Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

E-Patient Update: Reducing Your Patients’ Security Anxiety

Posted on March 31, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Even if you’re not a computer-savvy person, these days you can hardly miss the fact that healthcare data is a desirable target for cyber-criminals. After all, over the past few years, healthcare data breaches have been in the news almost every day, with some affecting millions of consumers.

As a result, many patients have become at least a bit afraid of interacting with health data online. Some are afraid that data stored on their doctor or hospital’s server will be compromised, some are afraid to manage their data on their own, and others don’t even know what they’re worried about – but they’re scared to get involved with health data online.

As an e-patient who’s lived online in one form or another since the 80s (anyone remember GEnie or Compuserve?) I’ve probably grown a bit too blasé about security risks. While I guard my online banking password as carefully as anyone else, I don’t tend to worry too much about abstract threats posed by someone who might someday, somehow find my healthcare data among millions of other files.

But I realize that most patients – and providers – take these issues very seriously, and with good reason. Even if HIPAA weren’t the law of the land, providers couldn’t afford to have patients feel like their privacy wasn’t being respected. After all, patients can’t get the highest-quality treatment available if they aren’t comfortable being candid about their health behaviors.

What’s more, no provider wants to have their non-clinical data hacked either. Protecting Social Security numbers, credit card details and other financial data is a critical responsibility, and failing at it could cost patients more than their privacy.

Still, if we manage to intimidate the people we’re trying to help, that can’t be good either. Surely we can protect health data without alienating too many patients.

Striking a balance

I believe it’s important to strike a balance between being serious about security and making it difficult or frightening for patients to engage with their data. While I’m not a security expert, here’s some thoughts on how to strike that balance, from the standpoint of a computer-friendly patient.

  • Don’t overdo things: Following strong security practices is a good idea, but if they’re upsetting or cumbersome they may defeat your larger purposes. I’m reminded of the policy of one of my parents’ providers, who would only provide a new password for their Epic portal if my folks came to the office in person. Wouldn’t a snail mail letter serve, at least if they used registered mail?
  • Use common-sense procedures: By all means, see to it that your patients access their data securely, but work that into your standard registration process and workflow. By the time a patient leaves your office they should have access to everything they need for portal access.
  • Guide patients through changes: In some cases, providers will want to change their security approach, which may mean that patients have to choose a new ID and password or otherwise change their routine. If that’s necessary, send them an email or text message letting them know that these changes are expected. Otherwise they might be worried that the changes represent a threat.
  • Remember patient fears: While practice administrators and IT staff may understand security basics, and why such protections are necessary, patients may not. Bear in mind that if you take a grim tone when discussing security issues, they may be afraid to visit your portal. Keep security explanations professional but pleasant.

Remember your goals

Speaking as a consumer of patient health data, I have to say that many of the health data sites I’ve accessed are a bit tricky to use. (OK, to be honest, many seem to be designed by a committee of 40-something engineers that never saw a gimmicky interface they didn’t like.)

And that isn’t all. Unfortunately, even a highly usable patient data portal or app can become far more difficult to use if necessary security protections are added to the mix. And of course, sometimes that may be how things have to be.

I guess I’m just encouraging providers who read this to remember their long-term goals. Don’t forget that even security measures should be evaluated as part of a patient’s experience, and at least see that they do as little as possible to undercut that experience.

After all, if a girl-geek and e-patient like myself finds the security management aspect of accessing my data to be a bummer, I can only imagine other consumers will just walk away from the keyboard. With any luck, we can find ways to be security-conscious without imposing major barriers to patient engagement.

E-Patient Update:  Is Technology Getting Ahead Of Medical Privacy?

Posted on December 9, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I don’t know about y’all, but I love, love, love interacting with Google’s AI on my smartphone. It’s beyond convenient – it seems to simply read my mind and dish out exactly the content I needed.

That could have unwelcome implications, however, when you bear in mind that Google might be recording your question. Specifically, for a few years now, Google’s AI has apparently been recording users’ conversations whenever it is triggered. While Google makes no secret of the matter, and apparently provides directions on how to erase these recordings, it doesn’t affirmatively ask for your consent either — at least not in any terribly conspicuous way — though it might have buried the request in a block of legal language.

Now, everybody has a different tolerance for risk, and mine is fairly high. So unless an entity does something to suggest to me that it’s a cybercrook, I’m not likely to lose any sleep over the information it has harvested from my conversations. In my way of looking at the world, the odds that gathering such information will harm me are low, while the odds collection will help me are much greater. But I know that others feel much differently than myself.

For these reasons, I think it’s time to stop and take a look at whether we should regulate potential medical conversations with intermediaries like Google, whether or not they have a direct stake in the healthcare world. As this example illustrates, just because they’re neither providers, payers or business associates doesn’t mean they don’t manage highly sensitive healthcare information.

In thinking this over, my first reaction is to throw my hands in the air and give up. After all, how can we possibly track or regulate the flow of medical information falls outside the bounds of HIPAA or state privacy laws? How do we decide what behavior might constitute an egregious leak of medical information, and what could be seen as a mild mistake, given that the rules around provider and associate behavior may not apply? This is certainly a challenging problem.

But the more I consider these issues, the more I am convinced that we could at least develop some guidelines for handling of medical information by non-medical third parties, including what type of consumer disclosures are required when collecting data that might include healthcare information, what steps the intermediary takes to protect the data and how to opt out of data collection.

Given how complex these issues are, it’s unlikely we would succeed at regulating them effectively the first time, or even the fourth or fifth. And realistically, I doubt we can successfully apply the same standards to non-medical entities fielding health questions as we can to providers or business associates. That being said, I think we should pay more attention to such issues. They are likely to become more important, not less, as time goes by.