Abstract
Research examining whether and how adolescent patients should gain access to their electronic health records is gaining momentum. We conducted a survey to explore diversity in adolescent privacy policies and identify common approaches in health information technology management for adolescent patients. Through descriptive analyses of survey data, we found a wide range of institutional policies regarding adolescent patient privacy, and large variations in health IT executives’ baseline knowledge of access policies. A majority of respondents agreed that formal guidelines pertaining to adolescent health record privacy would be helpful. Respondents suggested that these guidelines can be developed through the synthesis of multiple perspectives, including those of pediatricians, adolescent specialists, privacy experts, parents, patient advocates, and other professional entities.
Introduction
Many active research efforts in the AMIA community tackle different facets of a common goal: how informatics systems can be designed, implemented and improved upon to support patient-centered care across the patient’s lifetime. In this paper, we report results of a survey study gauging electronic patient portal implementation and policy for a particularly complex life stage: adolescence. The survey study we present here is one of many studies that we are conducting to better understand how electronic health records (EHRs) and patient portals can successfully span multiple care settings and family situations, to accommodate the adolescent patient. Since this life stage is characterized by both increases in autonomy—developmentally, socially and legally—and potentially sensitive health needs, there are inconsistent federal policies, state laws, and community norms surrounding adolescent health care.
To explore diversity in adolescent privacy policies and identify common approaches in health information technology (IT) management for this consumer group, we conducted a small-scale survey study with key informants from different types of medical organizations, in different regions of the country. Our main objective was to identify the potential need for more formalized guidance and standards on privacy features within the patient portal. The survey findings contribute knowledge that can help guide health IT initiatives aimed at supporting adolescent patients and their parental caregivers. As such, they are relevant to active efforts in the Ethical, Legal, and Social Issues, People and Organizational Issues, and Consumer and Pervasive Health Informatics working groups at AMIA (among other groups).
Background
Adolescence is a time when patients are approaching autonomy, both developmentally and legally, but are still minors. Parents have legal and moral responsibility for their children’s health care and may be able to supervise health and health care better with full access to their children’s medical records. On the other hand, adolescent minors may begin to discuss sensitive issues with their physicians, such as sexual activity or drug and alcohol use; a substantial amount of evidence suggests they will be more forthcoming with physicians if they are confident their parents will not find out.1,2 In addition, adolescents are beginning to learn to take responsibility for their own health, and being able to access their own medical information may enable them to take a more participatory role in their health care.3 This insight has led to recent research to better understand physician perceptions of the role of patient access to pediatric health data.4 In Bush et al.’s recent study, physicians reported that patient access to an electronic patient portal could be valuable for promoting efficient communication among patients, parents, and providers, but also opened up new challenges (i.e., frequent questions from some parents and medical visit avoidance).4
Our previous qualitative work has demonstrated that federal policy, state law, and community norms are not entirely consistent about adolescent medical privacy.5 In some jurisdictions, and under some circumstances, adolescents may have medical privacy rights similar to those of adults, and in other situations, parental notification is required, or there is no clear guidance.6 In the absence of national guidelines, medical centers go through individualized development processes to establish their policies about adolescent access to electronic medical records. Across institutions, there are different ages of adolescent onset, different proxy policies (ranging from full parental access to no parental access), and different amounts of medical information access (ranging from full records access to partial access).5 Third-party payer systems introduce another level of complexity in maintaining adolescent privacy.7
Our objective in the current study was to complement our qualitative research through a quantitative survey study of key informants at medical centers nationwide.
Methods
We conducted a survey study with participants of the 2017 pre-symposium AMIA CMIO Workshop,8 which gathered together a large national pool of chief medical information officers (CMIOs) and other key stakeholders involved in informatics implementation and operations at their medical centers. Thirty minutes of the scheduled workshop period was dedicated to this survey. Integrating the survey study into the schedule of the workshop allowed us to capture a purposive sample while reaching participants from medical organizations across the four census regions of the country, and multiple organizational types (pediatric hospital, community health center, non-pediatric academic medical center, outpatient practice, public hospital, etc.).
