Patient data access requirement poses privacy, security challenges

The Stage 2 Meaningful Use requirement to provide patients access to their electronic health data brings with it significant new privacy and security burdens, health IT analyst John Moore writes this week on

It's new ground for many providers, Moore says, because most websites are "informational, rather than access-oriented," requiring less stringent security and privacy measures. Patient portals, in which patients may access their electronic health records through a single entry point, appear to be the go-to solution for most providers.

There's a clear demand from patients for electronic data access. While 65 percent of adults queried in a recent Harris Interactive survey said access to their health information is important or very important, only 17 percent said their physicians provide that access.

Meeting the Stage 2 requirement for patient engagement already has some providers worried, though. "I understand the desire to drive patients online and change behavior, but feel that it is unreasonable to put that burden on the healthcare provider," Indranil Ganguly, CIO at Freehold, N.J.-based CentraState Healthcare System, told FierceHealthIT in August shortly after the requirements were announced.

Moore cites three core elements for patient portal security provided by Mac McMillan, chief executive of the health IT security firm CynergisTek:

  • Strong user authentication.
  • Secure, encrypted transport of data downloaded by patients, often through the provider's virtual private network (VPN).
  • Auditing of what users do with information obtained and changed through the portal, and integrity control of data entered by users.

Network scanning and monitoring also are important, Jared Rhoads, senior research specialist at the CSC Global Institute for Emerging Healthcare Practices, tells Moore.

Providers can build their own portals, but most either will have portals built into their EHRs, or use a separate health IT vendor for a portal, Moore says. Vendors would be responsible for building in the attendant security and privacy components.

Representatives from the White House and relevant federal agencies have been discussing ways to increase patient access to data, including protecting patient privacy and identifying and prioritizing standards and best practices.
