03-05-13 | Blog Post

Liveblogging from HIMSS 13: Managing Privacy and Security Challenges of Patient EHR Portals

Blog Posts

Online Tech is exhibiting our HIPAA hosting solutions for the healthcare industry at HIMSS 13 in New Orleans this year! Tune into our Twitter and follow our blog for updates on the latest HIMSS 13 news.

If you’re at HIMSS 13, visit booth #1369 to say hi or schedule a free one-on-one consultationwith a panel of health IT experts.

Managing Privacy and Security Challenges of Patient EHR Portals

HIMSS 13 Security Challenges of Patient EHR Portals
HIMSS 13 Security Challenges of Patient EHR Portals

Adam Greene, JD, MPH Davis Wright Termaine and Jackie Monson, JD, CHC Mayo Clinic discussed some of the real life privacy and security challenging facing patient EFR portals at HIMSS 13.

One aspect that challenges patient portals is handling permissions of patient representatives for minors or those who have a medical decision maker appointed.

Mayo clinic found that they had more patient requests for amendments to their patient records. It’s easy to request an amendment, but this has proven overwhelming to the security and privacy office so far. They have seen a 100% increase in patient requests for medical record amendments. This ranges from simple changes such as “Right” to “Left” for correcting an amputation record to asking for their entire medical record to be rewritten.

Many patients are reading notes from physicians for the first time, and correcting inaccuracies or objecting to aspects they disagree with.

Make sure to include the patient portal within the scope of the risk assessment to evaluate risks including:

  • interception during transmission,
  • unauthorized access,
  • internet-facing interface,
  • EHR portal software problems (has it been independently tested)

Authentication issues
Does there need to be in-person authentication? Will you require seeing a driver’s license for example? What do you do for patients who cannot easily come in person, but want remove access to their information.

How about strong passwords? Will they impact patient usability?

How are the servers protected? Are their physical safeguards protecting against theft? Is encryption being used? What happens of the patient contributes to a security failure with a weak password, sharing credentials, or loses their mobile device. What can you do to limit risk of any single point of faliure?

Jacki Monson, JD, CHC has been struggling with security issues at Mayo clinic. Now they have an outside vendor performing monthly testing and make sure that their audit logs are turned on so they can get to the bottom of troubleshooting issues. For example, their patient portal was changing a number

Mayo allows their patients to choose if they want in-person validation or not. Some patients want to make sure that their spouses can’t authenticate even if they know answers to personal information such as what was the first car they drove or where they lived 15 years ago.

Make sure that audit logging is in place to a level of detail that will be helpful to find out what went wrong when it goes wrong.


  • PHR = Personal Health Record is a patient controlled record
  • EHR portal is a window into a patient’s own electronic health record – it is not their patient-controlled PHR.

PHR and EHR can work together so that patient gets to see their information through the EHR portal, the EHR portal feeds into the PHR, and/or facilitating patients adding information through the PHR and deciding if they want it shared with the EHR.

Is PHR considered PHI (protected health information) belonging to the covered entity? Is it on the covered entity’s servers or their business associates? Just because the patient controls their PHI in the PHR, if the patient information is on the CE or BA servers, then it must be protected.

Will the portal include sensitive information subject to state law restrictions such as HIV/STD tests, dental health information, genetic test results, alcohol or substance abuse treatment information?

Mayo spans many states, and follows the most restrictive state law that applies to information in the portal. Currently, clinical information that triggers a strict state law are not being released on the portal, for example, information for an emancipated minor.

Mayo has had to meet mobility security challenges with their new mobile health applications for iPhones and iPads which helps Mayo Clinic meet MU requirements. These include authentication, encryption, password, privacy challenges such as appointment reminder popups and portal messages to patients.

What does the future hold? Stage 2 Meaningful Use pushes strongly for the use of patient portals. It also strongly promotes inclusion of patient amendments. When an HIE maintains the EHR record, will an HIE provide a patient portal view for patients?

Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved