I think the confusion is that (from what I understand), if it is setup as such, you can use the "secure messenger" to email anyone in the world. For example you could email your vendors securely and if they were not registered they would be emailed a link to create an account. Because you can do that, you can also email any patient (or non patient) records from a chart.
Our practice has the employee rights set to not allow a user to type in an email address to send a secure message. Our users can only hit the reply buttons to send a reply to a patient request.
This is what happened, as I understand it. There are two people. One is a patient of ours, let's call her Patient A of Practice A. There is a second patient, Patient B of Practice B. Patient B set up her own access to the patient portal using her e-mail address with Practice B, using a PIN# to get registered. However, we are told, this PIN # is not used as a second identifier every time a patient gets a message from a provider. It is only part of the set-up process. Patient A was seen at a specialist's office, also among the groups using the shared medical record. (This means, since we are a shared medical record across many groups, that I could see the records of any patient in the system, even if they are not in our primary care group. It is just on my honor that I don't "go there" - of course, there would be a record of it. I have seen patients' records not in our group, but not on purpose - sometimes I am sent info from a specialist who thinks I am a given patient's primary care doctor, for instance.) The specialist's office either did the patient portal set-up for this patient or changed the e-mail address already in the system to the wrong e-mail address. So we now have a situation where both Patient A and Patient B are registered for the Patient Portal. Unfortunately, the address for Patient A is not correct. It is the address for Patient B (who may have more than one e-mail address - thus it may not necessarily be the one she set up her account with. I only mention this, not knowing if the Patient Portal would have popped up an error message if an e-mail address was already in the system for someone else.) So, when we sent an e-mail message to Patient A indicating labs were ready for viewing, it went to Patient B. Patient B is in the system, so she linked to the Portal thinking the message was really intended for her. She was able to get "into" the system, because she is a legitimately registered patient of "the system".
She then got to see Patient A's personal health information - and was then kind enough to call us and tell us about this.
We were told that since the e-mail address itself is the only "unique patient identifier" at this stage (the PIN # not being a "unique identifier", too, but only used in the process of registration, from what I understand, or possibly for some basic access to the portal - but not unique to a patient), that is why Patient B saw Patient A's health information.
It took our IT from June til September to explain to me why this happened, largely because I also assumed that the PIN# was an important part of how a patient was to gain access to information in the Portal and couldn't conceive of why, if the e-mail address and PIN# didn't both "match" for a patient, someone could get in to see someone else's information. I thought there would be the e-mail address, then they would go to the portal and use a unique, personal PIN#. However, I was told that this is not the case and that the reason the breach occurred was "because the only unique patient identifier is the e-mail address itself". What I don't understand is why the PIN# ISN'T used as a second step for access to the Patient Portal, after the e-mail address (as the first step).
Set the portal to require email verification. That way if the email is changed in the registration, it does not automatically change in the portal. RWilliams mentioned this above as well. The user would have to change their email via the portal, thus logging into their account and changing it; then they receive a notification email to the new address and click the verify link to say, yes, change the email to this. If the email was incorrect for that account, the user would never receive the email, but the odds are the patient would enter their correct email.... maybe....
The PIN is only used for the registration process.
Yes. I am aware that the PIN# is only used for the registration process (unfortunately). The IT support for Centricity for all of our practices told us that. Because the e-mail address is the only "secure" identifier, we were told, that accounts for why one patient was able to see another patient's information - because both were legitimately registered in the Patient Portal. You are right - since the e-mail was not correct for our patient, she never did receive the e-mail. The e-mail was "correct" for another patient who also uses the same portal, however.
As you hint at toward the end of your message - even a patient could mistakenly enter his/her own e-mail address. In fact, when the other office changed the e-mail of our patient, it could be that they were accurately entering what the patient told them her e-mail was, but she gave an incorrect e-mail address. The message intended for this patient didn't go to her, but to the wrong patient - who also happened to be a patient in a practice using this shared medical record. Being a legitimate "community" member (patient) of the system - that e-mail address was "correct" for her. If she was asked (at the portal level) if this e-mail address was a "correct" address for her, wouldn't she verify that it was? Wouldn't that still let her see the other patient's private health information?
Also, I had this thought. I think someone above was trying to say that only one person in the system could have a particular e-mail address. So, if Patient X registered using one e-mail address and then Patient Z tried to register using the same e-mail address - that couldn't happen. (Is that correct?) However, many of us have more than one e-mail address. So, if Patient Z happened to enter an e-mail address that was wrong for Patient Z, but was another e-mail address of patient X - though not the one she registered with - then Patient X would still get e-mail intended for Patient Z. If it had been a while since registering, Patient X might not remember which e-mail she registered with. Even if X did think it was with another e-mail address, she might second guess herself and wouldn't have any reason to be suspicious the message was meant for someone else. (I don't know exactly what the patient sees when they go to log into the portal, so I will run your ideas by our IT and see what they say. Maybe it would work, if they aren't already doing it that way.)
It all gets back to this, though: I still can't understand why there isn't a second level of protection - a special, unique PIN# for each patient to use in addition to his/her e-mail address. Then, if the message landed in the wrong patient's e-mail, when that patient went to the portal, she would have to enter a second unique identifier and if it didn't match, then she couldn't see the other patient's information. I don't understand why GE doesn't insist on this. I am not a tech person, just a doctor, so can someone please explain to me why this hasn't been done? Is it really so difficult in this day and age....when the banking community seems to have figured out how to do it decades ago? We were told that GE has no plans to do this. Why not?
(I really appreciate all the comments. This is very interesting.)
Additional thoughts: I am not a patient, so I don’t know exactly what a patient “sees” when they get to the portal. If a patient had a similar e-mail address to another patient, as described in my previous post, but the name was sufficiently different (which certainly could happen) – if, when they got to the portal and were asked if the e-mail they got there was “theirs” and saw that it wasn’t – then likely they would say “no”. However, don’t forget that one common reason for someone having a similar e-mail address is that they have the SAME name. Has the process revealed any additional information about the account at this point? If it doesn’t show any other information, then the patient would likely say it is the proper e-mail address. If it shows any additional information (date of birth, for instance, or home address), then wouldn’t that be private information that another person should not see? (In the modern medical office waiting room, we are not even allowed to use last names of patients, for privacy reasons!) And doesn’t this rely on the “honor system” too much? Even an honest person might very honestly think that the e-mail was meant for them, but that the demographic information was incorrect. All of this can easily be avoided by requiring a second identifier. If a second unique identifier was required (a “password”, if you will), they wouldn’t have been able to get in to see any additional information. If they put in their own second identifier and it didn’t match the account, they might think they misremembered a password, but no personal information – no address, no date of birth, no health information – would have been revealed.
I think the best solution is to make sure your chart demographics are not pushing to the portal and have the user update their email from their existing portal account. This way if an email is changed in the reg module, it won't automatically change the portal account. It would ultimately end up in the bad mail folder in the SMPP config file. When the user changes emails via their current portal account, they must go through a verification process via email. For a new user, an incorrect email address would be a null point, because they would never receive the PIN to register the account.
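The two controls argued for in this thread (a verified e-mail change, as in the post just above, and a per-patient secret that is checked on every login rather than only at registration, as the doctor asks for a few posts up) can be shown together in a small model. The code below is an added illustration written for this thread; it is not GE, Centricity or Kryptiq code, and the `Portal` class, the account fields, the patient IDs, PINs and addresses are all constructed for the example. It replays the incident described in the thread against the hardened model: a staff member at another office changes Patient A's address to one of Patient B's mailboxes, B receives and even verifies the link, the results notice lands in B's inbox, and B still cannot open A's record because the login also demands A's secret.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical toy portal model (constructed for this example, not a vendor's code).
PBKDF2_ROUNDS = 100_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the per-patient secret is never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    patient_id: str
    email: str
    salt: bytes
    secret_hash: bytes
    pending_email: Optional[str] = None   # new address awaiting verification
    pending_token: Optional[str] = None   # one-time token mailed to that address


class Portal:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}    # patient_id -> Account
        self.by_email: dict[str, str] = {}        # e-mail -> patient_id (kept unique)
        self.outbox: list[tuple[str, str]] = []   # constructed mail log: (to, body)

    @staticmethod
    def norm(email: str) -> str:
        return email.strip().lower()

    def register(self, patient_id: str, email: str, secret: str) -> None:
        email = self.norm(email)
        if email in self.by_email:
            raise ValueError("e-mail already belongs to another account")
        salt = secrets.token_bytes(16)
        self.accounts[patient_id] = Account(patient_id, email, salt, hash_secret(secret, salt))
        self.by_email[email] = patient_id

    def login(self, email: str, secret: str) -> Optional[str]:
        """Return the patient_id only when BOTH the e-mail and the secret match."""
        pid = self.by_email.get(self.norm(email))
        if pid is None:
            return None
        acct = self.accounts[pid]
        if hmac.compare_digest(hash_secret(secret, acct.salt), acct.secret_hash):
            return pid
        return None   # same generic failure whether the address or the secret was wrong

    def request_email_change(self, patient_id: str, new_email: str) -> None:
        new_email = self.norm(new_email)
        if new_email in self.by_email:
            raise ValueError("e-mail already belongs to another account")
        acct = self.accounts[patient_id]
        acct.pending_email = new_email
        acct.pending_token = secrets.token_urlsafe(24)
        # The link goes to the NEW address only; the account keeps the old one until verified.
        self.outbox.append((new_email, f"verify:{acct.pending_token}"))

    def verify_email_change(self, token: str) -> bool:
        for acct in self.accounts.values():
            if acct.pending_token and hmac.compare_digest(acct.pending_token, token):
                del self.by_email[acct.email]
                acct.email = acct.pending_email
                self.by_email[acct.email] = acct.patient_id
                acct.pending_email = acct.pending_token = None
                return True
        return False

    def notify_results_ready(self, patient_id: str) -> None:
        # The notice carries no health information, only a prompt to log in.
        self.outbox.append((self.accounts[patient_id].email, "Results are ready; log in to view them."))


def wrong_address_scenario() -> dict:
    """Replay the thread's incident against the hardened model (constructed data)."""
    p = Portal()
    p.register("patient-A", "a@example.com", "pin-A-2468")
    p.register("patient-B", "b@example.com", "pin-B-1357")
    out = {}
    # 1. Staff at another office set A's address to B's registered address: rejected outright.
    try:
        p.request_email_change("patient-A", "b@example.com")
        out["dup_rejected"] = False
    except ValueError:
        out["dup_rejected"] = True
    # 2. The address is set to B's *other* mailbox instead; B gets the verify link and,
    #    believing it is hers, clicks it.
    p.request_email_change("patient-A", "b.second@example.com")
    to, body = p.outbox[-1]
    out["verify_sent_to_new_addr_only"] = (to == "b.second@example.com")
    p.verify_email_change(body.split(":", 1)[1])
    p.notify_results_ready("patient-A")
    out["notice_landed_with_b"] = (p.outbox[-1][0] == "b.second@example.com")
    # 3. B follows the notice but only knows her own secret: no session for A's record.
    out["b_sees_a_records"] = (p.login("b.second@example.com", "pin-B-1357") == "patient-A")
    # 4. B's own account is unaffected.
    out["b_own_account_intact"] = (p.login("b@example.com", "pin-B-1357") == "patient-B")
    return out
```

The model makes the thread's two points concrete: the uniqueness check stops the change when the address already belongs to another account, and the login check means a notice arriving in the wrong inbox is not by itself enough to open the wrong record. Sending the verify link only to the new address does not protect against a patient who genuinely believes the address is hers, which is exactly the case the thread worries about, so the secret checked at login is the control that actually closes the gap.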
We never email PIN numbers to patients to avoid security issues like this. PIN letters are generated in the office while the patient is present, and in some of our locations, the portal account is set up for the patient by our staff (this has greatly improved registration numbers). This was our choice as we felt that emailing any kind of registration information was a security risk. We used a different portal prior to Kryptiq, and the registration process was even less secure. I think it's partly what you make of it with policies and procedures.
Now that I think of it, we don't mail PINs either - we also generate them right in the office while the patient is there. They are told to confirm everything later, I think. The problem is, though, that we have no control over how it was done in the specialist's office and it was through them that it changed. Since this is a shared medical record across many practices, we are subject to any mistake anyone at any other practice could make (innocently or maliciously), and we all can access any patient in the system, not just those in our own practice. We wouldn't have a reason to access a patient of another primary care practice, but the system is so big, there are many instances of patients with the same name, so this could quite easily be done by mistake. Our patient look-up window is defaulted to our local practice - BUT, the way the shared medical record works, if our patient sees a specialist somewhere who also uses the same shared record (which is most of the time, since most of our patients are supposed to use doctors in our PHO - and we are all linked to that shared medical record), they fall out of the local list and we have to click to look up in a list of all patients in the shared medical record. It is relatively easy to pick the wrong name in this instance.
I will forward your ideas to our IT - maybe if rules are generated, people would follow them and this kind of thing could be prevented. However, with so many practices sharing the electronic medical record, I don't hold out much hope that the rules would be followed. I can't tell you how many times somebody makes changes to the pharmacies listed in the EMR - when we have been told time and time again not to do this and call IT to have them make any changes. They can't block anyone from making changes, however, just "ask" everyone not to make changes. For some reason, when anyone other than IT makes changes, it screws up the functioning of the system (typically prescriptions don't reach the proper destination, for instance). Then we get yet another flag from IT admonishing us not to make changes ourselves........only to have it happen again weeks later. But that's another issue.........
It sounds like too many people have administrative rights in your system. Only our IT/EMR group can make changes to pharmacies or portal settings or any other major aspects of the system. Users basically can update the chart and registration module and that is it. Billing can update the PM aspect but has read only access to the chart.