Patient Portals: Express Lane on the Health Information Highway

By Lisa A. Eramo

No information request traffic jams.
No toll road trips to the physical HIM department.
Just an open and instant route to patient health information.
But building and managing a patient portal requires HIM knowledge and expertise.

Patient portals are rapidly expanding throughout the healthcare industry, and opening an express lane through the emerging health information exchange super-highway. In this era of patient-centered healthcare, portals that link to electronic health record (EHR) systems provide patients with what they want-easy access to their health information and other savvy online tools. However, portals also raise record management and privacy and security questions that HIM professionals should be ready to address.

Some providers may be able to activate portal functionality offered through their EHR vendor. More frequently, however, they must either build the portal in-house or engage a third-party developer to create it, says Kelly McLendon, RHIA, CHPS, president of Health Information Xperts, LLC, in Titusville, FL. Most EHR vendors don’t currently offer portals, and they probably won’t unless the EHR Incentive Program’s proposed stage 2 meaningful use criteria become finalized, he adds.

Proposed stage 2 criteria require eligible hospitals to provide patients with the ability to view online, download, and transmit information about a hospital admission within 36 hours of discharge. Eligible physicians must give patients the ability to view online, download, and transmit their health information within four business days. If finalized, these criteria-which implicitly require portal functionality-would replace the stage 1 meaningful use criteria that requires eligible hospitals and physicians to provide electronic copies of information to patients within three business days.

HIM professionals should be at the decision-making table and actively involved in patient portal design and implementation, McLendon says.

“HIM professionals are the record custodians who are responsible for the integrity of the record,” he says. “They’re also going to end up administering at least some part of the portal, so they need to be involved in the front end.”

Portal Tests HIM Best Practices

The portal has been-and continues to be-part of a larger initiative to satisfy clear patient expectations for fast online access to health information, says Robin Gann, MHA, RHIA, corporate privacy officer and director of HIM at CoxHealth, a large tertiary healthcare system headquartered in Springfield, MO. Gann was instrumental in developing a patient portal policy at CoxHealth as well as ensuring the portal adhered to HIPAA and Missouri state law. CoxHealth has more than 33,000 users regularly accessing a portal linked to the system’s EHR to check test results, refill prescriptions, exchange secure messages with physicians, engage in e-visits, maintain health journals, and more.

It’s critical for HIM professionals to get involved in portal discussions, Gann says. Nearly all of HIM’s best practices and recommended processes are put to the test with a patient portal.

“I would encourage people to not wait to be asked to participate,” Gann says. “Start talking about the issues that you need people to understand. Offer your services to your peers so they can get a more well-rounded understanding and can implement that information into the design process.”

Reconciling Regulations and Patient Access

The portal, which was initially tested using a five month pilot project involving three clinics, is currently live in all 56 CoxHealth clinics, including its pediatric clinics and each of its four hospitals.

During the design process Gann helped ensure that internal business analysts charged with designing the portal understood the regulations and their impact on patients. Portal access and development is less straightforward for some patients than others. For example, in Missouri, parents have the right to access a minor’s health information with the exception of protected minor visits. If the minor provides consent for treatment, as is the case for protected minor visits, then the minor must also be able to authorize or restrict the release of that information. When developing patient portals for minors, HIM professionals should consult with state law regarding the development, maintenance, and disclosure of minor-protected health information.

As regulations and policies regarding portals and minors can be complicated, some hospitals don’t include portal access for minors at all. Hospitals that choose to do this must carefully develop an appropriate strategy for managing the information. To address this in their own portal, which is governed by Missouri state law, CoxHealth decided that once a minor reaches age 13, he or she will receive notifications stating that certain sensitive information (i.e., STD testing, drug and alcohol abuse, and pregnancy testing) will be visible to his or her parents through the portal. The minor then has the option to disconnect the portal from his or her parents. This decision was made after consulting state law and the hospital’s internal policies. This portal policy would vary depending on where a facility is located and the laws of that state.

“We had to work through the regulations to ensure that we were comfortable with the processes and the protection of patient information,” Gann says.

For example, Gann helped to ensure a strict process for authenticating identity prior to providing patients with access to the portal itself. Patients must present in person and show a photo ID during registration or anytime thereafter before they receive an access code to use when logging into the portal.

“This is how we ensure that the information is protected and that the patient is the one who is creating the information,” she says. “Just because you’re releasing information electronically doesn’t mean the regulations change. You have to make sure that the intent of the regulations are met.”

Patients receive notifications every 12 months reminding them to log-in and update proxy designations and other information if it has changed. This helps ensure information is correct, and cuts down HIM work on the back end verifying portal user authorization to access information.

CoxHealth chose to develop the portal entirely in-house so that it could more easily integrate and exchange information between the EHR in its clinics and hospital settings, both of which currently use a different vendor. Integration also allows patients to be able to view their physician clinic chart, hospital encounter information, and emergency department/urgent care visits all in one place.

