patient health portal legalities

by Mrs. Estella Bogan IV 9 min read

Legal, Practical, and Ethical Considerations for Making ...

In the United States there is widespread use of online patient portal Web sites, which offer patients access to their electronic health record (EHR). Specifically, online patient portals afford access to a variety of features, including viewing recent lab test results and visit summaries, refilling medications and making appointments, and ...


Patient portals have been in use for nearly two decades, but adoption has increased recently in response to consumer demand and government regulations, such as the Health Information Technology for Economic and Clinical Health Act (HITECH Act). 15 They have been implemented in diverse settings, including large academic medical centers, primary and specialty care practices, and community hospitals. 16 Implementing and maintaining patient portals may require significant capital and resource investments. 17 Understanding how patients and health systems use the portal to support patient engagement and self-management is important to evolving functionality and improving patient engagement. 18–20 Studies have been conducted to understand ways in which the patient portal meets the needs of patients and their caregivers. 20–25

Full Answer

What is a patient portal?

In the United States there is widespread use of online patient portal Web sites, which offer patients access to their electronic health record (EHR). Specifically, online patient portals afford access to a variety of features, including viewing recent lab test results and visit summaries, refilling medications and making appointments, and ...

Do you need more than one portal for patient information?

Largely driven by the financial incentives of the HITECH Act's Meaningful Use program as part of federal US health care reform, access to portal Web sites has rapidly expanded, allowing many patients to view their medical record information online. Despite this expansion, there is …

Are portals accessible to more vulnerable patient populations?

Sep 29, 2017 · A patient portal is a secure online website that gives patients convenient, 24-hour access to personal health information from anywhere with an Internet connection. Using a secure username and password, patients can view health information such as: Recent doctor visits; Discharge summaries; Medications; Immunizations; Allergies; Lab results

Are there legal and Ethical Mandates for improving portal accessibility?

Apr 08, 2021 · Promised Data. Actors who “advertise” or otherwise tell their patients that certain specific USCDI/EHI (e.g., labs and other diagnostic results) will be made available through the portal and encourage registration for portal accounts must make such “promised” information available in the patient portal without delay. Impermissible Delays.


Is patient portal legitimate?

A patient portal is a secure online website that gives patients convenient, 24-hour access to personal health information from anywhere with an Internet connection. Using a secure username and password, patients can view health information such as: Recent doctor visits.

What does HIPAA have to say about patient portals?

Online patient portals allow patients to view their medical records, schedule appointments, and even request refills of prescriptions, anywhere the patient has access to the Internet. Patient portals contain information that constitutes electronic protected health information (ePHI) under the HIPAA Security Rule.

Are patient portals HIPAA compliant?

Patient healthcare portals help medical practices adhere to HIPAA regulations both by providing patients with easy access to their medical records and by using security measures to protect those records.

What are the disadvantages of a patient portal?

Even though they should improve communication, there are also disadvantages to patient portals:

  • Getting Patients to Opt-In
  • Security Concerns
  • User Confusion
  • Alienation and Health Disparities
  • Extra Work for the Provider

Who does the 21st Century Cures Act apply to?

Electronic patient health information. The requirements of the 21st Century Cures Act only apply to electronic patient health information. If you are using paper records, it will not apply to you. There is no mandate for you to move to an EHR.

Does 21st Century Cures Act apply to paper records?

The 21st Century Cures Act only applies to patient health information that is stored electronically. If you are using paper records, the requirements of the Act do not apply to you.

Is Facebook portal HIPAA compliant?

Conclusion: Facebook is not HIPAA compliant because it will not sign a BAA. However, covered entities can use it—as long as they do not share any PHI.

Should patients have access to their medical records?

The studies revealed that patients' access to medical records can be beneficial for both patients and doctors, since it enhances communication between them whilst helping patients to better understand their health condition. The drawbacks (for instance causing confusion and anxiety to patients) seem to be minimal.

Is it a HIPAA violation to look at your own chart?

