Member Forum

Expand all | Collapse all

Patient portals and adolescents

  • 1.  Patient portals and adolescents

    Posted 07-12-2018 04:49
    Hi All,

    How are you guarding adolescent confidentiality on your patient portals? PF offers an all or nothing access to the portal-- I can't grant access to the self-scheduler without giving access to diagnoses, meds, etc, which is problematic for teen patients.

    I am wondering if it makes sense to purchase a stand-alone portal/scheduler and would be interested in your thoughts.

    Thank you!

    Elizabeth Bird, MD
    Chester CT

  • 2.  RE: Patient portals and adolescents

    Posted 08-05-2018 13:28
    I'm not sure I understand.   If patients, including teens, ask for their PHI, you have to give them access to their med record, unless you think it's going to harm them, and they can challenge that judgement.  If state law is MORE stringent, then that also applies.

    Also, w a few exceptions, PARENTS have access to their minor children's medical records.  Age of majority is a state law thing.

    "Yes, the Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child's personal representative when such access is not inconsistent with State or other law.

    There are three situations when the parent would not be the minor's personal representative under the Privacy Rule. These exceptions are:

    1. When the minor is the one who consents to care and the consent of the parent is not required under State or other applicable law;
    2. When the minor obtains care at the direction of a court or a person appointed by the court; and
    3. When, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship.

    However, even in these exceptional situations, the parent may have access to the medical records of the minor related to this treatment when State or other applicable law requires or permits such parental access. Parental access would be denied when State or other law prohibits such access. If State or other applicable law is silent on a parent's right of access in these cases, the licensed health care provider may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor's medical information."


    "Denial of Access

    Grounds for Denial

    Under certain limited circumstances, a covered entity may deny an individual's request for access to all or a portion of the PHI requested.  In some of these circumstances, an individual has a right to have the denial reviewed by a licensed health care professional designated by the covered entity who did not participate in the original decision to deny.

    Unreviewable grounds for denial (45 CFR 164.524(a)(2)):

    • The request is for psychotherapy notes, or information compiled in reasonable anticipation of, or for use in, a legal proceeding.
    • An inmate requests a copy of her PHI held by a covered entity that is a correctional institution, or health care provider acting under the direction of the institution, and providing the copy would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other person at the institution or responsible for the transporting of the inmate.  However, in these cases, an inmate retains the right to inspect her PHI.
    • The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g., clinical trial) and is still in progress, provided the individual agreed to the temporary suspension of access when consenting to participate in the research.  The individual's right of access is reinstated upon completion of the research.
    • The requested PHI is in Privacy Act protected records (i.e., certain records under the control of a federal agency, which may be maintained by a federal agency or a contractor to a federal agency), if the denial of access is consistent with the requirements of the Act.
    • The requested PHI was obtained by someone other than a health care provider (e.g., a family member of the individual) under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.   

    Reviewable grounds for denial (45 CFR 164.524(a)(3)).  A licensed health care professional has determined in the exercise of professional judgment that:

    • The access requested is reasonably likely to endanger the life or physical safety of the individual or another person.  This ground for denial does not extend to concerns about psychological or emotional harm (e.g., concerns that the individual will not be able to understand the information or may be upset by it).
    • The access requested is reasonably likely to cause substantial harm to a person (other than a health care provider) referenced in the PHI.
    • The provision of access to a personal representative of the individual that requests such access is reasonably likely to cause substantial harm to the individual or another person.

    Note that a covered entity may not require an individual to provide a reason for requesting access, and the individual's rationale for requesting access, if voluntarily offered or known by the covered entity or business associate, is not a permitted reason to deny access. In addition, a covered entity may not deny access because a business associate of the covered entity, rather than the covered entity itself, maintains the PHI requested by the individual (e.g., the PHI is maintained by the covered entity's electronic health record vendor or is maintained by a records storage company offsite).

    Carrying Out the Denial

    If the covered entity denies access, in whole or in part, to PHI requested by the individual, the covered entity must provide a denial in writing to the individual no later than within 30 calendar days of the request (or no later than within 60 calendar days if the covered entity notified the individual of an extension). See 45 CFR 164.524(b)(2). The denial must be in plain language and describe the basis for denial; if applicable, the individual's right to have the decision reviewed and how to request such a review; and how the individual may submit a complaint to the covered entity or the HHS Office for Civil Rights. See 45 CFR 164.524(d).

    If the covered entity (or one of its business associates) does not maintain the PHI requested, but knows where the information is maintained, the covered entity must inform the individual where to direct the request for access. See 45 CFR 164.524(d)(3).

    The covered entity must, to the extent possible and within the above timeframes, provide the individual with access to any other PHI requested, after excluding the PHI to which the entity has a ground to deny access. See 45 CFR 164.524(d)(1). Complexity in segregating the PHI does not excuse the obligation to provide access to the PHI to which the ground for denial does not apply.

    Review of Denial

    If the denial was based on a reviewable ground for denial and the individual requests review, the covered entity must promptly refer the request to the designated reviewing official.  The reviewing official must determine, within a reasonable period of time, whether to reaffirm or reverse the denial.  The covered entity must then promptly provide written notice to the individual of the determination of the reviewing official, as well as take other action as necessary to carry out the determination.  See 45 CFR 164.524(d)(4).

    Also, see
    Does the HIPAA Privacy Rule allow parents the right to see their children's medical records?
    HIPAA Privacy Rule and Sharing Information Related to Mental Health

    Peter Liepmann MD FAAFP MBA
    My mission is to fix US health care
    Bakersfield CA

  • 3.  RE: Patient portals and adolescents

    Posted 08-06-2018 05:24
    Edited by Elizabeth Bird 08-06-2018 05:25
    Hi Peter,

    In our state of CT  minors do not require parental consent for care pertaining to  STI testing/treatment and other aspects of sexual and mental health care. With regards to the records around such care, it is a best practice to enter an agreement with parent and adolescent whereby certain aspects of their care and record remain under the adolescent's control.  AAP and ACOG have sample forms and go into this in great detail.

    When eliciting sensitive information, such as drug and alcohol use and sexual activity, the parent provides consent to this exam, and the provider explains to both the parent and the minor that the exam should be private and that the provider will keep the minor's confidences. Where the provider assents to this agreement, the minor, and not the parent, will have the right of access to, and control over health information covered by the agreement ((See 45 CFR @164.502(g)(3)(iii)). I have never had a parent refuse or demand records after the fact (knock on wood).

    As far as I can tell, PF's portal prominently displays diagnoses such as chlamydia and lists the drugs I might use to treat it. That is all well and good but there is no way to separate patient scheduling from the portal.

    I would like to grant a 16 year old's parent access to online scheduling but not to his/her sexual health.

    That is all.

    Elizabeth Bird, MD
    Chester CT