Figure 1 is a flowchart of participant recruitment and response rate throughout the survey.
Figure 1:
Survey study participation. After 39 respondents were assessed for eligibility (institution has an EHR system and serves a pediatric population) 27 participants met the eligibility criteria. The majority of these 27 (78%) answered questions about whether institution offered online personal health records or patient portal accounts for adolescent patients.
We developed an online survey by referencing a 2012 policy statement from the American Academy of Pediatrics (AAP)9 and Sharko et al’s interview study on adolescent access to electronic patient portals.5 These statements include ideal principles for electronic health record systems.
We confirmed the face validity of the online instrument to ensure that the assessment items were appropriate to the targeted construct and study objectives, using a combination of experts and graduate students. Survey testers included a CMIO (not participating in the study), two faculty researchers in medical informatics with survey design expertise, and two graduate students. All testers took the survey multiple times with different scenarios in mind, to ensure completeness of response sets. All five testers were also asked to comment on clarity of wording, layout and order of questions, and perceived ability to answer the questions. Findings from these tests allowed us to improve the survey design in an iterative fashion before deployment. The online survey was developed and deployed using Qualtrics.
The survey study was determined to be exempt by the Georgia Tech and Emory IRBs.
We analyzed closed-format responses through descriptive statistics and open-format responses through thematic analysis by two researchers.
Results
There were 27 respondents with both EHR systems and pediatric patients. Respondents represented organizations located in four Census regions: West (4), Midwest (5), South (5), and Northeast (13). Institutional roles of the survey respondents are provided in Table 1. Specific EHR systems used at respondents’ institutions are are included in Table 2, with their frequency.
Table 1:
Institutional roles of survey respondents.
| Role | n | (%) |
|---|---|---|
| Associate CMIO | 3 | (11.1%) |
| Clinical Informatics Fellow | 4 | (14.8%) |
| Chief Medical Information Officer | 10 | (37.0%) |
| Clinical Professor | 1 | (3.7%) |
| Medical Director (Informatics) | 5 | (18.5%) |
| Neonatologist | 1 | (3.7%) |
| Physician EMR lead | 1 | (3.7%) |
| Resident Physician | 2 | (7.4%) |
Table 2:
EHR system brands at survey respondents’ institutions. Some respondents listed multiple EHR systems.
| EHR System | n | (%) |
|---|---|---|
| Allscripts | 3 | (11.1%) |
| athenahealth | 1 | (3.7%) |
| Cerner | 6 | (22.2%) |
| Epic | 16 | (59.3%) |
| GE (e.g., Centricity) | 2 | (7.4%) |
| Meditech | 1 | (3.7%) |
| OMR | 1 | (3.7%) |
Prior to Adolescence
Twenty-five respondents answered questions about whether their medical center gives guardians default access prior to the pediatric patient reaching adolescence. Seventeen of 25 (68%) gave guardians access. In contrast, four of 25 (16%) responded that their medical center did not give guardians default access. Four did not know.
In response to the question:
“Does your institution have a formal definition (age range) for an adolescent? For example, is a pediatric patient considered an adolescent when they turn a certain age?”
The majority of the respondents (16 of 25, or 64%) answered “yes” while five (20%) answered “no” and the remaining four (16%) did not know. Specific definitions are included in Table 3. The modal age of the definitions provided in survey responses was 13 years.
Table 3:
When adolescence begins (formal definition) at respondents’ institutions.
| Age | (count) |
|---|---|
| No access during adolescence: | |
| 0-12 (parent access only) or | |
| 0-13 (parent access only) or | |
| 0-18 (non-inclusive, adult portal only) | (6) |
| 12-17 | (3) |
| 13+ | (1) |
| 13-17 | (4) |
| 13-18 | (2) |
| 14-17 | (1) |
| Unknown | (2) |
Adolescent Account Availability
Twenty-one respondents answered questions about whether patient portal accounts were available for adolescent patients. Seven of 21 (30%) did not know whether or not adolescents could have accounts. However, there was a fairly even distribution among those who did know (n=13).
