U.S. Department of Health and Human Services
Health Information Technology and Quality


Are there special privacy and security issues and concerns when allowing patients direct access to their records in our EHR and how do we address them?

Three distinct ways exist to satisfy a patient's request for electronic access to their medical records. The adequacy of each method is dependent on the nature of the request. Under the HIPAA Privacy Rule, with a few exceptions, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.

A patient portal allows patients to access some EHR resources through a web interface. Typically only the least sensitive portion of the EHR is made accessible to patients, such as appointment schedules, current medications, and negative test results. Patient portals sometimes allow patients to update contact information, provide their annual history information and send emails to clinicians.
Patient portals create significant risk and thus require substantial efforts to ensure they are appropriately secured.

The following measures can help address security concerns related to the use of a patient portal:

  1. Implementing a multi-tier architecture that isolates the web, application, and EHR servers behind multiple firewalls. The application architecture must consider requirements for intrusion protection.
  2. Designing an appropriate method for provisioning patient accounts on the EHR system. The practice will need a procedure that ensures log-on credentials (user name and password) are delivered to the patient in a secure fashion. It should include an efficient method to reset passwords when the patient requests. Patient credentials should also be coordinated with the master patient index to safeguard against confusing access among similarly named patients.
  3. Implementing a proactive incident recognition and response program. Significant damage to reputation can occur when a security breach is not handled in a timely fashion. A critical aspect of good incident response is proactively monitoring the portal for suspicious events, service interruptions, code errors, and general utilization issues. Timely responses to analyze root causes, correct deficiencies, and communicate with the patient population are essential activities.
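A concrete form of the proactive monitoring in step 3, as an added example that is not from the original page or from HRSA: a small Go program scans a constructed portal audit log (the CSV layout is an assumption, not any product's format) and flags accounts with repeated failed logins, plus accounts that viewed records belonging to more than one patient, which ties back to the master-patient-index point in step 2.

```go
package main
import (
	"fmt"
	"strings"
)

// SampleLog is a constructed audit log in an assumed CSV layout
// (time,account,mrn,action,outcome); it is not output from any real portal.
const SampleLog = `08:00:01,jdoe,MRN1001,login,fail
08:00:09,jdoe,MRN1001,login,fail
08:00:15,jdoe,MRN1001,login,fail
08:01:10,jdoe,MRN1001,view,ok
08:02:05,asmith,MRN2002,view,ok
08:02:30,asmith,MRN2003,view,ok`

// Alerts returns, per account, any suspicious conditions in log: at least
// maxFails failed logins, or successful views of records belonging to more
// than one MRN (a portal account should map to exactly one MPI entry).
func Alerts(log string, maxFails int) map[string][]string {
	fails, seen := map[string]int{}, map[string]map[string]bool{}
	for _, line := range strings.Split(log, "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 5 {
			continue // skip blank or malformed lines
		}
		acct, mrn, action, outcome := f[1], f[2], f[3], f[4]
		switch {
		case action == "login" && outcome == "fail":
			fails[acct]++
		case action == "view" && outcome == "ok":
			if seen[acct] == nil {
				seen[acct] = map[string]bool{}
			}
			seen[acct][mrn] = true
		}
	}
	alerts := map[string][]string{}
	for acct, n := range fails {
		if n >= maxFails {
			alerts[acct] = append(alerts[acct], fmt.Sprintf("%d failed logins", n))
		}
	}
	for acct, set := range seen {
		if len(set) > 1 {
			alerts[acct] = append(alerts[acct], fmt.Sprintf("records of %d different patients viewed", len(set)))
		}
	}
	return alerts
}
func main() { fmt.Println(Alerts(SampleLog, 3)) }
```

Each flagged account is a candidate for the root-cause analysis the step calls for; a normal account (one MRN, no login failures) produces no entry.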

There are a number of high profile vendors that provide patients with low cost or free Personal Health Records (PHR). The PHR is a repository for medical information received from the patient's current and previous providers. From a security perspective, an advantage of these PHR systems is that they are maintained by vendors who have the resources to dedicate staff to professionally managing the PHR system. Partnering with a PHR vendor carries substantially less risk than does provisioning a patient portal.

To address the principal security concerns, the sponsoring provider should attend to the following issues:

  1. The PHR vendor may disclose or use patient data for purposes not authorized by the patient. To mitigate this risk, the sponsoring provider should execute a HIPAA Business Associate Agreement or similar document that requires the PHR vendor to limit its use or disclosure of the health information. Additionally, the vendor should agree to report security incidents, cooperate with any required patient notification, and guarantee the destruction or de-identification of patient information if operations or the relationship cease.
  2. Because PHR vendors offer their service on a national basis, special care is required to ensure that records are associated with the appropriate individual. The sponsoring provider should verify that any information it provides will be accurately associated with the correct individual.
  3. Any transfer of patient information from an EHR to an independent PHR will be a disclosure under HIPAA. Since the PHR vendor is not typically a health care provider, it is necessary that such transfer be authorized by the patient. The exception is if the PHR vendor is operating as a business associate of the sponsoring provider.
  4. If the transfer of records will occur over the Internet, the transfer is subject to the risk of interception. The sponsoring provider must ensure that the transfer is done securely, which generally means the data are encrypted so that they are readable only by the receiving PHR system.

Under the Health Breach Notification Rule (PDF - 511KB) issued by the Federal Trade Commission (FTC), PHR vendors must notify consumers when the security of their individually identifiable health information has been breached.

There are no extraordinary security concerns in giving electronic records directly to the patient. In principle, providing the patient with an electronic copy of the patient's own records is no different than releasing paper copies to the patient.

If an organization decides to give patients their electronic records, the primary concern is to ensure that the transfer is accomplished securely. Below we identify some approaches that can be used to ensure secure transfer.

  1. Record integrity. Electronic records are easily modified and could be altered by the patient. To protect against such alteration, the record should either be written to WORM ('write once, read many') media such as CDs or DVDs, or be digitally signed, since a digitally signed record cannot be altered without detection.
  2. Record formats. PDF ('portable document format') is the file format generally used to distribute documents because it can be read on almost any computer system. Adobe, the creator of the format, makes the "reader" program freely available. PDF does have limitations as a data transfer method, since the file created is a single image. The text can be cut and pasted into a word processing program, but it does not lend itself to integration with a PHR or EHR.
  3. An alternate format is the ASTM/HL7 Continuity of Care Document (CCD). The CCD is an implementation guide for sharing Continuity of Care Record (CCR) patient summary data using the HL7 Clinical Document Architecture (CDA). A CCD file stores information in an XML format that allows the patient record to be easily imported into EHR systems. The capability to produce and import a CCD is a required element for CCHIT EHR certification, so all certified EHR systems will support this format. Two CDA Release 2 implementation guides released as draft standards for trial use (DSTU) by HL7 utilize CCD templates: Consult Notes and Operative Notes.
  4. Media. If writing records to patient-supplied media, it is prudent to scan that media for viruses or other malware before writing to it.
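An added illustration of the digital-signature point in item 1, not part of the original page: the provider signs the exported record with Ed25519 from Go's standard library, and any later edit to the released copy fails verification. The record contents, key handling and the SignedRecord layout are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedRecord pairs the released record bytes with the provider's
// signature over them. The layout is an assumption for this example.
type SignedRecord struct {
	Record    []byte
	Signature []byte
}

// SignRelease is done once by the provider at release time: the exported
// record is signed with the practice's private key.
func SignRelease(priv ed25519.PrivateKey, record []byte) SignedRecord {
	return SignedRecord{Record: record, Signature: ed25519.Sign(priv, record)}
}

// VerifyRelease is what any later recipient (a PHR, another provider, or
// the practice itself) does with the provider's public key. Any change to
// the record bytes, however small, makes this return false.
func VerifyRelease(pub ed25519.PublicKey, sr SignedRecord) bool {
	return ed25519.Verify(pub, sr.Record, sr.Signature)
}

// Demo signs a constructed record, then alters a single digit in a copy
// and checks both. It returns (original verifies, altered verifies).
func Demo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	record := []byte("MRN1001|LDL 95 mg/dL|2024-01-15") // constructed sample
	sr := SignRelease(priv, record)
	original := VerifyRelease(pub, sr)
	altered := append([]byte(nil), sr.Record...)
	altered[12] = '8' // "LDL 95" becomes "LDL 85"; the signature is unchanged
	tampered := VerifyRelease(pub, SignedRecord{Record: altered, Signature: sr.Signature})
	return original, tampered
}

func main() {
	a, b := Demo()
	fmt.Printf("original verifies: %v, altered verifies: %v\n", a, b)
}
```

The public key is what the recipient needs to hold; the private key stays with the practice, so a patient or PHR cannot re-sign an edited copy.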



Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.