Patient portal proxy access allows caregivers or legal guardians to access their dependents’ patient portals. Studies have shown that patients generally saw benefits once caregivers had access to the information and functions within their patient portal, such as health literacy assistance and help in the time of medical emergencies. Proxy patient portal access is most commonly used in these scenarios:
A parent accessing their son or daughter’s patient portal account
A son or daughter accessing their elderly parent’s patient portal account
A nurse or caretaker accessing their patient’s account, when that nurse or caretaker is not affiliated with the healthcare organization providing the patient portal account
A husband or wife accessing their significant other’s patient portal account
“Parents are amongst the most active patient portal users. Therefore, providing parents with the ability to manage their children’s care from a patient portal or mobile app easily is an incredibly powerful feature,” explains John Deutsch, founder and CEO of Bridge Patient Portal. Patient portal systems can help caregivers better manage care for the patient. However, patients have shown concern about providing caregivers with information regarding stigmatized conditions and financial billing information.
Providing proxy portal access impacts a patient’s privacy and security in multiple ways.
Proxy portal access promotes better healthcare for minors, the elderly, and others that may struggle to manage their health independently, without infringing on privacy. Everyone has the right to privacy and the right to withhold information they consider sensitive. In one study, almost half of US hospitals failed to protect their patients’ data as they endorsed the sharing of login credentials. The sharing of login credentials should be against hospital policy and may invalidate the solution as being a HIPAA compliant patient portal.
Track Changes Made Within The Portal
Logging in as the patient allows third-parties full access to the healthcare portal and the ability to make changes on behalf of the patient. Healthcare organizations often assume incorrectly that these requests/changes are being made by the patient. This makes it difficult to track the true identity of the person making changes in the portal, as it may appear that those changes have been authorized by the patient.
Prevent Patients’ From Being Locked Out
The sharing of login details can result in patients being locked out of their own account. Losing access is not always due to malicious intent as caregivers may lock patients out of the portal by mistake. Secure software has protocols in place to flag suspicious activity such as multiple active logins, logins from unknown devices, or too many failed logins.
Honor Age Of Majority Laws
The sharing of login details allows for permanent access unless the patient changes their password. This may prove to be an issue when children become legal adults, but their parents still have access to their health information, or in any situation where a patient would like to revoke access. The patient portal proxy access should support state-specific age of majority laws so that once the child reaches the age of majority, the parent or guardian access to the dependent’s portal is automatically unlinked.
Stop Security Breaches
With regards to patient portal security, research has shown that people often use similar passwords across multiple systems; patients may not be aware that they are opening themselves to a massive security risk by using just one password.
Limit The Amount Of Access
Patient portal caregiver access is vital to our most at-risk population. The best solution would allow patients to give access to caregivers at a level they deem appropriate. Patient portals should provide patients with a default proxy account configuration that includes access to most information and functions, but requires an opt-in for the complete medical record, billing, and insurance information. Portals could also provide a simple checklist of access controls to help patients decide what information or functionality to grant the caregiver.
Registering for a proxy account can frequently prove difficult, and in many cases, requires the caregiver to go in person to the hospital or clinic. Patient portal self-registration is a valuable feature allowing patients and caregivers to register on their own with very little to no assistance required.
As patient portal proxy access continues to gain momentum, hospitals and electronic health record (EHR) vendors need to seek patient portal systemsthat allow caregivers to care for patients without violating their privacy or placing them at risk of security breaches.
Healthcare authorities are implementing new laws to boost interoperability within healthcare organizations and give patients more control and access to their personal health information. With this newfound sharing model, healthcare organizations and IT vendors must implement stricter patient portal security measures to protect valuable patient information. Healthcare data is increasingly becoming a more popular target with hackers as they innovate their techniques to gain access to this valuable and sensitive information.
As a result, the increased sharing of patient data has led to the demand for secure patient portals and mobile apps, which can serve as effective tools for secure patient-provider data exchange, communication, and care management. While patient portals allow information to be accessed and shared conveniently, healthcare organizations should be aware that there are several patient portal privacy and security issues. It’s the responsibility of the healthcare organization to ensure individual health information is kept private and secure.
Here we look at what features are required for patient portal security, and the protection and confidentiality of collected health information.
Encrypted database features. Encryption allows data to be securely transmitted or stored, meaning that it is readable only by authorized persons by converting the original message or information into ciphertext. There is a very low probability that anyone other than the authorized party could decrypt and convert the ciphertext into readable information. It is best to use the industry-standard AES-256 encryption to keep data secure at rest and TLS v1.2 or v1.3 with a robust cipher suite (following NIST recommendations) for data in transit.
Provide Role-Based Access Control (RBAC). Regulate who has access to specific information based on the role of each employee or user within the organization. For example, administrative staff may not need to see the same information and data as nursing staff. Consider what information each employee needs and grant access to the specific areas as required. RBAC is also an important concern for patient-authorized representatives or proxy accounts. Having proxy patient portal access that appropriately manages dependent accounts (e.g. a parent managing their child’s account) is a growing concern for healthcare organizations as patient portal adoption rates increase. 45% of the hospitals in the US do not offer proxy patient portal access.
Extensive password protection and MFA (multi-factor authentication). Your HIPAA patient portal should require a password to access the system, and again if there is a period of inactivity of 30 minutes. If a password is entered incorrectly too many times, it should lock user accounts. Ensure that all employees (users) passwords are following NIST recommendations and are reset every 60 to 90 days. A more robust validation can be applied with multi-factor authentication. Bridge Patient Portal, for example, supports SMS-based two-factor authentication for password resets and account registration. The patient portal sends an SMS message to a mobile phone with a time-sensitive security code to complete the patient portal security registration or password reset. Keeping a secure password can be a complicated procedure, that is why some secure patient portals offer biometric authentication (fingerprint and facial recognition) to provide patients with a quick, secure, and frictionless experience when accessing health information.
Audit Trails. It’s crucial to establish an audit trail that records key activities and conduct periodic reviews to reduce the risk associated with inappropriate access and violations against HIPAA rules. Robust training, policies, and agreements should also be in place for all staff members with patient portal access to ensure patient portal security.
Consent. Your secure patient portal should store, display, and print patient consent forms. The most critical consent form is an opt-in agreement where a patient understands and agrees to the risks associated with the inevitably insecure patient-provider communication.
Meet federal and state laws with regard to privacy and security. Follow the regulations set by healthcare authorities such as the Office for Civil Rights (OCR) and Health & Human Services (HHS) in regards to laws such as ADA, HIPAA, and CCPA.
PCI Compliance. HIPAA compliant bill pay requires that patient credit card details should not be transmitted or stored unless your clinic complies with PCI Security Council Standards, which keeps the patient’s payment card data secure.
Bridge is ONC 2015 Edition Certified and adheres to strict HIPAA and patient portal security protocols. Learn more about how Bridge implements compliance and security for its secure patient portal solution as well as its customers.