During the past few years, the traditional physician-driven model of delivering healthcare has given way to a more patient-centered approach in which the patient is actively engaged in their own care. In fact, many newer forms of alternative care delivery, such as patient-centered medical homes (PCMHs) and accountable care organizations (ACOs), use active engagement as a significant component of the care they provide to their patients. And, being truly patient-centered today means offering the kinds of electronic information and communication that patients need and expect.

Your practice may already be using electronic means, such as email and text messaging, to communicate with your patients. While these methods meet the spirit of electronic patient engagement, they do present HIPAA privacy and security concerns. For this reason, many facilities and organizations are looking to patient portals as a secure means for patients to access their medical record, while also meeting HIPAA requirements when sharing protected health information in an electronic format. If your facility utilizes Electronic Medical Records (EMRs), allowing patients to access their records through a patient portal may be the next logical step in improving communication.

The What and the Why of Patient Portals

What is a patient portal? According to HealthIT.gov, “A patient portal is a secure online website that gives patients convenient 24-hour access to personal health information from anywhere with an Internet connection.”
Office practices that have successfully adopted patient portals have seen many benefits, such as improved patient participation and satisfaction, better communication, more timely self-care by patients, and increased opportunities for physicians to better focus on high-priority patients.

Managing Risks Associated with Patient Portals

The use of portals does come with risks, such as privacy and security breaches, inappropriate patient use, and unrealistic expectations on the part of both the patient and the provider. Many of these risks can be addressed through a well-planned implementation of the portal, clear usage policies and procedures, and appropriate training for staff and patients alike. Consider the following recommendations as you incorporate the use of patient portals at your practice or facility.

To reduce the risk of privacy and security breaches:
  • Require each user to register with a unique username and password.
  • Do not post or permit access to sensitive patient information (e.g., treatment pertaining to mental health, sexually transmitted diseases, or substance abuse).
  • Include portal access in all relevant privacy and security policies and procedures.
  • Develop portal-specific policies and procedures, as necessary.
  • Include portal use in your annual information technology security risk assessment.
To reduce the risk of inappropriate patient use:
  • Define appropriate use.
  • Determine how patients will communicate through the portal and what they should expect for a response turnaround time.
  • If patients are permitted to request prescription refills, determine limitations (e.g., no narcotics) and how much notice is required (e.g., two to four working days).
  • Determine if patients will be permitted to upload information to be included in their record, how the information will be uploaded, and what types of information will be accepted.
  • Develop and implement a portal user agreement that includes what the patient may expect from the office practice. Describe unacceptable uses, such as emergency or urgent situations, and specify the consequences. Use the agreement as a teaching tool and as documentation of informed consent. Provide the patient with a signed copy of the agreement and maintain a copy at the practice.
  • Include language on the appropriate portal pages — such as the entry page and the messaging window — that clearly states the portal is not continuously monitored, must not be used for urgent communications, and that portal users are to call 911 in the event of a medical emergency.
  • Consult with legal counsel to determine if your state has specific requirements.
To reduce the risks of unrealistic expectations and patient dissatisfaction:
  • Learn as much about portals as possible. Visit practices that have successfully implemented a portal and ask them what works and what doesn’t. Your EMR system vendor may be able to provide contact information.
  • Consider including technologically savvy patients in your portal implementation and testing.
  • Provide role-based training for portal users. The training for patients will be different from that received by providers and staff members.
To address the needs and rights of minor patients:
  • Determine whether and how the portal may be used by pediatric patients. By their early teens, most youth are avid users of technology and may wish to access their own portal. This raises the question of whether and when parental access to the pediatric patient’s portal should be limited or completely restricted. Answers to these questions will be driven by your state’s laws pertaining to services minors may obtain based on their own consent, and whether health information related to these services may be blocked from display on the portal to prevent parental access to the information.
  • HIPAA expert Adam Greene suggests the following (subject to state law):
    • For patients aged 12 and under, parents have primary access. The child’s level of access should be guided by discussion with the family.
    • Patients between the ages of 13 and 18 may be able to consent to some services, such as birth control, without parental involvement. Parental access to their child’s patient portal should be determined by the ability to restrict sensitive information. If it is not possible to keep such sensitive information private, it may be necessary to terminate the parents’ access to the portal. Consider seeking legal advice before doing so.
    • At 18, parental access to the portal should be terminated, unless there are special circumstances (e.g., the child is not competent to consent to their own care) or the child agrees to permit parental access and signs a written authorization.
At the writing of this article, about half of all U.S. medical practices are using online patient portals to increase engagement and improve communication with patients. If you already have a portal in place, it’s imperative that you continually improve it, stay on top of privacy regulations, and find new ways to enhance the way your patients ― as well as you and your colleagues ― are making use of this powerful asset. If you are considering implementing a patient portal, be sure to start out on the right foot by taking the time to set clear guidelines and expectations and to train patients and staff alike. A well-implemented patient portal is far more than just an office tool and effort in efficiency; improved patient communication and engagement can significantly improve health outcomes and reduce risks.

No legal or medical advice intended. This post includes general risk management guidelines. Such materials are for informational purposes only and may not reflect the most current legal or medical developments. These informational materials are not intended, and must not be taken, as legal or medical advice on any particular set of facts or circumstances.