NICEVILLE, Fla. — This week, Jeff Werner tackles a reader’s frustration with patient portals that no longer remember login credentials, exploring whether recent changes are due to HIPAA rules, browser settings, or just cautious web design.
QUESTION:
Our primary care doctor and another medical office both use Athena to let us access their patient portals. My wife and I access the same primary office portal through our own laptops, both using Edge. My wife also accesses a different medical office portal through Athena.
Athena, at some point a few weeks ago, changed its programming so that we have to manually type in user IDs and passwords. I contacted its support office and was told they can’t discuss the matter with me “because of HIPAA,” which makes no sense to me. Whole ’nother bureaucracy issue, so I stopped trying with them.
The IT tech in our primary office was apprised of the situation. We agreed that it was Athena’s issue. After a week or so, I was able to log on to that portal normally, but my wife’s laptop still requires a manual password. The other medical office portal still requires manual user/password entry. It has a poor reputation for response, and I’ve been unable to get a satisfactory answer from their support people. Again, whole ’nother issue, but I refuse to chase down people who should be returning calls.
I don’t know if there are variations in minor switches/checkboxes between our two laptops, and in any case, I don’t know what or where those are. I just like things to work as planned, so…help (squared). And thanks.
– Morris F.
Navarre, Florida
ANSWER:
I’m no legal scholar, but I can use Google better than the next few people (hence my claim as the sole holder of the coveted Geekudon Black Belt in the dark art of Google-Fu — but I digress). I thought I understood that HIPAA rules (Health Insurance Portability and Accountability Act) are strictly about protecting the privacy of individuals’ patient health information. Were that true, I don’t see how having an issue with your website login could possibly fall under the HIPAA standards.
However, as I did some reading, I found that part of the HIPAA standard includes “Ensuring Data Security.” Items that fall under this category include safeguarding personal health data from unauthorized access and misuse and reducing the risk of identity theft and other data breaches.
One could certainly make a case that discussion of user IDs and passwords and whether they are retained in a browser falls under this category.
Or, perhaps the person was just playing the HIPAA card because he or she didn’t know, and HIPAA offers them blanket protection against such discussions — especially over the telephone.
There is very little you can do if a website (patient portal or otherwise) decides they don’t want your session held open between accesses. Understand, from their perspective, they don’t know if you’re accessing their site from the security of your home, if you’re in the Wi-Fi pool at your local restaurant or coffee house, or worse, on a shared computer at a hotel or library, where the next person could sit down and with no effort at all be browsing your very personal data.
So, I apologize for not taking your side in this, but the honest truth is that these providers are making legitimate, necessary attempts to protect people from themselves.
About the most secure way to do that is to require a login — hopefully a multi-factor login — at the beginning of each session. Just to put a thought in your head, is this not the case with other highly vulnerable sites, like your bank or your credit card company?
Personally, I would be shocked if I was let in using the credentials of my last session rather than being fully vetted and validated each and every time. And for the record, I would never access such sites from a shared public computer anyway, and I recommend my readers don’t either.
To view additional content, comment on articles, or submit a question, visit my website at ItsGeekToMe.co (not .com!).
Jeff Werner, a software engineer based in Niceville, Florida, has been writing his popular “It’s Geek to Me” tech column since 2007. He shares his expertise to help readers solve everyday tech challenges.