Getty Images

Understanding Proxy Access for the Patient Portal, Privacy Questions

Patient portal proxy access is critical for family engagement and care coordination, but healthcare experts and IT developers must consider the privacy questions that remain.

A medical encounter rarely only involves the patient; with the rise in family engagement, most patients have at least some loved ones involved in their care, making proxy access a key feature of the patient portal.

The patient portal is the nexus of patient engagement, granting individuals access to their own medical information, lab and test results, history, clinician notes, and other key patient-facing features. But it’s not often patients go it alone, with many having a family caregiver or some loved one there to support them during their medical journey.

Family caregivers may be in charge of some patient education, care coordination, and even at-home post-discharge recovery processes. For those managing a chronic illness, caregivers are important for ensuring disease management and care coordination.

In the pediatric realm, the role of the family caregiver is even clearer. Parents and guardians are in charge of all aspects of their children’s health, whether there are chronic or acute care management needs present or not.

That means that in many cases, family caregivers need to view the patient portal. Under HIPAA, health information may be disclosed and made available to authorized individuals identified by the adult patient; for pediatrics, parents and legal guardians have access to health data.

Under those legalities, many family caregivers have proxy access to the patient portal. Proxy access to the patient portal means an authorized individual—a family caregiver, a home health aide, a parent or guardian, an adult child, or a healthcare power of attorney—may view an individual’s patient portal.

Although that may seem simple, there are many questions about how patient portal proxy access should work and how to maintain patient privacy while enabling family engagement.

What Is Proxy Access for the Patient Portal?

Proxy access for the patient portal means an authorized individual is allowed to view and access a loved one’s or, in the case of home health aides and healthcare power of attorneys, a client’s patient portal. This is important for looping in caregivers for family-centered care and for enabling key healthcare decision-making, especially when a patient is incapacitated.

According to the Office of the National Coordinator for Health IT, the benefits of proxy access for the patient portal include:

  • Better care coordination
  • Provider ability to differentiate between patient and caregiver while using patient portal secure direct messaging functions
  • Respect for patient autonomy and preference for including others in their care
  • Improved patient safety through verification of health record accuracy
  • Better adherence to post-discharge follow-up plans

“Increasing shared access to patient portals by caregivers is the next step in patient engagement,” ONC wrote in the proxy access section of its patient engagement playbook. “It has the potential to increase clinical quality and patient safety, add to the convenience and timeliness of health system interactions, and strengthen partnerships between patients, caregivers, and clinicians.”

Many healthcare organizations that allow patient portal proxy access have set up an authorization form allowing patients to identify those who should have proxy access. Ideally, this means setting up separate log-in information for a caregiver and then selecting the level of access that caregiver would have.

Although this is a largely administrative task, there is a key role for patient-provider communication, especially as provider testimony serves as a key facilitator for patient engagement technology adoption.

Clinicians should discuss who should have proxy access, patient preferences for sharing medical information with authorized individuals under HIPAA, and the extent to which patients would like information shared. Patients may be comfortable sharing information about their asthma management, but not their reproductive health, for example.

However, patient portals are still somewhat limited in enabling proxy access. Practice administrators will play a key role in ensuring organizations have the right technology and patient privacy best practices in place for allowing proxy access.

Enabling patient privacy with portal proxy access

Not every patient portal actually allows for true proxy access; these patient engagement technologies do not always let patients and their caregivers create separate log-in credentials with specific levels of data access. Instead, many families are left to share the password for the patient’s portal account.

In fact, a May 2020 study published in JAMA Internal Medicine data indicated that most families must simply share the password for a patient portal rather than utilize proxy access to the tool. Overall, 45 percent of the 102 hospitals included in a secret shopper survey said they did not offer proxy access to the patient portal, but recommended patients share their passwords with caregivers.

Password-sharing presents numerous security issues, not least of which include allowing access to health data patients want to be kept private even from their loved ones. Conversely, allowing for true proxy access has many benefits, according to ONC. Foremost, allowing for separate proxy access credentials lets clinicians and health systems track who is using the patient portal the most, the patient or the caregiver.

Second, it allows learning health systems to capture both caregiver-reported data and patient-reported outcomes data.

Office administrators may circumvent this password-sharing problem by looking into EHR vendors that do offer patient portals enabling proxy access, ONC suggested. Administrators should also spearhead efforts to educate clinicians on discussing patient portal proxy access with patients and marketing and messaging about the proxy access to the general patient population.

Patient portal proxy access in pediatrics

Patient portal proxy access is a key tool for pediatric care management. Per HIPAA, parents and legal guardians have a right to access their children’s medical records, with this practice being key to care management.

However, proxy access to the patient portal becomes more challenging as a pediatric patient approaches adolescence. First and foremost, pediatric providers and parents are both working to foster autonomy in a teen, teaching the adolescent how to manage her own health as she approaches adulthood.

There is also the medical complexity an adolescent may experience, ranging from substance use to reproductive health concerns. This information may be better kept private between the teen and the provider to ensure the teen feels comfortable sharing all needs and concerns with the clinician.

And as noted above, there isn’t always a great solution for this. Not every healthcare organization has the technology to create separate proxy patient portals, so teens and their parents often share the same account, according to 2021 data published in JAMA Network Open.

Using natural language processing, the researchers looked at about 3,500 adolescent patient portals and the secure direct messages sent from them. The assessment found that somewhere between 52 and 57 percent of secure direct messages came from a parent or guardian, not the teen who owns the portal.

While not every parent or guardian is intentionally encroaching on teen patient privacy—they might not know about a proxy portal or their teen might’ve elected to share the password—the researchers did acknowledge the issue this may pose for free patient-provider communication.

“Confidential communication is necessary for many adolescents to feel comfortable seeking care for sensitive health needs (eg, pregnancy, sexually transmitted diseases, substance use),” the team stated.

“Furthermore, all 50 states in the US have some form of minor consent laws, which have associated rights to privacy protection for the minor according to the Health Insurance Portability and Accountability Act.”

Similar concerns cropped up when rules under the 21st Century Cures Act called for proxy and patient portal access to clinician notes. The rule did not take account for layered access for teens receiving clinician notes, which could discourage free sharing of medical concerns, like sexual health.

The laws governing adolescent patient privacy and the patient portal vary by state, but the general consensus is that teens should have access to their medical information and be able to elect to keep some of it private from their parents. That autonomy should build as the teen grows nearer to adult care.a

That does not mean a healthcare provider should not loop parents into care. It’s common for a teen to want to involve parents or guardians in care, and clinicians should encourage that, especially when there is a serious concern.

As medicine continues to move toward team-based care, it will be critical to ensure all members of the team have the right tools. This means allowing proxy access for patient portals that empowers caregivers and other entities to be engaged in their loved one’s care.

However, building these tools and regulating them will require nuance, as a patient still is entitled to privacy. Separate log-in credentials for proxy patient portal accounts will be key. Health IT vendors should create tools that enable layered data access to give patients the power to share only the information they choose.

Next Steps

Dig Deeper on Patient data access