Five of 21 said adolescents could have accounts, and an additional one respondent mentioned limited accounts for adolescents (28.6%).
Four of 21, or 19%, said guardians could sign up for account, but adolescents could not have their own accounts.
Four of 21, or 19%, said an adolescent account was not available.
For those respondents who answered that adolescents could have an account (n=6), a follow-up question asked:
“Do adolescents require parental proxy permission to sign up for a patient portal account?”
All six said adolescents did not need guardian permission to get an account. All six said that parents could not control the information the adolescent could see in the account.
In response to the question:
“What is the minimum age for adolescent access to their medical records through your institution’s portal?”
Eight respondents specified minimum ages, which included Age 12 (inclusive) (n=2), Age 13 (inclusive) (n=5), and Age 18 (n=1) (adult access only).
In response to questions about guardian access to adolescents’ patient portal accounts, two of 12 respondents said definitively that guardians could not access the adolescent’s medical information through a portal, while four of 12 said that guardians required the adolescent’s permission to access the adolescent’s information. Finally, two of 12 said that the adolescent’s permission was not required for guardians to access the information.
Responses to questions about private messaging in the adolescent patient portal were also divergent. Six of nine respondents who answered questions about whether or not either party (adolescent or parent) could mark a message as private in the portal did not know, while one survey participant said that adolescents could send private messages through the portal, and two said that guardians could send private messages.
Care Provider Controls
An emphasis on the importance of paying more attention to adolescent privacy in EHR system design was echoed in open-format responses to a variety of survey questions about the ability to limit or share specific types of EHR data. For example, 18 respondents answered the question:
“Are there any mechanisms in place to protect patient privacy when potentially sensitive information could be revealed through the insurance bill, explanation of benefits, or post-visit survey?”
Seven indicated that they did not know; five indicated that adolescents could not, and six indicated that specific mechanisms were in place, with some respondents elaborating on how the mechanisms are limited. For example,
“HIM policies and procedures are in place relative to the release of information [but] nothing specifically to do with [online technologies such as] the portal.” -P7
“We do not have the ability to restrict such data. Adolescents are informed that the parent may have access to the diagnosis if the visit gets processed through insurance, i.e. for oral contraceptives. Alternatives such as obtaining those via Planned Parenthood, etc. are discussed if this is a concern for the adolescent” -P15
When it came to care provider control mechanisms, 14 respondents answered the question:
“Can providers control what information the portal user can see/access?”
Most (n=8) reported that providers can control what information the portal user can see, while five reported that providers cannot, and one was unsure. When elaborating on how such control was implemented, respondents detailed manual processes that required that physicians make choices to release or not release individual data types, but in somewhat inflexible ways.
“[Providers] can control access but not view (except they can selectively remove/prevent results on an order-by-order basis)” -P7
“[Providers] can mark diagnoses and results to not release.” -P10 “They can manually unrelease a particular problem or lab.”-P12
“[Providers] can select dx to not be released, also labs. (Across the system we do not release STD-related labs.)” -P13
“No [providers cannot], except by not publishing information to the portal, such as visit summaries or lab results. PAMI data cannot be restricted - if entered in the chart it will display on portal.” -P15
Formal Guidelines
Two survey questions asked respondents about whether and how formal guidelines should be developed to guide implementation decisions about adolescent access. Eighteen respondents answered the first question:
“Do you feel that more formal guidelines would be helpful in determining which features of an EHR system to implement pertaining to adolescent privacy?”
Of the 18, a majority (12) answered “yes” while only two answered “no”. The remaining three respondents gave free-text responses, in which two indicated uncertainty (i.e., “unsure”, “I don’t know”) and the remaining one emphasized the importance of paying more attention to the general topic.
