In the world of liability exposure, patient portals can be a blessing or a curse.
That is because they close gaps in communication that often lead to complaints and lawsuits but they also create updated standards that have to be met.
For example, through the use of a portal you can get information or inquiries from patients faster and more reliably, but once a communication from a patient has been received into your system you are charged with dealing with it and so you must have a way to bring it to your attention promptly.
The critical issue to remember, however, is that while portals change the operational nature of patient communication in ways that require new accommodations, they do not change your ordinary duties as far as communication with patients: to make sure that you have current and accurate information from the patient and to convey information to patients accurately and promptly.
To ensure that you can fulfill those duties within the new system, your first step must be to create an agreement of how the portal will be used that binds both you and the patient.
A Patient Portal Policies and User Agreement lays out the rules and requirements for the use of the portal and obtains the patient’s statement of proven understanding of those terms and of his or her willingness to abide by them. It also, like the process of informed consent, presents the patient with a reasonable statement of the benefits and the risks involved in portal use and obtains his or her proven acceptance of those facts.
This agreement should, like any other contract, only be entered into by people with legal capacity. It should therefore never be offered to adult patients who you believe are impaired or to unemancipated minor patients even if a parent or guardian offers to sign for them.
The Agreement should include the following:
1. General matters
i. The portal is offered by your practice as a courtesy and is limited to current patients only.
ii. The portal is an option and all standard methods of communication with your office remain available.
iii. An explanation of the sign-up process
These points deal with the problems of complaints by former patients attempting to access prior records, patients who might assume that your office has switched over to a new system exclusively and patients who would assume that they are automatically enrolled.
However, the fact that you have stated the limitation of access to current patients does not relieve you or your staff of the responsibility to promptly delete all patients who leave the practice from the system or to be alert (discussed in greater detail below) for use by non-patients.
iv. What information is available through the portal (lab reports, clinical summary, billing matters, patient education materials, etc.)
v. A copy of records available through the portal may be requested.
vi. If the patient has any questions about information received through the portal system, they should contact the office
These points deal with the problems of complaints by patients who either claim that they were denied information or that information was just dumped on them without adequate explanation.
vii. The patient is responsible for keeping all their contact information current and accurate
This point, while obviously essential to defend against a claim based on non-response, does not, however, relieve you or your staff of the necessity to follow up by conventional means if your answer to the patient through the portal system bounces back as undeliverable.
2. Use of the portal
These are the points that go directly to the single most important issue in terms of portal-related liability: the reasonability of the patient’s perception of what the portal system offers.
i. The portal does not provide diagnostic or triage or other medical care services and any educational resources provided through a patient library do not constitute medical advice. Any such services require an office appointment
ii. The portal is only to be used for non-emergency communications
iii. Appointment requests must be confirmed by the staff
iv. A statement of the expected time to receive a response to a communication or appointment request, noting that this may be longer in some cases and that it is the patient’s responsibility to monitor their e-mail for a response and to contact the office if a response is not received by the end of the expected period
v. Only non-narcotic medication renewals can be processed through the portal
vi. A statement of the expected time for a renewal request to be called in to the pharmacy, noting that this may be longer in some cases, and that it is the patient’s responsibility to check with their pharmacy and to contact your office if the renewal is not available by the end of the expected period.
These points are directed towards preventing complaints or malpractice claims by patients who believed that the portal communication was a substitute for an office visit or that it would act like an IM and result in immediate service or that it would cover matters that it does not cover, and who therefore did not make needed appointments or who stayed home waiting for a response while getting sicker or who let a vital prescription run out.
Of course, now that you have set up the criteria, you have to meet them from your side.
For example, if you say that 48 hours is your turn-around time on a message or a prescription renewal, you have to make sure that it is the rule, not the exception. Remember that your communications will have time and date recordings on them, so these matters are traceable.
