may not be available in certain environments. Please speak with a Bridge client manager to learn more.
