New study highlights privacy questions in teenagers’ electronic health records

Photo by Evolution Labs via Flickr.

Adolescent online patient portals can be set up confidentially so information about pregnancy testing, sexually transmitted diseases, mental health, and drug and alcohol use, etc., are kept private from parents and guardians. But a new study published in JAMA Network Open from three children’s hospitals revealed that more than half of adolescents’ accounts were inappropriately accessed by parents and guardians.

The study suggests there is more work to do both in designing these portals and in educating parents and their teens about them, the authors said.

Study methodology

Participating sites included Stanford Children’s Health in Palo Alto, Calif.; Rady Children’s Hospital in San Diego; and Nationwide Children’s Hospital in Columbus, Ohio — all of which allow adolescents to have patient portal accounts. Guardians can register for proxy accounts.

Investigators used a natural language processing algorithm to analyze all messages sent from patient portal accounts for 13- to 18-year-olds from June 2014 through the end of February 2020 to identify notes sent by parents/guardians. Some manual reviews at each institution were also performed. The study looked for either third-person references to the adolescent, phrases such as “my child,” or incidences where the signature matched the name of a guardian on file.

A closer look at the results

Researchers analyzed 25,642 messages sent from 3,429 adolescent accounts across the three institutions. After adjusting for sensitivity and specificity of the algorithm, they found that an estimated 64-76% of all accounts with outbound messages were accessed by parents and guardians. Parent access decreased as patients aged, from 59-64% in records for 13- to 14-year-olds to 40-50% in those for 17- to 18-year-olds.

Compliance with federal regulations and state confidentiality and consent laws for adolescents requires a reliable mechanism to share protected health information without guardian knowledge, the authors said. Thus, the study suggests that adolescent portal accounts as they exist today may be lacking.

“The 21st Century Cures Act has encouraged the sharing of health information with patients, which we totally endorse and really want to happen,” said senior study author Natalie Pageler, M.D., the chief medical information officer for Stanford Children’s Health, and a clinical professor of pediatrics and medicine at Stanford University, in a phone interview. “It’s the right thing to do for patients and families. But we think this issue [of parents accessing their teenagers’ accounts] is under-recognized…Many parents are getting access to information that they shouldn’t be, which creates a risk for teens.”

This includes the risk that if teens don’t trust that they have a confidential relationship with their provider, they won’t seek the care they need, Pageler said. Worse, for some teens there may be a risk of physical violence or retribution from parents.

According to Pageler, teenagers should have their confidential accounts, and parents can set up a proxy one granting them access to other health information that doesn’t fall under the above-mentioned categories. But it’s tricky, as state laws regarding consent can vary.

The study did not dive into why parents accessed their children’s records, but Pageler has several theories. Patients and parents may have been confused about how the portals work. It could be because babies’ electronic patient records are first established using parents’ contact information; the accounts may not be properly migrated to the children’s information later. Additionally, some teenagers initially don’t want to manage their health care information and give their login information to their parents. Finally, some parents may be checking the accounts surreptitiously, although Pageler says she believes that’s a small portion.

Investigators’ idea for the study was sparked by  a 2019 report in the Journal of General Internal Medicine looking at adult children accessing their parents’ patient portals. Their intent wasn’t necessarily malicious, Pageler said, but might have resulted from parents needing help from their kids in navigating portals. Protecting privacy to promote interoperability is a big issue now, she said. In other words, how do clinicians tag sensitive or private data in patient records and direct it to the right people while excluding others from it?

Stanford Children’s has started a cleanup of its adolescent records. First, they’re screening for guardians’ email addresses linked to the accounts, which appears to be about 60%, said lead study author Wui Ip, M.D., a pediatrician who recently completed a fellowship in clinical informatics at Stanford. Ip, Pageler and colleagues have embarked on a quality improvement project to notify those account holders that they must correct the records using the adolescents’ email addresses, or the accounts may risk being deactivated.

Journalists writing about patient portals for adolescents, or conversely for older adults, might want to ask hospitals about their patient portal registration policies. Then they can find out if they share sensitive information (visit notes, lab results, etc.) electronically through the portal, Ip suggested.

Other patient portal news

Office of the National Coordinator for Health IT released a new data brief in September on “Individuals’ Access and Use of Patient Portals and Smartphone Health Apps in 2020.” About six in 10 people nationwide were offered access to their patient portals, and nearly 40% accessed their record at least once in 2020, the report said. People encouraged by their health care providers to use the patient portal accessed them at higher rates, and nearly four in 10 users accessed their portal through a smartphone app.

Leave a Reply