If you don't remember your password, you can reset it by entering your email address and clicking the Reset Password button. You will then receive an email that contains a secure link for resetting your password
If the address matches a valid account an email will be sent to __email__ with instructions for resetting your password
Managing confidential adolescent health information in patient portals presents unique challenges. Adolescent patients and guardians electronically access medical records and communicate with providers via portals. In confidential matters like sexual health, ensuring confidentiality is crucial. A key aspect of confidential portals is ensuring that the account is registered to and utilized by the intended user. Inappropriately registered or guardian-accessed adolescent portal accounts may lead to confidentiality breaches.
We used a quality improvement framework to develop screening methodologies to flag guardian-accessible accounts. Accounts of patients aged 12–17 were flagged via manual review of account emails and natural language processing of portal messages. We implemented a reconciliation program to correct affected accounts’ registered email. Clinics were notified about sign-up errors and educated on sign-up workflow. An electronic alert was created to check the adolescent’s email prior to account activation.
After initial screening, 2,307 of 3,701 (62%) adolescent accounts were flagged as registered with a guardian’s email. Those accounts were notified to resolve their logins. After five notifications over 8 weeks, 266 of 2,307 accounts (12%) were corrected; the remaining 2,041 (88%) were deactivated.
The finding that 62% of adolescent portal accounts were used/accessed by guardians has significant confidentiality implications. In the context of the Cures Act Final Rule and increased information sharing, our institution’s experience with ensuring appropriate access to adolescent portal accounts is necessary, timely, and relevant. This study highlights ways to improve patient portal confidentiality and prompts institutions caring for adolescents to review their systems and processes.
This article describes the early steps of addressing inappropriate guardian access of confidential adolescent patient health information via an institution’s electronic patient portal. In the context of the Cures Act Final Rule and increased health information sharing, the institution’s experience ensuring confidentiality in adolescent portal accounts is timely and relevant.
Management and distribution of confidential adolescent health information presents unique challenges. On one hand, we seek to empower adolescents to engage with their healthcare, promoting greater ownership and management of their own health. On the other hand, there is a push to increase transparency and access to healthcare data for both patients and their guardians. Ensuring confidentiality is a key part of achieving a balance between adolescent engagement and increased access to data. Various state confidentiality laws covering sensitive matters such as mental health, reproductive health, and substance abuse help ensure confidentiality is protected [
]. With broader adoption of electronic health records (EHRs), accompanying patient portals and tools to enable health information exchange are being implemented throughout the country. Since the recent passage of the 21st Century Cures Act Final Rule, healthcare systems must ensure that patients’ medical record information is easily and immediately accessible in an electronic format and that healthcare data are not blocked [
Our institution’s online patient portal system provides adolescents (defined at our institution as ages 12–17) and their guardians with electronic access to communicate with their provider, view and schedule appointments, request medication refills, view laboratory test results, and view educational materials. Access to health information and a patient’s medical team via a patient portal can promote greater ownership and management of an adolescent’s health [
]. However, some of these features can risk breaching adolescent confidentiality. For example, if an oral contraceptive prescription or sexually transmitted infection testing result is displayed in the patient portal and viewed by a guardian, this may represent an inadvertent confidentiality breach. National guidelines from professional societies have provided guidance on these confidentiality principles [
]. The latest joint statement from the Society of Adolescent Health and Medicine and the North American Society for Pediatric and Adolescent Gynecology outlines specific recommendations for balancing adolescent health privacy with implementation of the Cures Act Final Rule [
In alignment with these national guidelines and recommendations, we have been working to segregate information, so confidential information is shared only with the adolescent’s portal account and not with the guardian’s proxy account. Unfortunately, as we began implementation of differential access to confidential information in the patient portal, the patient portal team was alerted that a guardian received a notification of their child’s upcoming confidential appointment. In reviewing this case, it was discovered that the guardian’s email was registered to the adolescent’s account. This discovery launched a quality improvement effort to examine how many accounts were similarly affected, review the portal access registration process, and develop a workflow to screen for erroneously registered or guardian-accessible adolescent accounts to prevent further confidentiality breaches. Sharing these early efforts with other institutions that care for adolescent patients will provide a basis for screening and identifying problematic accounts to ensure confidentiality.
