Patient Portal Q & A: Part 1
As hospitals and physician offices are rapidly rolling out patient portals in an effort to meet the requirements of the Meaningful Use program, we are seeing some common legal and practical issues and questions surface. This first article in a multi-part series will address a few of the most common questions we are seeing as clients are operationalizing their patient portals.
Q1. Do patients need to “Authorize” or “Opt-In” to having their records uploaded to the portal?
A1. No. Patient portals are simply another means of medical record maintenance, and more specifically, medical record access. Patients do not need to sign an authorization or “opt in” to have their records uploaded or transferred to the portal. We are hearing many clients describe that their patient portal vendor has a default setting requiring the patient to “opt in” to the portal. This can present a challenge procedurally as you deal with these default settings. Our advice first and foremost is to challenge your vendor as to whether their settings truly have to include a checkbox for opting in or out of the portal. If the vendor is unwilling to adjust their default settings, you should determine whether this opt-in or opt-out setting is an internal setting viewed only by provider staff, or whether the patient is required to make the selection. Assuming it’s an internal setting, we believe it is appropriate for you not to advertise or otherwise publish to the patient that there is an opt-in or opt-out setting, because there truly is no such feature. The system should be set to automatically default patient records as “opt in” if your vendor is unwilling to disable that setting completely. Patients have the choice whether to actually register for the portal and use the portal to access their information, but there is no meaningful choice for the patient as to whether the information will be stored on the portal ready for patient registration and access should they so choose. If your vendor mandates an opt-in or opt-out by the patient directly, you may need some assistance in discussing the issue with your vendor to better understand their set up and any alternatives available.
Q2. Do patients need to complete an Authorization before registering or accessing their records on the portal?
A2. No. A formal Authorization to access records on the portal is not necessary. You may choose to use a form to document a patient’s email address or other means of providing access to the Portal, but we do not recommend using an Authorization form for a patient’s access to his or her own record, or a parent’s access to their minor child’s record. An Authorization form signals to regulators that you are disclosing the patient’s record to someone other than the patient or the patient’s personal representative. You would use an Authorization, however, if you plan to allow a an “authorized representative” of the patient to access the patient’s record through the Portal. This would be the scenario of an adult child accessing the portal records of their elderly parents. This is different than the parent/minor child situation where the parents stand in the shoes of the minor child. This is where an adult patient of sound mind authorizes another individual to be given access to their medical information on the portal. We do recommend that a formal Authorization form be used in this case. You would treat this situation just as you would if someone called in or presented to the medical records department asking for access to someone else’s records. If the individual is the parent of a minor child, you give access only requiring proper identification and verification of parental relationship. If the request is not a minor child or guardian scenario, you would require the patient to have signed an Authorization before disclosing to another individual. You follow the same process for the Portal.
Q3. Is it okay if a patient allows another person access to their portal account by just sharing their user name and password with this other person?
A3. Yes, and likely it will happen this way. We do not recommend that you encourage or advise the patient to give out his or her user name and password to family or friends for this purpose, but if you are aware that it has happened, you do not need to take any action to stop it.
Q4. May minors have access to their records on the portal? May parents have access to minors’ records?
A4. The topic of minors’ records on a Portal presents the most common and difficult challenge faced by providers in implementing a Portal. There is no law to prevent minors from having access to their own records through a Portal. The real dilemma is that parents need access to a young child’s records, but for certain records involving STD testing and treatment where the minor is permitted by state law to seek specific services and consent to those services without parental involvement or parental payment for the services, the parent is not legally entitled to have access to those records. In order for a parent to have access to the minor child’s record on the Portal, there must be a mechanism for those records described above to be excluded from the parents’ access through the Portal. You should first start with your portal vendor to determine what technical solutions exist. If your portal does not provide a technical solution to prevent the viewing of certain records by parents based on legal requirements then you must look for a manual solution. Is there a manual process that will allow you to flag certain records so they are not sent to the portal? If there is not an automatic or manual solution, you will need to evaluate whether the minors’ records can be put on the portal at all. Some providers are choosing to allow parental access to minors’ records until they reach a certain age (e.g., after age 13 parents no longer get access). Some providers are choosing to exclude minors’ records completely. You may want to also consider whether your system and processes allow you to create a separate ID for the minors receiving these STD testing and services (or other services minors are permitted to receive under a particular state’s law without parental consent). You would need to ensure the two IDs are linked for patient care purposes, but not linked for Portal access. In any assessment of your options, you should analyze the impact those decisions will have on your ability to meet the Meaningful Use requirements moving forward.