A. No. It is NOT a HIPAA violation to view your own medical record.

What are the pros and cons of using a patient portal?

Top pros and cons of adopting patient portals:

  • Pro: Better communication with chronically ill patients.
  • Con: Healthcare data security concerns.
  • Pro: More complete and accurate patient information.
  • Con: Difficult patient buy-in.
  • Pro: Increased patient ownership of their own care.

Why do some patients fail to participate in the use of the patient portal?

Most patients do not want to use their patient portal because they see no value in it; they are simply not interested. The portals do not properly incentivize the patient either intellectually (providing enough data to prove useful) or financially.

What is the most common barrier to the use of the patient portal?

Among nonadopters (n=2828), the most prevalent barrier to patient portal adoption was patient preference for in-person communication (1810/2828, 64.00%) (Table 2). The second most common barrier was no perceived need for the patient portal (1385/2828, 48.97%).

When does a health care provider have to comply with HIPAA?

A health care provider must still comply in full with HIPAA when responding to a patient’s request for access to her/his PHI, and may not limit the response to just USCDI. Beginning on October 6, 2022, health care providers must comply with the IBR with respect to all EHI. Proactive “push” of USCDI/EHI Not Required.

When will actors be required to respond to EHI requests?

Until October 6, 2022, Actors are only required to respond to requests for EHI with USCDI, but this is only for purposes of the IBR. Other factors, such as how an Actor “holds out” its portal, need to be considered when deciding what should be made available.

Can I share more EHI than is represented by the USCDI Version 1?

Of course, those who are able to share more EHI than is represented by the USCDI Version 1 need not wait to begin doing so. Similarly, as a way to prepare for October 2022, we strongly encourage the regulated community to make all EHI available as if the scope of EHI were not currently limited.”.

When is USCDI 2021?

Only USCDI. From April 5, 2021 through October 5, 2022, Actors are only obligated to respond to a patient’s request with United States Core Data for Interoperability (USCDI) data. This is part of the IBR’s Content & Manner Exception. For USCDI version 1, this includes: allergies and intolerances; assessment and plan of treatment; care team members;

Can an actor push EHI data to a patient portal?

Therefore, an Actor may, but is not required to, proactively push USCDI/EHI data to a patient portal unless the patient requests it or the Actor has “promised” that such data is being made available on the patient portal.

What is a patient portal?

Patient portals are web- and mobile-based programs that allow patients and their proxies remotely to interact with healthcare systems and their care providers. 1–3 These portals commonly allow users to view selected information from the electronic health record (EHR), review test results, message providers, schedule appointments, and pay medical bills. 4 A report by the Institute of Medicine specifies online access to personal health records, such as patient portals, as a promising technology to support patient engagement. 5 Functionality delivered through patient portals has been shown to improve chronic disease management, increase adherence to preventive care such as immunizations and screening, improve patient satisfaction, and better outcomes for some patients with chronic disease. 6–14

What is a well designed patient portal?

Well-designed patient portals, when combined with policies that promote use, offer significant opportunity for patients to engage in their healthcare. Without proper management, portals can suffer from decreased use and poor support from providers. In this work, we discuss the patient portal policies that govern account registration and management, shared access, and test result reporting at VUMC. We anticipate that other organizations can implement concepts from our policies to support the meaningful use of patient portals.

What is proxy access?

Proxy access is defined as an access class in which one individual receives access to another individual’s protected health information, communication tools, and functions in MHAV. In all cases, the proxy had to meet the eligibility criteria outlined in the table, even if the patient did not. Individuals could serve as proxies for competent adult patients, patients who were children or adolescents, and adult patients who met legal criteria for lacking the capacity to make medical decisions. VUMC policy distinguished two general categories of proxies: delegates and surrogates. The policy defined delegates as “an adult individual invited by a MHAV account holder to have access to that account holder’s MHAV account,” and stipulated that the account holder be a competent adult. For example, a competent adult may invite her spouse, adult friend, and adult child aged 18 or older to have delegate access to her account.

