Don’t underestimate the importance of a good log-out procedure.
Your patients have the right to access their records, but you must ensure that the process you use to give patients access doesn’t create problems down the line. Consider using a dedicated computer as a patient portal and build in appropriate safeguards with this advice.
Who’s Entitled To What?
Allowing your patients to access their information via a PHI kiosk does not mean you have to allow them to see everything included in their records. You have to ask yourself: “What do my patients want to see?”
According to the Department of Health and Human Services (www.hhs.gov/ocr/privacy/hipaa/understanding/), “An individual’s right of access generally applies to the information that exists within a covered entity’s designated record set(s), including the following:
One way to give patients access to their files is to designate one computer in your practice as a patient portal. The safeguards you need fall into three areas: password protection, physical privacy and security, and automated procedures to ensure patients log off before walking away. Consider each of them in depth.
1. Password Protection
Patient passwords need to be something besides their own personal identifying information, so that the system can authenticate the patients’ identities. Strong, complex passwords will go a long way in protecting that PHI.
Problem: If your patients don’t practice “good password hygiene,” all your controls will be useless. Once patients are involved, you have far less administrative control, as they are not necessarily complying with HIPAA.
Solution: Educate your patients about how to safely access and manage their information. Example: Train your patients not to carry their passwords around with them or write them down. By giving them the tools to keep their information private, you are saving both your patients and your facility from potential problems down the line.
2. Physical Protection
You must have a system to keep other people from seeing your patients’ information on the screen, just like at an ATM.
Tip: This physical protection could include a privacy screen or marking a line for the next patient to stand behind. You could also put the computer in a place that makes it hard for passers-by to see.
Another component of this physical safeguard is deciding how patients are allowed to view their PHI.
Ask yourself: “Can they print their information or only view it on the screen?”
Caution: Allowing patients to print the information leads to a new set of privacy concerns, since the papers could get lost or misplaced while still in your office. If you decide to allow patients to print their PHI, your printer needs to be located where only the person using the screen can have access to it. And you probably need to provide a way for patients to destroy information once it is printed.
3. Logging Off
One of the biggest challenges is ensuring that a patient logs out of the system after reviewing his or her private information. Patients who aren’t adequately trained are likely to leave the PHI kiosk without logging out of their accounts. This can lead directly to strangers inappropriately accessing their PHI.
Combat this problem by having your system automatically log patients out of their accounts after a certain period of time with no activity, experts suggest. You can also remind patients at the sign-in screen that they are being allowed access under certain circumstances and they are responsible for protecting their PHI by logging out.
The Bottom Line
Though your patients agree to assume responsibility, the PHI they are viewing is still under your control and in your possession. That means you must apply stringent controls to ensure that the information is not inappropriately released to someone else.
Remember: Your auditing needs will increase as patients begin using this system. No patient should ever need to see another patient’s record. An audit log will allow you to catch and mitigate any inappropriate disclosures.
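The two automated safeguards above, an inactivity logout and an audit-log check for cross-patient views, as an added illustration that is not part of the original article. The two-minute idle limit, the session and log fields, and the sample log entries are all constructed for the example; the record a patient views is compared against the patient who signed in, and any mismatch is reported for follow-up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Idle limit before the kiosk ends a session on its own (assumed value; set per policy).
IDLE_TIMEOUT = timedelta(minutes=2)


@dataclass
class KioskSession:
    """One patient's signed-in session at the PHI kiosk."""
    patient_id: str
    last_activity: datetime
    active: bool = True

    def touch(self, now: datetime) -> None:
        """Record patient activity (a click or keystroke) so the idle clock restarts."""
        if self.active:
            self.last_activity = now

    def enforce_idle_logout(self, now: datetime) -> bool:
        """End the session once it has been idle for IDLE_TIMEOUT or longer.
        Returns True only when this call performed the automatic logout."""
        if self.active and now - self.last_activity >= IDLE_TIMEOUT:
            self.active = False
            return True
        return False


def auto_logout_fires(check_after_s: int, activity_at_s: Optional[int] = None) -> bool:
    """Simulate a session that signs in at t=0, optionally sees activity at
    activity_at_s seconds, and is checked at check_after_s seconds."""
    start = datetime(2024, 1, 15, 9, 0, 0)  # constructed sign-in time
    session = KioskSession("P1001", start)
    if activity_at_s is not None:
        session.touch(start + timedelta(seconds=activity_at_s))
    return session.enforce_idle_logout(start + timedelta(seconds=check_after_s))


# Constructed sample audit log: timestamp, authenticated patient, record viewed.
AUDIT_LOG = """\
2024-01-15T09:00:05,P1001,P1001
2024-01-15T09:01:10,P1001,P1001
2024-01-15T09:04:30,P1001,P2045
2024-01-15T09:10:00,P2045,P2045
"""


def find_cross_patient_views(log_text: str) -> List[Tuple[str, str, str]]:
    """Return every entry where the record viewed is not the signed-in
    patient's own record; each one is a disclosure to investigate."""
    hits = []
    for line in log_text.strip().splitlines():
        ts, patient, record = line.split(",")
        if record != patient:
            hits.append((ts, patient, record))
    return hits
```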
The main benefit of this information station is that it saves time and permits quicker access to information. However, before you launch into this project, ask yourself the following questions:
As always, document your processes in deciding whether PHI kiosks will work for your organization and then train your staff accordingly. In addition, be sure you are aware of the current HIPAA laws regarding what your patients can and cannot access. Typically, you can get this information from your practice’s attorney or on the government’s HIPAA website at www.hhs.gov/ocr/privacy.