Managing the Data Security Risks of Patient Portals

In Security by Shelly Kramer

The rapid advance of technology is affecting every area of our lives, and in the process it is throwing up new, often unexpected challenges to our privacy, especially the security of our personal information. This is most keenly felt in the intimate realm of our health and in our relationships with our medical practitioners and providers. As the use of electronic patient portals grows, health care providers, their IT teams, and the managed service providers (MSPs) with whom they work face a minefield of potential legal risks, and they will need to navigate it together and with care.

Health is always going to be a key area for IT, especially with the rapid expansion of telehealth and virtual care. However, this is a landscape where development is not driven by end users' needs alone. Changes in legislation also mean that health care providers and their IT teams are under pressure to improve outcomes while reducing costs. It is in this environment that the patient portal will play a pivotal role, and it will have to do so while striking a balance between functionality and patient privacy.

Patient portals offer benefits to patients and providers alike, both in terms of access to health information and as an effective means of communication. They allow patients to view medical records and test results, request prescriptions, make appointments, and communicate with their health care teams by email or video link. Development has been somewhat slow, however, for two major reasons:

  •   The highly regulated nature of health care; and
  •   The restrictive rules surrounding reimbursement, which act as a disincentive to investment.

Legislative protection

Writing in Electronic Health Reporter in October 2014, Dell Healthcare compliance officer Martin Edwards highlights that the legislation does offer some protection to patient portal providers. Under the HIPAA Breach Notification Rule, protected health information (PHI) that is encrypted in line with HHS guidance (which points to the relevant NIST standards) is not "unsecured PHI," so the loss or improper disclosure of a device holding it does not trigger the breach notification requirements, provided the decryption key itself has not also been compromised. This is a safe harbor from notification, not a blanket exemption from HIPAA: a lost laptop whose encryption key is stored alongside the data, or a portal that exposes records to the wrong user while they are decrypted, gets no benefit from it. Providers must also stay on their guard, as legislators at both federal and state level continue to develop laws regulating the use of technology in the provision of health care services.

Take, for instance, some of the current issues under consideration as highlighted at Lexology, an online information service for law practitioners, in an article from the Association of Corporate Counsel (ACC). Beyond solid encryption, there are other developments that those who operate telehealth and patient portal services need to keep abreast of.

These involve both national and state-specific regulations and developments. On a national level, there are several separate developments that have the potential to affect the way patient portals operate. These include the following:

  • The House Energy and Commerce Committee released a discussion document that, while containing provisions for telehealth, does not address any technology limitations. According to the ACC, that means the current rules, under which reimbursable telehealth services may be provided only via interactive audio-video systems, would still apply. IT teams and their managed service providers should keep this in mind while developing solutions for health care providers.
  • The Food and Drug Administration (FDA) confirmed that devices used for "active patient monitoring" will fall outside new rules designed to relax controls on medical device data systems, and will continue to be regulated separately.
  • The Federal Trade Commission (FTC) issued a new report in response to the rapid spread of interconnected devices, including those developed for health monitoring, that the "Internet of Things" is bringing. The FTC report recommends that companies build security into their products from the outset and minimize the collection and retention of data. It also recommends that Congress consider further legislation to promote data security, so watch this space.

Different states, different approaches

Many states are considering or introducing new legislation concerning telehealth, and this trend will no doubt continue. As anyone immersed in the field knows, it is becoming an increasingly complex landscape in which to operate. One of the key issues affecting the patient portal is what, exactly, constitutes a doctor-patient relationship. Take Texas and West Virginia as examples. According to the ACC article, the two states are taking very different approaches. Let's take a look:

Texas. The Texas Medical Board proposes that before any prescription is issued, a relationship between doctor and patient must be established by “at a minimum, among other things, a physical examination that must be performed by either a ‘face-to-face’ visit or in-person evaluation.” The rules also establish that “questions and answers exchanged through email, electronic text, or telephonic evaluation of or consultation with a patient,” are insufficient to establish a relationship.

West Virginia. By contrast, a Senate bill introduced in West Virginia in January 2015 states that "when a prior physician–patient relationship does not exist, it can be established using telemedicine as long as real-time video conferencing or similar technologies are utilized."

Pretty interesting, isn't it? And definitely something to stay up to date on, whether you're a health care CIO, an IT pro working in the health care space, or a managed service provider serving clients on a regional or national basis.

There is also the issue of reimbursement to consider, although I don't intend to bore you with the minutiae of Medicaid. Suffice it to say that among the eight states that introduced bills on the subject at the start of 2015, there were four different approaches to the thorny issue of remunerating providers. That, too, will only grow more complex in the coming months and years.

Thus far, our experiences with patient portals have largely been limited to basic functions offered by single-source providers. As health care providers continue to recognize the value technology brings to engaging patients cost-effectively, that is likely to change. Providers will need to stay on top of what is happening from a technology standpoint, and their IT teams will need to create a consistently good user experience and a "one stop" experience for patients, with a single portal providing access to multiple services. To stay competitive, and to serve their patients most effectively, health care providers will need to focus on building effective communication channels between patients and medical practitioners.

The challenge facing health care IT pros is ensuring that the development and implementation of the technology goes hand in hand with the evolving legislation. This is particularly so as individual states impose their own layers of regulation on top of federal law. As the adoption of telehealth and patient portals grows, health care providers need to keep abreast of ever-changing regulations and tread warily to make sure that their policies and practices around health IT are not creating future liabilities.

What about you? Are you working on creating user experiences via the development of patient portals and navigating these waters? If so, I would love to hear your thoughts on the challenges ahead and how you might be dealing with them.

Other resources on this topic:

The Medical Internet of Things
Telehealth and health IT Policy: considerations for stakeholders
The Brave New World of Modern Medicine: Healthcare Meets the Digital Age

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site Power More. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Photo Credit: emilydpardo via Compfight cc

This article was originally seen on V3 Broadsuite Blog

Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”