What is a surrogate account?

Surrogate accounts were proxy accounts held by competent adults that give access to MHAV as a stand in for individuals who did not meet eligibility criteria for having their own independent account. This included children, adolescents, and adults lacking the capacity for medical decision making.

What is MHAV in Vanderbilt?

My Health at Vanderbilt (MHAV) is an institutionally developed patient portal which launched in a limited fashion in 2003 before being more widely deployed throughout all clinical specialties starting in 2007 (Figure 1). The VUMC informatics, legal and operational teams internally established policies and procedures to govern MHAV use by patients, proxies, and healthcare providers. The initial policies are described by Osborn et al. 29 MHAV and its associated EHR were certified for Meaningful Use stages 1 and 2. MHAV supports core functionality similar to those of other patient portals, including secure messaging, appointment scheduling, bill management, access to select laboratory results, and access to select EHR data. 29,32 There were incremental changes to usage logging and functionality throughout the duration of continuous use.

How many portals do patients need?

A patient should only need one portal – a comprehensive one maintained by his or her primary care physician (PCP), who shares data with all those specialists and hospitals, gets timely updates, and is great at keeping records.

Why are portals important?

Yet, if we can get patients to use them, portals have a lot of potential benefits. Allowing patients to access their records can make them more informed. Asynchronous communication can be more efficient.

Is it better to send test results electronically?

Sending test results electronically can be more timely. However, the current state of the art needs work. A big problem is that portals are not standardized and often don't talk to each other.

What are the rights of individuals with respect to their own health information?

The Privacy Rule grants individuals several rights with respect to their own health information, such as the right to view and obtain a copy of much of their health information and to have corrections made to such information. See, for example, 45 C.F.R. §§ 164.524, 164.526. Because PHRs provide individuals with access to their health information and can facilitate communication between individuals and their health care providers or health plans, PHRs may be useful mechanisms for covered entities to facilitate providing individuals with their HIPAA rights.

What is a PHR in HIPAA?

PHRs offered by HIPAA covered entities, such as health care providers or health plans, generally link individuals to, and allow them to view, some or all of the health records maintained about them within the covered entity. In many cases, an individual may not be given access to the entirety of his or her health record held by the health care provider or health plan and may only have the ability to view and not update or edit the information that is assembled by the health care provider or health plan. These PHRs also may allow individuals to add their own information into their PHRs and to update or edit this self-entered information. Many PHRs will include notations as to the sources of information in the PHR, whether it be self-entered by the individual or entered by the health care provider or health plan. The individual may be able to control who else has access to the information in the PHR, such as, for example, a spouse, family member, or another health care provider.

What is the privacy rule?

The Privacy Rule gives individuals the right to have amendments or corrections made to the PHI in their health records or other designated record set held by a covered entity. See 45 C.F.R. § 164.526. PHRs that replicate some or all of the information in the health record may be helpful mechanisms for individuals to identify potential errors in their health information and to request that the covered entity correct the information. If there is a mistake, the covered entity can correct or append additional information to the individual’s health information held in the covered entity’s health records system and can update the PHR with the corrected information. The individual control inherent in PHRs also may allow individuals to revise and update some information, such as that information they themselves have entered in their PHRs.

What is a PHR business associate?

Covered entities offering a PHR may hire another entity as a business associate to administer the PHR or perform other PHR-related services or functions. The Privacy Rule allows a covered entity to use a business associate to perform functions or activities on behalf of, or provide services to, the covered entity that involve the use or disclosure of PHI, provided the covered entity obtains satisfactory assurances, through a contract or agreement, that the business associate will appropriately safeguard the information. See 45 C.F.R. §§ 164.502(e), 164.504(e). A business associate agreement must specify, among other things, the business associate’s permitted uses and disclosures of PHI and that the business associate will appropriately safeguard the information. See 45 C.F.R. § 164.504(e). The business associate may not use or disclose the information for any purpose that would violate the Privacy Rule. The agreement may specify the manner in which the individual will control access to the information in the PHR, including whether, and the circumstances under which, the business associate is to allow third parties and even the covered entity access to the information.

