How to Secure Personal Health Information in Patient Portals

Feb 20, 2018 10:31:30 PM


Patient portals can go a long way in bridging the care-delivery gap between patients and providers. This modern technology has a major role in keeping patients informed, involved, and connected with care providers.

According to TechTarget's 2017 health IT purchasing intentions survey, 67% of the responding organizations ranked the patient portal among the most promising technologies for boosting patient involvement.


Today, patients play a key role in their own treatment. They generate their own health data (through wearables, personal healthcare devices and mobile apps) and transmit it to their clinicians. This in turn lets care providers deliver coordinated care, reducing cost and improving outcomes.

While patient portals allow fast access to and transfer of such healthcare information, the details must stay private and protected. HIPAA compliance exists to ensure that sensitive patient and business data is secure whether it is stored on a mobile device, held on the server, or transmitted between client and server. In the following segment, we look at the security features a patient portal should have in order to be HIPAA compliant.

1. Encrypting and Decrypting PHI: A patient portal does many things, so the information a patient exchanges through the app varies widely, from personal details (for scheduling) to medical records (for consultation). Encrypting the data as it travels between patient and doctor, and while it sits in the portal's database or on the phone, minimizes the chance that an unauthorized party can read or misuse it. In practice this means TLS for every connection, and a strong authenticated cipher such as AES-256 (often quoted simply as "256-bit encryption") for data at rest. The HIPAA Security Rule treats encryption as an "addressable" specification: if you decide not to encrypt, you must document why and put an equivalent safeguard in place to meet the requirement.

2. Role Based Access Control (RBAC): Regulating who can access what, on the basis of their role, is essential. For example, administrative staff and practitioners in a healthcare organization need access to different information: a scheduler has no need to see a diagnosis. Access is therefore granted according to the needs of each role and no further (HIPAA calls this the "minimum necessary" standard), and for clinical records the role alone is not enough: the user must also have a relationship to the specific patient.
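The following Go snippet is an added example (not from the original post) of how such a check can be enforced in a portal backend. It combines a role-to-permission matrix with a per-record relationship check: a patient may read only their own record, a clinician may read and write only records whose care team lists them, and the admin role can manage users and scheduling but has no clinical-record permission at all. The roles, actions and identifiers are assumptions chosen for illustration.

```go
package main

import "fmt"

// Action is an operation the portal exposes.
type Action string

const (
	ReadRecord   Action = "record:read"
	WriteRecord  Action = "record:write"
	Schedule     Action = "appointment:schedule"
	ManageUsers  Action = "user:manage"
	ReadAuditLog Action = "audit:read"
)

// rolePermissions is the role -> allowed actions matrix (assumed roles).
// admin deliberately has no record permission: account and scheduling staff
// should do their job without seeing diagnoses ("minimum necessary").
var rolePermissions = map[string]map[Action]bool{
	"patient":   {ReadRecord: true, Schedule: true},
	"clinician": {ReadRecord: true, WriteRecord: true, Schedule: true},
	"admin":     {Schedule: true, ManageUsers: true, ReadAuditLog: true},
}

type User struct {
	ID   string
	Role string
}

// Record is a clinical record; CareTeam lists clinician IDs allowed to see it.
type Record struct {
	PatientID string
	CareTeam  []string
}

// authorize first consults the role matrix, then, for record actions, requires
// a relationship to the record: the patient owns it or the clinician is on
// its care team. Unknown roles fall through to false.
func authorize(u User, a Action, r *Record) bool {
	if !rolePermissions[u.Role][a] {
		return false
	}
	if a != ReadRecord && a != WriteRecord {
		return true // non-record actions need no resource relationship
	}
	if r == nil {
		return false
	}
	switch u.Role {
	case "patient":
		return r.PatientID == u.ID
	case "clinician":
		for _, id := range r.CareTeam {
			if id == u.ID {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample record and users; not real data.
	rec := &Record{PatientID: "P-1001", CareTeam: []string{"C-7"}}
	cases := []struct {
		u User
		a Action
	}{
		{User{"P-1001", "patient"}, ReadRecord},
		{User{"P-2002", "patient"}, ReadRecord},
		{User{"C-7", "clinician"}, WriteRecord},
		{User{"C-9", "clinician"}, ReadRecord},
		{User{"A-1", "admin"}, ReadRecord},
		{User{"A-1", "admin"}, ManageUsers},
		{User{"X", "unknown"}, Schedule},
	}
	for _, c := range cases {
		fmt.Printf("%-7s %-10s %-22s -> %v\n", c.u.ID, c.u.Role, c.a, authorize(c.u, c.a, rec))
	}
}
```

The second half of authorize is what a pure role matrix misses: without it, any authenticated patient could request any other patient's record by changing an ID in the URL, which is the classic broken-access-control bug in portals.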

3. Extensive Login Controls: Passwords are the first line of defense against unauthorized access to a system, so patient portals should let users create, change, and safeguard them, and should require a strong password (long, alphanumeric with special characters, preferably) that is never stored in plaintext. Security questions are sometimes used to re-validate users from time to time, but the answers are often guessable or publicly known, so they are a weak check. A more robust option is two-step verification, in which the user must also enter a one-time password (OTP), delivered to their phone or generated by an authenticator app, before gaining access to the portal.

4. Opt-In Agreements: HIPAA requires that a patient be informed about what the app does with their information and why. A HIPAA-compliant portal should therefore display the relevant forms wherever it needs to collect a patient's consent. One of the most common and important consent forms is the opt-in agreement, in which the patient acknowledges and accepts the risks of insecure communication (for example, unencrypted email or text messages) or of sharing their PHI with a third party.

5. Record Logs for Audit: Under HIPAA's audit-control requirement, regulated entities must implement hardware, software, and/or procedural mechanisms that record and examine activity in any information system (mobile devices, computers, email, file-sharing applications, printers, routers, etc.) that uses or contains PHI.

Activities to record include user logins (successful and failed), the files and records a user accessed, creation of a new user, changes to a user's access level, firewall logs, changes to databases, and so on. Logging this information and reviewing it periodically is important both to detect misuse and to demonstrate that the entire system operates in accordance with HIPAA rules and regulations. The log itself must be protected from tampering: an attacker, or an insider covering their tracks, should not be able to edit or delete entries unnoticed.
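The Go program below is an added example (not from the original post) covering both halves of this item: it keeps a structured PHI access log in which every entry carries the hash of the entry before it, so an edited or deleted line is detected on verification, and it runs the kind of periodic review the text calls for, flagging a user who reads an unusual number of different patients' records and an account with many failed logins. The events, thresholds, identifiers and timestamps are constructed for illustration; in production the hashes would be anchored to an external store (or the log shipped to a write-once system) so an attacker cannot simply rebuild the whole chain.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// AuditEvent is one line of the PHI access log. PrevHash chains each entry to
// the one before it, so editing or deleting an earlier line breaks every later hash.
type AuditEvent struct {
	Time     string `json:"time"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Patient  string `json:"patient,omitempty"`
	Outcome  string `json:"outcome"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash"`
}

// eventHash is SHA-256 over the JSON of every field except Hash itself.
func eventHash(e AuditEvent) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // a flat struct of strings cannot fail to marshal
	sum := sha256.Sum256(b)
	return fmt.Sprintf("%x", sum[:])
}

// AuditLog is an append-only, hash-chained list of events.
type AuditLog struct{ events []AuditEvent }

// Append records an event, linking it to the previous entry's hash.
func (l *AuditLog) Append(ts, actor, action, patient, outcome string) {
	prev := "genesis"
	if n := len(l.events); n > 0 {
		prev = l.events[n-1].Hash
	}
	e := AuditEvent{Time: ts, Actor: actor, Action: action, Patient: patient,
		Outcome: outcome, PrevHash: prev}
	e.Hash = eventHash(e)
	l.events = append(l.events, e)
}

// Verify recomputes the chain and returns the index of the first bad entry, or -1.
func (l *AuditLog) Verify() int {
	prev := "genesis"
	for i, e := range l.events {
		if e.PrevHash != prev || eventHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Review is the periodic check: it flags actors who read more than maxPatients
// distinct patients' records and actors with more than maxFailures failed logins.
func (l *AuditLog) Review(maxPatients, maxFailures int) []string {
	seen := map[string]map[string]bool{} // actor -> distinct patients read
	failed := map[string]int{}           // actor -> failed logins
	for _, e := range l.events {
		if e.Action == "record:read" && e.Outcome == "success" {
			if seen[e.Actor] == nil {
				seen[e.Actor] = map[string]bool{}
			}
			seen[e.Actor][e.Patient] = true
		} else if e.Action == "login" && e.Outcome == "failure" {
			failed[e.Actor]++
		}
	}
	var out []string
	for a, s := range seen {
		if len(s) > maxPatients {
			out = append(out, fmt.Sprintf("%s read %d distinct patients' records", a, len(s)))
		}
	}
	for a, n := range failed {
		if n > maxFailures {
			out = append(out, fmt.Sprintf("%s had %d failed logins", a, n))
		}
	}
	return out
}

// sampleLog is a constructed log (not real data) for the demonstration.
func sampleLog() *AuditLog {
	l := &AuditLog{}
	l.Append("2018-02-20T09:00:00Z", "C-7", "login", "", "success")
	for _, p := range []string{"P-1001", "P-1002", "P-1003"} {
		l.Append("2018-02-20T09:01:00Z", "C-7", "record:read", p, "success")
	}
	for i := 0; i < 6; i++ {
		l.Append("2018-02-20T10:00:00Z", "P-2002", "login", "", "failure")
	}
	l.Append("2018-02-20T10:05:00Z", "A-1", "user:manage", "", "success")
	return l
}

func main() {
	l := sampleLog()
	fmt.Println("first bad index:", l.Verify(), "findings:", l.Review(2, 5))
	l.events[2].Patient = "P-9999" // an insider "corrects" an access after the fact
	fmt.Println("after tampering, first bad index:", l.Verify())
}
```

Note that the review thresholds are policy, not security: a clinician on a busy ward legitimately reads dozens of charts a day, so the numbers must be tuned per role, and findings are a prompt for a human reviewer rather than an automatic verdict.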

6. Custom Terms and Conditions: Under HIPAA, a patient portal should define terms and conditions outlining how the healthcare organization collects, uses, and handles personal health information on a day-to-day basis.


Secure, integrated, and intuitive patient portals have far-reaching consequences for healthcare stakeholders. To understand the benefits a patient portal can bring to your organization, connect with our health-tech expert through our free 30-minute consultation.

Topics: Healthcare

Archna Oberoi

Written by Archna Oberoi

Content strategist by profession and blogger by passion, Archna is keen on keeping up with the latest in technology and sharing it with readers. Stay tuned here as she brings trending stories from the tech territory of mobile and web.