Absence of proxy access means patients and caregivers often share log-in info

For 25% of hospitals in a recent study, caregivers of adult patients did not have the option to create proxy accounts to access patient portals, raising the likelihood that patients and caregivers shared log-in credentials, which can pose privacy and security risks.

“These findings suggest that hospitals and electronic health record (EHR) vendors need to improve the availability and setup process of proxy accounts in a way that allows caregivers to care for patients without violating their privacy,” wrote study first author Celine Latulipe, PhD, a researcher with the University of Manitoba in Canada, and colleagues, in JAMA Internal Medicine.

Approximately 95% of U.S. hospitals offer patient portals, Latulipe and colleagues noted. At the same time, a previous study of adult patients with caregivers found that nearly 80% of such patients wanted caregivers to have access to their digital health information. It is not currently known how many hospitals provide proxy access for caregivers, or how many instead simply encourage patients and caregivers to use the same account.

“Sharing credentials can lead to multiple data security and privacy problems, including revealing more information than the patient intended, and to health care practitioner confusion and mistakes if they do not know with whom they are communicating,” Latulipe and colleagues wrote.

The cross-sectional study included one independent hospital and one health system-affiliated hospital from every state and the District of Columbia, with 102 hospitals ultimately included. Data were gathered by members of the research team, who, while posing as the children of older patients, contacted hospitals seeking information on patient portals.

A total of 69 (68%) of the 102 hospitals reported providing proxy accounts to caregivers, while 26 (25%) did not (the remaining 7 [7%] were unsure). System-affiliated hospitals were more likely to offer proxy accounts than independent hospitals (41 of 51 [80%] versus 28 of 51 [55%]; P=.006).

For hospitals providing proxy accounts, 21 (30%) required both the patient and caregiver to be physically present as the account was created, 20 (29%) required the patient to set up the account onsite but not necessarily with the caregiver present, and 28 (41%) allowed account setup from home.

Of the 94 (92%) hospital personnel who were asked about password sharing, 42 (45%) advised the interviewer to share login credentials, 29 (31%) discouraged credential sharing, and 23 [24%] were noncommittal. Among the 25 hospitals that did not provide proxy accounts, 19 (76%) advised password sharing, compared with 23 of 69 hospitals that did provide proxy accounts (33%; P<.001). Independent hospitals also were more likely to permit password sharing (29 of 47 [62%] versus 13 of 47 [28%]; P=.002) even after researchers adjusted for proxy access (OR 3.1; 95% CI 1.2-7.8; P=.02).

“Almost half of the hospital personnel recommended that patients share passwords with their caregivers, either because doing so was easier than creating a proxy account or because proxy accounts were not available,” Latulipe and colleagues wrote. “However, sharing login credentials has been associated with enormous security risks because people often reuse their passwords for different accounts, such as online banking or social media.”

Among other self-identified limitations, Latulipe and colleagues noted that the results generally reflected practices within independent and system hospitals but weren’t necessarily representative of those categories.

In an editorial accompanying the study, Catherine DesRoches, DrPH, a researcher with Beth Israel Deaconess Medical Center in Boston, and colleagues, none of whom were affiliated with the study, wrote that the findings may bring needed attention to an underappreciated vulnerability.

“Latulipe et al found that only two-thirds of the US hospitals they surveyed offered adult patients the option of granting portal access to a care partner, and among hospitals that did, the process for obtaining proxy credentials was often difficult and time-consuming,” DesRoches and colleagues wrote. “Moreover, their findings highlight a long-standing practice that has troublesome implications for patient privacy: personnel in almost half of the hospitals suggested to the study’s interviewers (who acted as secret shoppers) that the care partner use the patient’s credentials to review health records.”

Acknowledging that “few have perfected this process,” DesRoches and colleagues suggested four overarching steps toward improving the process: simplified procedures, including registration, clearly displayed usernames once logged in, relevant education for patients and caregivers, and changing the Health Insurance Portability and Accountability Act (HIPAA) to cover third-party access to EHRs.

“Few health care organizations have a convenient and straightforward procedure for granting proxy access, and even when EHR vendors offer mechanisms for access, health care organizations appear to give little thought to the information needs of this group,” editorial authors wrote. “Moreover, although circumventing the proxy procedure by using the patient’s credentials seems to be a simple solution to this problem, it presents a host of other issues. Clinicians cannot be confident about whom they are communicating with, care partners may become privy to information a patient may not want to share, and health care organizations may be violating their patients’ right to privacy. In the coming years, proxy access to the EHR will become even more complex as patients’ ability to access their records through third-party applications improves.”

  1. In a recent study, one-quarter of hospitals did not offer patient portal proxy accounts for caregivers of adult patients.

  2. Nearly half of hospital staff interviewed encouraged patients and caregivers to share a single log-in credential—a practice experts said can present security threats.

Scott Harris, Contributing Writer, BreakingMED™

No source appearing in this study disclosed any relevant financial relationship with industry.

Cat ID: 507

Topic ID: 505,507,791,807,507,556,800,730,192,925