Our institution is a California-based tertiary-care academic pediatric health system consisting of Lucile Packard Children’s Hospital Stanford, a 361-bed, freestanding, academic children’s hospital, plus more than 60 ambulatory locations across the San Francisco Bay Area with an annual outpatient volume of ∼525,000 visits. A full complement of pediatric subspecialty and general medical services are available via its hospital and clinic network. Patients and guardians can utilize the MyChart patient portal, which is part of the Epic EHR (Verona, WI). As of August 2020, our institution had ∼190,000 activated MyChart accounts, of which ∼40,000 were adolescent or adolescent proxy accounts (Supplemental Figure 1). Each month, we recorded ∼50,000 unique visitors to the portal. In the last calendar year, 255,000 messages were sent from patient accounts to their healthcare providers. We focused on accounts for patients between the ages of 12–17 years, as these patients have specific state-mandated confidentiality protections. Broadly summarized, adolescents in California have rights to consent to and receive confidential services pertaining to reproductive and sexual health, mental health, and substance use [
The MyChart application is supported by a team of analysts working within our hospital’s Information Systems group. This team works closely with the Chief Medical Information Officer; compliance, privacy, health information management systems teams; and medical provider representatives to ensure functionality and regulatory compliance of the MyChart system.
After identifying the erroneously registered adolescent account, the MyChart team began by reaffirming the following guiding principles for our adolescent patient portal: (1) clinical information should be as available as possible through the patient portal while respecting legal limitations; (2) guardians should have access to nonconfidential health information of their adolescent children via proxy accounts—this principle is crucial to reducing the incentive for guardians to inappropriately use their adolescent’s account; (3) adolescents should have access to their own confidential health information; (4) adolescents, with their guardian’s consent, should have access to their nonconfidential health information; and (5) until system functionality exists to allow differential release of confidential information, records should not be indiscriminately released through the patient portal. Instead, records should be released via existing request of information mechanisms which have additional checkpoints to ensure information is being released to the appropriate parties. Segregation of confidential from nonconfidential data is a nontrivial task in itself and is an ongoing parallel effort at our institution. In summary, our overall approach to portal access is to be transparent with information for both adolescents and their guardians while observing relevant state and federal laws.
With these principles in mind, we defined a quality improvement project with the following aim: to ensure adolescent patient portal accounts are properly registered to adolescents (and not accessed by their guardians). We achieved this by first addressing all existing adolescent accounts and second by establishing a process to minimize the percentage of newly flagged accounts. Our initial outcome measures were defined as follows: (1) percentage of adolescent accounts associated with a guardian’s email and (2) percentage of adolescent accounts with outbound messages suggestive of nonpatient communication to the provider. These measures were chosen with the ultimate goal of preventing another patient/family report of a confidentiality breach event from occurring.
As illustrated in the Key Drivers diagram (Figure 1), addressing this problem involved not only addressing the portal access registration process as a contributor to erroneous registrations, but also recognizing the need for education on appropriate use of the patient portal by all parties (adolescents, guardians, healthcare providers, and clinic staff). Developing a mechanism to reconcile existing accounts with erroneous registrations was also critical to our approach. The key drivers’ identified and associated interventions are arranged by how upstream or downstream in the portal account registration process they fall. However, the order in which we approached each driver was as follows:
Given that existing adolescent accounts were erroneously registered with their guardians’ email, we developed a screening methodology with our Information Systems team to identify portal accounts registered with an email address likely to be a guardian’s. This screening methodology was iterated upon and included methods such as manual review of the account’s registered email, manual review of portal message content, account email to guardian name string edit distance calculation (i.e., the number of letter or number changes one has to make to make the guardian name match the email address), and natural language processing (NLP) of message content. In conjunction with the adolescent family advisory council, messaging was developed to notify patients and their guardians to correct the registration of a flagged account. If flagged accounts were not resolved within a certain timeframe, they were deactivated until the correct registration process was completed.
In collaboration with our outpatient clinics and patient access phone line, we clarified the workflow for registering patients for portal access. Patients can register for the portal in-person at the clinic, over the phone through patient access, or online via the portal Web site, though the majority do so at clinic or over the phone. Thus training materials and presentations were created to reinforce verification of the adolescent’s email prior to account activation, and training was given to front desk staff and schedulers. Leveraging reporting and analytics, we targeted additional training by identifying clinics with high registration error rates.
