The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, includes a requirement to guard the privacy and security of individuals’ health information, defined as “protected health information” (PHI). The HIPAA regulation applies to “covered entities”, such as healthcare providers, health plans and healthcare clearinghouses.
The 2009 American Recovery and Reinvestment Act (ARRA), passed by the Obama administration, includes a section called the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act promotes adoption of “electronic health records” (EHRs) to enhance efficiency and lower healthcare costs. Anticipating that the widespread adoption of electronic health records would increase privacy and security risks, the HITECH Act introduced new security and privacy requirements for covered entities and their business associates under HIPAA.
Further, the fines for non-compliance with the HIPAA privacy rule have increased significantly with the introduction of the HITECH Act. Based on some recent landmark cases, smaller practices are now being fined thousands of dollars and large provider organizations are now being fined millions of dollars. So far, the government has found that performing HIPAA compliance audits is a significant revenue generation opportunity. As a result, it has hired additional audit staff and plans to significantly increase the number of HIPAA compliance audits. For providers, this means a heightened risk of significant financial penalties should you be found to be non-compliant.
Complying with the ACTs (HIPAA + HITECH are collectively referred to as the ACTs) requires an investment in the adoption of HIPAA Compliance Plans, training of staff and attention to the particular details of the ACTs. Remember that the ACTs do NOT require the use of technology, although HITECH in combination with ARRA does heavily promote and incentivize the adoption of EHRs. The objective of this document is simply to help healthcare providers understand how patient portals help achieve HIPAA compliance. There are numerous approaches to the broader compliance topic, ranging from hiring HIPAA compliance consultants to adopting HIPAA Compliance Plans that have been written for similarly situated organizations. These topics are beyond the scope of this paper.
So how can practices meet the insatiable desire for electronic communications to deliver patient satisfaction, yet adhere to HIPAA and HITECH? Patient portals are definitely part of the answer. Put simply, patient portals are healthcare-related online applications that enable patients to interact and communicate with their healthcare providers. The functionality of patient portals varies significantly but may include secure access to patient demographic information, appointment scheduling, payments, bidirectional messaging and, if the portal is supplied by the EHR provider, access to clinical data.
In use today, we find patient portals supplied by EMR/EHR providers, by firms providing “Practice Management” (PM) solutions and even by third parties that are promising patients eventual access to all of their health information in one portal. The third-party portals are typically referred to as “Personal Health Portals”, and many consider “Microsoft Health Vault” to be the best choice in this space. Since the personal health portal doesn’t connect directly to the practice, these portals typically contain only clinical information that can be acquired through the myriad and growing number of healthcare data exchanges.
Change Management. This issue affects small and large organizations undertaking major system implementations. Comprehensive systems implementations require redefinition and remapping of business processes by all members of an organization. The problems and significant challenges involved in taking on these kinds of projects are well documented and beyond the scope of this paper, but they are real problems that are slowing the adoption of new technologies.
Cost/Time to Implement. The US government recognized the cost part of this problem and, with the ARRA, is providing up to $44,000 per practice for implementing an EHR solution and meeting all the yet-to-be-defined “meaningful use” criteria. In many practices, time to implement is still a big hurdle: practitioners are busy seeing patients all day, every day, and these systems invariably take weeks and months of training and lost productivity as a result of the learning curve of the new technology.
Existing EHR Solution meets core requirements but patient portal isn’t available. This is a very common issue, especially for larger and/or very specialized providers whose systems have already been developed and customized to meet complex clinical requirements but were not designed to handle patient communications and the other patient-facing requirements of today. Because of this complexity and customization, adoption of a new solution is quite impractical, and wholesale replacement isn’t deemed an option by many of these providers.
Beyond the adoption issues stated above and a number of other unstated ones, there’s a broader problem with the use of practitioner-level patient portals for clinical information. To understand the author’s perspective on this problem, consider that one of the real advantages of electronic health information is that, in theory, it is easily shared, aggregated, disaggregated and exchanged. The stark reality is that achieving these benefits is still a couple of years away, maybe more. The establishment of statewide healthcare exchanges marks a significant milestone, but much work remains to be done to achieve interoperability of clinical data. Microsoft Health Vault is pushing hard to be the platform that securely delivers the complete set of clinical data to patients, incorporating data from all of their providers, pharmacies and lab results in a single, simple-to-use portal.
At best, then, the practitioner-level patient portal providing clinical data presents only a single provider’s view, yet many of the patients who want these records the most have multiple providers engaged in their care. For example, a single patient could have a family physician, an internist, a cardiologist and an endocrinologist all engaged in their care. Looking at the information from any single practitioner wouldn’t give a complete picture. Because of this, the author believes that clinical data is best delivered to the patient in a single portal by a third party that can make arrangements to aggregate data from all sources.
Given the adoption challenges of the EHR/PM-centric (patient) portals, and the broader problems with delivering clinical data in practitioner-level portals, there’s a role for “standalone” portals. By standalone portals, we mean portals that give patients direct access to the creation and editing of patient demographic information, bidirectional secure messaging, appointment scheduling, payments and other non-clinical features. These portals don’t provide access to clinical data. But standalone portals offer healthcare providers the capability to quickly join the digital revolution, meet the insatiable desire of patients to communicate electronically in a way that is secure and HIPAA compliant, allow online self-registration and drive multiple efficiencies at the same time.