What are the two categories of PHRs?

For the purposes of this document, however, the universe of PHRs can be broken down into two categories: those subject to the Privacy Rule and those that fall outside of its scope. PHRs that are subject to the Privacy Rule are those that a covered health care provider or health plan offers. Examples of PHRs that fall outside the scope of the Privacy Rule are those offered by an employer (separate from the employer’s group health plan) or those made available directly to an individual by a PHR vendor that is not a HIPAA covered entity. Some stand-alone software packages or portable devices also may be available for use by individuals as PHRs. However, while third parties may provide individuals with information to upload into these tools, since they are solely in the custody of the individual and are not offered by or connected to a third party, they will not be addressed in this document.

How does a PHR work?

PHRs are a mechanism for individuals to engage in their own health care by being able to access and control their health information potentially at any time and from any computer at any location. The Privacy Rule applies directly to some PHRs and in other cases, will govern the flow of PHI from a covered entity into a PHR. In either situation, the Privacy Rule supports individuals’ use of PHRs as a mechanism to facilitate access to, and control over, their health information. Additionally, the use of PHRs can ensure that health care providers and health plans provide an individual with access to the individual’s health information, so that this information can be used by the individual in his or her PHR.

What is a PHR?

A personal health record (PHR) is an emerging health information technology that individuals can use to engage in their own health care to improve the quality and efficiency of that care. In this rapidly developing market, there are several types of PHRs available to individuals with varying functionalities. Some PHRs are offered by health care providers and health plans covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, known as HIPAA covered entities. The HIPAA Privacy Rule applies to these PHRs and protects the privacy of the information in them. Alternatively, some PHRs are not offered by HIPAA covered entities, and, in these cases, it is the privacy policies of the PHR vendor, as well as any other applicable laws, that will govern how information in the PHR is protected. This document describes how the Privacy Rule may apply to and supports the use of PHRs.


Background and Significance

Methods

  • Study site
    Vanderbilt University Medical Center (VUMC) is a private, nonprofit, and academic healthcare center located in Middle Tennessee. VUMC includes the 758-bed Vanderbilt University Hospital (VUH) and the 267-bed Monroe Carrell Jr. Children’s Hospital at Vanderbilt (MCJCHV). VUH rece…
  • My Health at Vanderbilt
    My Health at Vanderbilt (MHAV) is an institutionally developed patient portal which launched in a limited fashion in 2003 before being more widely deployed throughout all clinical specialties starting in 2007 (Figure 1). The VUMC informatics, legal and operational teams internally establi…
See more on academic.oup.com

Results

  • Policy on patient access and registration
    During the period covered by this review, My Health at Vanderbilt was made available to all competent adults age 18 and older, regardless of whether they had an established relationship with a Vanderbilt site (ie, whether they had a medical record number). With permission from a pa…
  • Proxy and nonpatient access
    The access policy also allowed a number of proxy access classes to account for diverse ways that family members or other caregivers support individuals receiving health care. Proxy access is defined as an access class in which one individual receives access to another individual’s protec…

Discussion

  • Patients are increasingly interested in accessing their personal health data through the patient portal.4,24,34 There remains a need to understand how portal policies can enable use and promote engagement.13 Previous studies have found evidence supporting patient portal use and improved chronic disease management, improved patient satisfaction, and improved outcomes…

Conclusion

  • Well-designed patient portals, when combined with policies that promote use, offer significant opportunity for patients to engage in their healthcare. Without proper management, portals can suffer from decreased use and poor support from providers. In this work, we discuss the patient portal policies that govern account registration and management,...

Contributorship Statement

  • BS, JW, and TR conceived the study idea and design. BS, JC, BC, GS, and TR retrieved and described relevant policy information. BS and JW conducted quantitative data analysis. All authors participated in writing and reviewed the manuscript. All authors approved the final manuscript.