|Home | About | Journals | Submit | Contact Us | Français|
Explicit guidelines are needed to develop safe and effective patient portals. This paper proposes general principles, policies, and procedures for patient portal functionality based on MyHealthAtVanderbilt (MHAV), a robust portal for Vanderbilt University Medical Center. We describe policies and procedures designed to govern popular portal functions, address common user concerns, and support adoption. We present the results of our approach as overall and function-specific usage data. Five years after implementation, MHAV has over 129 800 users; 45% have used bi-directional messaging; 52% have viewed test results and 45% have viewed other medical record data; 30% have accessed health education materials; 39% have scheduled appointments; and 29% have managed a medical bill. Our policies and procedures have supported widespread adoption and use of MHAV. We believe other healthcare organizations could employ our general guidelines and lessons learned to facilitate portal implementation and usage.
Patient portals are ‘healthcare-related online applications that allow patients to interact and communicate with their healthcare providers.’1 Using such portals, patients may view their electronic health record (EHR), schedule appointments, review test results, communicate with providers, pay bills, and receive personalized health information.2 3 Some 200 healthcare organizations and vendors4 have implemented patient portals.5–10 Obstacles to patient portal adoption have been well documented,11–18 but growing experience with these systems has produced both the knowledge and technological capability to overcome these barriers.17 19–21
Because patient portals must align with the Health Insurance Portability and Accountability Act of 1996 (HIPAA),22 it is critical for institutions to implement these systems in a thoughtful and organized manner.23 Researchers have articulated the lack of explicit guidelines directing the functionality and use of patient portals.23 24 In response, this paper describes procedures and policies directing the functionality of MyHealthAtVanderbilt (MHAV), a patient portal for Vanderbilt University Medical Center (VUMC).20 25 We elaborate on popular portal functions and discuss how guiding principles have addressed common user concerns, and have facilitated adoption and usage of MHAV.
VUMC is a private, non-profit, academic healthcare center in Nashville, Tennessee. VUMC includes the 916-bed Vanderbilt University Hospital, outpatient facilities that receive about 1.5 million visits per year, and inpatient facilities that receive about 50 000 admissions per year.
MHAV was launched in 2005 to improve communication between patients and healthcare providers. There were few patient portals and limited experience to guide system development at that time. Thus, our team designed governing procedures and policies to prevent privacy and security threats, ensure HIPAA compliance, and address common barriers to adoption. Stakeholders contributing to the design included healthcare providers, patients, privacy and security officers, legal representatives, and system developers.
The core functions of MHAV are similar to those of other patient portals5–10 and include:
Figures 1–3 illustrate these functions. In the sections below, we describe the procedures and policies governing each function and the associated usage statistics.
Privacy and security are the most common concerns of portal users,17 but complex authentication procedures may limit use. MHAV has two types of access to address these issues. Users may register for limited access online by providing their name, social security number, and birth date. Limited access users may exchange secure messages with established healthcare providers. Full access allows viewing of EHR information and requires the patient provide legal proof of identification in person.26 MHAV initially provided accounts for adult patients, and in August 2007 expanded access to pediatric patients.
New MHAV users must electronically sign an online user agreement before establishing a MHAV account (see online appendix). Adult patients may authorize one delegate to access their information through MHAV on their behalf. Delegates must register for a separate MHAV account with a unique username and password. Delegates do not need to be VUMC patients. Patients may authorize delegates to use selected MHAV functions including secure messaging, bill paying, and access to EHR data. The patient accepts full responsibility for granting or removing these permissions. These policies discourage patients from sharing their usernames and passwords, and document when another person acts on behalf of a patient.
For pediatric patients, the procedures and policies for access were designed to respect both the legal rights of the parents and the developmental state of the child. Parents or legal guardians must complete an application for access to MHAV and show a proof of identification to establish an account. For patients under 13 years of age, parents or guardians may create a MHAV account with controlled access for their child and may also assign a delegate. For patients 13–17 years of age, MHAV requires one parent or legal guardian to consent before a MHAV account can be established, unless a healthcare provider agrees the patient has conditions preventing participation in MHAV. As children enter adolescence, there is a shift from dependence on the parents to independent thinking, and it is important for teenagers to be able to exercise independence and communicate individual concerns.27 Patients who are 13–17 years old must also complete an agreement to allow parental participation in MHAV and may communicate with healthcare providers independently. When a patient reaches the age of 18 years or establishes emancipated status, parental or guardian access is terminated.
