The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, includes a requirement to protect the privacy and security of individuals' health information, defined as “protected health information” (PHI). The HIPAA regulation applies to “covered entities”, which include healthcare providers, health plans and healthcare clearinghouses.
The 2009 American Recovery and Reinvestment Act (ARRA), passed by the Obama administration, includes a section called the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act promotes adoption of “electronic health records” (EHRs) to enhance efficiency and lower healthcare costs. Anticipating that the widespread adoption of electronic health records would increase privacy and security risks, the HITECH Act introduced new security- and privacy-related requirements for covered entities and their business associates under HIPAA.
Further, the fines for non-compliance with the HIPAA privacy rule have increased significantly with the introduction of the HITECH Act. Smaller practices are now being fined tens of thousands of dollars and large provider organizations are now being fined countless dollars based on some recent landmark cases. To this point, the US government has discovered that performing HIPAA compliance audits is a significant revenue generation opportunity. As a result, it has hired additional audit staff and plans to significantly increase the number of HIPAA compliance audits. For providers, this implies a heightened danger of significant financial penalties, should you be found to be non-compliant.
Complying with the ACTs (HIPAA + HITECH are collectively referred to as the ACTs) requires an investment in the adoption of HIPAA Compliance Plans, training of staff and attention to the particular details of the ACTs. Note that the ACTs do NOT require the use of technology, although HITECH in combination with ARRA does heavily promote and incentivize the adoption of EHRs. The purpose of this document is to help healthcare providers understand how patient portals help achieve HIPAA compliance. There are numerous approaches to the broader compliance topic that range from hiring HIPAA compliance consultants to adopting HIPAA Compliance Plans that have been written for similarly situated organizations. These topics are beyond the scope of this paper.
So how do practices meet the insatiable desire for electronic communications to provide patient satisfaction, yet adhere to HIPAA and HITECH? Patient portals are part of the answer. In other words, patient portals are healthcare-related online applications that allow patients to interact and communicate with their healthcare providers. The functionality of patient portals varies significantly but may include secure access to patient demographic information, appointment scheduling, payments, bidirectional messaging and access to clinical data if the portal has been provided by the EHR provider.
In use today, we find patient portals being provided by EMR/EHR providers, firms providing “Practice Management” (PM) solutions and even third parties that are promising patients eventual access to their health information in one portal. They are typically referred to as “Personal Health Portals” and many consider “Microsoft Health Vault” to be the leader in this space. Since the personal health portal does not directly communicate with the practice, these portals typically only contain clinical information that can be acquired through the myriad and increasing number of healthcare data exchanges.
Change Management. This problem impacts small and large organizations undertaking major system implementations. Comprehensive systems implementations require redefinition and remapping of business processes by all members of an organization. The problems and significant challenges involved with taking on these kinds of projects are well documented and beyond the scope of this paper, but they are real problems that are slowing the adoption of new technologies.
Cost/Time to Implement. The US government recognized the cost element of this dilemma and, with the ARRA, is providing as much as $44,000 per practice for implementing an EHR solution and meeting all of the yet-to-be-defined “meaningful use” criteria. But in many practices, time to implement is still a big hurdle, as practitioners are busy seeing patients all day every day and these systems invariably take weeks and months of training and lost productivity due to the learning curve of the new technology.
Existing EHR Solution meets core requirements but patient portal is not available. This is a very common issue, particularly for larger and/or very specialized providers where systems have been developed and customized to meet complex clinical requirements, but weren’t designed to handle patient communications and other patient-facing requirements of today. Due to this complexity and customization, adoption of a new solution is very impractical and wholesale replacement is not deemed an option by many of these providers.
Beyond the adoption issues stated above and many other unstated ones, there is a broader issue with the use of practitioner-level patient portals for clinical information. To understand the author’s perspective on this issue, consider that one of the real benefits of electronic health information is that in theory it is easily shared, aggregated, disaggregated and exchanged. In reality, achieving these benefits is still a couple of years away, maybe more. The establishment of statewide healthcare exchanges marks a significant milestone, but much work remains to be done to attain interoperability of clinical data. Microsoft Health Vault is pushing hard to be the platform that securely delivers the full set of clinical data to patients, incorporating data from most of their providers, pharmacies and lab results in one simple-to-use portal.
At best, then, a practitioner-level patient portal providing clinical data presents only a single-provider view, yet most of the patients who want this information the most have multiple providers engaged in their care. As an example, a single patient may have a family physician, an internist, a cardiologist and an endocrinologist all engaged in their care. Looking at the information from any single practitioner wouldn’t give a complete picture. For this reason, the author believes that clinical data is better delivered to the patient in a single portal by a third party that can make arrangements to aggregate data from all sources.
Given the adoption challenges of the EHR/PM-centric (patient) portals, and the broader problems with delivering clinical data in practitioner-level portals, there is a role for “standalone” portals. By standalone portals, we mean portals that provide direct patient access to the creation and editing of patient demographic information, bidirectional secure messaging, appointment scheduling, payments and other non-clinical features. These portals do not provide access to clinical data. But standalone portals offer healthcare providers the ability to quickly join the digital revolution, meet the insatiable desire of patients to communicate electronically in a way that is secure and HIPAA compliant, allow online self-registration and drive multiple efficiencies at the same time.