(Reuters Health)—Patient portals at U.S. hospitals leave a lot to be desired in terms of privacy when individuals want to share access with an informal caregiver, a new study finds.
At nearly half of 102 hospitals included in the study, personnel advised that patients share their account password to give access to a family member or friend, and few institutions enabled patients to limit the types of information that could be seen by those with proxy access to the patient’s records, according to the report in JAMA Internal Medicine.1
“Although some of the patient portals in U.S. have proxy accounts, they are not easy to set up, so they are often not being used,” says the study’s lead author, Celine Latulipe, an associate professor of computer science at the University of Manitoba, Winnipeg, Canada, and the Department of Software and Information Systems, at the University of North Carolina, Charlotte.
The result, Prof. Latulipe says, is that hospital personnel often suggest that patients share passwords with caregivers instead of helping them create a proxy account. “That sets up a lot of privacy and security issues,” she adds. “And in most cases, it probably goes against the terms of service for using the portal, so staff are telling people to violate the terms of service. It’s also a violation of HIPAA.”
Phone calls to 102 hospitals by researchers posing as the daughter of an older patient revealed that 69 of the institutions offered proxy accounts to caregivers of adult patients and 26 did not. Personnel at seven of the hospitals did not know if proxy accounts were available.
When personnel at 94 of the hospitals were asked about the possibility of password sharing between the patient and the caregiver, 42 endorsed the practice. In hospitals that provided proxy accounts, only 13 of 69 offered controls that enabled patients to restrict the types of information their proxies could see.
Password sharing may not be the official policy, Prof. Latulipe says, but if it is not, that means there are serious deficiencies in staff training. “That is problematic.”
Patients who are worried about test results and want to access them online most likely aren’t thinking about privacy when they ask someone to help them gain access their medical records, Prof. Latulipe says. “So when the caregiver, or neighbor, or friend logs on with the patient’s username and password, they suddenly have access to the patient’s entire medical history, and that includes billing information,” she adds.
