Tip

Patient-facing information systems raise HIPAA concerns

Christina Beach Thielst

There is a move toward the integration of patient-facing information systems and the use of portals as a way to engage and provide seamless access to patients and their family caregivers. But, just as with the implementation of EHRs and information exchange, privacy and security concerns quickly arise and warrant some consideration. This is especially true when one is navigating the more stringent privacy requirements related to adolescent, behavioral health, HIV and other populations.

The most conservative interpretations of HIPAA and approaches designed to limit risks and protect personal health information could actually hamper communications with patients, family and other caregivers. This comes just as we are trying to find ways to engage patients and their caregivers to take a more active role in care processes and contribute to improved outcomes. It's important to remember that HIPAA legislation does allow for communications when they are relevant to the involvement of a spouse, family members, friends or other persons identified by a patient during the care process.

Proxy accounts allow for family caregivers to act as a patient when they are within the system, but EHRs don't always support multiple "patients" for one record. Not offering proxy access to family and friends creates a new risk when patients allow these caregivers to sign on to the portal with their user name and password to add information and make changes on their behalf. The risk that arises for healthcare providers is not being able to distinguish between access to or changes made by caregivers and those made by patients themselves.

Legal risk also arises when providers elect not to share information because a document contains only a small portion of protected health information -- especially when it comes to referring providers and caregivers in other settings. This creates the need for providers to balance the risk of adverse reactions or outcomes with privacy concerns.

As increasing amounts of health information are maintained as structured data, it will be possible to tag discrete elements and not disclose them. The Department of Veterans Affairs and the Substance Abuse and Mental Health Services Administration are using a classification and coding system developed by Health Level 7 International to identify sensitive data and automatically assign metadata tags to it, marking it "do not disclose." This ability to tag and build conditions around the sharing of sensitive and private health information will help providers comply with both state and federal privacy laws, as well as share relevant information and data with those who need it.
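The two controls described above, proxy accounts with their own identity and element-level "do not disclose" tags, can be sketched together. This is an added example, not code from the article or from any EHR product; the tag name, user IDs, record fields and the policy that proxies never receive tagged elements are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

DO_NOT_DISCLOSE = "do-not-disclose"   # hypothetical tag name, not an HL7 code

@dataclass
class Element:
    name: str
    value: str
    tags: frozenset = frozenset()

@dataclass
class Portal:
    records: dict                      # patient_id -> {element name: Element}
    proxies: dict                      # proxy user_id -> set of patient_ids
    audit: list = field(default_factory=list)

    def _role(self, user_id, patient_id):
        if user_id == patient_id:
            return "patient"
        if patient_id in self.proxies.get(user_id, set()):
            return "proxy"
        return None

    def _log(self, user_id, patient_id, role, action, detail):
        # Every entry names the real actor, so caregiver activity is never
        # recorded as the patient's own.
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "actor": user_id, "patient": patient_id,
                           "role": role, "action": action, "detail": detail})

    def view(self, user_id, patient_id):
        role = self._role(user_id, patient_id)
        if role is None:
            self._log(user_id, patient_id, "none", "view-denied", {})
            raise PermissionError(f"{user_id} has no access to {patient_id}")
        elements = self.records.get(patient_id, {}).values()
        # Assumed policy: proxies never receive elements tagged do-not-disclose.
        withheld = [e.name for e in elements
                    if role == "proxy" and DO_NOT_DISCLOSE in e.tags]
        self._log(user_id, patient_id, role, "view", {"withheld": withheld})
        return {e.name: e.value for e in elements if e.name not in withheld}

def demo_portal():
    # Constructed sample record: patient "pat-1" with one proxy, "care-7".
    record = {"allergies": Element("allergies", "penicillin"),
              "bh_note": Element("bh_note", "counseling visit",
                                 frozenset({DO_NOT_DISCLOSE}))}
    return Portal(records={"pat-1": record}, proxies={"care-7": {"pat-1"}})
```

Because the caregiver signs in as `care-7` rather than with the patient's credentials, the audit trail separates the two, and the withheld element names are logged so a reviewer can see what the tag suppressed.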

Christina Beach Thielst, a fellow of the American College of Healthcare Executives, is vice president of TOWER, a patient experience consulting group for the healthcare industry. Let us know what you think about the story; email editor@searchhealthit.com, or contact @SearchHealthIT on Twitter.

This was first published in May 2013