“We’re also continually expanding the data elements that the patient has access to because we eventually want them to have access to the whole record,” Gann says.

Gann says the health system chose to implement the portal in its clinics first because it wanted to enhance the relationship between physicians and patients in that setting. Mandatory physician participation has helped the health system grow and sustain the effort.

“We actually went clinic by clinic and rolled out the portal with training, testing, and go-live support one by one,” Gann says. “It has taken more than a year to get all providers set up and offering this service to their patients.”

In addition to managing consent, Gann helped open the lines of communication with physicians who advocated for a delay in the release of certain types of sensitive, life-threatening, or serious medical information. Results are automatically released either upon physician signature or 71 hours from the time the results are made available to the physicians for review. The only exceptions are pathology and HIV-related results, which are held for 14 days regardless of physician signature.

“The physicians wanted an opportunity to communicate with the patient themselves rather than having them read about it on the portal,” Gann says.

The volume of requests for record amendments has risen since the launch of the portal at CoxHealth. However, Gann doesn’t attribute the increase directly to the portal.

“I think it’s more about patients being aware of their rights and wanting the information to be accurate,” she says.

Making Portal Exclusion Decisions

When developing their patient portal, the Springfield Clinic had to make decisions to exclude certain types of information in addition to what would be included.

Behavioral Health: Under Illinois law, behavioral health providers can deny a patient access to their records if the ability to review them may pose a danger to the patient or others, or if they feel it will be detrimental to the patient’s recovery.

Protected Minor Visits: Protected minor visit privacy is governed by state law, and will vary from state to state. If parents sign up as a proxy for a minor’s patient portal, information from protected visits would need to be excluded from that access.

Research Records: Research services are not a part of the typical legal health record primarily because it is not in the best interest of the patient. If patients review their records during a trial and find that they are receiving the placebo or subtherapeutic dosage, for instance, they may drop out and ruin the study.

Business Records: Business records are typically excluded from the legal health record because they are not related to actual care. Like research records, they are available to providers in the EHR but are not released beyond point of care access.

Other Sensitive Records: Other records that require additional patient authorization for release include thermograms, clinical photography, and genetic testing.

HIM Instrumental in Portal Design

While the portal at Springfield Clinic was a physician-driven initiative led by one of the clinic’s medical directors, HIM provided significant input on the design and use of the technology, says Linda D. Meadows, RHIT, CHP, information privacy officer at Springfield Clinic.

Springfield Clinic, a multi-specialty medical organization with more than 20 offices throughout Illinois, has nearly 13,000 users regularly accessing their health information and performing other tasks through its portal.

The clinic launched a pilot of the portal, created by a third-party developer, in January 2011 with health records from approximately 200 employees. A few months later, the first few clinics began to officially use the portal. Today, all clinics use it.

HIM is involved in the portal’s operations from the moment patients sign up through their use of the technology, says Meadows, who was instrumental in helping to design workflows that would ensure the portal met HIM and other regulatory compliance.

When a patient expresses interest in signing up for the portal, a receptionist at one of the Springfield Clinic’s sites validates the patient’s identity using a photo ID and captures his or her e-mail address. Next, a full-time portal support specialist sends an e-mail invitation to the patient notifying him or her of the access code that will activate the account. To enhance security, the e-mail includes a link to the portal that is valid for only seven days.

The development of the portal lead to new HIM job roles. Two newly added full-time portal screeners pull and screen patients’ charts, looking for any misfiles (i.e., files that belong to other patients or files that are incorrectly labeled). These portal screeners ensure data integrity and prevent HIPAA violations prior to releasing the record. Clerks take an average of five to seven minutes to screen each chart. Auditors then fix any errors before files are downloaded into the portal.

“It’s an expense to do that for a free service that we’re offering, but we couldn’t tolerate the ratio of internal misfiles and potential HIPAA violations,” Meadows says. “We decided to go ahead and spend the money to have the charts screened, and we’re fixing a lot of our errors before they go out the door.

“We have in the last year prevented more than 3,000 HIPAA violations this way.”

Release Forms Still Required

Once patients gain access to the portal, they must sign an electronic authorization that Meadows drafted to allow Springfield Clinic to release records to the portal. If patients assign proxies, the clinic asks for a second authorization to allow clinical staff to communicate through the portal as well as verbally with those individuals. Patients must also sign a separate consent to download sensitive information, such as clinical photography or body imaging.

In addition to authentication and consent, HIM professionals also provided input into what, and how much, information to release through the portal. Rather than taking a more conservative approach, the Springfield Clinic HIM department decided to release the entire legal health record from October 1, 2008 to the present with a just few exceptions.

“It doesn’t cost us anything more to do that. I figured it was the best thing to do for patient care,” Meadows says.