“Adolescent privacy is a very important topic and severely lacking in the current EHR world. The ability to restrict information from release via the portal or limit access to the adolescent only must be developed by the vendors.” -P15
A follow-up survey question was conditionally shown to those answering “yes” or “other” (n=15) to the previous question. It asked:
“How do you feel guidelines for adolescent access to patient portals should be developed, and by whom?”
One fewer respondent answered this question (n=14), and those who did provided a wide range of suggestions for how formal guidelines might be developed. Suggested sources for guidelines are included in Table 4.
Table 4:
Suggested sources for developing formal guidelines for adolescent access to their electronic health record. Most respondents mentioned a combination of one or more stakeholders or professional organizations.
| Stakeholder group | (Mentioned by) |
|---|---|
| Adolescent medicine professionals (e.g., pediatricians, specialists) | (8) |
| Adolescents | (2) |
| American Academy of Pediatrics | (2) |
| Lawyers | (2) |
| Parents | (2) |
| Patients | (2) |
| Primary care physicians; academic and community doctors | (2) |
| Professional associations with input from AMIA | (2) |
| Ethicists | (1) |
| Privacy experts | (1) |
| Do not know/unsure | (3) |
One participant also elaborated on their suggestion for who should be involved in drafting guidelines, mentioning:
“A joint task force between AMIA and AAP should consider having SMEs draft guidelines.”-P12
Finally, another respondent mentioned suggestions pertaining to how guidelines should be developed:
“Nationally, by pediatricians, adolescent specialists, and privacy experts to account for state by state differences. And then nationalize those standards.” -P4
Discussion
Our study aims to call attention to the need to create formal guidelines and standard privacy features to inform the design of patient portals and other data access tools in ways that accommodate the privacy needs of adolescents and parental proxies. The need for both adolescent confidentiality as well as parental proxy access for certain types of medical data open up new challenges for the design and implementation of electronic health systems.10 Prior research has outlined certain special requirements and challenges concerning the patient’s privacy and access to sensitive health information (i.e., statements regarding abuse, sexual activity and mental health).10-12 For adolescents with chronic illnesses, family access to electronic health records is important for everyday illness management, and for supporting the gradual transition to adulthood.13
Informed and motivated by our prior study on adolescent access to patient portals,3, 5 as well as complementary work outlining important considerations for managing adolescents’ medical record data,11,12,14 we surveyed CMIOs at a national medical informatics workshop, whose organizations serve pediatric populations. The survey gauged the current state of health IT access for adolescent patients and the need for formal guidelines to establish adolescent privacy policies. Our findings show a wide range of variability with regards to how each medical organization interprets adolescence and whether online access to electronic health records (e.g., through a patient portal) is available to patients or their parental proxies.
The decision-making process involved in the implementation of an adolescent patient portal system is complicated and resource dependent. This is due to many issues, such as varying state laws pertaining to adolescent privacy, differing cultural acceptance of adolescent autonomy over online health information, and varying patient health care needs. Decisions need to be made regarding parental proxy access and control, adolescent age determination and the granularity of control of information, among others. There is a lack of formal guidance on how to manage this implementation process and therefore there is great variation in privacy features.
This variation in adolescent privacy features has strong implications for the adolescent patient, the patient’s family, and the health care team. Specific choices related to access, transparency, and controlled sharing of electronic health data, for both adolescents and parental proxies, can shape adolescents’ engagement in health care.1,13 There have been multiple studies demonstrating the importance of privacy control to the adolescent patient seeking sensitive health care.2,15-19 If the adolescent finds inconsistency in privacy protection, it could undermine their trust in the medical system, resulting in withholding important medical information or in avoidance of appropriate medical care. If the parent of the adolescent patient encounters inconsistent access or feels that the clinician is unaware of the access policies, this results in frustration and could interfere with essential family co-management of complicated health care. It is important for the clinician to be aware of current medical center policies regarding portal access and privacy control for the adolescent patient. This could prevent inadvertent lapses in privacy control, disobedience of state or federal law, and potential endangerment of the adolescent patient.
