
Patient-facing information systems raise HIPAA concerns

Patient-facing portals are becoming tools for engagement. But providers must consider HIPAA regulations before implementing such information systems.

Christina Beach Thielst

There is a move toward the integration of patient-facing information systems and the use of portals as a way to engage and provide seamless access to patients and their family caregivers. But, just as with the implementation of EHRs and information exchange, privacy and security concerns quickly arise and warrant some consideration. This is especially true when one is navigating the more stringent privacy requirements related to adolescent, behavioral health, HIV and other populations.

The most conservative interpretations of HIPAA and approaches designed to limit risks and protect personal health information could actually hamper communications with patients, family and other caregivers. This comes just as we are trying to find ways to engage patients and their caregivers to take a more active role in care processes and contribute to improved outcomes. It's important to remember that HIPAA legislation does allow for communications when they are relevant to the involvement of a spouse, family members, friends or other persons identified by a patient during the care process.

Proxy accounts allow family caregivers to act as a patient when they are within the system, but EHRs don't always support multiple "patients" for one record. Not offering proxy access to family and friends creates a new risk when patients allow these caregivers to sign on to the portal with the patient's own user name and password to add information and make changes on their behalf. The risk for healthcare providers is that they cannot distinguish access or changes made by caregivers from those made by patients themselves.

Legal risk also arises when providers elect not to share information if a document contains only a small portion of protected health information -- especially when it comes to referring and caregivers in other settings. This creates the need for providers to balance the risk of adverse reactions or outcomes with privacy concerns.

As increasing amounts of health information are maintained as structured data, it will be possible to tag and not disclose discrete elements. The Department of Veterans Affairs and the Substance Abuse and Mental Health Services Administration are using a classification and coding system developed by Health Level 7 International to identify sensitive data and automatically assign metadata tags to it, marking it "do not disclose." This ability to tag and build conditions around the sharing of sensitive and private health information will help providers comply with both state and federal privacy laws, as well as share relevant information and data with those who need it.

Christina Beach Thielst, a fellow of the American College of Healthcare Executives, is vice president of TOWER, a patient experience consulting group for the healthcare industry. Let us know what you think about the story; email editor@searchhealthit.com, or contact @SearchHealthIT on Twitter.
