Practices must be able to protect the confidentiality of adolescent patients’ sensitive condition treatment information in patient portals. Consider the following case.
Case File
A family practice physician called the Risk Management department to get advice about parent access to adolescent patient treatment information through the patient portal. He was considering sending letters to all his patients between the ages of 13 and 17 requesting permission to give parents/guardians access to their patient portal accounts. If he could not get permission from the adolescent, parent/guardian access would be blocked. Alternatively, he thought he could just withdraw access to the portal for all parents of patients between the ages of 13 and 17, and then restore parent access upon the adolescent’s approval of the parent’s application for proxy access. He wanted to know if there were any guidelines on how to protect adolescent patient confidentiality in patient portals.
Discussion
How a practice handles parent portal access to adolescent patient medical information depends on whether the practice’s patient portal has the capacity to filter out data that becomes confidential when the child reaches 13 (or whatever age the state law designates). Practices without these capabilities will most likely need to deny parent portal access to their adolescent child’s portal account unless the adolescent patient authorizes access to his or her protected information. The family practice physician’s solutions in the foregoing case, although imperfect, were appropriate, as his portal program was not able to filter out sensitive information for parent accounts.
If a portal system can limit the data accessible to parents, the practice will need to determine which information to limit pursuant to federal and state privacy laws.1 Then the practice will need to determine how to shift diminishing/expanding access from parent to child as the child matures. There are various ways to accomplish shifting portal access. For example, at Atrius Health, both parent and child have portal accounts. When the child is age 0-12, parents are given “pediatric proxy access,” which gives them access to the entire record in the EHR. When the child reaches 13, the parent’s pediatric proxy access is automatically transitioned to “adolescent proxy access.” The parent’s adolescent proxy access gives the parent the ability to view portions of the record that are not confidential. Adolescents apply for “adolescent access” at age 13, which gives them access to their confidential information and other components of their medical record. When adolescents reach age 18, the parent’s access is discontinued, but the parent can apply for “adult proxy access,” which must be approved by the adult child.2
When both parent and child accounts exist and are linked, certain sensitive information can be tagged (e.g., labs related to pregnancy, sexually transmitted illnesses, genetic results, select confidential appointments, potentially sensitive problems, and medications) and sent only to the adolescent patient’s account. The following chart is an example of a patient portal configuration that allows limited access to either the child patient or parent as the patient matures. The child’s parents start with full access, then lose access to sensitive information and finally lose access to all their child’s medical information when the child reaches their 18th birthday.
Practices may also allow the parents of adolescent children to limit the adolescent’s access to selected general medical information. For example, if the parent believed the adolescent was not mature enough to view the results of some tests, they could be masked. A system like this must also have the flexibility to deny parent access to confidential information that falls outside of set age brackets in a parent access plan.
Chart: Example Patient Portal Configuration1
| Medical Record Content | Parent Access to Pediatric Information (0-11 Years) |
Parent Access to Adolescent Information (12-17 Years) |
Adolescent Access to Adolescent Information (12+ Years) |
Parent Access to Adult Child Information (18+ Years) |
| Labs | ✓ | Some withheld |
✓ | ✕ |
| Immunizations | ✓ | ✓ | ✓ | ✕ |
| Allergies | ✓ | ✓ | ✓ | ✕ |
| Growth | ✓ | ✓ | ✓ | ✕ |
| Appointment Request | ✓ | ✕ | ✓ | ✕ |
| Appointment View | ✓ | ✕ | ✓ | ✕ |
| Problem List | ✓ | ✕ | ✓ | ✕ |
| Medications | ✓ | Some withheld |
✓ | ✕ |
Medical Liability Risk Management Recommendations1,3
- Work closely with IT personnel and attorneys to safeguard confidential adolescent healthcare information in patient portals.
- Ensure that parents and adolescents understand the services and information that will be available to them through the patient portal.
- Have a system in place to authenticate parents/guardians during the portal registration process.
References
1. Fabienne C. Bourgeois, et al. “Whose Personal Control? Creating Private, Personally Controlled Health Records for Pediatric and Adolescent Patients.” Journal of the American Medical Informatics Association, 2008;15(6):737-743.
2. Atrius Health. “MyHealth Online - Proxy Access.”
3. Sheila Green-Shook. “Parental Proxy Access via Web Portals: Ensuring Compliance and Quality Documentation.” Journal of AHIMA. 2009; 80(7): 60-61.