The secure messaging system of MHAV emerged as an extension of VUMC's EHR provider to provider messaging capabilities with additional procedures to maintain patient privacy. MHAV users are required to have a valid electronic mail (email) account for communication. When a VUMC provider sends a message to a user through MHAV, a notification is sent to the user's email address. However, the user must login to the secure MHAV system to view the message. Protected health information is not sent directly through email as these systems may not be secure or answered reliably. If the user does not open a message within a specified time period, the message bounces back to the provider, who can contact the recipient in another manner. The default time for returning a message is 5 days, but may be adjusted depending on the time-sensitivity of the message. This closed-loop system ensures that healthcare providers are notified when messages have not been received.
MHAV messaging procedures formalize a series of institutional best practices around messaging workflows. Patients can send messages to healthcare providers with whom they have an established relationship, defined by a scheduled appointment or having received care from that provider within the past 4 years. To maximize provider productivity,28 messages are sent to clinical groups and are often answered by a staff member (eg, nurse, administrative assistant, or allied health professional).15 29–31 Clinically relevant messages are forwarded to the patient's physician or another provider within a closed-loop system. Because messages are handled by clinical groups rather than by individuals, a provider's absence does not impose a delay on message response. Providers may initiate messages to MHAV users and specify that responses be sent directly back to them. All provider or staff member initiated messages contain a message date, time, and name of sender with degree information, thereby notifying the recipient of who sent the message. There have not been any MHAV user complaints about the message triage system.
MHAV messages may only be viewed and answered in the context of the VUMC EHR. This policy ensures that providers have seamless access to patient information and are responding to messages in the context of how they typically interact with protected health information. Using other types of communication, a provider might process a message in a less secure or private environment.
The messaging function overcomes several limitations of email and telephone communications, such as allowing users and providers to communicate sensitive information asynchronously, and after hours, so both parties may be in a private and secure environment.29 31–34 Messages sent through MHAV are submitted through a secure web-based form, and the EHR-based communications protocols make it difficult for messages to be intercepted. Users may communicate without exposing or accessing personal email accounts or telephone numbers. These procedures promote a sense of privacy and respect for personal boundaries. In addition, MHAV automatically stores all messaging threads to the EHR, providing a permanent documentation of correspondence; in some systems, this record is optional.10 Retaining messages in the EHR encourages MHAV users to send messages for appropriate concerns and encourages providers to generate thoughtful responses. This process differs from the documentation of telephone calls, which usually consists of an interpretation of an interaction rather than the complete communication.
Unanswered messages may potentially compromise patient safety and quality of care. In 2006, a review of MHAV messages identified approximately 19 000 unopened messages—some marked urgent—from virtually every department. New processes to identify and prevent unattended messages were developed. They included tallying unattended messages on a weekly basis, hiring a designated person to respond to this audit, notifying department administrators of unanswered messages, and training providers and clinic managers on safe messaging practices. In addition, two new provider messaging functions were implemented: an ‘out-of-office’ function that allows healthcare providers to inform patients and colleagues of absences, and an ‘email alert’ function that delivers email notifications to providers when they have an incoming message. The latter function was designed for part-time clinicians who might not regularly access the EHR. Answering messages in the EHR is a required clinical responsibility at Vanderbilt; both individual healthcare providers and clinical administrators are notified when responses are significantly delayed.
Access to EHR data through a patient portal creates concerns about privacy for patients and fears of misunderstanding from healthcare providers. However, MHAV policies address these issues through limitations on the types and timing of available test results. Only full access users are allowed to view information from their EHR. All test results are organized into three groups according to acuity, sensitivity, and need for healthcare provider interpretation. Group A contains approximately 300 blood test results that have high value for immediate user viewing with a low risk of untoward reaction to the information (eg, cholesterol levels). Group A test results are displayed in MHAV as soon as they become available. Group B includes approximately 6700 test results that with standard radiographic reports, are available through MHAV after a 7-day delay, which allows providers to review these results and contact the patient directly. Group C contains highly sensitive results that are never released through MHAV (eg, HIV test results and cancer pathology reports).
The accessibility of certain test results differs between pediatric and adult user accounts as the sensitivity of information may be age dependent (eg, pregnancy test results). MHAV users may also view vital signs, immunization information, and medication and allergy lists.
