Patient Portals: Manage Risk & Protect Privacy

During the past few years, the traditional physician-driven model of delivering healthcare has given way to a more patient-centered approach in which the patient is actively engaged in their own care. In fact, many newer forms of alternative care delivery, such as patient-centered medical homes (PCMHs) and accountable care organizations (ACOs), use active engagement as a significant component of the care they provide to their patients. And, being truly patient-centered today means offering the kinds of electronic information and communication that patients need and expect.

Your practice may already be using electronic means, such as email and text messaging, to communicate with your patients. While these methods meet the spirit of electronic patient engagement, they do present HIPAA privacy and security concerns. For this reason, many facilities and organizations are looking to patient portals as a secure means for patients to access their medical record, while also meeting HIPAA requirements when sharing protected health information in an electronic format. If your facility utilizes Electronic Medical Records (EMRs), allowing patients to access their records through a patient portal may be the next logical step in improving communication.

The What and the Why of Patient Portals
What is a patient portal? According to, “A patient portal is a secure online website that gives patients convenient 24-hour access to personal health information from anywhere with an Internet connection.”
Office practices that have successfully adopted patient portals have seen many benefits, such as improved patient participation and satisfaction, better communication, more timely self-care by patients, and increased opportunities for physicians to better focus on high-priority patients.

Managing Risks Associated with Patient Portals
The use of portals does come with risks, such as privacy and security breaches, inappropriate patient use, and unrealistic expectations on the part of both the patient and the provider. Many of these risks can be addressed through a well-planned implementation of the portal, clear usage policies and procedures, and appropriate training for staff and patients alike. Consider the following recommendations as you incorporate the use of patient portals at your practice or facility.

To reduce the risk of privacy and security breaches:
  • Require each user to register with a unique username and password.
  • Do not post or permit access to sensitive patient information (e.g., treatment pertaining to mental health, sexually transmitted diseases, or substance abuse).
  • Include portal access in all relevant privacy and security policies and procedures.
  • Develop portal-specific policies and procedures, as necessary.
  • Include portal use in your annual information technology security risk assessment.

To reduce the risk of inappropriate patient use:
  • Define appropriate use.
  • Determine how patients will communicate through the portal and what they should expect for a response turnaround time.
  • If patients are permitted to request prescription refills, determine limitations (e.g., no narcotics) and how much notice is required (e.g., two to four working days).
  • Determine if patients will be permitted to upload information to be included in their record, how the information will be uploaded, and what types of information will be accepted.
  • Develop and implement a portal user agreement that includes what the patient may expect from the office practice. Describe unacceptable uses, such as emergency or urgent situations, and specify the consequences. Use the agreement as a teaching tool and as documentation of informed consent. Provide the patient with a signed copy of the agreement and maintain a copy at the practice.
  • Include language on the appropriate portal pages — such as the entry page and the messaging window — that clearly states the portal is not continuously monitored, must not be used for urgent communications, and that portal users are to call 911 in the event of a medical emergency.
  • Consult with legal counsel to determine if your state has specific requirements.

To reduce the risks of unrealistic expectations and patient dissatisfaction:
  • Learn as much about portals as possible. Visit practices that have successfully implemented a portal and ask them what works and what doesn’t. Your EMR system vendor may be able to provide contact information.
  • Consider including technologically savvy patients in your portal implementation and testing.
  • Provide role-based training for portal users. The training for patients will be different from that received by providers and staff members.

To address the needs and rights of minor patients:
  • Determine whether and how the portal may be used by pediatric patients. By their early teens, most youth are avid users of technology and may wish to access their own portal. This raises the question of whether and when parental access to the pediatric patient’s portal should be limited or completely restricted. Answers to these questions will be driven by your state’s laws pertaining to services minors may obtain based on their own consent, and whether health information related to these services may be blocked from display on the portal to prevent parental access to the information.
  • HIPAA expert Adam Greene suggests the following (subject to state law):
    • For patients aged 12 and under, parents have primary access. The child’s level of access should be guided by discussion with the family.
    • Patients between the ages of 13 and 18 may be able to consent to some services, such as birth control, without parental involvement. Parental access to their child’s patient portal should be determined by the ability to restrict sensitive information. If it is not possible to keep such sensitive information private, it may be necessary to terminate the parents’ access to the portal. Consider seeking legal advice before doing so.
    • At 18, parental access to the portal should be terminated, unless there are special circumstances (e.g., the child is not competent to consent to their own care) or the child agrees to permit parental access and signs a written authorization.

At the time of writing, about half of all U.S. medical practices are using online patient portals to increase engagement and improve communication with patients. If you already have a portal in place, it's imperative that you continually improve it, stay on top of privacy regulations, and find new ways to enhance how your patients, as well as you and your colleagues, make use of this powerful asset. If you are considering implementing a patient portal, be sure to start out on the right foot by taking the time to set clear guidelines and expectations and to train patients and staff alike. A well-implemented patient portal is far more than just an office tool and an exercise in efficiency; improved patient communication and engagement can significantly improve health outcomes and reduce risks.

No legal or medical advice intended. This post includes general risk management guidelines. Such materials are for informational purposes only and may not reflect the most current legal or medical developments. These informational materials are not intended, and must not be taken, as legal or medical advice on any particular set of facts or circumstances.
