So this is the first true part of what is a patient portal. I introduced it yesterday but that was only to pave the way for the topics. Remember, my purpose is to define the complexities of a portal and not the features and functions. So on to the subject at hand.
A lot has been said about the various regulations but let me tell you about the key regulation and the key acronyms that keep popping up. Keep in mind that I’m a portal expert and not a healthcare expert so anyone who catches an error, feel free to comment and I’ll correct the error and attribute it to you.
HIPAA
This came a while back but the Health Insurance Portability and Privacy Act and the term Protected Health Information (PHI) come up all the time with a portal. It’s usually in terms of what a security person tasked with limiting hospital liability will not allow you to do. Anything that conceivably allows someone who shouldn’t see protected information to access it is off the table. In many cases, HIPAA and PHI stand directly against what the Affordable Care Act wants to do in getting patients access to their electronic medical records. Here are a couple examples:
- A patient cannot enroll online. They must come into the hospital and show ID and sign a piece of paper called a written consent form. No, we don’t care about the 1998 online signature act and we aren’t too hip on the really cool RSA id verification system you want to use.
- While an id may be good enough for TSA, it’s possible for an angry ex-spouse to con a friend into impersonating you with a stolen ID. We want you to use the ID along with further information specific to your hospital visit like the bill # or the MRN.
I could go on but you get the idea. Because the cost of even one breach is so high, most hospitals are more afraid of the “bad things” that can happen than in providing the experience the later law tries to mandate.
Note: Thanks to Tom Simmons for pointing out my mis-spelling of HIPAA.
PCI
The Payment Card Industry Standard (PCI) mandates how sites that accept credit cards should be architected and secured. This compliance can be reviewed yearly. It’s expensive to setup and expensive to maintain. If you want to accept credit card payments for your bills or you want to let a person pay for that weight loss class with a card then you have to figure out how to support PCI. If you don’t, you have opened yourself up to significant liability.
Meaningful Use
Meaningful Use 2 (MU2) provides all the feedback on what a patient portal must be according to the United States Government. They mandate things like:
- What to show in the medical record.
- What format to use when you download a medical record (CCDA)
- That you must be allowed to transmit it. Keep in mind that transmit is meant to make it easier to share your medical record with anyone you want including other medical professionals. However, HIPPA mentioned above mandates that all protected health information must be encrypted. So now you have a conundrum. I must transmit. I must transmit encrypted. How will anyone make use of what I transmit?
- Let you see who has accessed your record
- Rule that you must get at least 5% of your patients in a given reporting period to see their medical record
- Rules on how to attest or report that
- Rules that you must certify your patient portal with a certified third part testing service
- Need to allow people to proxy for their children and for an adult like your aging parent. Keep in mind that if a hospital serves patients across multiple states and those states have different laws on when a kids is no longer a kid then you have to age out proxy. You also have to be aware of what part of the medical record belong to what state. So if your hospital is in one state and you have a clinic across the state line, you may have to filter out your child’s medical records if you are no longer able to view them. This is a real pain.
So There You Have It
Regulations that are sometimes at odds with each other and which sometimes haven’t been fully baked mandate a very specific set of tasks for your patient portal. Frankly, at least 1/3 of your costs will be in the discussion on how to satisfy those regulations. You have to get a lot of people on the same page before you can move forward. It can get a bit fun and you will doubtless shake your head at least once a week throughout the entire time you are implement a patient portal.