The Health Insurance Portability and Accountability Act (HIPAA) protects patients’ privacy by limiting access to PHI (Protected Health Information) and governing acceptable use of their health data. The HIPAA Privacy Rule is composed of national regulations for the use and disclosure of PHI in healthcare treatment, payment, and operations by covered entities.
What Is A HIPAA Patient Portal?
A HIPAA Patient Portal is a form of patient engagement in which health care providers can share information with a patient. If said information includes PHI and medical records, the patient portal must be HIPAA compliant.
Must I Have A HIPAA Patient Portal?
If you have a patient portal developed, provided by, or on behalf of a covered entity (health plan, healthcare clearinghouses, or healthcare providers), it must be HIPAA compliant.
If you are a business associate that stores, collects, processes, or transmits PHI on behalf of covered entities, your patient portal must be HIPAA compliant.
What Information Does HIPAA Protect?
Protected Health Information (PHI) is any information that is held by a covered entity regarding a patient’s health status, provision of health care, or health care payment.
There are 18 PHI Identifiers:
All geographical subdivisions smaller than a State
All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and more.
Electronic mail addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address
Biometric identifiers, including finger and voiceprints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
Tips For Offering A HIPAA Compliant Patient Portal
Never Store Protected Health Information (PHI) on a mobile phone.
HIPAA compliant messaging requires you to exclude PHI from SMS, email, push, and IVR notifications. If you do include PHI in a notification, have your patients accept terms and conditions that permit you to use limited PHI in your notifications, and clearly define what PHI is included.
When working with a web design, hosting company, patient portal vendor, or healthcare app development company, always get a BAA (Business Associate Agreement). A BAA shares the responsibility for all patient information that is received by the company or handled by the patient portal they build.
Ensure a HIPAA expert audits the final patient portal.
Have your terms and conditions created/reviewed by an attorney that specializes in HIPAA law.
Require patients to log in each time they access PHI, with a 30-minute auto-logout. To make the patient portal more convenient and user-friendly, consider using face or fingerprint recognition for logins.
Conduct regular risk assessments. Also, regularly review records of system activity, including audit logs, access reports, and security incident tracking reports.
Maintain ePHI (electronic protected health information) integrity requirements by implementing information systems that provide features or processes for automatically checking data integrity. Examples are checksum verification and digital signatures, together with electronic mechanisms that confirm ePHI has not been altered.
Implement policies and procedures to protect ePHI from improper alteration or destruction.
Access controls must include unique user identification, emergency access procedure, and automatic logoff.
According to HIPAA, the information in a medical patient portal should be encrypted at all times – at rest and in transit.
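The integrity tip above names two mechanisms, checksums and digital signatures, without showing what each one actually catches. The following is an added example (not Bridge code, and not prescribed by HIPAA) that stores a constructed sample record with both an unkeyed SHA-256 checksum and a keyed HMAC-SHA256 tag, which stands in for a digital signature. It then simulates two failure modes: accidental corruption, which both mechanisms detect, and a deliberate edit by someone who can recompute the unkeyed checksum but does not hold the key, which only the keyed tag detects. The record fields and the key are constructed for the example.

```python
"""Added example: integrity protection for an ePHI record (not Bridge code).

Contrasts an unkeyed checksum with a keyed integrity tag (HMAC-SHA256, a
stand-in for a digital signature). Record fields and key are constructed.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample record; a real portal would load it from its database.
RECORD = {
    "mrn": "MRN-000123",          # constructed medical record number
    "patient": "J. Doe",
    "allergies": ["penicillin"],
    "last_visit": "2023-01-15",
}

# Constructed key; in production this comes from a KMS/HSM, never the code.
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so equal content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed SHA-256: detects bit rot, but anyone can recompute it."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def integrity_tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed HMAC-SHA256: only a key holder can produce a matching tag."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_tag(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison so the check does not leak the tag byte by byte."""
    return hmac.compare_digest(integrity_tag(record, key), tag)


def store(record: dict) -> dict:
    """What the database row would hold: the record plus both integrity values."""
    return {"record": record, "checksum": checksum(record), "tag": integrity_tag(record)}


def verify_stored(entry: dict) -> dict:
    """Recompute both values on read and report which ones still match."""
    rec = entry["record"]
    return {
        "checksum_ok": checksum(rec) == entry["checksum"],
        "tag_ok": verify_tag(rec, entry["tag"]),
    }


def tamper_demo() -> dict:
    """Store a record, then simulate accidental corruption and a deliberate edit."""
    entry = store(RECORD)
    clean = verify_stored(entry)

    # 1. Accidental corruption: the stored record changes, nothing else does.
    corrupted = dict(entry, record=dict(RECORD, allergies=[]))

    # 2. Deliberate edit without the key: the editor rewrites the record and
    #    recomputes the unkeyed checksum, but cannot forge the HMAC.
    edited_record = dict(RECORD, allergies=["none"])
    edited = dict(entry, record=edited_record, checksum=checksum(edited_record))

    return {
        "clean": clean,
        "corrupted": verify_stored(corrupted),
        "edited": verify_stored(edited),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:10s} {result}")
```

The design point is that a checksum alone satisfies "automatically checking data integrity" only against accidents; protecting ePHI "from improper alteration" needs a value the writer cannot recompute, which is what a key (or a private signing key) provides.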
What Are The Penalties For Not Being HIPAA Compliant?
There are several levels of violations based on what a covered entity did or didn’t do.
A covered entity that did not know and could not have reasonably known of an ePHI breach could be fined $100-$50,000 per incident and up to $1.5 Million.
A covered entity that “knew,” or by exercising reasonable diligence would have known of an ePHI breach but didn’t act with willful neglect could be fined $1000-$50,000 per incident and up to $1.5 Million.
A covered entity that acted with willful neglect and corrected the problem within 30 days could be fined $10,000-$50,000 per incident and up to $1.5 Million.
A covered entity that acted with willful neglect and failed to make a timely correction could be fined $50,000 per incident and up to $1.5 Million.
More and more health organizations are implementing publicly-exposed web technologies containing Protected Health Information (PHI), which are subject to the laws of HIPAA. Common examples of such systems include Electronic Health Record (EHR) systems, web portals, patient portal software, and mHealth solutions. When those systems become integrated, PHI must travel from one platform to the other, exposing the systems to considerable risk not only in transmission but also because the systems themselves are reachable from the public internet. In these situations, ensuring that HIPAA regulations are met has become crucial.
Here are three things about HIPAA that you probably didn’t know:
1. There is no such thing as HIPAA certified hosting
While HIPAA compliant cloud hosting is just a part of achieving HIPAA compliance, it is one of the more challenging aspects of HIPAA compliance. Software-as-a-Service (SaaS) applications and cloud hosting solutions are becoming the norm in healthcare. Both have lower upfront costs for healthcare organizations and require less maintenance. While many hosting providers and software vendors claim to provide HIPAA-certified solutions, the truth is that there is no such thing as a HIPAA certification – not for hosting companies, providers, or any other type of organization.
The Health Insurance Portability and Accountability Act is a set of rules and best practices. HIPAA makes little reference to technical specifications required for hardware, software or security, and it definitely doesn’t have a certifying government body.
It is possible, however, to be HIPAA compliant or to seek certifications that encompass the laws of HIPAA or other laws with a similar scope. Examples of these include HITRUST and EHNAC or SOC 2 certifications. James Deck, CEO of Med Tech Solutions, a provider of HIPAA compliant cloud hosting services, explains that “EHNAC accreditation gives our customers the assurance that we are HIPAA compliant”. While these certifications or HIPAA audit services are a great practice for companies that specialize in hosting, they aren’t required for health organizations. James further explains that “Moving to the cloud doesn’t reduce your risk and the cloud alone isn’t necessarily HIPAA compliant. Hosting companies must provide a suite of services on top of their cloud hosting to achieve HIPAA compliance.” Companies can adhere to HIPAA regulations, put safeguards in place to ensure that policies are being met, and have the proper documentation to ensure compliance (e.g. a signed Business Associate Agreement).
2. Contact Us and Intake forms are permitted on websites
Website forms offer an easy and convenient way for patients to communicate with office staff – whether it is to schedule an appointment, complete an intake form, or to ask a general question. They are also one of the most vulnerable sections of any healthcare website because patient information is collected and inevitably transmitted online.
Despite the risks associated with contact and intake forms, they are allowed on medical websites as long as the necessary steps are taken to safeguard PHI (e.g. name, phone number and medical information), which is protected by HIPAA. What you need to do is make sure that your website properly deploys a TLS certificate (still commonly called an SSL certificate), so that information sent from the user’s browser to your web server is encrypted in transit. In addition to ensuring that the form submission is encrypted, you will want to make sure that the forms are transmitted, accessed and viewed by office staff in a secure way, such as through a HIPAA-compliant email service. It is also recommended to provide a disclaimer and clear instructions for how the form should be used, essentially releasing the healthcare organization from liability for the transmission of PHI through the form.
If you’re unsure about the security of your online forms, the best advice is to consult a HIPAA expert. They can check your website for compliance and provide best practices for medical website security. In the meantime, you may choose to add a disclaimer to your website asking patients not to enter health information in any form. Instead, they can call your office with specific medical questions, or you can direct them to your patient portal.
3. Emailing patients is okay, even if the email on their end is unencrypted
The first thing that you need to know about HIPAA compliant messaging and HIPAA compliant email communication with patients is that HIPAA provides very few specific guidelines about what is acceptable and what isn’t when it comes to electronic messaging. One important thing that we do know is that “the Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”
Many providers think that using encrypted email is enough of a precaution; however, that is incorrect. Even though your hospital or practice encrypts its end of the email transport, there is no way to ensure that the communication is secure once it leaves your organization’s server. Still, this doesn’t mean that emailing patients is off the table.
Communicating with patients via email is perfectly acceptable as long as the patient requests to be contacted by email and is advised of the risks, ideally signing (or clicking) an opt-in agreement. Just make sure that you document the patient’s approval for your protection and are using a secure email system on your end.
For more information about HIPAA compliance best practices and how a patient portal helps make HIPAA secure messaging easy, contact a Bridge Patient Portal sales representative.
Healthcare authorities are implementing new laws to boost interoperability within healthcare organizations and give patients more control over and access to their personal health information. With this new sharing model, healthcare organizations and IT vendors must implement stricter patient portal security measures to protect valuable patient information. Healthcare data is an increasingly popular target for attackers, who keep refining their techniques to reach this valuable and sensitive information.
As a result, the increased sharing of patient data has led to the demand for secure patient portals and mobile apps, which can serve as effective tools for secure patient-provider data exchange, communication, and care management. While patient portals allow information to be accessed and shared conveniently, healthcare organizations should be aware that there are several patient portal privacy and security issues. It’s the responsibility of the healthcare organization to ensure individual health information is kept private and secure.
Features required for patient portal security
Here we look at what features are required for patient portal security, and the protection and confidentiality of collected health information.
Encrypted database features. Encryption converts the original message or information into ciphertext, so that data can be transmitted or stored securely and read only by authorized persons. The probability that anyone other than the authorized party could decrypt the ciphertext back into readable information is very low. It is best to use the industry-standard AES-256 encryption to keep data secure at rest, and TLS v1.2 or v1.3 with a robust cipher suite (following NIST recommendations) for data in transit.
Provide Role-Based Access Control (RBAC). Regulate who has access to specific information based on the role of each employee or user within the organization. For example, administrative staff may not need to see the same information and data as nursing staff. Consider what information each employee needs and grant access to the specific areas as required. RBAC is also an important concern for patient-authorized representatives or proxy accounts. Having proxy patient portal access that appropriately manages dependent accounts (e.g. a parent managing their child’s account) is a growing concern for healthcare organizations as patient portal adoption rates increase. 45% of the hospitals in the US do not offer proxy patient portal access.
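The paragraph above describes RBAC in terms of staff roles and then raises proxy access as a separate concern. The following is an added example, not code from Bridge Patient Portal, showing how the two fit together: roles grant permissions on resource types, patients are bound to their own record, and proxy (representative) access is an explicit, per-dependent link rather than a role that sees every patient. All roles, permissions, user ids and patient ids are constructed sample data.

```python
"""Added example: role-based access control with proxy accounts (not Bridge code).

Roles map to permissions; patients and proxies are additionally bound to
specific patient records. All identifiers below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

# Role -> permissions. Each role gets only what its job needs (constructed).
ROLE_PERMISSIONS = {
    "patient":    {"read:own_record", "send:message", "pay:bill"},
    "proxy":      {"read:dependent_record", "send:message", "pay:bill"},
    "front_desk": {"read:demographics", "write:appointments"},
    "nurse":      {"read:clinical", "write:vitals"},
    "physician":  {"read:clinical", "write:clinical", "write:orders"},
}

# Which permission a staff member needs to open each resource type.
STAFF_RESOURCE_PERMISSION = {
    "demographics": "read:demographics",
    "clinical_note": "read:clinical",
}

# Proxy user id -> dependent patient ids the proxy is authorized for
# (e.g. a parent managing a child's account). Constructed sample data.
PROXIES = {"u-parent": {"p-child"}}


@dataclass
class User:
    user_id: str
    roles: Set[str] = field(default_factory=set)
    patient_id: Optional[str] = None   # set only for patient accounts


def permissions(user: User) -> Set[str]:
    """Union of the permissions of every role the user holds."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can_read_patient(user: User, patient_id: str, resource: str) -> bool:
    """Decide whether `user` may read `resource` belonging to `patient_id`."""
    perms = permissions(user)

    # A patient may read their own record, whatever the resource type.
    if user.patient_id == patient_id and "read:own_record" in perms:
        return True

    # A proxy may read only dependents explicitly linked to them.
    if patient_id in PROXIES.get(user.user_id, set()) and "read:dependent_record" in perms:
        return True

    # Staff access depends on the resource type, not on the patient.
    needed = STAFF_RESOURCE_PERMISSION.get(resource)
    return needed is not None and needed in perms


if __name__ == "__main__":
    parent = User("u-parent", {"proxy"})
    clerk = User("u-fd", {"front_desk"})
    print("parent -> child note:", can_read_patient(parent, "p-child", "clinical_note"))
    print("parent -> other note:", can_read_patient(parent, "p-other", "clinical_note"))
    print("clerk -> clinical note:", can_read_patient(clerk, "p-1", "clinical_note"))
```

Staff decisions here are deliberately role-only; whether a clinician actually has a care relationship with the patient is the kind of question the audit trail review below is for, since RBAC on its own cannot express it without a per-patient assignment table.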
Extensive password protection and MFA (multi-factor authentication). Your HIPAA patient portal should require a password to access the system, and again after a period of inactivity of 30 minutes. If a password is entered incorrectly too many times, it should lock the user account. Ensure that all employee (user) passwords follow NIST recommendations and are reset every 60 to 90 days. More robust validation can be applied with multi-factor authentication. Bridge Patient Portal, for example, supports SMS-based two-factor authentication for password resets and account registration. The patient portal sends an SMS message to a mobile phone with a time-sensitive security code to complete the patient portal security registration or password reset. Keeping a secure password can be a complicated procedure, which is why some secure patient portals offer biometric authentication (fingerprint and facial recognition) to provide patients with a quick, secure, and frictionless experience when accessing health information.
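The 30-minute auto-logoff (recommended in the tips earlier on this page and again here) and the lockout after too many wrong passwords are simple to state but easy to get subtly wrong, for example by timing out from login rather than from last activity. The following is an added example, not Bridge code, of a small authentication service that implements both: salted PBKDF2 password hashing, lockout after a threshold of failures, and sessions that expire after 30 minutes of inactivity. The lockout threshold and duration are constructed choices; the clock is injectable so the behaviour can be exercised without waiting.

```python
"""Added example: inactivity auto-logoff and failed-login lockout (not Bridge code).

The 30-minute idle timeout follows the article; MAX_FAILED_ATTEMPTS and
LOCKOUT_S are constructed values. The clock is injected for testability.
"""
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT_S = 30 * 60       # 30 minutes of inactivity ends the session
MAX_FAILED_ATTEMPTS = 5        # constructed lockout threshold
LOCKOUT_S = 15 * 60            # constructed lockout duration


def hash_password(password: str, salt: bytes = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}      # user_id -> (salt, digest)
        self.failures = {}   # user_id -> (failed_count, locked_until)
        self.sessions = {}   # token -> (user_id, last_seen)

    def register(self, user_id: str, password: str) -> None:
        self.users[user_id] = hash_password(password)

    def login(self, user_id: str, password: str):
        """Return a session token, or None if credentials fail or the account is locked."""
        now = self.clock()
        count, locked_until = self.failures.get(user_id, (0, 0.0))
        if now < locked_until:
            return None                      # locked: do not even check the password
        stored = self.users.get(user_id)
        if stored is None:
            return self._fail(user_id, count, now)   # unknown user counts as a failure
        salt, digest = stored
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, digest):
            return self._fail(user_id, count, now)
        self.failures.pop(user_id, None)     # success clears the failure counter
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user_id, now)
        return token

    def _fail(self, user_id: str, count: int, now: float):
        count += 1
        locked_until = now + LOCKOUT_S if count >= MAX_FAILED_ATTEMPTS else 0.0
        self.failures[user_id] = (count, locked_until)
        return None

    def is_locked(self, user_id: str) -> bool:
        _, locked_until = self.failures.get(user_id, (0, 0.0))
        return self.clock() < locked_until

    def touch(self, token: str):
        """Validate the session on every request; expire it after IDLE_TIMEOUT_S idle.

        The timer restarts on each successful request, so the timeout
        measures inactivity rather than total session age.
        """
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user_id, last_seen = entry
        now = self.clock()
        if now - last_seen > IDLE_TIMEOUT_S:
            del self.sessions[token]         # auto-logoff
            return None
        self.sessions[token] = (user_id, now)
        return user_id


if __name__ == "__main__":
    svc = AuthService()
    svc.register("demo", "correct horse battery staple")
    print("bad password ->", svc.login("demo", "wrong"))
    print("good password ->", bool(svc.login("demo", "correct horse battery staple")))
```

Two details worth noting: the lockout check happens before the password is verified, so a locked account is never brute-forced during the lockout window, and a successful login clears the failure counter so legitimate users are not locked out by stale counts.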
Audit Trails. It’s crucial to establish an audit trail that records key activities and conduct periodic reviews to reduce the risk associated with inappropriate access and violations against HIPAA rules. Robust training, policies, and agreements should also be in place for all staff members with patient portal access to ensure patient portal security.
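An audit trail is only useful if it cannot be quietly edited and if someone actually reviews it. The following is an added example, not Bridge code, of both halves: an append-only trail in which each entry carries a hash chained to the previous one, so that deleting or altering a past entry breaks the chain, and a review pass that flags record reads by staff who are not on the patient's care team. The care-team table and the log entries are constructed samples; real portals would draw both from their own systems.

```python
"""Added example: hash-chained audit trail plus a periodic access review (not Bridge code).

CARE_TEAM and the sample log entries are constructed data for the example.
"""
import hashlib
import json

# Constructed care-team table: patient id -> staff user ids who treat them.
CARE_TEAM = {"p-1": {"dr-a", "rn-b"}, "p-2": {"dr-c"}}

GENESIS = "0" * 64   # "previous hash" of the very first entry


class AuditTrail:
    def __init__(self):
        self.entries = []

    def record(self, ts: str, user: str, action: str, patient: str) -> None:
        """Append an entry whose hash covers its fields and the previous hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": ts, "user": user, "action": action, "patient": patient, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify_chain(self) -> int:
        """Return the index of the first broken entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def review(trail: AuditTrail, care_team=CARE_TEAM):
    """Flag staff reads of patients outside the reader's care team.

    This is the "periodic review" step: the access may have been permitted
    by RBAC, but a clinician with no treatment relationship is worth a look.
    """
    flagged = []
    for e in trail.entries:
        if e["action"] == "read" and e["user"] not in care_team.get(e["patient"], set()):
            flagged.append((e["ts"], e["user"], e["patient"]))
    return flagged


def sample_trail() -> AuditTrail:
    """Constructed sample activity, including one out-of-team read."""
    t = AuditTrail()
    t.record("2023-01-15T09:00:00Z", "dr-a", "read", "p-1")
    t.record("2023-01-15T09:05:00Z", "rn-b", "read", "p-1")
    t.record("2023-01-15T22:40:00Z", "dr-c", "read", "p-1")   # dr-c is not on p-1's team
    t.record("2023-01-16T08:00:00Z", "dr-c", "read", "p-2")
    return t


if __name__ == "__main__":
    trail = sample_trail()
    print("chain intact:", trail.verify_chain() == -1)
    print("flagged reads:", review(trail))
    trail.entries[2]["user"] = "dr-a"       # rewrite history to hide the read
    print("first broken entry after edit:", trail.verify_chain())
```

Chaining makes tampering detectable but not impossible; the trail still needs to be written to storage the application users cannot modify, with the latest hash periodically copied somewhere independent so a wholesale rewrite of the chain is also caught.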
Consent. Your secure patient portal should store, display, and print patient consent forms. The most critical consent form is an opt-in agreement where a patient understands and agrees to the risks associated with the inevitably insecure patient-provider communication.
Meet federal and state laws with regard to privacy and security. Follow the regulations set by healthcare authorities such as the Office for Civil Rights (OCR) and Health & Human Services (HHS) with regard to laws such as ADA, HIPAA, and CCPA.
PCI Compliance. HIPAA compliant bill pay requires that patient credit card details not be transmitted or stored unless your clinic complies with the PCI Security Standards Council’s requirements, which keep the patient’s payment card data secure.
Bridge is ONC 2015 Edition Certified and adheres to strict HIPAA and patient portal security protocols. Learn more about how Bridge implements compliance and security for its secure patient portal solution as well as its customers.