- User Authentication -- "If you are going to provide good access control, there has to be a way on the portal for patients to authorize uniquely to the portal, such that they are only looking at their own information and not somebody else's," McMillan explained.
- Secure Transport -- A portal that allows users to download information must provide a secure, encrypted connection between patient and portal. This is often accomplished through a virtual private network (VPN) or a gateway that's part of the provider's network.
- Auditing and Integrity Control -- Providers need to be able to audit what a user has done with the information obtained through a portal -- what they have looked at and what they have changed. If a patient is able to enter or alter his or her health data, integrity control provides a way to verify the information. The EHR linked to the portal retains a patient's previous data so they can be compared with the new data. If a patient with a penicillin allergy inadvertently changes the health record to indicate no such allergy, the system can flag the problem.
MORE ON THE WEB
- "Feds Raising Awareness of Patient Rights on Accessing Health Data" (Pfister/Ingargiola, iHealthBeat, 8/9).
- HHS' Office for Civil Rights memo on patients' access to health data
- Meaningful Use Stage 2 final rule