We improved the electronic portal registration process; now when an adolescent account is registered, the email entered for the account is matched against the guardian’s email in the EHR. If the two emails match, a warning message is triggered, and a different email is requested before account registration can be completed.
The plans for this quality improvement project were submitted to our institution’s Institutional Review Board, which made a determination that it does not meet the criteria for human subjects research, and the project was exempted from further review.
In our first round of account reconciliation beginning in August 2020 (Figure 2), 2,307 of 3,701 (61%) adolescent accounts were flagged as being associated with a proxy email by manual detection methods (Figure 3A), with a higher flagging rate in younger patients (age 12: 80%, age 13: 85%, age 14: 73%). Notably, the patients with flagged accounts had a low rate of accompanying proxy account registration ranging from 20% to 32% (Figure 3B). The total number of adolescent portal accounts shifts on a rolling basis due to patients who age out (turn 18), as well as new account registrants. Via a MyChart message, these 2,307 account holders were notified that their account contact login information required resolution by our IT Help Desk.
To supplement the manual review of adolescent accounts, which is time consuming, we embarked on an iterative process to detect incorrect emails associated with adolescent account. We used the Levenshtein edit distance of the email tied to the adolescent account to the guardians’ names and determined an edit distance threshold of seven to flag email addresses for review [
]. For example, if the number of letter changes needed to transform [email protected] to John Smith is seven or less, the account would be flagged. This method was not used in the initial cohort of manually flagged accounts, but it has been incorporated into our ongoing account flagging methodology.
We also evaluated the portal messages coming from presumed adolescent accounts using NLP in order to flag guardian-accessed accounts. We evaluated text features using heuristics that suggest nonpatient use of their portal account. The heuristics for account messages being sent by a guardian included the following: (1) the patient’s name being referenced in possessive form (e.g., John’s); (2) the salutation matching a relative on file; (3) simple string matching for “my son” or “my daughter”; (4) the patient’s name being in the message body; and (4) third person referencing of the adolescent patient based on name (him, her, them).
By using this message analysis approach, we narrowed our search space to messages from a patient to their provider and exported them for further review. Many messages in the system are automated notifications and were excluded, leaving 13,610 eligible messages coming from 1,094 accounts. Of the 1,094 accounts analyzed, 43% were flagged based on message content. The results comparing the three methods are presented in Table 1. A cross-match of the manually reviewed accounts with the NLP-flagged accounts was performed and is summarized in Supplemental Figure 2—162 accounts were uniquely flagged by NLP only (i.e., the account’s email was not suggestive of guardian access), 306 accounts were flagged by both review of the email and by NLP, and 2,001 accounts were flagged by manual review only.
Table 1Summary of guardian-accessible account identification methods and percentage flagged by each method
Manual Inspection: Account Emails
Adolescent account email address is compared with the name/s of their guardians
Manual Inspection: Account Messages
If adolescent account email address is ambiguous, account messages are manually reviewed for guardian access
Email “Edit Distance”
Calculation of Levenshtein string edit distance between account email address and guardians’ names is calculated, and if below a threshold of 7, the account is flagged
Natural Language Processing of Portal Messages
Message text to providers in adolescent accounts analyzed for features suggestive of nonadolescent use
Notably, the number of accounts reviewed differs given differences in inclusion criteria and time frames of when accounts were queried.
Eight weeks after the initial flagged account notifications were sent, 266 of the initial 2,307 (12%) flagged accounts had their emails updated with the adolescent’s email. Guardians were encouraged to register for a proxy account in order to establish proxy access. Reconciled accounts by age are shown in Table 2. During this period, up to five MyChart message alerts were sent to flagged account holders. The message, developed with the Family Advisory Council, is shown in Supplemental Figure 3. An ongoing auditing report process combining the NLP and email edit distance algorithms was then created to continue to identify erroneous registrations. Registration processes and workflows are an ongoing effort and educational conferences have been occurring with clinic staff on an ongoing basis since September 2020. We also assessed which clinic locations and subspecialties had the highest rates of incorrectly registered accounts. The highest absolute number of problematic registrations was occurring over our patient access phone line. No specific trends were identified among our subspecialty or general pediatric clinic groups, therefore educational efforts were provided to all clinics. Modifications to the electronic registration process to crossmatch the email being registered to the guardian’s email at the time of registration is in the process of being deployed.
