Patient Portals Are Now Mandatory Under HIPAA. Are Yours Secure?

Updated HIPAA rules now require covered entities to provide patients with electronic access to their health information through a patient portal or similar technology. For practices that haven't implemented portals, they're now mandatory. For practices with existing portals, security scrutiny is intensifying.

Portal Security Requirements

Authentication

Patient portal access must be secured with strong authentication. At minimum:

  • Unique username and password for each patient
  • Password complexity requirements (length, character types)
  • Account lockout after failed login attempts
  • MFA strongly recommended (and increasingly required by vendors)

Transmission Security

All portal access must use encrypted connections (HTTPS/TLS). Unencrypted HTTP for any portal page or API is a HIPAA violation waiting to happen.

Access Logs

Portal access must be logged: who accessed what records, when, from where. These logs support HIPAA's audit requirements and enable breach investigation.

Proxy Access

When minors or incapacitated adults need portal access, proxy access for guardians or parents must be properly documented and authorized. Unauthorized proxy access is a HIPAA violation.

Common Portal Vulnerabilities

Weak Password Policies

Portals that allow "password123" or don't enforce minimum complexity create credential stuffing risks. Compromised patient accounts expose all of that patient's records.

No Session Timeout

Portals that stay logged in indefinitely on shared computers create exposure. Implement automatic session timeout (15-30 minutes of inactivity).
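The lockout rule from the Authentication section above and the idle-session timeout just described, as an added illustration that is not code from the post or from any portal vendor. The thresholds (five failed attempts, a 15-minute lockout, a 15-minute idle window at the low end of the 15-30 minute range) are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds are assumptions for this example; the post only gives the
# 15-30 minute idle window, not a lockout count or duration.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_DURATION = timedelta(minutes=15)
IDLE_TIMEOUT = timedelta(minutes=15)


@dataclass
class Account:
    username: str
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def is_locked(acct: Account, now: datetime) -> bool:
    """True while a lockout is in force; an expired lockout is cleared here."""
    if acct.locked_until is None:
        return False
    if now < acct.locked_until:
        return True
    acct.locked_until = None      # lockout expired: restart the failure count
    acct.failed_attempts = 0
    return False


def attempt_login(acct: Account, password_ok: bool, now: datetime) -> str:
    """Return 'ok', 'bad_password' or 'locked'. A locked account is refused
    even when the password is right, so guessing cannot continue."""
    if is_locked(acct, now):
        return "locked"
    if password_ok:
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_DURATION
        return "locked"
    return "bad_password"


def touch_session(last_activity: datetime, now: datetime) -> Optional[datetime]:
    """Return the refreshed activity stamp, or None once the session sat idle
    past IDLE_TIMEOUT so the portal forces a fresh login on shared computers."""
    if now - last_activity > IDLE_TIMEOUT:
        return None
    return now
```

Each portal request should call touch_session with the stored stamp and end the session when it returns None; the lockout state belongs in the account store, not the session, so a new browser cannot bypass it.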

Uncontrolled Third-Party Access

Portal APIs that let third-party apps read health data without proper controls expose every connected patient's records to whatever the app does with them. OAuth scopes should limit what each app can access to the minimum it needs.

Insufficient Logging

Portals that don't log access, or don't retain logs long enough to meet HIPAA's retention requirement (6 years), leave you unable to answer an audit or reconstruct a breach.

Vendor Evaluation Checklist

When selecting or auditing a patient portal vendor:

  1. Will they sign a Business Associate Agreement?
  2. Do they support MFA for patient accounts?
  3. Where is patient data stored? Is it encrypted at rest?
  4. What is their breach notification procedure?
  5. Do they have SOC 2 Type II certification?
  6. How are portal access logs provided to you for audit purposes?
  7. What happens to patient data if you terminate the service?

Patient portals improve access and patient satisfaction. But they're also internet-facing applications containing every patient's complete medical record. Deploy them with the security they require.