Q: What suggestions do you have for operating a patient portal and ensuring confidentiality of patient information?
A: First, remember that Indiana has regulations regarding e-communications, so it’s a good idea to read and comply with those regulations.
Patient portals allow patients to access and interact with their medical information 24/7, whether via a stand-alone website or applications integrated with a health care provider’s existing website. The downside to this access is the potential for liability risk and for breach of patients’ confidential medical information.
Risk management experts offer the following suggestions to employ with patient portals to minimize risk.
- Develop a disclaimer for the portal that states it may not be used for emergencies or urgent problems, and that advises patients to call 911 or go to the nearest emergency room for such situations.
- Require patients to have user names and passwords, and ensure these are encrypted and delivered to patients in a secure manner. Of course, only established patients should have access to the portal.
- Have the portal automatically “lock” the account after a set number of failed login attempts.
- Develop policies and procedures addressing the types of information patients can access (i.e., medical appointments, medication refill inquiries, downloads of patient forms, routine appointment reminders). These also can address physician response time, the types of questions patients may ask, what staff other than the physician may process messages, and the fact that e-communications become part of legal hold in the event of a malpractice action.
- Obtain patient-physician consent to communicate via the portal, and configure the system to include an automatic reply acknowledging messages have been delivered and messages have been read. Additionally, encourage patients to confirm that messages are received and read.
The American Health Information Management Association has tips about patient portals on its website.
Physicians insured by ProAssurance may contact our Risk Management department for prompt answers to liability questions by calling (800) 292-1036 or via email.