Practices must be able to protect the confidentiality of adolescent patients’ sensitive condition treatment information in patient portals. Consider the following case.
A family practice physician called the NORCAL Risk Management department to get advice about parent access to adolescent patient treatment information through the patient portal. He was considering sending letters to all of his patients age 13-17 requesting permission to give parents/guardians access to their patient portal accounts. If he could not get permission from the adolescent, parent/guardian access would be blocked. Alternatively, he thought he could just withdraw access to the portal for all parents of patients aged 13-17, and then restore parent access upon the adolescent’s approval of the parent’s application for proxy access. He wanted to know if there were any guidelines on how to protect adolescent patient confidentiality in patient portals.
More Information About Adolescent Consent and Privacy
- Overview: Adolescent Consent and Privacy
- Case Study: Consent for Treatment of an Adolescent: Drug Testing
- Case Study: Consent for Treatment of an Adolescent: Unaccompanied Adolescents
- Case Study: Consent for Treatment of an Adolescent: Third-Party Consent
- Case Study: Adolescent Health Information: Is it Confidential?
- Best Practices: Adolescent Health Information Privacy
How a practice handles parent portal access to adolescent patient medical information depends on whether the practice’s patient portal has the capacity to filter out data that becomes confidential when the child reaches 13 (or whatever age the state law designates). Practices without these capabilities will most likely need to deny parent portal access to their adolescent child’s portal account unless the adolescent patient authorizes access to his or her protected information. The family practice physician’s solutions in the foregoing case, although imperfect, were appropriate, as his portal program was not able to filter out sensitive information for parent accounts.
If a portal system can limit the data accessible to parents, the practice will need to determine which information to limit pursuant to federal and state privacy laws.1 Then the practice will need to determine how they will shift diminishing/expanding access from parent to child as the child matures. There are various ways to accomplish shifting portal access. For example, at Atrius Health both parent and child have portal accounts. When the child is age 0-12, parents are given “pediatric proxy access,” which gives them access to the entire record. When the child reaches 13, the parent’s pediatric proxy access is automatically transitioned to “adolescent proxy access.” The parent’s adolescent proxy access gives the parent the ability to view portions of the record that are not confidential. Adolescents apply for “adolescent access” at age 13, which gives them access to their confidential information and other components of their medical record. When adolescents reach age 18, the parent’s access is discontinued, but the parent can apply for “adult proxy access,” which must be approved by the adult child.2
When both parent and child accounts exist and are linked, certain sensitive information can be tagged (e.g., labs related to pregnancy, sexually transmitted illnesses, genetic results, select confidential appointments, and potentially sensitive problems and medications) and sent only to the adolescent patient’s account. The chart below is an example of a patient portal configuration that allows limited access to either the child patient or parent as the patient matures. The child’s parents start with full access, then lose access to sensitive information and finally lose access to all of their child’s medical information when the child reaches their 18th birthday.
Practices may also allow the parents of adolescent children to limit the adolescent’s access to selected general medical information. For example, if the parent believed the adolescent was not mature enough to view the results of some tests, those could be masked. A system like this must also have the flexibility to deny parent access to confidential information that falls outside of set age brackets in a parent access plan; for example, lab reports for an 11-year-old with an STI.1
Chart: Example Patient Portal Configuration1,3
|Medical Record Content||Parent Access to Pediatric Information
|Parent Access to Adolescent Information
|Adolescent Access to Adolescent Information
|Parent Access to Adult Child Information
|Appointment Request Capacity||✓||✓||✓||✕|
Medical Liability Risk Management Recommendations1,4
- Work closely with IT personnel and attorneys to safeguard confidential adolescent healthcare information in patient portals.
- Ensure that parents and adolescents understand the services and information that will be available to them through the patient portal.
- Have a system in place to authenticate parents/guardians during the portal registration process.
1. Fabienne C. Bourgeois, MD, MPH, et al. “Whose Personal Control? Creating Private, Personally Controlled Health Records for Pediatric and Adolescent Patients.” Journal of the American Medical Informatics Association, 2008;15(6):737-743. (accessed 1/31/2019)
2. Atrius Health. “Proxy Access.” (accessed 1/31/2019)
3. The Office of the National Coordinator for Health Information Technology. “Ensure Portal Access for All Patients.” Patient Engagement Playbook. Chapter 3.1. (accessed 1/31/2019)
4. Sheila Green-Shook, MHA. “Parental Proxy Access via Web Portals: Ensuring Compliance and Quality Documentation.” Journal of AHIMA. 2009; 80(7): 60-61. (accessed 1/31/2019)