Certain Restrictions Apply

However, operationalizing this task was easier said than done. It meant that the clinic had to include problem lists, medications, allergies, flow sheets, provider notes for office visits, diagnostic test results, correspondence, ambulatory surgery center records, and limited non-clinical information. However, it also had to exclude behavioral health, protected minor visits, research records, business records, and other sensitive record content.

The portal automatically downloads or excludes documents based on type or provider, says Meadows, who helped solidify a process for integrating the portal with the EHR. The HIM department’s ROI supervisor approves each document type as it’s added to the EHR so that it’s either included or restricted from the portal. A list of all documents and files as well as their portal status is accessible on the clinic’s intranet.

“You really do need to understand the document types in the EHR if you’re going to put information out there for patients to see,” Meadows says. “You need to decide what’s appropriate and what’s not.”

For example, although the legal EHR includes insurance investigator reports for worker’s compensation cases, this information is excluded from the portal for a number of different reasons. In addition to being purchased services, investigations may include information on discovery of patient activities they do not want disclosed or, in some cases, could even aid individuals in developing claims fraud tactics. The clinic would typically refer the patient to the employer for access to these records.

Certain providers’ notes (i.e., behavioral health specialists) are always excluded. The portal also excludes protected minor visits. This means physicians must use the “protected minor note” template to document these encounters or else the information will automatically upload into the portal.

Providers must use the correct note type at all times, which is something that required significant physician education prior to the rollout, Meadows says.

“We had to review with physicians that the note type on which you dictate determines whether or not this information goes out on the portal,” she says.

In some cases, physicians must dictate two separate note types for the same visit to ensure that information flows correctly into the portal. At Springfield Clinic, clinical research records aren’t part of the legal EHR, which means they’re not part of the portal either. If a patient participating in a breast implant study presents for a mammogram follow-up, the physician must document the follow-up information as part of an office visit note and then open up a separate document type to discuss and document information related to the research study.

Privacy, Security, and Education a Top Priority

The HIM department is also involved in helping to ensure the privacy and security of information in the portal. This includes identifying and working to prevent any potential HIPAA violations. For example, HIM staff provide physician education regarding clinical family history and the importance of not documenting other family members’ names and clinical information in a patient’s record.

HIM staff also train receptionists about the importance of capturing e-mail addresses accurately so that information isn’t sent to the wrong patient. The portal includes a 10-minute timeout session to avoid any incidental disclosures when users don’t sign out of the portal after using it.

HIM staff also ensures compliance relative to certain patients who must be excluded from the portal entirely. For example, when prisoners receive treatment at one of the Springfield Clinics, HIM staff adds them to a database of invitees to exclude.

“We treat prisoners, but we refuse them portal access or family proxy access because they will get advance notification of appointments,” Meadows says. “That information isn’t shared with prisoners or family in advance due to security reasons.”

Education on the portal has been a primary focus for HIM staff as well. Springfield Clinic employs approximately 350 providers in 50 clinical specialties. All providers, nurses, and receptionists receive training about sensitive workflows and their role in the portal initiative.

Physician education focuses partially on record transparency. HIM staff encourages physicians to eliminate the use of slang or derogatory terminology. HIM staff also remind physicians about the importance of updating problem lists. Physicians are encouraged to avoid excessive use of medical abbreviations or template cut-and-paste style documentation.

“We talked to the doctors about the fact that you’ve got to be able to document appropriately, not leaving anything out, but also understanding that patients and their family will see the information and ask about it,” Meadows says.

Patients also receive education about the portal. Meadows helped create an informational brochure for patients, and her work group is in the process of creating a list of medical abbreviations that patients can use as a reference. HIM staff has also educated patients about other aspects of releasing information. For example, in the forthcoming HITECH Act final rule, patients who self-pay for treatment will be able to withhold personal health information connected to that treatment from a health plan.

“Are they (patients) actually going to catch that and accidentally release it to their insurance company later?” asks Meadows, who plans to send reminders about this and other important information to patients using the portal. Although the IT help desk handles most technical questions about the portal, HIM staff handle HIPAA-related issues and requests for amendments, which Meadows says have increased by at least 20 percent since the implementation of the portal.

“The idea is to get the physician and the patient really communicating and correcting any perception issues,” Meadows says, adding that HIM staff most often receive calls about the problem list and other details, such as dates for immunizations, that may be missing from the record.

Patients can make changes to the information in their portal, but Springfield Clinic retains the ability to refresh the data if patients accidentally delete or alter information and want access to the original copy.

New HIM Opportunity

General consensus says the more information patients have about their own healthcare, the better care they will receive. The HIM professional’s role will be to help manage that access portal and to help patients manage the information held within it.

Lisa A. Eramo ( is a freelance writer and editor in Cranston, RI who specializes in healthcare regulatory topics, health information management, and medical coding.

Article citation:
Eramo, Lisa A. "Patient Portals: Express Lane on the Health Information Highway" Journal of AHIMA 83, no.9 (September 2012): 24-28.