Patient Portals, Personal Medical Records and Confidentiality

With many physicians and providers moving to address Meaningful Use 2 requirements, there is a push on to get patients to use patient portals.  It is time to start paying close attention to how your provider’s portal is implemented and how this affects the confidentiality of your health data.  A colleague recently noticed that their physician’s office was using the Jardogs FollowMyHealth(TM) PMR to implement a patient information portal.  When they read the terms of service agreement, it stated that they as a patient were releasing their health records to the vendor, not the patient’s provider and therefore that use of the data was not covered by HIPAA.  In follow up, another colleague who is on the faculty at very well known school in Boston noted that the school was offering a similar service with similar terms under the guise of allowing patients the freedom to move their data between providers.  Until this discussion, he had not read the Terms and Conditions in detail and was disconcerted to learn that he had agreed to release his medical record for redistribution.

Jardogs was recently bought by Allscripts, the second largest EMR vendor in the country. Their Terms and Conditions are available on line

Several items are of concern

– Jardogs can change terms at any time without notice

– Changes and corrections you make to your PMR will NOT be transmitted back to your provider

– You give Jardogs the right to redistribute your information

– Jardogs specifically asserts that they are NOT a covered provider under HIPAA

There is a general (and reasonable) assumption on the part of patients that if a provider say “We are using a portal now.  If you want to sign up, you can get your lab results etc. on line.” that this is a HIPAA protected service.  Provider patient information sites, certainly encourage this view, see for example:

Vendors like Jardogs are offering the healthcare provider a low cost solution where the patient agrees to give them as a third party PMR the right to access the patient’s PHI and the PMR will provide portal services without all the liabilities of HIPAA/PHI as well as the potential revenue of selling advertising on the site and reselling patient data.  Obviously, the Jardogs solution will be much cheaper for the health care provider compared to implementing an internal HIPAA compliant site with all it attendant security requirements and liability.  There has been some discussion as to whether Jardogs is correct in asserting that their Terms and Conditions releases them from HIPAA  If they have an ongoing business association with your provider, they may in fact not be able to escape HIPAA despite their Terms and Conditions.  Nevertheless, Gresham’s law, the inexpensive solution is likely to win out.

To be fair, there are pluses and minuses to either solution:

Third party PMR

– Able to integrate data from multiple providers

– You control your account, it moves with you if you change providers

– Login/authentication are likely to be more convenient albeit less secure

– No guarantee of HIPAA compliant confidentiality

– Limited ability to collect damages if a breach occurs

Provider portal

– Confidentiality is guaranteed by HIPAA, and the provider faces major liability for breaches

– Only carries data from on provider.  If you see multiple providers you will need to go to multiple sites

– If you change providers, your previous providers data is unlikely to ever get incorporated into another providers EMR/portal

– Will require two factor authentication which is somewhat cumbersome to setup and maintain

To meet Meaningful Use 2 requirements, providers must demonstrate that some fraction of their patients are using portals and electronic communications.  Jardogs is advertising itself as a certified solution to MU2 requirements

There is going to be a push on the part of many providers to get patients onto portals to meet MU2 requirements.  Patients need to be aware that there is a difference between a portal operated by their provider and a PMR operated by a third party.

Leave a Reply

Your email address will not be published. Required fields are marked *