This is where really knowing your system is essential. For example, the portal may send messages that have to be manually processed or it may generate targeted messages that go directly to the relevant EMR features. You therefore need to be familiar with what your system is doing with issues like renewals that have to be dealt with in a timely manner.
vii. What the permissible topics for portal communications are (e.g., updates on medical history, questions about medication or lab results, routine follow-ups, billing issues).
viii. Communications must be brief and outside lab results, images and articles are not to be appended. If a matter is complicated the patient should make an appointment
These points address potential abuse of the system by patients who will try to use it as a substitute for a visit, including foisting material on you without proper context, and then seek to hold you liable for any lapses that occur as a result.
3. Privacy issues
i. All portal communications will be encrypted
ii. The patient should keep their access code securely and should also not contact the portal through a non-personal computer or hand-held device because these may not be secure
These two points address the fact that you will hold up your end of the privacy issue but the patient must hold up theirs.
iii. Persons other than a named addressee may read and respond to messages so as to provide optimal patient care
This point is an explicit recitation of what patients already understand through the HIPAA releases that they sign: that facts about their health can be shared with those involved in their care, including your office staff or consulting physicians. It puts the patient on notice that the same rules apply when a portal is used to convey health information to your practice.
Nevertheless, you must remain sensitive to privacy concerns and so instruct your staff. If a message comes in that specifically requests that only one person have access to it, that should be honored insofar as medically possible.
iv. Topics that may not be communicated through the portal (e.g., HIV issues, mental health issues)
This point indicates your compliance with statutory privacy requirements.
v. A statement that your office is committed to full HIPAA compliance as regards the portal system.
Of course, now that you have stated your compliance you must follow through.
For example, just as HIPAA (and common law privacy) require that you not permit patient charts to be accessible to unauthorized individuals, your staff should not have a shared password, you and your staff should log off from workstations when not present, and the workstations themselves should have automatic log-off functionality so that no unattended portal carrying private patient communications remains open.
Similarly, while you can offer the patient the option of specifying someone else they authorize to use the portal you should still get a standard HIPAA release as to that person.
Another HIPAA-related issue would be the ascertaining of identity. There is no difference between a phone call or a letter or a conventional e-mail and an e-mail sent through a portal with regard to the fact that you can generally rely on the person being who he or she claims to be. On the other hand, suspicious features such as language that suddenly seems different or unfamiliarity with facts the patient should know should be met with a query as to the communicating person’s identity. If you are still unsure, just message back that a personal call or an office visit will be needed, exactly as you would do in any other setting where you are not sure that you are dealing with an authorized person.
Likewise, just as with any other HIPAA-covered communication, you must make sure that portal responses from your office go only where permitted, just as you would ordinarily have to make sure that a phone call or a letter or an e-mail containing confidential information only goes where it should. Therefore, be careful that the “to” field is properly filled out when you send a portal e-mail.
vi. A statement that all electronic communications carry some level of risk and that the patient should consider this when deciding whether to use the portal.
This is the parallel to the “risk” portion of an informed consent discussion.
It puts the patient on notice that problems can occur even in a well-constructed and maintained system.
However, like informed consent for a medical procedure, it does not absolve your office of the duty of due care. Therefore, you must keep your system appropriately updated as to security matters, such as installing patches offered by the manufacturer. You should, of course, keep a record of these updates that you can proffer if the adequacy of your security is challenged in a complaint.
Beyond the Use Agreement, there are three additional liability issues for you to consider:
1. The law will presume that when you responded to a patient via the portal you did so with full access to their record, and if your system has an active audit trail function it will show if you actually looked at the record.
Therefore, do not respond to portal communications unless you can get access to patient records, and then actually do look at those records when you answer.
2. The usual rule of thumb that “if you don’t document it, it never happened” applies to communications received through the portal.
You should therefore transfer any new clinical information into the medical record. It would be advisable to add a note of your own about it to serve as evidence that you personally saw it and evaluated it.
3. If you disable a part of your system that has application to liability, such as the audit trail function, your credibility can be called into question in a lawsuit.
Therefore, if your system is running poorly because of such functions, deal with your IT person about it – do not “self-help”.
In summary: Patient portals are an excellent marketing tool for a practice. They are also a great way to free staff up for direct patient care and to increase office efficiency. However, as a new entrant into the mechanics of the doctor-patient relationship, they carry liability risks. A well-drafted User Agreement and common sense practices can reduce those very significantly.