It is essential for the medical care team to be aware of electronic health record privacy features for the adolescent patient and have an understanding of the relevant privacy issues. Bergman and colleagues found that parents and teens look to clinicians to take a role in educating them on confidentiality issues and concerns.20 These issues need to be addressed, understood and communicated to all people involved in the care of the patient—including the clinical staff, the patient, and the family.
A majority of survey respondents agreed that formal guidelines pertaining to adolescent privacy would be helpful and many commented on inflexibility in current EHR systems. These guidelines can be developed through the synthesis of multiple perspectives from varied stakeholders, including pediatricians, adolescent specialists, privacy experts, parents, patient advocates, and other professional entities and interested parties. The AMIA Symposium, along with the broader AMIA community, can play a vital role in forming this coalition and taking action to develop nationwide Health IT initiatives to advance guidelines, policies, and best practices in implementation.
Conclusion
Through a survey study with key informants that examined knowledge of adolescent privacy policies and common approaches in managing health information technology for adolescent patients, we found a wide range of institutional policies regarding adolescent patient privacy. Many health IT executives we surveyed did not have knowledge of access policies for online health records or account management for patient portal accounts during adolescence. The majority of survey respondents agreed that it is important to develop formal guidelines pertaining to adolescent health record privacy. Guidelines should be based on multiple perspectives, including those of pediatricians, adolescent specialists, privacy experts, parents, patient advocates, and other professional entities.
Our study has limitations. By surveying a variety of CMIOs and other informants to gather baseline data about portal account availability for adolescent patients, our study did not focus on the intricacies of enabling access control by patients or parents. We included a relatively small number of participants. Scheduling the survey during the AMIA CMIO workshop allowed us to take a synchronous, nationwide pulse to gather preliminary baseline data about whether or not access exists now, and whether or not there is a need for adolescent access guidelines. The disadvantage of relying on a scheduled survey meant that the respondents might not have had time to check with others at their home institutions when they could not answer questions. Our future work will use complementary qualitative methods to further verify the findings we presented here, and to investigate decision-making processes that contribute to portal policies, as well as legal, economic, social, clinical, and technological factors associated with access to adolescent health records.
Acknowledgments
We thank our study participants, and the chairs of the 2017 AMIA CMIO Workshop.8 We thank Elaine Schertz for assisting in preliminary survey testing and data analysis. This study is supported in part by AHRQ K01 HS 021531 (PI: Ancker) and NSF 1652302 (PI: Wilcox).
References
- 1.Carlisle J, Shickle D, Cork M, McDonagh A. Concerns over confidentiality may deter adolescents from consulting their doctors: A qualitative exploration. Journal of Medical Ethics. 2006;32(3):133–137. doi: 10.1136/jme.2004.011262. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 2.Ford CA, Millstein SG, Halpern-Felsher BL, Irwin CE. Influence of physician confidentiality assurances on adolescents willingness to disclose information and seek future health care: A randomized controlled trial. JAMA. 1997;278(12):1029–1034. [PubMed] [Google Scholar]
- 3.Hong MK, Wilcox L, Feustel C, Wasileski-Masker K, Olson TA, Simoneaux SF. 2016. Adolescent and caregiver use ofa tethered personal health record system. In AMIA Annual Symposium Proceedings, American Medical Informatics Association; pp. 628–637. [PMC free article] [PubMed] [Google Scholar]
