Patient portals mean additional risks


One of the biggest challenges now facing healthcare providers seeking to qualify for the HITECH Act’s meaningful use incentives is the issue of allowing patients access to their electronic medical records (EMRs).

That is the view of Ruby Raley, director, healthcare solutions for Axway. “When you look at the fundamentals nobody’s really specced this out yet,” she said. “Questions remain such as: how are we going to give the patients this data – what type file will it be? What database will it be – will they access the full blown production system or a smaller, safer copy of it? How long am I going to leave the data there?”

She added that data breaches could arise from a system that allows thousands of patients to access an organization’s database that has all its doctors’ notes and records in it.

“If I had a security problem that could be scary because the patient might see the wrong thing,” she said. “For example, how many John Smiths are there – what if one of them got to the wrong John Smith’s records?

“You’re going to need to protect it from being hacked, you’ve got to make sure that it’s secure, and you’ve got to make sure data is not left out there.”

She added that further questions relate to liability issues: for instance, if a patient suffers identity theft as a result of accessing their information remotely, who is responsible? With all these issues in mind, risk managers need to get involved in setting policies, deciding how patients will log in to access their information, and conducting a risk assessment of any new patient portal.

“I believe many chief information officers are planning to get their patient portals from their EMR vendor but you will still need to review that EMR vendor’s approach to the problem to see how well it aligns with your own policy,” she said.

“You also need to update your training materials, to update your risk assessments, and potentially to ask the IT department to put some additional security scaffolding around what the EMR vendor delivers to you. Regardless of how you tackle this, the risk manager should be front and center and they should also be engaged in the actual delivery of the work to verify that the work is delivered as planned.”

