Working on the patient portal portion of Stage 2 meaningful use? Officials at Mayo Clinic can offer some valuable insight into their own portal rollout – challenges that have arisen, privacy concerns and how to do it right.

Enterprise-wide, Mayo Clinic, with locations in Rochester, Minn.; Jacksonville, Fla.; and Scottsdale, Ariz., has more than 400,000 patients who now have online portal accounts (the clinic sees some 1.1 million unique patients each year.) 

"In terms of the view, download and transmit, we think that we'll be doing well from that perspective," said Mark Parkulo, MD, vice chair, meaningful use coordinating group, who spoke at the HIMSS Media/Healthcare IT News Privacy and Security Forum June 16 in San Diego.

On the hospital side, Mayo Clinic is poised to meet Stage 2 this month. For providers, they'll be ready in the fourth quarter.

Getting to this point was no easy feat, however, explained Parkulo, and Mayo is by no means out of the woods yet.

Boosting numbers

One of the things Mayo Clinic did in efforts to increase portal account numbers was allowing patients to sign up without face-to-face validation, said Parkulo. "We want to have as broad a number of patients being able to access across the portal as we can," he said. 

Over the last year, "the interests, the volumes really spiked," said Barbara McCarthy, health information management services and privacy officer at Florida's Mayo Clinic, who will also be speaking at the Privacy and Security Forum this June. 

This surge in accounts, however, did present a challenge from the privacy and security standpoint, Parkulo added. "It's probably not as robust as having a face-to-face validation, but we think that because of the number of patients that would have to validate and the ease of doing it online is that we're willing to take some risk with that."

Secure messaging 

One remaining challenge for Parkulo and his team is secure messaging. In accordance with Stage 2 requirements, message content must be encrypted, with the encryption and hashing algorithm approved by the National Institute of Standards and Technology. Moreover, both the patient and the provider/EHR technology user need to be authenticated. 

It's "still a bit of a challenge," said Parkulo. "We have the capability to do it. It's more of a culture shift, about getting both providers and patients used to that form of technology and that form of communication." And here, communication is king. Privacy and security issues pertaining to the patient portal involve including all relevant stakeholders at the decision table, Parkulo explained.

"We bring multiple people to the table when we try to do these things both from the practice side as well as from privacy, health information management, legal," he said, as privacy issues are multifaceted. "You could have really a high level of privacy and security, but it probably will inhibit you from meeting some of the metrics that are going to be necessary because of the large volume of patients you have to deal with," he said. Thus, somebody on the policy side might have something to say about it. 

In addition to focusing on secure messaging efforts, Parkulo and his team are in the process of gathering the portal data and drilling down into the numbers – looking at "how big an impact on patients seeing their own information, how much were they monitoring it, and how often were they requesting it be changed," he said. "It's actually a different angle in terms of their privacy…we are actually showing them a lot more information, and they have access to their own personal information much easier than they used to.