- 4.Bush RA, Connelly CD, Perez A, Chan N, Kuelbs C, Chiang GJ. Physician perception of the role of the patient portal in pediatric health. The Journal of ambulatory care management. 2017;40(3):238–245. doi: 10.1097/JAC.0000000000000175. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 5.Sharko M, Wilcox L, Hong ML, Ancker JS. Variability in adolescent portal privacy features: how the unique privacy needs of the adolescent patient create a complex decision-making process. Journal of the American Medical Informatics Association. 2018 Aug;25(8):1008–1017. doi: 10.1093/jamia/ocy042. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 6.Guttmacher Institute. 2018. An Overview of Minors Consent Law 2018. [Google Scholar]
- 7.Wisk LE, Gray SH, Gooding HC. I thought you said this was confidential? Challenges to protecting privacy for teens and young adults. JAMA Pediatrics. 2018;172(3):209–210. doi: 10.1001/jamapediatrics.2017.3927. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 8.Fu P. 2017. Chief Medical Information Officer (CMIO) Workshop, AMIA Pre-Symposium Workshop, American Medical Informatics Association. [Google Scholar]
- 9.Blythe MJ, Adelman WP, Breuner CC, Levine DA, Marcell AV, Murray PJ, O’Brien RF, Del Beccaro MA, Schneider JH, Weinberg ST, et al. Standards for health information technology to ensure adolescent privacy. Pediatrics. 2012;130(5):987–990. doi: 10.1542/peds.2012-2580. [DOI] [PubMed] [Google Scholar]
- 10.Bayer R, Santelli J, Klitzman R. New challenges for electronic health records: confidentiality and access to sensitive health information about parents and adolescents. JAMA. 2015;313(1):29–30. doi: 10.1001/jama.2014.15391. [DOI] [PubMed] [Google Scholar]
- 11.Bourgeois FC, Taylor PL, Emans SJ, Nigrin DJ, Mandl KD. Whose personal control? Creating private, personally controlled health records for pediatric and adolescent patients. Journal of the American Medical Informatics Association. 2008;15(6):737–743. doi: 10.1197/jamia.M2865. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 12.Bourgeois FC, DesRoches CM, Bell SK. Ethical challenges raised by OpenNotes for pediatric and adolescent patients. Pediatrics. 2018;141(6):e20172745. doi: 10.1542/peds.2017-2745. [DOI] [PubMed] [Google Scholar]
- 13.Østerlund CS, Dosa NP, Arnott Smith C. 2005. Mother knows best: medical record management for patients with spina bifida during the transition from pediatric to adult care. In AMIA Annual Symposium Proceedings, American Medical Informatics Association; pp. 580–584. [PMC free article] [PubMed] [Google Scholar]
- 14.Mandl KD, Simons WW, Crawford WCR, Abbett JM. Indivo: a personally controlled health record for health information exchange and communication. BMC medical informatics and decision making. 2007;7(1):25. doi: 10.1186/1472-6947-7-25. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 15.Lehrer JA, Pantell R, Tebb K, Shafer M. Forgone health care among us adolescents: associations between risk characteristics and confidentiality concern. Journal of Adolescent Health. 2007;40(3):218–226. doi: 10.1016/j.jadohealth.2006.09.015. [DOI] [PubMed] [Google Scholar]
- 16.Cheng TL, Savageau JA, Sattler AL, DeWitt TG. Confidentiality in health care: a survey of knowledge, perceptions, and attitudes among high school students. JAMA. 1993;269(11):1404–1407. doi: 10.1001/jama.269.11.1404. [DOI] [PubMed] [Google Scholar]
- 17.Ford CA, Thomsen SL, Compton B. Adolescents interpretations of conditional confidentiality assurances. Journal of Adolescent Health. 2001;29(3):156–159. doi: 10.1016/s1054-139x(01)00251-8. [DOI] [PubMed] [Google Scholar]
- 18.Berlan ED, Bravender T. Confidentiality, consent, and caring for the adolescent patient. Current Opinion in Pediatrics. 2009;21(4):450–456. doi: 10.1097/MOP.0b013e32832ce009. [DOI] [PubMed] [Google Scholar]
- 19.Reddy DM, Fleming R, Swain C. Effect of mandatory parental notification on adolescent girls use of sexual health care services. JAMA. 2002;288(6):710–714. doi: 10.1001/jama.288.6.710. [DOI] [PubMed] [Google Scholar]
- 20.Bergman DA, Brown NL, Wilson S. Teen use of a patient portal: a qualitative study of parent and teen attitudes. Perspectives in Health Information Management/AHIMA, American Health Information Management Association. 2008;5:13. [PMC free article] [PubMed] [Google Scholar]