A personalized patient portal experience is likely to promote adoption and encourage active participation in one's health management. After logging into MHAV, full access users are presented with information specific to their health conditions and demographic profile. This information is derived from the International Classification of Diseases, 9th Revision, Clinical Modification (ICD-9-CM) diagnostic and the free-text problems section of the EHR,35 which (unlike the ICD-9-CM codes used for billing) is actively maintained by VUMC providers.25 Codes derived from the patient's problem list, combined with the ICD-9-CM codes are automatically matched via computer algorithms to the ICD-9-CM codes assigned by VUMC library staff to each disease topic. When a match is made, the appropriate disease topic is displayed in the portal, allowing patients to see links to information directly relevant to their care.25 Preventive health topics are also linked by patient-specific demographic characteristics and US Preventive Services Task Force recommendations.36 For example, a 65-year old, female MHAV user will receive information on screening for breast cancer, osteoporosis, and colorectal cancer.25
All MHAV users may use the messaging function to schedule an appointment with an established VUMC provider. Full access users may also view upcoming appointments and request appointments with a new provider by completing an online form.
Full access users may also view and pay their VUMC medical bills, access patient insurance information, and submit billing questions through a standardized form.
Five years after initial release, MHAV has over 129 800 registered users, representing 27% of all VUMC patients. Of these users, 62% are female. In 2010, a total of 72 071 different users logged into MHAV 1 369 675 times. On average, 2900 new users signed up for access each month. Of the adult users, 1.2% have assigned a delegate to access their account.
Forty-five percent of users have sent and received a message from a VUMC provider. When the message audit process began, 10.7% of messages (~3000 messages) were unanswered each week. By December 2010, <0.5% of messages (~205) were unanswered each week.
Fifty-two percent of users have checked a test result and 45% have viewed other health information from the EHR. There are now over 61 health topics and more than 300 test results with associated explanations available through MHAV, and 30% of users have accessed this information. From January 2006 to December 2010, 2% of MHAV users had requested an appointment with a new VUMC provider, while 39% had viewed upcoming appointments. In this same period, 29% of users had viewed a medical bill, 31% of them had paid a bill, and 8% of all users had asked a billing question through MHAV.
As the demand for patient portals increases, so too does the need for guidelines to direct their design and use.23 We have described the procedures and policies that regulate the functionality and usage of MHAV. We have demonstrated enthusiastic adoption of this portal by the Vanderbilt community, with ongoing growth of MHAV accounts for both adult and pediatric patients, and increasing usage of functions that typically prompt concerns about privacy and security. Our policies for registration, tiered-level access, and accounts designed for parents and delegates help to prevent unauthorized use, but allow sharing of information among patients, families, and caregivers. Our messaging policies ensure that communications are delivered and answered in a secure and timely manner. Our procedures for categorizing and delaying or prohibiting the display of test results permits patients to view important health information through MHAV, but gives healthcare providers ample time to respond to critical findings and keeps users from receiving news online that should be delivered in a more personal manner. Together, all of these functionalities and associated policies support the execution of administrative tasks such as scheduling appointments and managing medical bills. Finally, connections to the EHR create a personalized experience with the delivery of customized and relevant health information.
The described procedures and policies were designed not only to promote acceptance and use, but also to facilitate high quality care and to assure patient safety. Our audit processes have resulted in a dramatic reduction in unanswered messages, which potentially improves both user satisfaction and quality of care. Our future research will include formal evaluations of the user experience as well as the measurement of quality and safety of care delivered through the patient portal.
Poorly designed and managed patient portals have the potential to discourage usage, decrease provider productivity, and compromise patient safety. We have provided a robust set of procedures and policies that promote the efficient delivery of safe and secure information through a patient portal. We believe other healthcare organizations could employ our principles and lessons learned to guide patient portal development and to maximize the benefits of patient portals through a thoughtful and organized process.
Funding: Dr Osborn is supported by the NIH National Institute of Diabetes and Digestive Kidney Diseases (Osborn, K01 DK087894) and by the Vanderbilt University Diabetes Research and Training Center Pilot and Feasibility Grant (Powers, P60 DK020593). Drs Jackson, Johnson, and Rosenbloom are supported by the Agency for Healthcare Research and Quality (Rosenbloom, R18 HS019276; Johnson, R18 HS018168). Drs Anders and Stenner are supported by the National Library of Medicine (Gadd, T15 LM007450). The content is solely the responsibility of the authors and does not necessarily represent the official views of these granting agencies.
Competing interests: None.
Provenance and peer review: Not commissioned; externally peer reviewed.