(Reuters Health)—Patient portals at U.S. hospitals leave a lot to be desired in terms of privacy when individuals want to share access with an informal caregiver, a new study finds.
At nearly half of 102 hospitals included in the study, personnel advised that patients share their account password to give access to a family member or friend, and few institutions enabled patients to limit the types of information that could be seen by those with proxy access to the patient’s records, according to the report in JAMA Internal Medicine [1].
“Although some of the patient portals in the U.S. have proxy accounts, they are not easy to set up, so they are often not being used,” says the study’s lead author, Celine Latulipe, an associate professor of computer science at the University of Manitoba, Winnipeg, Canada, and the Department of Software and Information Systems at the University of North Carolina, Charlotte.
The result, Prof. Latulipe says, is that hospital personnel often suggest that patients share passwords with caregivers instead of helping them create a proxy account. “That sets up a lot of privacy and security issues,” she adds. “And in most cases, it probably goes against the terms of service for using the portal, so staff are telling people to violate the terms of service. It’s also a violation of HIPAA.”
Phone calls to 102 hospitals by researchers posing as the daughter of an older patient revealed that 69 of the institutions offered proxy accounts to caregivers of adult patients and 26 did not. Personnel at seven of the hospitals did not know if proxy accounts were available.
When personnel at 94 of the hospitals were asked about the possibility of password sharing between the patient and the caregiver, 42 endorsed the practice. In hospitals that provided proxy accounts, only 13 of 69 offered controls that enabled patients to restrict the types of information their proxies could see.
Password sharing may not be the official policy, Prof. Latulipe says, but if it is not, that means there are serious deficiencies in staff training. “That is problematic.”
Patients who are worried about test results and want to access them online most likely aren’t thinking about privacy when they ask someone to help them gain access to their medical records, Prof. Latulipe says. “So when the caregiver, or neighbor, or friend logs on with the patient’s username and password, they suddenly have access to the patient’s entire medical history, and that includes billing information,” she adds.
The solution is for hospitals to make it easy to set up a proxy account, which will allow the patient to limit the kinds of information the proxy can access, Prof. Latulipe said. That way the proxy can have their own account with a different username and password from the patient, she adds.
To take a closer look at proxy accounts, Prof. Latulipe and her colleagues randomly chose one independent hospital and one health system-affiliated general medical hospital from every U.S. state and the District of Columbia to be called by a researcher posing as a caregiver between May and December 2018.
“The study, which included the use of deception, was approved by the Wake Forest School of Medicine Institutional Review Board,” Prof. Latulipe and her colleagues explain. “Informed consent was waived because institutions were considered the study participants and obtaining informed consent would likely lead to social desirability bias.”
The new study highlights issues with the way electronic access is set up for patients and their proxies, says Albert Wu, MD, an internist and a professor of health policy and management at the Johns Hopkins Bloomberg School of Public Health, Baltimore.
“I think the patient portal is one of the best things about the electronic health record, which has been a bit of a mixed blessing, though admittedly an advance,” Dr. Wu says. “It’s a convenient way for doctors and patients to securely communicate, with a guarantee that the patient will actually get the message. But, patient portals have their own perils.”
It’s disturbing that one quarter of the hospitals did not offer a proxy portal, which means that patients who are not tech savvy may not be able to get help accessing their information, Dr. Wu says. “Perhaps even more disturbing is that at half of the hospitals the workaround recommended was for patients to share their password with their proxies,” he adds.
“This suggests the current system is broken,” Dr. Wu says. “It’s vital for patients to be able to stay in touch with their doctors and that’s especially true during this COVID crisis. This study reveals that despite the billions invested in the electronic health record, organizations haven’t taken the basic step of providing proper access for patients to this vital communication channel.”
References
1. Latulipe C, Mazumder SF, Wilson RKW, et al. Security and privacy risks associated with adult patient portal accounts in U.S. hospitals. JAMA Intern Med. 2020 May 4. [Epub ahead of print]
2. DesRoches CM, Walker J, Delbanco T. Care Partners and patient portals-faulty access, threats to privacy, and ample opportunity. JAMA Intern Med. 2020 May 4. [Epub ahead of print]