Q&A: Liability when patient portal is hacked

Q: Regarding patient portals, to what degree is it the individual’s responsibility to keep his or her health information private? Would the healthcare organization be liable if someone else obtained the individual’s login credentials—perhaps if the individual is known to use the same password for many applications—and accessed the records? How about a situation where the individual leaves the patient portal up on his or her phone or computer?

A: The individual would be responsible for the exposure, sharing, or theft of patient portal credentials. What a patient does with login credentials is outside the control of the CE, or the vendor acting on behalf of the CE, so the liability or risk rests with the individual.

It is important to educate patient portal users that it is their responsibility to keep their credentials confidential, to not share their credentials, to periodically change their password, and so forth. The liability of each party should be put in writing. You’re responsible for securing the patient portal, and individuals are responsible for securing their credentials. That said, even though keeping patient portal credentials confidential and secure is the responsibility of the individual, this fact wouldn’t necessarily prevent the individual from filing a lawsuit blaming the CE for not instructing him or her to do so.

Editor’s note: Chris Apgar, CISSP is president of Apgar & Associates LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.