Security and Privacy Risks Associated With Adult Patient Portal Accounts in US Hospitals.

This cross-sectional study examines the use and risks of proxy access to adult patient portals in independently operated and system-affiliated US hospitals. Importance Patient portals can help caregivers better manage care for patients, but how caregivers access the patient portal could threaten patient security and privacy. Objective To identify the proportions of hospitals that provide proxy accounts to caregivers of adult patients, endorse password sharing with caregivers, and enable patients to restrict the types of information seen by their caregivers. Design, Setting, and Participants This national cross-sectional study included a telephone survey and was conducted from May 21, 2018, to December 20, 2018. The randomly selected sample comprised 1 independent hospital and 1 health system-affiliated general medical hospital from every US state and the District of Columbia. Specialty hospitals and those that did not have a patient portal in place were excluded. An interviewer posing as the daughter of an older adult patient called each hospital to ask about the hospital's patient portal practices. The interviewer used a structured questionnaire to obtain information on proxy account availability, password sharing, and patient control of their own information. Main Outcomes and Measures The primary outcome was the proportion of hospitals that provided proxy accounts to caregivers of adult patients. Secondary outcomes were the proportion of hospitals with personnel who endorsed password sharing and the proportion that allowed adult patients to limit the types of information available to caregivers. Results After exclusions, a total of 102 (51 health system-affiliated and 51 independent) hospitals were included in the study. Of these hospitals, 69 (68%) provided proxy accounts to caregivers of adult patients and 26 (25%) did not. In 7 of 102 hospitals (7%), the surveyed personnel did not know if proxy accounts were available. In the 94 hospitals asked about password sharing between the patient and caregiver, personnel in 42 hospitals (45%) endorsed the practice. Among hospitals that provided proxy accounts, only 13 of the 69 hospitals (19%) offered controls that enabled patients to restrict the types of information their proxies could see. Conclusions and Relevance This study found that almost half of surveyed hospital personnel recommended password sharing and that few hospitals enabled patients to limit the types of information seen by those with proxy access. These findings suggest that hospitals and electronic health record (HER) vendors need to improve the availability and setup process of proxy accounts in a way that allows caregivers to care for patients without violating their privacy. Question Do hospitals allow caregivers to access patient portals in a manner that protects security and privacy? Findings In this cross-sectional study of 102 US hospitals, 68% of hospitals in the sample offered proxy accounts to caregivers of adult patients, 45% of the hospital personnel surveyed endorsed sharing of login credentials, and 19% of hospitals that provided proxy accounts enabled patients to limit the types of information seen by their caregivers. Meaning Findings of this study suggest that hospitals and electronic health record vendors should work together to improve the availability and setup of proxy accounts not only to facilitate caregiver access but also to protect the privacy and security of patient health information.