Original Investigation
May 4, 2020

Security and Privacy Risks Associated With Adult Patient Portal Accounts in US Hospitals

Author Affiliations
  • 1 Department of Computer Science, University of Manitoba, Winnipeg, Manitoba, Canada
  • 2 Department of Software and Information Systems, The University of North Carolina at Charlotte, Charlotte
  • 3 Department of Internal Medicine, Wake Forest School of Medicine, Winston-Salem, North Carolina
  • 4 Department of Biostatistics and Data Science, Wake Forest School of Medicine, Winston-Salem, North Carolina
  • 5 Department of Epidemiology & Prevention, Wake Forest School of Medicine, Winston-Salem, North Carolina
  • 6 Department of Family and Community Medicine, Wake Forest School of Medicine, Winston-Salem, North Carolina
JAMA Intern Med. 2020;180(6):845-849. doi:10.1001/jamainternmed.2020.0515
Key Points

Question  Do hospitals allow caregivers to access patient portals in a manner that protects security and privacy?

Findings  In this cross-sectional study of 102 US hospitals, 68% of hospitals in the sample offered proxy accounts to caregivers of adult patients, 45% of the hospital personnel surveyed endorsed sharing of login credentials, and 19% of hospitals that provided proxy accounts enabled patients to limit the types of information seen by their caregivers.

Meaning  Findings of this study suggest that hospitals and electronic health record vendors should work together to improve the availability and setup of proxy accounts not only to facilitate caregiver access but also to protect the privacy and security of patient health information.

Abstract

Importance  Patient portals can help caregivers better manage care for patients, but how caregivers access the patient portal could threaten patient security and privacy.

Objective  To identify the proportions of hospitals that provide proxy accounts to caregivers of adult patients, endorse password sharing with caregivers, and enable patients to restrict the types of information seen by their caregivers.

Design, Setting, and Participants  This national cross-sectional study included a telephone survey and was conducted from May 21, 2018, to December 20, 2018. The randomly selected sample comprised 1 independent hospital and 1 health system–affiliated general medical hospital from every US state and the District of Columbia. Specialty hospitals and those that did not have a patient portal in place were excluded. An interviewer posing as the daughter of an older adult patient called each hospital to ask about the hospital’s patient portal practices. The interviewer used a structured questionnaire to obtain information on proxy account availability, password sharing, and patient control of their own information.

Main Outcomes and Measures  The primary outcome was the proportion of hospitals that provided proxy accounts to caregivers of adult patients. Secondary outcomes were the proportion of hospitals with personnel who endorsed password sharing and the proportion that allowed adult patients to limit the types of information available to caregivers.

Results  After exclusions, a total of 102 (51 health system–affiliated and 51 independent) hospitals were included in the study. Of these hospitals, 69 (68%) provided proxy accounts to caregivers of adult patients and 26 (25%) did not. In 7 of 102 hospitals (7%), the surveyed personnel did not know if proxy accounts were available. In the 94 hospitals asked about password sharing between the patient and caregiver, personnel in 42 hospitals (45%) endorsed the practice. Among hospitals that provided proxy accounts, only 13 of the 69 hospitals (19%) offered controls that enabled patients to restrict the types of information their proxies could see.

Conclusions and Relevance  This study found that almost half of surveyed hospital personnel recommended password sharing and that few hospitals enabled patients to limit the types of information seen by those with proxy access. These findings suggest that hospitals and electronic health record (EHR) vendors need to improve the availability and setup process of proxy accounts in a way that allows caregivers to care for patients without violating their privacy.