Table 2Number of flagged accounts corrected by guardians versus deactivated by MyChart administration versus aged out (patient turned 18 during reconciliation window)
This initial assessment of a broader quality initiative demonstrated a high baseline rate of erroneously registered adolescent portal accounts. As our institution experienced, enabling adolescent access to their confidential health data can be challenging due to the myriad laws and regulations governing access to health information, electronic, or otherwise [
]. This is further complicated by varying state adolescent confidentiality and consent laws and the most recent Cures Act which expands patient’s rights to access to electronic health information. In this work, we have shown that taking steps to identify and resolve guardian-accessed patient portal accounts is feasible and necessary to ensure adolescent confidentiality.
Our goal has always been to maximize the utility of portal access in proxy accounts for guardians, as this will help engage families in the care of pediatric patients and likely decrease the incentive for guardians to misuse an adolescent’s own account. However, a recent survey by Goldstein et al. [
] showed highly variable degrees of access for both adolescent patients and their guardians across institutions. Health systems are actively grappling with these choices and challenges, especially with the recent Cures Act implementation and impending enforcement. Bourgeois et al. [
] aptly highlighted some example cases where confidentiality challenges arise when increased health information sharing is not supported by technology, workflow, and educational factors. Similar to the experience at another academic pediatric healthcare system, our institution’s adolescent patients are more likely to directly interact with the patient portal as they get older [
]. However, the majority of adolescents may still find it helpful for their guardians to be involved in their healthcare, especially if they have a complex medical history. This likely explains why younger patients had a higher rate of guardian associated email registration, since guardians are likely to be more directly involved in their younger children’s healthcare. In our cohort, flagged adolescent accounts had a relatively low rate of accompanying proxy accounts (20%–32%), which further corroborates the need for education to families, clinics, and providers that the ideal solution is to have two separate accounts (one for the adolescent and one for the guardian). Since the prevalence of incorrectly registered adolescent portal accounts was previously unknown, our team is also conducting a multisite study to identify the prevalence of guardian-accessed adolescent portal accounts at other institutions [
When guardians were notified of their erroneously registered accounts via the portal account, 266 out of 2,307 (12%) took the initiative to contact our information systems help desk to correct the account registration and create a proxy account. Interestingly, a handful of especially engaged families had to formally request access to their existing portal messaging history which would otherwise not be accessible via the new proxy account. This suggests that the patient portal facilitates close communication with the medical team and that these families highly value this tool. Conversely, given the relatively low rate of voluntary account updates (12%), this could also suggest that a large proportion of adolescents and their guardians may not engage with portal messages via their email or portal phone application. At this time, text messaging is only used for appointment reminders; we are in the process of implementing more ways to interact with the portal via text.
Another challenge highlighted by the process of addressing inappropriate account registrations is the lack of clarity when entering email contact information in the EHR demographics section—currently, there is no distinction between the adolescent and guardian email information. Separating out a confidential “adolescent email” and “adolescent phone” number is necessary, but may have downstream effects that are not readily apparent. This has prompted a more global review of how demographics are handled for all patients in our system and ongoing discussions with our EHR vendor. For now, the onus to protect adolescent confidentiality has been placed on individual institutions. However, advocating with EHR vendors for universal protections will have long-term benefits.
This early effort serves as a framework for considering how to release confidential medical information to adolescents via a patient portal. Adolescent accounts that can be used and accessed by guardians are highly prevalent. The current two blunt approaches of either only releasing nonconfidential information to all parties or giving portal access only to adolescents and cutting off access to guardians may not appropriately support adolescent and family engagement, especially in the case of adolescents with complex medical conditions. However, these may currently be the only technically feasible options for ensuring confidentiality at this time. As EHR vendors and health systems evolve in their approach to health information sharing, a nuanced approach must offer differential access of confidential information and secure messaging for the adolescent, while still providing portal access to nonconfidential information for the guardian via a proxy account. Here we draw upon multiple methodologies to identify erroneously registered accounts and determine if an adolescent account is accessible or used by a guardian.
