"Patient Portals are continuing to evolve, like all medical software," says Jimmy Chapman, president of MedConnect, which makes the EHR distributed by MediSYS in Alabama. "Portals will change communication between physicians and patients."
Patient portals have had a rocky start. Since their introduction, patients have not been interested in sharing medical information through the internet. As a result, Meaningful Use for patient portals backpedaled from requiring 10 percent of patients to use the portal to just one patient.
The potential usefulness to practices, though, still stands. "These portals provide valuable service in reducing manpower hours," Chapman says. "That means savings."
A Birmingham ENT group started using their patient portal to solicit medical histories prior to visits. That action eliminated the handling and scanning of three pieces of paper per patient by the office staff. "The portal uploaded the information, but also allowed data to be captured in a discreet structured format so it met Meaningful Use requirements, as well as automatically populating the patient's chart," Chapman says. "It accomplished multiple objectives, and freed staff up."
Besides a more efficient flow of information into the EHR, portals were meant to get patients more connected to providers. Currently, patients must usually wait until the end of the day for a call back from the physician. "But a lot of interaction through the portal can be done at the availability of the provider throughout the day," Chapman says. "Patients need to know that using the portal can mean a faster response."
The most significant value of a portal to a clinic may be with refill requests. "The majority of providers have prescribed maintenance medication to patients that require refills," Chapman says. Patient portals automate that process.
Last year, a Birmingham primary care physician began requiring her patients to submit all their refill requests through the portal. "She has indicated that it's going very well," Chapman says.
She now requires lab results to be forwarded through the portal, as well, rather than mailed. That not only reduced her postage costs, but significantly reduced manpower costs, because with one click, physicians can usually forward labs to the patient portal as they are reviewing the documents. That also triggers an email notification to the patient. "So the patients get their results almost in real-time. They no longer have to wait for the mail," Chapman says.
Some area clinics are using prizes to foster patient engagement with their portals. Every patient who logs in and requests a refill or accesses their medical information is automatically entered in a monthly drawing for a gift card.
As practices increase the use of patient portals, security risks also rise. "One common mistake is a misguided trust that as long as the portal or EHR is HIPAA secure, then the practice is safe," says Chad Sizemore with ICS Medtech. "But if the network it rides on lacks security controls, like next-gen firewall, intrusion, or breach detection, that is a means for a hacker to get in."
When walking through clinics, Sizemore regularly sees security vulnerabilities such as computers plugged directly into cable modems, which don't always have firewalls. "So make sure you have policies and procedures in place for both the use of your portal and for your network," he says.
Like other aspects of an EHR, clinics should restrict access to the portal to only necessary staff. Password requirements for both staff and patients should be set to "strong" to require eight to ten characters that include numbers and upper and lowercase letters. "Make sure the staff's passwords are nothing easily duplicated or known, like 'welcome' or 'password'," Sizemore says. "It may sound like a joke, but you'd be surprised at how many we find out there."
For those staff accessing the patient portal, position their computer screen away from public view and have the setting for idle time set to no more than five minutes before it locks down and requires a password to become active again. "And have it lock out the user account if someone fails to enter the right password after three to five times, whether an employee or a patient," Sizemore says.
Breaches to a patient portal could originate anywhere. But because EMRs hold patient data, a breach would require OCR to be notified. "And you better have auditing procedure and practices in place to show for your portal," Sizemore says. "If you don't, you're going to be hammered. The fines are significant."
Chapman says that the rate of adopting patient portals lags not because of a lack of capability, but rather because portals are still so new to healthcare. However, as clinics start to use portals, they quickly see the savings they generate.