Implementing Patient Access to Electronic Health Records Under HIPAA: Lessons Learned
What lessons can be learned from the implementation of Patient Gateway, a secure, web-based, Boston health care system?
This article examines Patient Gateway; a secure, web-based health care system developed by Partners HealthCare System based in Boston and launched in 2002. Over the course of 2 years, it was released to 19 different clinics representing various socioeconomic statuses and urban/suburban populations.
In a 2001 report, The Institute of Medicine (IOM) issued 10 suggestions to improve healthcare in America. One suggestion called for closure of the “chasm” between information in the healthcare system and the individual or patient. Beginning in 2001, HIPAA set a baseline for privacy regarding such transactions and security of patient data. The authors note other studies which have shown that EHR's can be beneficial and have the ability to maintain the confidentiality of patient data.
The authors covered three areas Patient Gateway uses to maintain security and privacy.
Authenticating and Authorizing Patient Use
The initial design and specifications for security with regard to the authentication of staff have proved sufficient and secure. The initial design for patient authorization to the system has since been enhanced. Originally a forgotten password was mailed out to the physical address on file. This delay waiting for the letter to arrive caused frustration with the patients, so the system was upgraded so the patients profile would include a secret question to be used when retrieving a new password. Upon a successful answer to this secret question, a challenge question is asked of the patient. This question is derived from some bit of information in the patient’s record. These enhancements have improved the system.
Patient Gateway currently does not allow access to a proxy member, family, or friends. This situation is planned to change in the future, but currently is not available.
Authenticating and Authorizing Staff Use
Patient Gateway ensures the only the proper staff can access only the appropriate information. The main complaint with patients is that staff reviews all phone messages and emails to physicians. Many questions can be answered by staff to reduce the physicians workload, however this is within the privacy guidelines of Patient Gateway.
The Patient Gateway system will only allow patients with Web browsers which support high encryption. Also, the system encodes all information over a SSL connection and doesn’t store any information in the patient’s computer cache.
The 2001 IOM report desired to bring patients closer to their medical history and information. While in accordance with HIPAA, Patient Gateway has been able to make progress towards this goal. There are several important issues which must be addressed in future EHS implementations. The three areas which are of chief importance are: Authenticating and Authorizing Patient Use, Authenticating and Authorizing Staff Use, and Messaging. Future development will also need to focus on the way EHR's are presented to the patient. Currently, Patient Gateway presents selected information in the EHR to the patient. A patient’s entire medical history isn’t necessarily available online to the patient. This will need to be addressed in the future.
The authors have been able to review and summarize lessons learned from the implementation of this system. They been able to pursue the suggestion of IOM to close the chasm of information disconnect between healthcare and the patient. The security of these systems remains a priority and constant struggle. These systems can provide better healthcare as the communications between the patient and physician are improved.