The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, includes requirements to protect the privacy and security of individuals' health information, defined as “protected health information” (PHI). The HIPAA regulation applies to “covered entities”, including healthcare providers, health plans and healthcare clearinghouses.

The 2009 American Recovery and Reinvestment Act (ARRA), passed by the Obama administration, features a section called the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act promotes adoption of “electronic health records” (EHRs) to boost efficiency and lower healthcare costs. Anticipating that the widespread adoption of electronic health records would increase privacy and security risks, the HITECH Act introduced new security and privacy related requirements for covered entities and their business associates under HIPAA.

Further, the fines for non-compliance with the HIPAA privacy rule have increased significantly with the introduction of the HITECH Act. Based on some recent landmark cases, smaller practices are now being fined large sums and large provider organizations even larger ones. The federal government has also discovered that performing HIPAA compliance audits is a significant revenue generation opportunity. Consequently, it has hired additional audit staff and plans to significantly increase the number of HIPAA compliance audits. For providers, this means a heightened risk of significant financial penalties should you be found to be non-compliant.

Complying with these ACTs (HIPAA and HITECH are collectively referred to as the ACTs) requires an investment in the adoption of HIPAA Compliance Plans, training of staff and attention to the details of the ACTs. Note that the ACTs do NOT require the use of technology, although HITECH in conjunction with ARRA does heavily promote and incentivize the adoption of EHRs. The objective of this document is to help healthcare providers understand how patient portals help achieve HIPAA compliance. There are many approaches to the broader compliance topic, ranging from hiring HIPAA compliance consultants to adopting HIPAA Compliance Plans that were written for similarly situated organizations. These topics are beyond the scope of this paper.

So how do practices meet the insatiable desire for electronic communications to deliver patient satisfaction, yet adhere to HIPAA and HITECH? Patient portals are definitely part of the answer. Simply put, patient portals are healthcare related online applications that allow patients to interact and communicate with their healthcare providers. The functionality of patient portals varies significantly but may include secure access to patient demographic information, appointment scheduling, payments, bidirectional messaging and access to clinical data if the portal is being supplied by the EHR provider.

In use today, we find patient portals being supplied by EMR/EHR providers, firms providing “Practice Management” (PM) solutions and even third parties that promise patients eventual access to all of their health information in one single portal. These are typically referred to as “Personal Health Portals”, and many consider “Microsoft Health Vault” to be the first choice in this space. Since the personal health portal does not directly connect to the practice, these portals typically only contain clinical information that can be obtained through the myriad and increasing number of healthcare data exchanges.

Change Management. This dilemma impacts small and large organizations undertaking major system implementations. Comprehensive systems implementations require redefinition and remapping of business processes by all members of an organization. The issues and significant challenges that are part of taking on these kinds of projects are well documented and beyond the scope of this paper, but they are real issues that are slowing the adoption of new technologies.

Cost/Time to Implement. The federal government recognized the cost element of this problem and with the ARRA provides around $44,000 per practice for implementing an EHR solution and meeting all of the yet to be defined “meaningful use” criteria. But in many practices, time to implement is still a huge hurdle, as practitioners are busy seeing patients all day long every day and these systems invariably take weeks and months of training and lost productivity because of the learning curve of the new technology.

Existing EHR Solution meets core requirements but patient portal isn’t available. This is a very common issue, especially for larger and/or very specialized providers where systems have been developed and customized to meet complex clinical requirements, but weren’t designed to address patient communications and other patient facing requirements of today. Because of this complexity and customization, adoption of a brand new solution is very impractical, and wholesale replacement isn’t deemed an option by a number of these providers.

Beyond the adoption issues stated above and a number of other unstated ones, there is a broader problem with the use of practitioner-level patient portals for clinical information. To understand the author’s perspective on this problem, consider that one of the real advantages of electronic health information is that in theory it is easily shared, aggregated, disaggregated and exchanged. The truth is that achieving these benefits is still many years away, maybe more. The establishment of statewide healthcare exchanges marks an essential milestone, but much work remains to be done to achieve interoperability of clinical data. Microsoft Health Vault is pushing hard to function as the platform that securely delivers the whole set of clinical data to patients, incorporating data from all of their providers, pharmacies and lab results in one single, simple to use portal.

At best, then, a practitioner-level patient portal providing clinical data only presents an individual provider view, yet most of the patients who need this information the most have multiple providers engaged in their care. For example, an individual patient might have a family physician, an internist, a cardiologist and an endocrinologist all engaged in their care. Viewing the information from any single practitioner would not provide a complete picture. Because of this, the author believes that clinical data is better delivered to the individual by a third party that can make arrangements to aggregate data from all sources and deliver it in one single portal.

“Standalone” Portals

Given the adoption challenges of the EHR/PM-centric (patient) portals, and the broader problems with delivering clinical data in practitioner-level portals, there is a place for “standalone” portals. By standalone portals, we mean portals that let patients directly create and edit their demographic information and that provide bidirectional secure messaging, appointment scheduling, payments and other non-clinical features. These portals don’t provide access to clinical data. But standalone portals offer healthcare providers the ability to quickly join the digital revolution, meet the insatiable desire of patients to communicate electronically in a way that is secure and HIPAA compliant, allow online self-registration and drive multiple efficiencies at the same time.
