Patient Portals: Security Challenges
Weighing Ease of Use vs. Adequate Protections
Healthcare providers are turning to patient portals to provide remote access to electronic health records. But privacy attorney Adam Greene says there are challenges when it comes to parents or guardians accessing the records of minors of a certain age.
Because some minors have the right not to disclose certain medical information, such as reproductive health services, to their parents, it could be a HIPAA violation to disclose the services to the parent, says Greene, a partner at the law firm Davis Wright Tremaine.
"You ... have [patients that are age] 18 and over [who] are full individuals and their parents should not have any rights to their information," he says in an interview with Information Security Media Group [transcript below].
"You have the lower age group, which might be [age] 12 and under - this can vary based on state law - whose parents should have access to all of their information," he says. "Then you're going to have this challenging in-between, which, depending on state, could be [age] 13 up until the eighteenth birthday, where parents have a right to see most of the information but not some."
Healthcare providers can choose to give parents access to the minor's records via a patient portal, but the providers should consider segregating certain information so that those confidential services are inaccessible to the parent, Greene says. Healthcare providers that do not have the ability to segregate sensitive data may need to grant patient portal access solely to the minor at age 13, so the parent cannot see the information at all.
In the interview, Greene also discusses:
- The struggles healthcare providers will have with balancing strong authentication with easy access;
- Other challenges involved with in-person versus remote identity-proofing, and the various ways to authenticate patients once they've been authorized to access their records via a portal; and
- The challenges involved with providing adult children access to the health information of elderly patients via patient portals.
As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.
The Role of Patient Portals
MARIANNE MCGEE: What are patient portals? What sorts of organizations are launching them, and why are they important from a regulatory standpoint?
ADAM GREENE: Patient portals usually refer to some way for a patient to be able to view some portion of the electronic health records ... of a healthcare provider. ... You can have significant variation with respect to how much information is in the patient portal itself. It could be clinical notes; it could be a much smaller subset of information. This is different than certain other things, such as a personal health record, which is where a patient can keep their own information electronically for their benefit. You could have situations, for example, where someone wants to access their information through an EHR portal of one particular healthcare provider, and then take that along with information from a number of other providers and put it into a single personal health record.
From a regulatory standpoint, there are two that are at issue here. The biggest one is the [HITECH Act] meaningful use [EHR incentive program]. In particular, meaningful use Stage 2 is pushing for healthcare providers to provide more immediate access, particularly the ability to view, download, and transmit information through what is normally expected to be some sort of patient portal. The other major regulation is HIPAA, in that there has been a longstanding obligation to provide patients with a copy of their medical and billing records, or certain other information, in what is referred to as a "designated record set." This can be partially achieved, at least, through a patient portal, in which you give patients some of the most critical information from their medical record immediately upon request, rather than having them submit a request through a health information management department, for example. Meaningful use is really going to be pushing healthcare providers to launch patient portals far more than before, and this will be very important with respect to complying with their HIPAA obligations.
Privacy Challenges with Patient Portals
MCGEE: What do you think are the biggest privacy and security challenges related to patient portals?
GREENE: I think one of them is authentication. How do you know that the patient is who the patient really says he or she is? There are a number of different strategies for trying to tackle that.
Another privacy and security challenge here is that you have an Internet-facing website, essentially with a large volume of sensitive information, and you have to make sure that it is fully protected against different threats and vulnerabilities, such as SQL injection and things that might allow one patient or hacker to see the information of another. Another big challenge area is ... if you are a parent of the minor, what information you should have access to and what information is not accessible to you unless the minor has signed an authorization.
Authentication for Portal Use
MCGEE: What are the various ways that individuals can be credentialed and authenticated for accessing patient portals?
GREENE: There are two stages here; the initial identity-proofing and the subsequent authentication every time someone logs into the patient portal. The identity-proofing normally happens either in-person or online. The in-person part could happen as part of the registration process, or it could happen next time someone visits for an appointment. The healthcare provider signs them up, creates an account, and assigns a password because they know the individual; they've checked the driver's license or some other proof of identification of the individual.
The alternative can be remote authentication, where you first do identity-proofing remotely. It could be [asking] questions that are not publicly available, but are known to the covered entity, or the healthcare provider. For example, what was the nature of the last bill or payment? What are the last four digits of your Social Security number, as further confirmation? Or the healthcare provider outsources this to another company that [uses a] similar [method]. When you apply for one of your credit reports, you have to provide a number of pieces of non-public information, such as what street you lived on in a certain year. I know certain healthcare providers who are looking at identity-proofing options like that.
Then, once you've initially identified the individual, there is authenticating them every time that they log in. Subsequently, that could be just a password, or multi-factor authentication, such as entering the password and sending something to their cell phone with a code to put in. It could be a hybrid approach, such as, we're normally going to ask for just a password, but if you'd like this multi-factor option we can set that up for you. I think covered entities can choose from a variety of different authentication options here, although I expect most times it's just going to be a traditional username and password situation.
Why Only Passwords?
MCGEE: Why do you think most organizations that have patient portals will go with the username and password only?
GREENE: Difficulty and lack of demand. I think there is going to be a minority of patients who may want the more robust features of multi-factor authentication, and may want to feel confident that their information is not going to be accessible to others based on just the password. I think that is going to be a pretty small minority of patients. I expect most patients would only want a password and would be very inconvenienced by having to go through multi-factor authentication. Here, with meaningful use, you not only have to make a patient portal or some similar technology available, you also have to have at least 5 percent of your patient population using, viewing, downloading, or transmitting information. You don't want to set up hurdles through authentication; otherwise that is going to impede the actual use of the patient portal.
MCGEE: What are the privacy and security challenges involved with providing access to health records of minors via the patient portals?
GREENE: This is a very tough situation. You're going to have, under the law, some minors who have their parent or guardian as their personal representative under HIPAA, who has the right to access their information. But minors may be able to consent to certain services, such as reproductive health services or substance abuse treatment. For those services, the parent or guardian does not necessarily have a right to see the information. In fact, when a 17-year-old comes in for certain reproductive health services, where her state [allows] that without any sort of parental consent, it could be a HIPAA violation to actually disclose the occurrence of such services to the parent. So what you're going to be left with is three different sorts of age groups: you are going to have 18-year-olds and over, who are full individuals, and their parents should not have any rights to their information. You have the lower age group, which might be [age] 12 and under - this can vary based on state law - [minors who] will not be able to consent to any healthcare services on their own, and so the parents should have access to all of their information. You probably want the parent having full rights with respect to that patient population. But then, you're going to have this challenging in-between, which, depending on state, could be [age] 13 up until the 18th birthday, where parents have a right to see most of the information but not some.
There is no one-size-fits-all solution to how you're going to address that age group. Some healthcare providers, for example, might provide parents with access to the patient portal, but may be able to segregate certain information that is not accessible to the patient portal for that patient population, so that you know the parent is not going to be able to see certain services. Other healthcare providers may not have that ability, and they may have to completely exclude this age group; unless the minor, for example, signs an authorization that says their parent can view any information that the minor is able to consent to on their own. So in that case, it may be that at age 13, the individual's information is no longer accessible to the parent because you're not able to ensure that certain information, such as reproductive health, is not included in the patient portal. There, you only make it accessible with something, [like] an affirmative statement from the minor in that case, which unfortunately, can also lead to very challenging conversations sometimes between healthcare provider, parent and minor asking for such an authorization. So these are challenges, but I think we're still looking at different healthcare organizations finding what works best for them.
MCGEE: What are the privacy and security challenges involved with giving access to elderly patients' information to, say, an adult child?
GREENE: I think it's a great idea. I think you definitely want to give the tools so that the patient does not have to share their username and password, but instead could have a greater level of control by creating a delegate account where the delegate is able to view and not do anything else with the information. That could be, as you mentioned, an adult child or caretaker of some sort. There, the simplest method may be getting a full HIPAA authorization. [However,] the recent HIPAA Omnibus Rule did provide the tool that an individual can designate a third party to receive a copy of their medical record. You can use that; you don't need a full authorization for that. It only needs to specify the name and address of the third party in writing. So that could be, for example, someone electronically stating, "Please provide this third party with access to my information at this email address," at which point you send out an invitation to that email address. So, the most conservative thing would be to get a full HIPAA-compliant authorization, but we do have this greater flexibility now with respect to individuals being able to designate third parties. I think that has actually reduced a potential privacy and security problem there.
Other Methods of Access
MCGEE: How do patient portals compare with other methods of providing patients with access to their health information, such as secure e-mail?
GREENE: I think it is much easier to use. It will also link in sometimes with these other practices. So for example, the patient portal may also be a messaging portal where a secure e-mail is received by an individual. They receive an unsecure e-mail that just says they've got a message waiting for them at the patient portal. They log in [to the portal] and see their information that way. So it's not just a way to provide patients with a copy of some of their medical record information; it may also be an integrated secure messaging tool. This could be dramatically easier than the patient having to go in person and request a copy of their medical record through an HIM department. Although, what we also see is the patient portal provides some information, and then leads to an increase in patients coming in and requesting full copies of their medical record through the more traditional means. But I think the patient portal will really help facilitate patient engagement in a way that can potentially be much easier for patients than navigating the normal release-of-information process.
There are going to be some patients who are still going to want a copy of their medical record e-mailed to them via unencrypted e-mail, because they don't want to deal with passwords or things of that nature. HIPAA does say that to an extent, covered entities should provide a copy of the medical record in the form and format requested. So a patient, despite having the [option of using a] patient portal, still has that right [to ask for] ... an unencrypted e-mail. There, the guidance to the HIPAA Omnibus Rule suggests that you make sure the patient is aware that there is some risk of unauthorized viewing of the information as it travels over the internet, but if they agree to accept that risk, then you should go ahead and provide through unencrypted e-mail.
Biggest Emerging Threats
MCGEE: What do you think are the biggest emerging privacy and security threats for portals?
GREENE: I think as you get more of these, there will be more stories of vulnerabilities that have been identified. If the individual changes the URL by one number, and they are able to see someone else's information, I think we'll see security challenges on that front. I think we're going to see a continuing struggle with the initial identity-proofing. Some providers will take the approach that we will only authenticate someone if they show up in person with an ID, and other than that, we will not provide the [individual] with a full patient portal account where they can see their own information. No patient wants to make an extra trip to the hospital or doctor's office, especially if you have a hospital that has patients coming in from across the country. Now the alternative is, if you do this remote authentication, there is always going to be some circumstance, no matter how good the tool is, where someone such as an ex-husband or ex-wife could potentially answer all the [authentication] questions and open up an account and see the person's information.
If you go with remote identity-proofing, you're going to have a challenge such as that. I think healthcare providers are going to struggle and have to look at their particular patient populations, what works best, and how willing they are to take on the risks associated with remote identity-proofing in order to offer that as an added convenience. We're going to continue to see challenges on the front of minors, as to how to deal with their records, with hopefully some improvements in the ability of patient portals to segregate out certain information so that you can provide a parent with the full medical record except X, Y, and Z. But I don't know if the technology is necessarily there yet, and so until it is, I think that's going to be a challenge for organizations.
Then the other is just finding the right balance between usability for patients and good security. To what extent are we going to require robust passwords, or if the patient wants to use their username as their password, are we going to allow that as a convenience for the patient? I think there is no correct answer there. Some organizations will not allow patients to use anything but strong passwords, and then they may get some pushback and impact their ability to meet [HITECH Act] meaningful use criteria of getting a certain percentage [of patients] using it. Others may risk security problems by allowing patients to have much less robust passwords.
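The three age bands Greene describes for minors' records, the view-only delegate account for an adult patient's designated third party, and the per-record ownership check that prevents the "change the URL by one number" problem can all be expressed as one authorization policy. The Python below is an added example written for this page; it is not code from the interview, from ISMG, or from any portal vendor. The 12/13/18 thresholds, the two confidential categories, the patient and record data, and every function name are constructed assumptions, not a statement of any state's law.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum

# Constructed policy thresholds. The interview stresses that the real cut-offs
# depend on state law; these reproduce its illustration (12 and under, 13 to 17,
# 18 and over).
FULL_PARENT_ACCESS_MAX_AGE = 12
ADULT_AGE = 18
# Service categories the interview names as ones a minor may consent to alone.
MINOR_CONFIDENTIAL = frozenset({"reproductive_health", "substance_abuse"})


class Role(Enum):
    PATIENT = "patient"
    PARENT = "parent"      # personal representative of a minor
    DELEGATE = "delegate"  # third party an adult patient designated in writing


@dataclass
class Record:
    record_id: int
    patient_id: int
    category: str


@dataclass
class Patient:
    patient_id: int
    date_of_birth: date
    parents: set = field(default_factory=set)       # registered parent/guardian ids
    delegates: set = field(default_factory=set)     # designated third-party ids
    minor_authorizations: set = field(default_factory=set)  # categories the minor released


def age_on(dob: date, today: date) -> int:
    """Completed years of age on `today`."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def parent_may_view(patient: Patient, record: Record, today: date, can_segregate: bool) -> bool:
    """Apply the three age bands to a single record."""
    age = age_on(patient.date_of_birth, today)
    if age >= ADULT_AGE:
        return False  # adult: the parent has no rights to the information
    if age <= FULL_PARENT_ACCESS_MAX_AGE:
        return True   # young minor: the parent sees everything
    if not can_segregate:
        # The portal cannot filter by category, so the parent is excluded from the
        # whole band unless the minor has released every confidential category.
        return MINOR_CONFIDENTIAL <= patient.minor_authorizations
    if record.category in MINOR_CONFIDENTIAL:
        return record.category in patient.minor_authorizations
    return True


def authorize(requester_id, role, patient, record, action, today, can_segregate=True):
    """Return (allowed, reason). Ownership is checked before anything else so that a
    record id lifted from a URL can never return another patient's data."""
    if record.patient_id != patient.patient_id:
        return False, "record does not belong to this patient"
    if role is Role.PATIENT:
        if requester_id != patient.patient_id:
            return False, "requester is not the patient"
        return True, "patient acting on own record"
    if action != "view":
        return False, "parents and delegates are view-only"
    if role is Role.PARENT:
        if requester_id not in patient.parents:
            return False, "requester is not a registered parent"
        return parent_may_view(patient, record, today, can_segregate), "age/category policy"
    if role is Role.DELEGATE:
        if requester_id not in patient.delegates:
            return False, "requester is not a designated delegate"
        return True, "delegate view"
    return False, "unknown role"


def demo(today=date(2014, 1, 15), can_segregate=True):
    """Constructed patients and records; returns the allow/deny bit of each decision."""
    teen = Patient(1, date(1999, 3, 2), parents={100}, minor_authorizations={"substance_abuse"})
    child = Patient(2, date(2005, 6, 30), parents={101})
    elder = Patient(3, date(1940, 1, 1), delegates={300})
    teen_visit, teen_rh, teen_sa = Record(10, 1, "general"), Record(11, 1, "reproductive_health"), Record(12, 1, "substance_abuse")
    child_rh, elder_note = Record(20, 2, "reproductive_health"), Record(30, 3, "general")
    check = lambda *a: authorize(*a, today=today, can_segregate=can_segregate)[0]
    return {
        "teen_general": check(100, Role.PARENT, teen, teen_visit, "view"),       # 14-year-old, ordinary visit
        "teen_confidential": check(100, Role.PARENT, teen, teen_rh, "view"),     # category not released
        "teen_released": check(100, Role.PARENT, teen, teen_sa, "view"),         # minor signed authorization
        "child_all": check(101, Role.PARENT, child, child_rh, "view"),           # 8-year-old, parent sees all
        "delegate_view": check(300, Role.DELEGATE, elder, elder_note, "view"),
        "delegate_amend": check(300, Role.DELEGATE, elder, elder_note, "amend"), # view-only delegate
        "wrong_patient_id": check(100, Role.PARENT, teen, elder_note, "view"),   # id belongs to another patient
    }
```

Running `demo()` allows the first, third, fourth and fifth requests and denies the rest; `demo(can_segregate=False)` additionally denies the teen's ordinary visit note, which is the "exclude the whole age group" fallback Greene describes for portals that cannot filter by category. The ownership test sits first in `authorize` on purpose: every later rule assumes the record really belongs to the patient whose proxy is asking.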