There are several limitations to this work. First, this work was performed at a single pediatric institution with a relatively mature implementation of its EHR and patient portal, which may limit generalizability. Second, the resources in place to address this issue at our institution may not be readily available at other institutions, especially if they are not pediatric-focused centers. Third, review of the account email addresses does not account for the possibility that the adolescent has either given permission for their guardian to use their account or has been coerced to do so. NLP review of adolescent account message content addresses the shortcoming of manual review but is unlikely to identify all guardian-accessed adolescent accounts. Specifically, it is possible to miss cases of guardian access when the guardian has access to both the adolescent’s email account and portal account. Furthermore, if there is no portal message content to analyze, NLP will be unable to detect these cases. Finally, since this process is ongoing, we have not yet reached our goal of sustained prevention of registration errors or guardian-accessed accounts that could lead to confidentiality issues. The data and initial intervention described here serve as a baseline and first plan-do-check-act cycle of an ongoing quality improvement effort. We do not yet have additional time series data from ongoing account registration flagging rates. Ideally, an automated account flagging process (similar to the one which we have developed) will help provide our MyChart analyst team with a manageable number of accounts to review and provide a workflow for correction.
As clinicians and informaticists strive to implement patient portals for adolescents, respecting the complexity of adolescent confidentiality is not as simple as building all the right access control levels for different account types; implementation must also encompass the specific registration workflow and account validation. Different methods for detecting erroneous registration can be implemented to prevent inadvertent confidentiality breaches both upstream and downstream in the portal registration process. As we move forward, shifting away from time-intensive manual review to an automated email string-matching and rule-based NLP system will assist with this. Furthermore, education for providers to recognize when a guardian is inappropriately using an adolescent account is another way to flag and address the potential for confidentiality breaches.
The lessons learned in fine tuning confidentiality protections for adolescents can also be applied for adults who choose to assign care proxies. As described by Latulipe et al. [
], adult portal accounts are fraught with similar security and privacy risks. This should spur informatics teams and health systems to be conscious of allowing adequate proxy portal access while also building in access controls to appropriately keep confidential information hidden.
Although this work is ongoing, in the context of the Cures Act Final Rule timeline, sharing our institution’s experience with implementation of adolescent patient portal accounts with accompanying differential access for their proxies is timely and relevant. Preventing information blocking and releasing more information to patients and guardians is a laudable goal, but it is fraught with issues surrounding confidentiality, especially in the adolescent population. Our discovery of adolescent portal accounts that can be accessed by guardians highlights suboptimal confidentiality protections and should prompt all institutions caring for adolescent patients to review their systems and processes. We hope our strategies to address this issue via screening and reconciliation of problematic accounts; optimizations to account registration; and education of patients, families, providers, and clinic staff will ensure that adolescents are able to receive the confidential care they are entitled to.
No funding was secured for this study.
We would like to thank all members of the MyChart and “Teen Action Plan” teams for their hard work that has contributed to ensuring confidentiality for our adolescent patients.
Author contributions: Drs. Xie and Pageler conceptualized and designed the study, drafted the initial manuscript, contributed to design and validation of analyses, and reviewed and revised the manuscript. Mr. McPherson, Mr. Hogan, and Mr. Fong led educational efforts, workflow changes, and account analyses and upkeep, and reviewed and revised the manuscript. Mr. Austin led the design and validation of automated analyses, and reviewed and revised the manuscript. Drs. Ip and Morse contributed to design and validation of analyses, and reviewed and revised the manuscript. Drs. Carlson and Lee critically reviewed the manuscript for important intellectual content, and reviewed and revised the manuscript. All authors approved the final manuscript as submitted and agree to be accountable for all.
Redesign of the health information system was a key element in the agenda presented in 2001 by the Institute of Medicine's call to arms to improve the U.S. health-care system, “Crossing the Quality Chasm” . This report suggested that a primary goal of electronic health record (EHR) systems should be to improve the quality and efficiency in the delivery of health care. EHR systems should facilitate interinstitutional connections and provide patients with access to their health information through patient portals.