Avoiding Liability with Patient Portals

Dr. MedLaw

Dr. MedLaw is a physician and medical malpractice attorney. This article originally appeared on SERMO, which retains all rights to it.



The good thing about EMR patient portals is that they decrease your liability risks. On the other hand, the bad thing about EMR patient portals is that they increase your liability risks. This is because while they close gaps in communication that can lead to complaints and lawsuits, they create new standards that have to be met.

Using a portal, patients can:

  • update their own chart
  • request refills and schedule appointments or be reminded to do so
  • exchange messages with you and your staff
  • read their own records that you have made available
  • read patient education materials

This process obviously has both an upside and a downside as far as liability is concerned. For example, you get information from patients faster, but you are then also held to the standard of actual knowledge of that information once it is in your system, and of then acting on it in a timely manner.

The main issue to understand, however, is that nothing has actually changed as to your predicate duties in patient communication: (1) to make sure that you have current information, and (2) to convey information to patients accurately and promptly. The portal simply changes the method of communication in some new ways that you have to deal with.

Your first step must therefore be to set up a legally binding arrangement with the patient as to the portal’s proper use with regard to these issues. A Patient Portal Policies and User Agreement lays out how the portal is to be used and obtains the patient’s statement of proven understanding of those terms and of his or her willingness to abide by them.

The Agreement should address the following:

  1. a. The portal is offered as a courtesy and an option

This lets the patient know that the portal should not be abused and is not the only way to communicate with the practice.

  2. Only current patients and their designees may use the portal

A patient can specify someone else they authorize to use the portal on their behalf, as long as they execute a proper HIPAA release, but may not submit or inquire on behalf of someone who is not your patient.

  3. Explanation of the sign-up process, including setting up a password or access code

This prevents a patient from believing that they are automatically enrolled once they sign the Agreement.

  4. It is the patient’s obligation to keep their contact information current

This goes to the problem of the patient claiming that you did not respond to them when the information that you had was actually outdated. However, you must bear in mind that it does not relieve you of your responsibility to follow up by a different method, such as a phone call or standard mail, if your response bounces back as undeliverable.

  5. The portal is solely to be used for non-emergency communications
  6. Appointment requests will not become actual appointments until confirmed by the staff

  6.a. Only non-narcotic renewals can be processed through the portal

  7. How long it will usually take for the renewal request to be called in to the pharmacy after being received through the portal, noting that there may be delays in some cases
  8. Average time to receive a response to a question, noting that this may be longer in some cases, and that it is the patient’s responsibility to monitor for a response
  9. The portal does not provide diagnostic or triage or other medical care services and any educational resources provided do not constitute medical advice. Any such actual care services require an office appointment

These last five sections jointly address a critical issue as far as malpractice liability – the reasonability of the patient’s expectations.

A patient who believes that the portal communication is a substitute for an office visit or phone contact, or that it will result in instant service, and so does not make a needed appointment, or stays home waiting for an answer while getting sicker, or lets a vital prescription run out, is a lawsuit waiting to happen. You must therefore be clear from the outset that the portal is a very limited method of access to you and your staff.

Meeting the Criteria

Of course, now that you have set up the criteria, you have to meet them. For example, if you say that 48 hours is your turn-around time on a message or a renewal, you have to make sure that that is the rule, not the exception. Remember that your communications will have time and date recordings on them, and so the logistics must be kept in good order because they will form an actionable basis for liability and proof of a breach if there is a failure.

  10. What specific information you are granting access to (lab reports, clinical summary, etc.) and that a copy may be requested
  11. If the patient has any questions about their results they should contact the office

These two points jointly go to a patient either claiming that they were denied information or that information was just dumped on them as a non-medically trained person without access to you or your staff for explanation.

  11.a. Permissible topics (e.g., updates on medical history, questions about medication or lab results, routine follow-ups, billing issues) and impermissible topics (e.g., mental health or HIV issues)

  12. Questions must be brief, and outside lab results, images and articles are not to be appended. If a matter is complicated, the patient should make an appointment

This section covers:

  • your insistence on compliance with statutory privacy matters
  • preventing abuse of the system by patients who will try to use it as a substitute for a visit and then seek to hold you liable for any lapses that occur as a result
  • that you cannot accept the liability exposure of having unsolicited material sent to you without proper context.

  13. All portal communications will be encrypted
  14. The patient should keep their password or access code securely and should also not contact the portal through a non-personal device

These two points show that you will hold up your end of the privacy issue but that the patient must hold up theirs.

  15. Staff members other than the specific addressee may read and respond to messages so as to provide optimal patient care

Although your staff are your agents for patient care and so can, as a general rule, access the records of anyone in the practice, a patient may still want to communicate a matter to only one person. Based on this statement patients will now understand that this cannot be guaranteed when using the portal as it could be by a personal phone call or e-mail to a personal address or by an office visit where they pick who to speak to. A patient who still uses the portal after reading this section cannot now claim a privacy breach if, for example, your nurse reads a communication that the patient preferred that only you see.

  16. A statement that your office is committed to full HIPAA compliance but that all electronic communications carry some level of risk and that the patient should consider this when deciding whether to use the portal

Knowing the System

OK – now that the Agreement is signed and the patient is using the system, the responsibility is yours to be aware and to be prudent.

First, “aware”: Know your system.

For example, the portal may send messages that have to be manually processed or it may generate targeted messages that go directly to the relevant EMR features. You therefore need to be familiar with what your system is doing with issues like renewals that have to be dealt with in a timely manner.

Now, “prudent”: Remember that just because something is electronic does not change your standard duties.

For example, consider privacy issues:

There is no difference between a phone call or a letter or a conventional e-mail and a message sent through a portal with regard to the fact that you can generally rely on the person being who he or she claims to be. On the other hand, suspicious features, such as language that suddenly seems different or unfamiliarity with facts the patient should know, should be met with a query as to the communicating person’s identity. If you are still unsure, just message back that a personal call or visit will be needed.

The converse is that you must make sure that responses from your office go only where the patient has specified that they should go, just as you would ordinarily have to make sure that a phone call or a letter only goes where it should. Therefore, be very careful that the “to” field is properly filled out when you send a portal message.

Protecting Patient Information

Similarly, just as HIPAA and common law privacy require that you not leave patient charts lying around where they can be seen by unauthorized individuals, you and your staff should log off from workstations when not present, and workstations should have automatic log-off functionality so that no unattended portal remains open.

There are three additional liability issues to consider:

  1. The law will presume that when you respond to a patient via the portal you do so with full access to the record on which to base that answer if needed, and if your system has an active audit trail function it will show whether you actually looked at the record. Therefore, do not answer patients unless you can get access to their records and actually look at them when you answer, should you need to.
  2. The usual rule that “if you don’t document it, it never happened” still applies. You must therefore transfer any new information from a patient into the medical record with a note of your own indicating that the patient sent it in, when, and any relevant matters about it.
  3. If you disable a part of your system that has application to liability, such as the audit trail function, your credibility can be called into question in a lawsuit. If your system is running poorly because of such functions, deal with your IT person about it – do not “self-help”.

In summary, a patient portal is just a new way to do what you have always been doing. Following simple rules that reflect that will keep it a useful adjunct to your practice rather than a source of liability.

1 Comment

  1. Hello. I am a private practice manager and I am trying to find out information on revoking a patient's access when they are still active patients and after discharge/transferring care. What are the laws and limitations?
    Samantha Toth

