- HIPAA Update - http://blogs.hcpro.com/hipaa -

HIPAA Q&A: Selecting records to include in patient portals


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: With the implementation of patient portals, there is concern over accessibility of certain information. My organization does not include minors’ records in its portal, but we are uncertain about whether to include other records. For example, is including incapacitated individuals’ information in the portal acceptable? If so, how do we determine who has access to these patients’ records? Can the portal include information pertaining to mental health, HIV, STDs, etc.? What can/should a CE restrict when storing patient information on a portal?

A: Making information on minors available through a patient portal can be rather complex with the overlay of state minor laws, so excluding the records of minors from your portal is acceptable. Generally, a patient signs up to access a patient portal. You do not need to limit the health information that can be accessed through the portal, even in instances of specially protected classes of information such as an HIV/AIDS diagnosis.

You may or may not know whether a patient is incapacitated. If you are aware that a patient is incapacitated and you receive a request from a personal representative to access the portal, obtaining documentation showing that the personal representative is authorized to access the portal is a good idea. For example, obtain a copy of the power of attorney before granting access.

It’s also a good idea to include a disclaimer stating that if a patient elects to share his or her password with others, the organization is not liable for damages. An organization is responsible for securing its portal, but not for the actions of patients. Be prepared to shut down access if a patient reports unauthorized access to the portal.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.