Infertility is a medical issue faced by many, but, as with most medical treatments or issues, it’s one we don’t talk about. When it comes to the sensitive information discussed in appointments, through emails, mail or in a client portal, the only people who should be privy to that information are the patient or couple and the doctor. With the amount of pain that couples struggling with fertility experience, having their troubles accidentally be made public should never happen.

And yet it does, not just in fertility treatment centers, but in doctors’ offices and hospitals across the country. Whether it’s through intentional access, like what happened in a Northwest Indiana hospital, or unintentional, patients’ health records are more at risk than ever before. In fact, one in three patients have had their health records breached in the span of only one year — 2015.

The Sensitive Data in an Electronic Health Record

If you’re reading this, you’ve most likely been to a doctor before. You know what goes into your health record — it’s some of the most sensitive information available. The data contained within a health record can include:

  • Medical history
  • Medication and allergies
  • Immunization status
  • Lab test results
  • Radiology images
  • Vital signs
  • Age and weight
  • Demographics
  • Billing information

If made freely available, this information could not only be embarrassing but it could cause long-lasting damage to the exposed patient. It could give employers a reason to deny a job to someone, a business a reason to discriminate or expose the pain of parents struggling to conceive.

The Health Insurance Portability and Accountability Act (HIPAA) was signed into action in 1996, in an effort to protect the multitudes of delicate and sensitive personal information that go into the record of a patient receiving medical care. However, due to advances in technology and medical records, many healthcare organizations and their medical staff have had trouble complying with the 20-year-old act.

In fact, the healthcare industry is so bad at protecting PHI that it falls behind nearly every industry — energy/utilities, retail, the federal government and finance when it comes to keeping information secure. The only industry healthcare bests is education.


With all the recent breaches, hacks and mistakes, it seems like most healthcare organizations are not taking any steps to improve privacy for their patients. However, some organization are being proactive by finding technology that will keep patients’ PHI safe while allowing them the access to their information that can help speed up the treatment process.

How a Medical Clinic Can Help Their Patients

When a fertility clinic came to us looking for a solution on how to share medical data with their patients, it was apparent that they were one of the few health organizations looking to provide convenient access to their patients while also placing their security as top priority.

The clinic used a clinical electronic health record software. It’s a great platform for healthcare organizations that have transitioned over to digital health records. However, the clinic was having trouble with the client-facing portal. It lacked the functionality for uploading and downloading that would help them be in better communication with patients about billing, treatment and lab reports.

Going back to HIPAA, we see that one of the provisions stipulates that patients must be able to get a full record of their PHI whenever they request it. The Privacy Rule requires that the business associates, the fertility clinic in this example, make a patient’s health records available and also allow them to make corrections to it.

Without the ability to send patients’ health records and PHI through the portal, the billing department, nurses and receptionists have to send them through mail. This only causes a logjam for providers and the patients seeking their information. This can tie up the time of medical staff and cause an interminable wait for patients seeking treatment. For couples looking to get pregnant, this wait is even more torture in a process that should be as smooth as possible.

The Solution: HIPAA-Compliant Healthcare Portal

Imagine if a client could ask a nurse or doctor for their medical record and the practitioner could send it right from their tablet, phone or computer. That’s what they can do with the SmartFile platform — within a HIPAA-compliant portal and storage system, healthcare organizations can create accounts for each patient and specify who can have access. There’s no “accidental” peeping or access into records that don’t belong to a patient, because practitioners can set the permissions for who has access and who doesn’t.

Under HIPAA’s Security Rule, there are a number of technical, physical and administrative safeguards that need to be in place for this information to remain secure. Clinics take care of the physical and administrative safeguards, while SmartFile can take care of the technical.

Technical standards that must be met include access control, audit controls, integrity, authentication and transmission security.

Unique User Identification is the first standard, falling under access control. Each user must be identified by a unique name or number so that access can be tracked. SmartFile gives each user an identity and each action they take, whether sending a record through the portal or downloading it, is tracked in a log.

All of this activity, uploading, downloading, sharing and sending, is tracked in a visual dashboard called SmartStats. This on-prem feature complies with the second standard of Audit Controls. Administrators or practitioners can track users, activity, IP addresses, date and time of access, location and more. By using a visual dashboard to track it instead of just lines of data, it’s easier to identify anomalies among users or activity, meaning clinics can shut down the threat early.

HIPPA’s Emergency Access Procedure, also falling under the Access standard requires that, in an emergency, ePHI be accessible. This is hugely important. If a clinic were to go down or lose power, they’d still be able to access files and records over an internet connection, because the portal is web-accessible.

As for the last required standard, Authentication, SmartFile uses a number of services to authenticate users, including LDAP/Active Directory, Octa and Radius integrations. Users logged in will be tracked and administrators can set alerts to see when internal users as well as patients have accessed information.

Sharing EHR Between Organizations

Beyond these standards, it’s also increasingly important for patients to have access to their own records and for records to be shared between doctors, clinics, hospitals and other healthcare organizations.

It could seriously lessen the number of mistakes that are consistently made in the United States every. Johns Hopkins found that, if not for an issue with vital tracking statistics, medical errors would be the third leading cause of death in the United States, just behind heart disease and cancer. Many of these mistakes are due to nurses and doctors who don’t have the full picture of a patient’s medical history. Who knows how many could prevented if health records were more easily shared?

With a patient portal, records could be shared securely between doctors offices, ensuring that patients stay safe and healthy and doctors stay informed.

Give Patients a Better, Safer Experience with Your Clinic

SmartFile isn’t the only step in making sure patients’ information is secure. It’s important to implement training policies for employees on how best to keep PHI and electronic health records safe. Together with training, the SmartFile file management platform can protect your patients but also ensure they have a great experience with your clinic.

Ready to See It In Action?

Are you a healthcare organization looking for a better way to share files between patients and doctors? Demo our secure file management solution today!

Click Here To Setup Demo

2 thoughts on “Patient Access to Electronic Health Records Shouldn’t Be So Hard”

  1. Accenture doctor survey reveals most US doctors believe patients should help update their electronic health records, but shouldn’t have access to their full record.

    1. Interesting! I wonder if patients’ access to their health records would let them be better advocates for themselves in certain situations and possibly help prevent some of those medical mistakes that lead to death? Either way, HIPAA allows patients to receive their record, so it’s curious that doctors believe they shouldn’t have access.

Leave a Reply

Your email address will not be published. Required fields are marked *