Patient access to general practice electronic health information and interaction with their health care team via patient portals

The Royal New Zealand College of General Practitioners

VERSION 1.0 DECEMBER 2014

Guidance for PHOs and general practices

The Royal New Zealand College of General Practitioners Expert Advisory Group on Patient Portals

Patient Portal Expert Advisory Group

• Susan Wells (Chairperson)
• Karl Cole
• John Morgan
• Maree Munro
• Ashwin Patel
• Matthew Stokes
• Andrew Terris
• Jo Fitzpatrick
• Jeanette McKeogh – Project Sponsor
• Joanna Parry – Project Administrator

Preface

Patient access to electronic health records – A consumer view

Trust me, I’m a doctor. And we do. Doctors and nurses feature in the 2014 Reader’s Digest top ten most trusted professions in New Zealand and have been polling this way for many years. As the 2014 commentary states “we place our lives in their hands. We trust them because of their ‘degree of training and dedication to preserve our quality of life.’”

This paper provides guidance for health practitioners as they introduce access to electronic information, and a new means of communication and interaction with health services, to their consumers via a patient portal. It is timely to consider the impact of the introduction of a patient portal into a clearly important and trusted relationship for many New Zealanders.

First, do no harm… The possible harms are outlined in this paper: concerns over privacy and security; the challenges of health literacy for a lay population; an increase in workload and demand on services for health practitioners; and the possibility of increasing disparities in health as New Zealanders who would most benefit are not able to access this new intervention. These are all legitimate concerns, some better founded than others and they are all able to be addressed to some degree.

Consumers trust their health practitioners to see to the IT and technical aspects of privacy and security. The safeguard from a consumer point of view will be found in the transparency of the system – a clear briefing on where their information is stored, its potential uses to deliver quality care for them and others like them, the ability to access their information at any time and most importantly, the ability to see who else has accessed their information. This latter provision is both the most contentious and the most important. It is not that consumers do not trust health practitioners. They want to know who is on their care team and what role those people play. In fact, many consumers are staggered to discover that the ability to share information amongst health practitioners is not widely available. The Shared Care portal in Auckland has this facility and enquiries to date have sought information rather than express outrage or accusation. It is sad that the most publicised breaches of trust have been unauthorised access and use of consumer health information. This provision addresses that issue.

Consumer health literacy is important. The paper reinforces the need for appropriately complex medical terms to address clinical requirements. While that need remains, the much maligned Doctor Google is testament to the fact that people are hungry for health information. Dr Google has no quality controls and leads people down some very strange garden paths. The opportunity provided by a patient portal is to link consumers to trusted sites and reliable consumer health information - which is personally relevant to them and their health. This is likely to increase the quality of health care relationships.

Consumers are aware of the pressures and limitations on their health practitioners. They commonly express concerns about ‘wasting the doctor’s time’ or ‘not wanting to bother the doctor’. Consumers are keenly aware of the time limits imposed on consultation times in primary care. A patient portal encourages the development of a partnership approach. Consumers can follow up and prepare for consultations or gain a greater understanding of their medications, using accurately recorded information rather than relying on memory and impressions of a doctor’s visit.

The digital divide is real but decreasing. Recent data (2012) reveals 80% of New Zealand households have access to the internet and there are 4.9 million mobile phones for a population of 4.43 million. (Statistics NZ 2012.) New Zealanders now own more mobile phones than there are people and ownership crosses all population groups. Clearly part of the solution is to ensure access using mobile technology.

The paper does not deal with the harms of NOT offering a patient portal to health consumers – the harms of ‘business as usual.’ Most health consumers and particularly those with long term conditions and/or heavy users of health services have patient stories on ‘business as usual.’ For many consumers, business as usual is:

• Old fashioned – appointments need to be made during business hours.
• Inconvenient – the need to attend appointments during business hours.
• Disrespectful – waiting times are longer than appointment times.
• Demanding – prescription refills are a chore, problems need to fill a short time frame.
• Tedious – covering the same information with a number of health practitioners or service providers.
• Compartmentalised – dealing with health problems and bits of body not all of me.
• Uncoordinated – multiple appointments for different symptoms with the same cause.
• Inefficient – the ‘right hand not knowing what the left hand is doing.’
• Mysterious – uncertainty about what the pink pills are actually treating, what the doctor meant.
• Dangerous – missed or clumsy connections transferring across services.

Many health practitioners also share these frustrations. While patient access to electronic information and interaction with health care services via patient portals can’t address them all, they do have the potential to change the face of primary health care and bring consumers and their doctors closer together.

As a New Zealander, my vision is to see doctors in the top three most trusted professions. This paper is a pathway to a better future for us all. A future which is in your hands – uptake of a patient portal is most strongly influenced by a trusted health professional who simply offers them the opportunity to connect and be informed via this medium. The possibilities are great and the journey will be taken in small steps. The first step is for you to offer me access to a patient portal. I trust you will have the courage to do that.

Jo Fitzpatrick

Contents

Preface
Introduction
What is the status quo
What is a patient portal
Aims of this document
Scope
Methods
Potential benefits and risks of patient portals
Evidence for patient and provider benefits and risks
Impact on patient-provider partnership
Health impacts of portals on patients
Work impact of portals for providers
Disparities of adoption
Getting ready for patients to access medical records
PHO strategies to support portal implementation
Health information availability
Privacy, confidentiality and security of health information
Significant privacy impacts of patient portals – a guide for practices
Rule 1. Purpose of collection of health information
Rule 2. Collection from the source of health information
Rule 3. Collection of health information from the individual
Rule 4. Manner of collection of health information
Rule 5. Storage and security of health information
Rule 6. Right of access
Rule 7. Correction of health information
Rule 8. Accuracy of health information-check before use
Rule 9. Retention of medical records
Rule 10. Limits on use of health information
Rule 11. Limits on disclosure
Rule 12: Unique identifiers
Common issues to be addressed
Security, registration and authentication
Informing patients of implications of record access
Patient sharing record with someone else
Correction of record-accuracy of record
Patients contributing to record
Writing clinical notes
Laboratory results
Online communication
Third party data or other data that the health professional wishes to remain confidential
Children
References

Introduction

Many consumers have considerable experience with online transactions including shopping, banking, travel reservations and even higher education. However, health care services have been slow to embrace the opportunities afforded by the internet and electronic media to enable people to look after their health in a similar way. Over the last decade, new technologies have been developed to allow patients to view their medical records via secure internet portals. These patient portals have been advocated as a path towards improving the quality and safety of health services. They promote patient engagement in their own care, allow patients to be well-informed of their health care needs and facilitate a more collaborative partnership with their health care team.1,2

The National Health Information Technology (HIT) plan includes the concepts of three portals; a self-care portal, a maternity portal and shared care portal for patients with complex chronic disease.3 The plan has an aspirational goal that by the end of 2014: “New Zealanders will have a core set of personal health information available electronically to them and their treatment providers regardless of the setting as they access health services.” 4

What is the status quo?

Patient access to their own health records is a fundamental patient right enacted in the Privacy Act 1993 and Health Information Privacy Code 1994. A patient who requests their health information is given access within 20 working days usually without charge, and in a form that the individual prefers.5 However, as these records have been paper-based or ‘locked up’ within health services’ electronic health record (EHR) systems, patient access has been relatively uncommon due to logistic and structural barriers.

What is a patient portal?

Given confusion around the term, we use the same definition from Wikipedia as provided in a recent review of patient portals that have been developed in conjunction with New Zealand GP patient management systems:6

“Patient Portals are health care related online applications that allow patients to interact and communicate with their health care providers, such as physicians and hospitals. Typically, portal services are available on the Internet at all hours of the day and night. Some patient portal applications exist as standalone websites and sell their services to health care providers. Other portal applications are integrated into the existing website of a health care provider. Still others are modules added onto an existing electronic medical record (EMR) system or PMS. What all of these services share is the ability of patients to interact with their medical information via the Internet. Currently, the lines between an EMR, a personal health record, and a patient portal are blurring.”

As highlighted in this definition, patient portals are an evolving intervention that allows a patient to interact with their health information and their health care team via the internet. Portals vary in how they are implemented and in the extent of health service data they make available.

For example, some patient portals have been developed as an addition to a GP’s patient management system whereas others allow direct contribution from multiple sites and services (e.g. Shared Care Portal). In the USA they are commonly defined as personal health records tethered or connected to a provider’s EHR.7 These portals are usually paired with secure messaging functions and the ability to request an appointment or a prescription refill.

Irrespective of their architecture, patient portals represent a new way of patient-clinician interaction and concerns have been raised about their use. Some of these include the privacy and security of online records, patient confusion caused by medical jargon or test results, the potential effect on doctors’ workload and whether disparities in access to electronic media may increase disparities in patient outcomes.

Aims of this document

In April 2014, the Royal New Zealand College of General Practitioners (RNZCGP) convened an Expert Advisory Group for patient portals to scope out and develop a resource for general practices. The aim was to provide guidance to PHOs and their general practice teams seeking to implement patient portals and support their patients in the safe use of this technology.

Scope

This review aimed to find policies, guidelines, clinical protocols or codes of practice for the use of patient portals particularly for primary care services. The generated data was summarised and presented to the Expert Advisory Group at the first meeting. The summary became the basis for discussion and the scope of this document. In particular, this guide will not cover the various potential IT architectures or configurations, vendor contracting or the business model that the practices/PHO might adopt for portals. Furthermore, this document will not cover “clinician to clinician” portals such as Summary Care Records or sharing other patient data between health services.

Methods

The Chair of the Expert Advisory Group for Patient Portal, Sue Wells, undertook a literature review, searching electronic medical databases for the evidence for the impact of portals on patients, providers and health services. Grey literature was also retrieved. The latter included the websites of professional GP colleges including the American College of Physicians, Royal Australian College of GPs, Royal College of GPs (United Kingdom), Canadian Medical Association, the College of Family Physicians of Canada, as well as websites of the Medical Council of New Zealand, Medical Protection Society, the Office of the Privacy Commissioner, World Health Organisation, the Office of the National Co-ordinator for Health IT (US) and the Department of Health and Human Services (US).

To understand the work that had already been conducted in New Zealand regarding shared records and patient portals, the Chair also contacted the National Health IT Board, Patients First, Midland Health Network, Compass Health, Canterbury District Health Board and Pegasus Health. In addition she also communicated with experts in the United States, Australia, United Kingdom, Denmark and Sweden.

Potential benefits and risks of patient portals

The adoption of patient portals imposes a significant change to ‘usual’ primary care practice and work flows. There are set-up and on-going costs with implementation and licensing as well as the initial burden of work involved for patient registration. Once portals are up and running in the practice, what are the expected potential benefits and risks? Table 1 includes the majority of the claims (potential benefits and risks) noted in the literature which are relevant to the New Zealand health care context. They are categorised according to positive or negative claims and whom these most affect – consumers, health professionals, population health/funders.1,2,8-13

Table 1: Potential benefits and risks of patient portals for consumers, health professionals, funders and society

Consumer, patients and their caregivers

Potential benefits of patient portals:
• Support wellness and self-management activities
• Improve understanding of health issues
• Increase sense of control over health
• Increase control over access to personal health information
• Support timely, appropriate preventive services
• Support health care decisions and responsibility for care
• Strengthen communication with providers
• Improve relationship with providers
• Verify accuracy of information in provider records
• Support home monitoring for chronic diseases
• Support understanding, appropriate and continued use of medications
• Support continuity of care across time and providers
• Avoid duplicate tests
• Reduce adverse drug interactions and allergic reactions
• Reduce hassle through online appointment scheduling and prescription refills
• Increase access to providers via e-visits

Potential risks, concerns and challenges from patient portals:
• Increase in patient confusion
• Increase in patient anxiety
• Risk of breaching privacy and security
• Risk if patients use this mode of communication in times of emergency

Health professionals

Potential benefits of patient portals:
• Improve access to data from other providers and the patients themselves
• Increase knowledge of potential drug interactions and allergies
• Avoid duplicate tests
• Improve medication adherence
• Provide information to patients for both health care and patient services purposes
• Improve efficiency in providing patients with specific information or services (e.g., lab results, Rx refills, e-visits)
• Improve documentation of communication with patients
• Improve customer service (transactions and information)
• Support wellness and preventive care
• Improve workforce productivity
• Encourages a more open and honest relationship with patients

Potential risks, concerns and challenges from patient portals:
• Increase in workload with initial implementation
• Increase in health professional workload with patient concerns and messaging queries
• Increase in litigation
• Risk of privacy and security breaches

Funders/ Societal/ Population Health Benefits

Potential benefits of patient portals:
• Support wellness and preventive care
• Improve workforce productivity
• Promote empowered health care consumers
• Strengthen health promotion and disease prevention
• Improve the health of populations
• Expand health education opportunities

Potential risks, concerns and challenges from patient portals:
• Increase disparities due to differential uptake especially if do not address health literacy issues, special needs (visual, cognitive or physical limitations) and access to internet
• Increase health care utilisation (e.g. GP visits, hospitalisation and ED visits.)

Evidence for patient and provider benefits and risks

Given the potential benefits and risks, evidence was sought from the literature looking at the impact of portals on patients and providers. Six recent systematic reviews were retrieved that focused on patient access to their electronic health records and e-communications with their health care team.9,14-18 The majority of the literature to date has come from qualitative analyses, cross-sectional surveys, or descriptive cohort studies. The most recent systematic review15 identified 20 randomised controlled trials published between 1970 and 2013.
The patient population of interest for nearly half of the controlled studies were patients with chronic diseases including diabetes, cancer, heart failure and high blood pressure.15

Existing literature showed that most patients are highly enthusiastic and positive about the opportunity to access their health records through patient portals.19 However, health professionals are far more reticent and usually express concerns that patients may be confused and overwhelmed by the medical jargon or that they will be bombarded by patients sending messages to them.20,21 Internationally and from early experiences in New Zealand, these concerns have not eventuated.28,29 Of note, Davis Giardina et al. (2014) found that there was no “evidence to substantiate any negative patient outcomes resulting from access to health information.” 15 In particular, access to a portal was not associated with an increase in patient anxiety.

From the Open Notes project conducted in three large US health care organizations, the majority of patients viewing at least one visit note reported that they:20

• understood their health conditions better (77-85%)
• remembered their care plan better (76-83%)
• felt in more control of their care (77-87%)
• were able to take better care of themselves (70-72%)
• were better prepared for visits (69-80%)
• would take medications better (60-78%).

Impact on patient-provider partnership

W. Edwards Deming (1900-1993), one of the pioneers of quality improvement, argued that “97% of what is important isn't measured or isn’t measurable.” Only proxy measures therefore are available to look at the impact of portals on the patient-provider partnership.

The most consistent finding is that allowing patients to read medical records leads to improved patient-provider communication.2,20 Patients being able to access their GP records have reported feeling that they have more trust and confidence in their doctor and that it helped them feel like partners in health care.22 Accessing their health information online also:

• helped patients prepare for consultations;
• helped to clarify complex communication that occurred during consultations; and
• being able to review the record at home after a consultation assisted their memory, understanding and self-reported adherence to their care plan. 20,22

Doctors who were involved in the Open Notes project where visit notes were opened up as well as other portal functionalities commented that it “strengthened relationships with some of their patients (including enhanced trust, transparency, communication, and shared decision making) and that participation was easier than expected or seemed to make no difference to their work lives.” 20

Health impacts of portals on patients

The randomised controlled trials to date have investigated the effect of patient portals on various patient outcomes such as physiological outcomes (e.g. BP control or HbA1c), psychological outcomes (e.g. depression, quality of life), health behaviours, adherence, patient satisfaction and self-efficacy. The evidence from these studies is promising but mixed. While some have shown improvements, others have found no impact. While evidence is sparse, there is data suggesting that the use of secure messaging can improve glucose outcomes in patients with diabetes and increase patient satisfaction.17 Furthermore, Goldweig et al. (2012) found that secure messaging as part of a web-based management program was more effective than secure messaging alone.17

Several factors regarding the literature for the above patient outcomes need to be taken into account.
Firstly, the current data available represents very mixed, heterogeneous study populations, differing portal designs, mixed interventions, different measured outcomes and mostly very short time frames (one year or less). Most of the literature comes from the US where compared to non-users, the majority of portal users have private insurance, higher incomes and are mostly white. As such, these people may have better health outcomes anyway and access to a portal might be too weak an intervention to show improvements compared to controls.

Secondly, the design of patient portals may be a crucial factor for patient engagement and the ability to get the most value from this technology. Studies have noted the lack of portal design and content for chronic disease management, 18,23 and low use of the portal as a natural hub for multidisciplinary care co-ordination and case management.23

Work impact of portals for providers

Evidence for portal use and time and resource efficiency has been largely descriptive. A recent qualitative study of US health care institutions indicated physician acceptance of this technology occurred as it made their indirect care work easier and that physicians found this form of communication “just saved time.”21 The major time saver was losing the ‘telephone tag’ and automatic documentation of patient-provider asynchronous communications.21 In the Open Notes project, very few doctors (0-5%) reported longer consultations as a result of patients reading their visit notes. Furthermore, few reported having to spend more time addressing patient concerns outside of the consultation (0-8%).20

The implementation of patient portals has not been associated with increased litigation.20,24

It has been reported that around 28% (17-35%) of all visits do not require face-to-face appointments25,26 and the premise is that online messaging may substitute for some consultations. Indeed an assessment of the impact of patient-provider electronic communication indicated that office visits could be reduced by 10-20% in integrated settings.27 However, studies of the actual impact of patient portals on health care utilisation are mixed. Conducted in different US regions, three studies documenting experiences within Kaiser Permanente are notable.28-30 The first two found that implementing a patient portal linked to the Kaiser EHR reduced primary care visits by 6.7% in one study30 and by 25.3% in the other.28 However, the third study found a marked increase in all health care utilisation.29 Matching for age, sex, utilisation frequencies, and chronic illnesses, they categorised patients as portal users or non-users. Then they compared individual patient utilisation of services in the year after they registered on the portal to the previous year. Compared to non-adopters, they found that adoption of a patient portal was associated with increased telephone contacts (+0.3 per member/year), office visits (+0.7 per member/year), emergency department visits (11.2 per 1000 members/year) and hospitalisations (19.9 per 1000 members/year). No explanation was given for possible reasons for this increase. It will be important to follow up these cohorts in the longer term to investigate whether the pattern of utilisation continues. For all three of these studies, confounding may still be a problem.31

Utilisation will need to be monitored in New Zealand. As yet, these findings have not been mirrored in early experience of portal use here.

Disparities of adoption

All new technologies and interventions have the capacity to increase disparities in health outcomes due to differential uptake. In fact many have raised concerns about portals exemplifying the inverse care law32 – those with most need would be least able to access and use them. Indeed, patients that adopt portals in the US have been reported to be very different from non-adopters by age, gender, ethnicity, socioeconomic status and presence of co-morbidities.33-37 The differences vary whether the measure is ‘getting registered’ or ‘active accounts’ (i.e. patients use the portal once registered). The reasons given for the differences include no provider encouragement to register, lack of patient need (young healthy people may not see the value), health literacy issues, special needs (visual, cognitive or physical limitations), language barriers, no internet, no computer, lack of computer literacy and patient fears or mistrust of the system.

However, differences in uptake are likely to be an issue for high risk populations with chronic disease. Compared to the ‘healthy’, these patients have greater information needs, often complex care plans, multiple providers and poly-pharmacy requiring co-ordinated and sustained care over time. Experience in the US is that patients with chronic disease are less likely than healthy adults (62% vs. 81%) to have internet access.38 However, this is rapidly changing with the rise in the adoption of smart phone technology.39 Indeed, once chronic disease patients have internet access, they are more likely to seek health information online38 and also to adopt portals than those without chronic disease.37,40 Portal adoption will need to be monitored carefully in New Zealand. The availability of smart phone apps is likely to be important for reducing disparities in uptake due to lack of computer access.

Getting ready for patients to access medical records

This section looks at an overall approach for primary health care organisations (PHOs) to consider if they are embarking on implementing patient portals in their member practices. The discussion then looks more at the practice and health professional level regarding readiness for enabling record access, privacy and security concerns and other key issues raised by patients and health professionals.

PHO strategies to support portal implementation

It is not in the scope of this document to discuss IT architecture, or to guide vendor contracting or the business model that the practices and/or PHOs adopt for portals. However, should PHOs wish to support their practices to implement portals, recent research indicates that the following steps facilitate implementation success – both with health professional acceptance and patient uptake.21

1. Have a vision. With patient involvement, work out how patient portals could be a part of the PHO strategic priorities. For example, some PHOs might have a vision of better supporting the patient and their whanau and strengthening the partnership with their health care team. For another PHO, the portal might be a vehicle to achieve evidence-based care such as appropriate CVD risk management for all those who have been risk assessed. In Midlands Health Network, the portal fits into their overall transformational plan – The Model of Care.

2. Articulate the PHO vision widely and in what way the portal might be pivotal to the envisioned change.

3. Gather a governance group and identify consumer and frontline health care staff who are interested. As the portal is a whole of practice intervention – include patients, nurses, receptionists, practice managers as well as GP leaders. The first task of the governance group should be to check whether the vision is one they all support and how the portal can support this vision. This group then works to ensure the privacy and security standards (including a Privacy Impact Assessment) are in place and maintained, the extent of the initial pilot and how practices will be supported. There should be ongoing governance of patient portals in order to manage maintenance of the standards put in place at the time of implementation and to ensure that the portal continues to function as intended.

4. Have a communication plan. Provide patient education and information during the portal registration process. There needs to be careful advertising and printed material available for patients to understand how the portal will work and what security measures will be in place. Having pamphlets to hand out to patients to start the conversation as well as when they register, along with posters for the practices, is really useful.

5. Start small. For example, one practice, one doctor. Depending on circumstances, the practice might start with a subset of the portal functions and gradually introduce more.

6. In the early adopting pilot sites, conduct two work process design projects. One on how to register patients to the portal and a second on how implementing the portal can be incorporated to make practice work easier. International experience is to formally map the work flows in practice processes where a portal will bring about a change in the status quo.21 This will typically include prescriptions, telephone queries, appointments and how laboratory test results are communicated. Process flows will clearly show what is currently happening and where the bottlenecks are. Then repeat the process by mapping how they will occur with the portal.

7. Communicate the stories of the early adopting pilot sites to other practices. A useful strategy internationally was having champions – patients who tell their story of the importance of the portal for them and members of the health care team (GP, nurse, receptionist, practice manager) who visit other practices, discuss issues and concerns and bring their own ‘tried-and-tested’ experiences in early adopting practices.21

8. Train practice teams on the use of their patient portal system. For registration, one of the keys to patient uptake is that everyone in the practice team has a role in letting patients know about the portal and signing them up. Furthermore, all practice members need to be comfortable navigating the portal so that they can guide patients and their queries. Consider scripting the roles of each member of the practice team.

9. Set targets. For example, Midlands Health Network in a Model of Care practice set a target of 50 patients signed up to the portal per month. International evidence suggests that the most successful strategy for portal adoption is for a patient’s trusted health professional to encourage them to sign up.21

10. Monitor uptake and actively seek feedback from practices on issues that arise.

11. Communicate to practices and to patients what is happening, what the problems have been and how they have been addressed. Celebrate success and continue to monitor.

Health information availability

The most common functions and features available to patients through portals connected to their health care team are listed below.9,23,41,42

• Problem list
• Medications
• Allergies and alerts
• Record of visits (time/date/provider)
• Immunisations
• Laboratory results
• Provision of condition-specific information and helpful links to other websites that have patient friendly education resources to help understand medical terms and care
• Clinical summary record
• Pathology and radiology results
• Family history, social and lifestyle history
• Visit consultation notes
• Operation notes
• Secure patient-provider messaging functionality
• Prescription refill requests
• Appointment requests and in some cases the ability for patients to self-schedule appointments
• Patient reminders (for preventive care or appointments)

The functions most commonly used by patients internationally are viewing laboratory results, requesting an appointment, messaging their health care team and requesting a prescription refill.23 Most portals internationally provide links to trusted consumer educational resources from all aspects of data (e.g. weblinks from each diagnosis or each laboratory test.)

There are a variety of approaches that a general practice could consider with respect to offering record access and online transactions. New Zealand is in an early phase of implementation of portal technology and what we do will emerge and mature over time. Advice from other health systems is to consider a staged approach – introducing access to some of the data and functionality available and then gradually extend access as patients and health professionals develop confidence.21,43 Therefore, while the patient can always request access to their full set of notes, initially only a subset of these is made available online. It is in essence an alternative way for patients to be more informed and involved in their care. Opening up functions and health information gradually allows the practice to sort out their work flow processes, new roles and responsibilities and adapt to this new way of working.

Some practices may wish to make consultation notes available and if so may decide on a start date going forward rather than all notes from all times in the past. However, all decisions about what data is available should be made in agreement with the patient.

Privacy, confidentiality and security of health information

For both patients and health professionals, it is vital that privacy and confidentiality of health information is maintained. To maintain trust in their GPs, patients need to continue to have confidence that their health information will not be inappropriately shared or accessed. Practices should have a policy on access to patient portals which is compliant with the Privacy Act 1993 and the Health Information Privacy Code 1994. A formal Privacy Impact Assessment (PIA) is an ideal place to gain an understanding of the impact of the portal on each of the 12 rules of the Health Information Privacy Code 1994.44 The Advisory Group believes that the capacity to conduct the PIA is likely to be at the PHO rather than at the practice level.

The practice’s patient portal should provide a secure environment which enables patients to view their clinical summary and medication list, laboratory test results and to interact with their practice (including messaging the practice team, making appointments and requesting a repeat prescription). Functionality of the patient portal should meet current accepted standards for security (e.g., HISO standards), access, auditability, information ownership and use.

Patient portals use the internet and patient information is sometimes stored on a web-based server (i.e. separate to the practice systems). Having an internet connection is a genuine security risk and all practices are encouraged to review their IT risk management. This includes assigning responsibilities for IT security, having policies and procedures in place, ensuring access control and other risk management measures.

Significant privacy impacts of patient portals – a guide for practices

Each PHO or group who are considering implementing Portals will need to work through a privacy impact assessment for themselves. The following guide sets out significant impacts, but is not intended as a replacement. Differing portal architecture or implementation of other data sharing (for example Clinician-to-Clinician portals with summary care records) will require consideration and adaptation of the guidance given here.

This section has been adapted from the Privacy Impact Assessments conducted by Midlands Health Network Ltd45 and Compass Health46 and provides acknowledgement where segments of these documents have been used. In addition, guidance has been drawn from documents published by Medical Council of New Zealand47 and the Office of the Privacy Commissioner.44

The impact a portal might have on each of the 12 rules of the Health Information Privacy Code 199444 has been identified. For each rule we outline its intent, describe in general how the rule is applied currently and then describe what impact a patient portal might have.

The portal architecture that is used to frame this assessment relates to those connected to a GP’s patient management system. Current instances of this type of portal are ManageMyHealth [MedTech], Health 365 [My Practice] and Accession Patient [Intrahealth]. In this scenario, the portal connects patients through a password protected internet connection directly to a subset of their electronic health records either stored as an extract from the practice in a separate database or retained within general practice electronic systems. It allows patients access to their health records or to an agreed subset of their health information and provides patients with the ability to electronically communicate with the practice with queries and various other functions such as prescription refills or appointment requests.

Rule 1. Purpose of collection of health information

Health information must only be collected for a lawful purpose that is related to the function or activity of the health agency.

How the rule is currently applied: All health professionals collect and record patient health information and decisions made about their medical care. The purpose is to provide a record of a patient’s medical history and on-going treatment as well as meeting medico-legal requirements to describe and support the management of the patient’s health care. Information is also collected for the purpose of sharing with other health professionals such as for referrals or to ensure continuity of care for the patient. The information may also be recorded for statutory or statistical purposes.

Impact of a patient portal: The portal does not change the current purpose of collecting health information.

Rule 2. Collection from the source of health information

In most cases, health information must be collected directly from the person who the information is about. However, sometimes it is acceptable to collect information from other people instead. For example, where the patient has authorised you to collect the information from someone else.

How the rule is currently applied: In almost all circumstances in general practice, information is collected directly from the patient or from parents, guardians, or caregivers.

Impact of a patient portal: The portal provides a new collection opportunity for the patient (and/or their authorised representative) to send information electronically to their general practice team that may be able to be incorporated into their electronic medical record.

Rule 3. Collection of health information from the individual

When a general practice collects health information from an individual, it has to take reasonable steps to make sure that person is aware of the information flows and the purpose of those flows. The individual needs to know that data will be collected, why it is being collected, who will get the information, who will be storing the information and that they have the right to access it. They also need to know whether they have to supply the information or if it is voluntary and what will happen if the information isn’t provided.

How the rule is currently applied: Usually these steps are carried out at the time of patient enrolment into a practice/PHO with the patient signing an enrolment form with specially designed privacy statements. The practice may well also have pamphlets that the patient can take home with them and notices on waiting room walls. The supply of information from a patient to their health care professional is nearly always voluntary with the patient choosing to disclose what they wish.

Impact of a patient portal: Although patients will have signed an enrolment form, it will be necessary to confirm with the patient the impact of registering with the portal in terms of where it is stored (e.g. depending on the portal product this may be a view the patient has into the local practice PMS system or a secure web server that uploads patient information from the patient management system), who has access to the information and the voluntary nature of the process.

Rule 4. Manner of collection of health information

Health information must be collected in a lawful, fair and not unduly intrusive manner.

How the rule is currently applied: Health professionals deal with sensitive personal information on a daily basis and have processes in place for the collection of health information. These processes are already governed by professional quality standards such as those outlined in RNZCGP Foundation Standard 20 – Continuity of care is facilitated by the registration of new patients; and Standard 21 – Patient records meet the requirements to describe and support the management of health care provided.

Impact of a patient portal: Although the portal provides a new opportunity for exchange of information between the patient and their health care team, the manner it is collected should not change.

Rule 5. Storage and security of health information

Agencies holding health information must ensure that there are reasonable safeguards in place to prevent loss, unauthorised access, misuse or disclosure of health information.

How the rule is currently applied: A patient’s medical history and other related health information is usually stored within the practice’s patient management system. As outlined in the Compass Health Privacy Impact Assessment,46 “Almost all general practices are connected to the internet, usually by a broadband internet connection. This internet connection is used primarily for the use of normal business email, web browsing and for creating secure messaging gateways to communicate electronically with other health professionals (most often using the HealthLink product). The terminology “surface area” is often used to describe how much potential there is for threats to attack the security of a system. Having an internet connection is a genuine security risk. The associated surface area for attack it provides is extremely minimal if it is configured correctly. Having an internet connection has a high business benefit which outweighs the associated risks.” 46

The Health Information Security Framework (HISO 10029.1) provides recommendations for health agencies on safeguarding health information so that it is “produced, stored, disposed of and shared in a way that ensures the information’s confidentiality, integrity and availability.” 48

Impact of a patient portal: Some portals utilise the internet and patient information is stored on a secure web-based server (i.e. separate to the practice systems). In addition it will be important to review Privacy Statements and Security measures relating to each portal vendor’s product in terms of encryption during transmission and within the portal webserver.

The following text has been excerpted from the Privacy Impact Assessment conducted by Compass Health.46 It relates to the ManageMyHealth portal but the advice is pertinent to the other instances of PMS-linked portals currently available.

“At present the data is secured with a single-factor authentication mechanism, requiring anyone wishing to access it to have a matching pair of username and password. The risk with the most likelihood of occurring is one where a patient or provider compromises the system security by inadvertently or deliberately giving others their username and password. To mitigate this, it will be important within the patient information to stress the importance of keeping their username and password safe and to only give it to other people that are acting as their guardian or advocate if they wish to. It will also be important to ensure that health professionals are educated fully as to their responsibilities and measures that they need to take to ensure the safety of the system. Organisations will also be asked to ensure that their network, processes and procedures meet a minimum security standard (based on HISO recommendations.)” 48

There is also a risk that a web-based portal can be compromised by software vulnerabilities. In particular, developers need to ensure that sites are robust against cross-site scripting attacks, which may provide unintended access into an underlying database. Therefore, any patient portal should be subject to a robust information security risk assessment before it is loaded with live data.

The Privacy Commissioner has also advised that passwords are (a) often compromised, and (b) usually not strong. Passwords are also particularly vulnerable to socially engineered password resets (i.e. calling the helpdesk and requesting a password reset). Password reset protocols need to be robust against attackers who are likely to know important facts about people (such as estranged family members or investigators).

Patients having registered to a portal can allow other health professionals (and indeed whoever they wish) access to the health information that has been transferred to the portal. This scenario is likely to be useful when patients travel and need to seek health care from other health professionals not usually involved in their care. However, as an additional security measure, audit functionality for the patient is highly recommended. Depending on the product, it will be important to check whether the portal provides audits of access to the system and what the audit entails (e.g. displays date, time, type of access and who accessed the information). In addition, check with vendors regarding blocking access with repeated failed attempts to log on.

Rule 6. Right of access

Patients have a right to access their own health information upon request. Health agencies are required to deal with such a request within 20 working days and in general, give the information without charge and in a form that the individual prefers. General practices can refuse to give access in some situations. For example, if giving the information would endanger patient safety, prevent detection and investigation of criminal offences or involve an unwarranted breach of someone else’s privacy.44

How the rule is currently applied: Currently, if patients want to view their health information they need to make contact with their general practice and request this. This is usually given as a print-out of the electronic information or provided face-to-face with their health professional. General practices have existing processes if there is a need to withhold the information.

Impact of a patient portal: The portal substantially facilitates access to a patient’s own health information. Patients who have registered to the portal will have daily access to their health information uploaded from the patient management system to the portal. However, this is unlikely to be the complete health record but a subset that is agreed upon by the GP and the patient as well as the technical capabilities of the portal product. The GP still retains the ability to withhold information by making a judgement call on the appropriateness of the information to be uploaded. The patient still retains the right to request and receive access to all their health information at their general practice using the standard process as set out in the Privacy Act.

Rule 7. Correction of health information

Patients share their health information with their doctor to better their own health care. Comprehensive and accurate records are integral to providing quality care. Patients have the right to ask the general practice to correct the information held about them, if they think it is wrong. The health professional has an obligation to correct the information when it is wrong. Or if they feel it is inappropriate to do so, they are obligated to attach a note to the patient record outlining the request, the patient’s view about what the correct information is and the subsequent refusal.

How the rule is currently applied: At the present time any request for correction would have generally come from a patient viewing their own health records either as a print-out or face-to-face with their health professional. The practice might arrange an appointment with the patient and the health professional responsible for the information. The health professional would then either be able to correct the information, or decide that the information was accurate and did not need correction. In the latter case, they would usually make a note within the PMS daily record, as to the patient’s request, subsequent refusal and grounds for not changing the information.

Impact of a patient portal: The portal substantially facilitates access to a patient’s own health information and also usually allows the patient to communicate directly through the portal to their health care professional if they see an error or gap in the health information and ask for correction/addition to the source data (i.e. the electronic health record located in the patient management system). Furthermore, the patient has the ability to review whether the correction has occurred. Therefore the presence of a portal is likely to improve the accuracy and completeness of health information.

Rule 8. Accuracy of health information – check before use

Before using or disclosing health information, an agency must take reasonable steps to check that information is accurate, complete, relevant, up-to-date and not misleading. The more important the information is, the more rigorous the steps to ensure accuracy.

How the rule is currently applied: Both from a medico-legal and duty of care perspective, all health professionals need to collect and record health information as accurately as possible and in enough detail to back their clinical decisions. At times they also need to share this data with other health professionals (e.g. referral to other services). They are required to ensure the information is up-to-date, complete and the context of the health information is also often given to assist care delivered by other health professionals. However the data is also reliant on the health professional asking and on the patient providing all relevant information. Sometimes the information may be wrong or incomplete as at the time of documentation.

Impact of a patient portal: All health professionals will continue to take reasonable steps to ensure accuracy and completeness of data.

Rule 9. Retention of medical records

Agencies can only keep health information for as long as is necessary to carry out the purpose for which the agency got the information in the first place. In terms of the general practice setting, it is a core repository of a patient’s medical history and needs to be kept for on-going future care. The Health (Retention of Records) Regulations 1996 require that health information must be retained for a minimum of ten years from the day after the last treatment or care of that individual by the agency holding the information.47

How the rule is currently applied: With electronic records a general practice would hold a copy of a patient’s file often indefinitely even if the patient has transferred to another practice or if the patient has died.

Impact of a patient portal: Medical records will still be retained within a practice’s patient management system. However, in some instances the portal information is held on a separate database and patient generated data might be uploaded and stored there. Therefore the portal component of retention or transfer will need to be addressed.

Rule 10. Limits on use of health information

Agencies must use health information for the same purpose for which they obtained that information.

How the rule is currently applied: In general, patients are given a PHO enrolment form which outlines the purpose and use of their information. The information is primarily used to support the provision of clinical care. It is also used for reporting on health service performance and for health statistics. The practices are obligated to provide this data to their PHO and the PHO is also obligated to use the information in a defined manner. This is usually at an aggregated and non-patient identifiable level. The practice team and the PHOs are the guardians of the use of the health information.

Impact of a patient portal: The patient can now allow access to other health professionals or other people. The patient therefore becomes an additional guardian on the use of this health information. Therefore, the patient information given to a patient at the time of portal registration should stress the importance of keeping their username and password safe and to only give it to other people that are acting as their guardian or advocate if they wish to. In US health care organisations, all patients who register to a portal are asked to give a unique e-mail address rather than having a shared family email. This protects individual family members from their information being shared within the family. If having unique email addresses is unrealistic and family members share email addresses, login details and password reset, then communications processes should be robust for this likelihood.

In addition if the patient allows a wider group of health professionals to access their data in the course of their care, measures will have to be put into place to ensure the health information will be used for the appropriate purpose. Here too, the audit function may be useful. Secondly, it would be prudent to check the privacy statements that vendors have with regard to health information held on their web server. In this area the Compass Health privacy impact assessment46 had some recommendations: “…it will be prudent for the PHOs, on behalf of the general practices to reach a contractual arrangement that allows MedTech Global to use the information only for the purpose of serving that information to authorised users (providers or patients) in a patient-centric summary medical record, and in an anonymous form for marketing of their product.

It should be explicitly forbidden for information contained within ManageMyHealth to be used for the purposes of providing to any party population health statistics at a national or regional level. Such a process could undermine General Practice’s trust in supplying information for monitoring and contractual reporting purposes. A breakdown in trust may adversely affect a health professional’s willingness to record and send information to ManageMyHealth. This function is presently carried out through PHOs and the status quo should be maintained here. There is often a high degree of analytical processing that needs to go into providing population health statistics to ensure the highest possible level of data quality. This is particularly important when using routine clinical data that is not being recorded for population health reasons as the data often requires high degrees of normalisation and cross-checking before being presented in a reasonable form. PHOs also have mechanisms in place in which to feed information back to their member practices prior to reports being released to funders or into the public domain, as a matter of courtesy.”

The Advisory Group have adopted the view that contracts with vendors should prohibit the use of information for providing population health statistics. Such use of information risks undermining widespread adoption of patient portals. However this may change over time as users become more comfortable with health statistics being drawn from portals and EHRs. Further, it is not contrary to the HIPC because the information will not be used in a form where individuals will be identified (in accordance with rule 11(2)(c)).

Rule 11. Limits on disclosure

According to Stevens 2013,47 “Disclosures which were anticipated and intended when the information was obtained can proceed as planned. Other disclosures can be made with the authorisation of the individual. A further group of exceptions applies to allow other disclosures where it is not desirable or practicable to obtain the individual’s authorisation, and the situation fits into one of the limited exceptions set out in the full rule. Examples of this group are where the disclosure is directly related to the purpose for which the information was obtained, where the disclosure is for a professionally recognised accreditation or quality assurance programme, or where the disclosure is for statistical or approved research programmes. The rule against disclosure applies to health information about individuals until twenty years after their deaths.”

How the rule is currently applied: Information collected is disclosed to other health professionals at the time of referral or telephone conversations. Other forms of disclosure are outlined in the PHO enrolment form which the patient signs when enrolling.

Impact of a patient portal: This is a new mechanism of disclosure. Although patients will have signed an enrolment form, it will be necessary to confirm with the patient at the time of registering to a portal that their data could be shared in this way. Furthermore they need to know where it is stored (e.g. where this is a secure web server that uploads patient information from the patient management system), who has access to the information and the voluntary nature of the process. In addition, it would be important to check the privacy statements that vendors make with regard to information disclosure.

Rule 12: Unique identifiers

This rule limits the abilities of health agencies to assign unique identifiers to patients.

How the rule is currently applied: Each New Zealander has a national health index number (NHI) assigned to them that is used to document each health service interaction and details on the NHI database are able to be updated at each contact but usually at the time of patient enrolment in primary care and at hospital admission. Currently health professionals use this NHI number as the unique identifier.

Impact of a patient portal: All portal vendors will continue to use the NHI as the primary identifier.

Common issues to be addressed

Security, registration and authentication

A valuable resource for identifying key issues to be addressed for portals was the Royal College of GP (UK) guidelines on Record Access.43 In it there is a recommendation that assurance of the identity of the patient is a prerequisite for registration. Until there is a robust online process available (such as RealMe in New Zealand), they recommend that registration should be in-person with the extent of identity checking (e.g. photo-ID, plus household bills) supplemented or combined with the practice’s existing knowledge and relationship with the patient.43 In New Zealand, each patient will have already been formally enrolled in a practice and therefore will be known or ‘checked’ through this process.

For portals, secure message delivery involves two processes: encryption and authentication. Encryption means that the data is scrambled so that it cannot be read unless decrypted and authentication means that the sender can be verified (using electronic signatures). It is important to review privacy statements and security measures relating to each portal vendor’s product in terms of encryption during transmission and within the portal webserver. All portals should use an acceptable method of authentication (e.g. login and passwords) and secure web browser connections. For health consumer portals, serious consideration should be given to providing users with the option of two-factor or two-step authentication (the most common consumer implementation involves sending a text to a mobile phone). Storage of data in a separate data centre (external to the patient management system) should be secured by Extended Validation SSL, the highest standard.

There is always a risk that an unauthorised user might guess a provider’s username and password combination. Passwords are also particularly vulnerable to socially engineered password resets (i.e., calling the helpdesk and requesting a password reset). Password reset protocols need to be robust against attackers who are likely to know important facts about people (such as estranged family members or investigators). A further risk arises where a patient or provider compromises the system security by inadvertently or deliberately giving others their username and password.46 To mitigate this, the patient information at time of registration needs to stress the importance of keeping passwords safe and to only give it to other people that are acting as their guardian or advocate if they wish to. It will also be important to ensure that health professionals are educated fully as to their responsibilities and measures that they need to take to ensure the safety of the system.

Key documents in this area include the RNZCGP IT Risk management checklist and Health Information Security Framework (HISO 10029.1) which provides recommendations for health agencies on safeguarding health information so that it is “produced, stored, disposed of and shared in a way that ensures the information’s confidentiality, integrity and availability.” 48 Failure to meet HISO standards could be considered a breach of Rule 5 (storage and security of health information).

To enhance privacy, patients who access their own information through the patient portal should be able to check their portal activity (even just to know if their caregiver, who they authorised to be able to access, has logged in and viewed). For example, some online banking applications clearly display the last login date/time prominently to the user when they next log on. Furthermore, access to a patient’s information through the portal should be blocked following repeated failed login attempts.
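The controls recommended above (patient-visible portal activity, display of the previous login time, and blocking after repeated failed logins) are sketched below as an added example; it is not code from any portal vendor or from the College. The threshold of five failures, the 15-minute lockout, the PBKDF2 work factor and all class and function names are assumptions, since the guidance specifies none of them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILURES = 5                 # assumed threshold; the guidance gives no number
LOCKOUT = timedelta(minutes=15)  # assumed lockout window
PBKDF2_ROUNDS = 200_000          # assumed work factor


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: Optional[datetime] = None
    last_login: Optional[datetime] = None


@dataclass(frozen=True)
class AuditEvent:
    when: datetime   # date and time
    actor: str       # who accessed
    patient: str     # whose record was touched
    action: str      # type of access


class Portal:
    """Hypothetical in-memory portal; session handling is left out."""

    def __init__(self):
        self.accounts = {}
        self.delegates = {}   # patient id -> set of ids the patient authorised
        self.audit = []

    def _log(self, when, actor, patient, action):
        self.audit.append(AuditEvent(when, actor, patient, action))

    def register(self, user_id, password):
        salt = os.urandom(16)
        self.accounts[user_id] = Account(salt, _hash(password, salt))

    def login(self, user_id, password, now):
        """Return (ok, previous_login); previous_login is shown to the user."""
        acct = self.accounts.get(user_id)
        if acct is None:
            _hash(password, b"\0" * 16)  # same work for unknown users
            return False, None
        if acct.locked_until and now < acct.locked_until:
            # Refuse without checking the password, so a correct guess made
            # during the lockout window reveals nothing.
            self._log(now, user_id, user_id, "login_blocked")
            return False, None
        if hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            previous = acct.last_login
            acct.failures, acct.locked_until, acct.last_login = 0, None, now
            self._log(now, user_id, user_id, "login_ok")
            return True, previous
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT
            acct.failures = 0
        self._log(now, user_id, user_id, "login_failed")
        return False, None

    def grant(self, patient, delegate, now):
        self.delegates.setdefault(patient, set()).add(delegate)
        self._log(now, patient, patient, "grant:" + delegate)

    def revoke(self, patient, delegate, now):
        self.delegates.get(patient, set()).discard(delegate)
        self._log(now, patient, patient, "revoke:" + delegate)

    def view_record(self, actor, patient, now):
        allowed = actor == patient or actor in self.delegates.get(patient, set())
        self._log(now, actor, patient, "view" if allowed else "view_denied")
        return allowed

    def activity_for(self, patient):
        """The patient's own view of the audit trail: when, who, what."""
        return [(e.when.isoformat(), e.actor, e.action)
                for e in self.audit if e.patient == patient]


if __name__ == "__main__":
    t0 = datetime(2014, 12, 1, 9, 0)   # constructed timestamps and accounts
    p = Portal()
    p.register("patient-a", "constructed-passphrase-1")
    p.register("carer-b", "constructed-passphrase-2")
    p.login("patient-a", "constructed-passphrase-1", t0)
    p.grant("patient-a", "carer-b", t0 + timedelta(minutes=1))
    p.view_record("carer-b", "patient-a", t0 + timedelta(hours=2))
    ok, previous = p.login("patient-a", "constructed-passphrase-1",
                           t0 + timedelta(days=1))
    print("Last login:", previous)
    for row in p.activity_for("patient-a"):
        print(row)
```

Failed and blocked attempts are written to the same trail the patient can read, so a guessing attempt against their account is visible to them at next login and not only to the practice.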

Informing patients of implications of record access

Patients should be apprised of all the relevant information about portal use including advice to the patient about keeping login and passwords secure, the use of the internet, where data is stored (e.g. external secure web server that uploads patient information from the patient management system), who has access to the information and the ability to audit who accesses their record. As some patients may not be able to or may not wish to use this technology, they also need to be informed about the voluntary nature of the process. Patients should also be given advice about what to do if they are concerned about the security of their records (e.g. someone has their password). As recommended in the RCGP Guidelines for Record Access,43 there should be a mechanism for patients to change their minds about having access, the parts they access and the access rights granted to others.

Patients should also be given information on the risks and benefits of accessing their health information via the portal. Until patient portals become part of routine care, they are qualitatively different from e-referrals, and to some extent shared care as it is the first time consumers are accessing their health information in this way. It is important that this is signalled along with impressing upon patients the importance of their role in protecting access and security rights.

During the registration process, patients should be well-informed and educated about the online health portal including the benefits and risks of using the portal. The most important matters (such as don’t share your password and who the health information may be shared with) should be provided up front to the individual with more detail elsewhere (such as on a web page). Patient information should be available in the practice and on the portal at all times. We note that providing information as ‘terms and conditions’ during an online registration process may be ineffective because people have become too used to just clicking the “I agree to the terms and conditions” button as part of such processes. As health information is only being disclosed back to the individual concerned or the individual’s representative, the individual’s consent is not required under the HIPC.

Patient sharing record with someone else

Patients may wish to share their online health information with family or other caregivers. That is their prerogative but they need to be aware that they are responsible for any consequences arising from their decision to share data.
Internationally, patients are generally discouraged from giving family members their own login and password details, and family members are discouraged from using the same email address. In reality, however, it is not unusual for family members to share email addresses, and therefore login, password reset and communications processes should be robust to this likelihood. Another possibility is to allow patients to authorise other family members or caregivers (after suitable assurance of identity) to be able to access their health information or subsets of it using a separate email address and password. The patient also has a right to stop this access at any time. Some patients may live in an abusive relationship where individuals may be forced to share their records. If this is suspected then the health professional should discuss this with the patient with a view to avoiding patient registration or stopping portal access.

Correction of record - accuracy of record

Access to the electronic medical record by the patient may encourage better record-keeping. Small descriptive studies of giving patients their own records to view in general practice found that 12-25% of patients found incorrect or missing information in their notes.49,50 Indeed patients bring a highly motivated second set of eyes to support their care. When a patient identifies an error or something incomplete in the notes the usual circumstance is for them to message or contact their health care team. As per Rule 7 of the Health Information Privacy Code 1994,44 patients have the right to ask the general practice to correct the information held about them, if they think it is wrong. The health professional has an obligation to correct the information when it is wrong. Or if they feel it is inappropriate to do so, they are obligated to attach a note to the patient record outlining the request, the patient’s view about what the correct information is and the subsequent refusal.

Patients contributing to record

Patient home monitoring (e.g. blood pressure, glucose, peak flow, weight, pedometer steps and seizure frequency) and patient diaries have been used for some time to monitor chronic conditions. At present these are usually paper-based records that are scanned or manually uploaded as required. With portals, such data can be sent by the patient as a secure message to the practice. Into the future a patient may be able to enter their own data into specific patient fields in the portal so that the provenance is always clear. Telemonitoring with wireless devices that automatically upload data to the patient’s medical record is also being piloted but these are not as yet in routine use.

Writing clinical notes

All health professionals collect and record patient health information and decisions made about medical care. The purpose is to provide a comprehensive and accurate record of a patient’s medical history and ongoing treatment as well as meeting medico-legal requirements to describe and support the management of the patient’s health care. Information is also collected for the purpose of sharing with other health professionals such as for referrals or to ensure continuity of care for the patient. The RCGP Guidelines for Record Access has some salient advice about the written clinical notes including speculation in the record and this has been excerpted below: 43

Language and interpretation

The need for clinical accuracy for health professional communication may also involve highly technical information, which must not be made less informative simply for the patient’s ease of understanding. On the other hand, if the record is to become useful for patients, the clearer and more straightforward the writing the better. These can appear to be competing claims, but in many situations there is no conflict.

Nevertheless, in some situations, information will have to remain technical and the patient will need to rely on any information linked to the record for explanation. When writing care plans, there should be less need for technical terms, so these could be written using the patient’s own words.

Advice for health professionals
• Write as accurately, clearly and honestly as possible.
• Always assume that the patient will have access to what you write. This applies whether the patient has electronic contemporaneous Record Access or not and is good clinical practice in any case.
• Avoid local abbreviations or jargon if possible, provided that this does not detract from the clinical message or the way the record is coded, or significantly extends the time taken to enter information into the record.
• Using the patient’s own words may be useful, provided that they add meaning and do not affect the clinical quality of the record.
• If the record has to be technical, so be it. Where possible, there should be links to patient-friendly explanations.

Including speculation in the record

Speculation is an important part of medical records and is clinically essential in structuring diagnostic tests and treatments. Health professionals are sometimes concerned about patients seeing their thoughts and speculations about differential diagnoses. Speculative data added during a consultation process gives health professionals the opportunity to place information in context, and explain the likelihood and timescales. An example would be explaining ‘it is more than likely that you have X but I need to record all possibilities in your record, so do not be alarmed that I have entered Y’.

Experience shows that Record Access does encourage honesty, which can lead to occasional uncomfortable conversations with patients. However, experience also confirms that many patients welcome and expect openness, and that health professionals are best advised to share these options and decisions with patients.

Advice for health professionals
• Include speculation in the record where relevant.
• If possible, share potential alternative diagnoses with patients, explaining likelihood and timescales.
• The record should make it clear when speculation is being expressed.

Laboratory results

An important decision to make in general practice is the timing of release of laboratory results through the portal, and ensuring that patients are informed and so have realistic expectations about time to feedback. Giving patients their laboratory results is one area where there is marked diversity across differing health systems. Some give patients their results at the same time as the health professional receives them. Other organizations prefer the ‘annotate and release’ method. This means that test results can be released only after the health professional has screened them, written a small note beside them and allowed release to the portal. Typical comments may be ‘cholesterol coming down well, repeat in 3 months’ or ‘kidney function is stable’. The value of this method is that normal and abnormal depends on the context and usually needs a health professional to interpret this for the patient. Others have a varied approach depending on the test and the patient. The only tests which were invariably never released through the portal were HIV results.

Online communication

Online communications and response times to queries represent another important area where there needs to be shared understanding and expectations for both the practice and the patient. Thought should be given when setting up this service in a practice, with clear information given to the patient regarding expectations and conditions for use of this service. The Medical Council of New Zealand’s Statement on use of the internet and electronic communication is useful for guidance. 52 In addition, the Canadian Medical Association has a very useful policy document51 with suggestions that might assist practices in a secure messaging portal environment. These have been shortened and adapted below.

Table 2: Managing expectations and conditions of use (Canadian Medical Association Physician guidelines for online communication with patients)51

Mechanisms that might assist in clarifying and communicating expectations, and generally managing email traffic:
• Establish reasonable response times: different enquiries may warrant different response times; account for responses during times of practice closure (weekends, vacations, and statutory holidays).
• Automatically acknowledge receipt of communications and indicate the protocol for response.
• Provide instructions about access to alternatives in case of emergency or urgent situations.
• Encourage or require the provision of a subject heading.
• Triage messages according to subject heading and establish a procedure for responding to each type.
• Limit time required to read and respond to patient communications by encouraging or requiring limited text from patients; restricting communications to single or simple issues; encouraging or requiring office visits for complex matters.
• Use templates to encourage or require standardized communication (with possible benefits regarding storage and linkage).
• Publicise response times (on the physician’s website, in an automated reply, in initial instructions to patients, in an agreement with patients); include instructions regarding emergencies or urgent instructions or in the event a response is not received within the specified time.

It is advisable to ensure that patients know the rules and limits of online communications and, where possible, formally consent to these conditions. Conditions of use might include:
• Acknowledgement of the permitted purposes of online communications and agreement to use online communications only for those purposes.
• Knowledge of and consent to office staff’s access to online communications.
• Acknowledgement of the alternative sources of communication in specific circumstances, such as emergency or no response.
• Agreement to abide by established protocols with respect to such matters as subject headings, length of text and use of templates.
• Verification of the patient’s email address and agreement on the patient’s responsibility to prevent unauthorized access to his or her own system.
• Recognition that the communication might become part of the patient’s record.
• Agreement to refrain from using offensive language.
• Agreement to refrain from using online communication for frivolous or commercial purposes.
• Acknowledgement that permission to use online communication may be withdrawn for failure to abide by the terms and conditions of use.
• Agreement to receive periodic communications from the physician with respect to such matters as drug recall, alerts, health promotion and disease prevention.

Third party data or other data that the health professional wishes to remain confidential

As per the Privacy Impact Assessment, Rule 6 Right of Access, the general practitioner still retains the ability to withhold information by making a judgement call on the appropriateness of the information to be uploaded to the portal. The patient still retains the right to request and receive access to all their health information at their general practice using the standard process as set out in the Privacy Act.

Children

Most instances of portal implementation in New Zealand have been for adults over 18 years. When it comes to children requesting access to their own health information or parents or guardians requesting access to their children’s health information via patient portals, the same considerations apply as the status quo. The Health Information Privacy Code 1994 52 (HIPC) recognises the competing interests of the doctor’s primary ethical duty to their child patient, a patient who may not be competent to consent to treatment, and parents or guardians who want to know about their child’s clinical situation.

Access rights of children

All individuals, including children, have the right of access to their own health information (Rule 6 of the HIPC). If a child makes a request for information, the health agency is obliged to consider this as they would for an adult. In other words, agencies should deal with such a request within 20 working days and in general, give the information without charge and in a form that the child prefers. The information may well be made available by a patient portal. General practices may refuse to give access if, in the doctor’s judgement, the disclosure of the information would be against the child’s interests (Section 29(1)(d) of the Privacy Act).

Requests by parents and guardians

A parent, guardian or caregiver may request access to a child’s health records. As with any other request for access, general practices are obliged to take reasonable precautions to ensure that the person making the request is properly authorised to obtain the information. For those children under the age of 16, a child’s parent or guardian may request access to their child’s health information (under Section 22F of the Health Act 1956 read together with Rule 11(4)(b) of the HIPC). There is discretion to refuse a request where the child does not wish the information to be disclosed or where disclosure would be contrary to the interests of the child. These withholding grounds allow doctors to exercise their judgement. Matters to consider in withholding information might include:
• the nature of the health information (e.g. sensitive and personal information, information about another individual);
• the child’s health condition;
• whether access would harm the child’s physical or mental health;
• the views of the child;
• the purpose for accessing the information;
• the rights of access that the parent has as the child’s representative;
• the child’s living arrangements;
• the relationship between the child’s mother and father and any custody arrangements; and
• whether you are the appropriate person to decide whether to release the information (e.g., it might be inappropriate for laboratory staff to disclose laboratory results).

It may be that only certain information is withheld.

Once a child turns 16 their parents or guardians have no special right to access their health information. However, GPs may give health information to a principal caregiver or near relative where it is not practical or desirable to get the patient’s permission (e.g., they are very unwell or not competent) and the patient has not vetoed the disclosure. The information must be given in line with recognised professional practice (Rule 11(2)(b) HIPC).

What does this mean in practice and what implications would this have for patient portals?

In practice, it is often parents who request health information about their children. The portal substantially facilitates a parent’s access to the health information of a child under the age of 16. Parents who have registered to the portal will have access to the health information uploaded from the patient management system to the portal. This will usually be a portion of the child’s health record that is agreed upon by the GP and parent. In the case of very young children, there would seldom be reason to withhold the information from a parent as a representative of the child. However, tensions might arise where children, particularly older children, do not wish their parents to know sensitive personal information. GPs are able to withhold some or all of the information by exercising their judgment taking into account the individual child’s situation. In situations where some information is withheld, parents are still able to exercise their right to request access to the remaining health information held by the general practice under the Privacy Act. If a child requests access to their own health information via a patient portal, the GP may use their discretion about the appropriateness of information to be uploaded. It might also be appropriate to ensure someone is able to assist the child in interpreting the information and to answer any of their questions.

References

1. Honeyman A, Cox B, Fisher B. Potential impacts of patient access to their electronic care records. Informatics in Primary Care 2005;13:55-60.
2. Ross SE, Lin C-T. The effects of promoting patient access to medical records: a review. Journal of the American Medical Informatics Association 2003;10:129-38.
3. IT Health Board. National Health IT Plan Update (DRAFT) 2013 – 2014. Wellington; 2013.
4. National Health IT Board. National Health IT Plan: enabling an integrated health care model. Wellington: http://www.ithealthboard.health.nz; 2010.
5. Medical Protection Society. Requests for health information. New Zealand FactSheet: www.medicalprotection.org; 2014.
6. Patients First and National Institute of Health care Innovation. PMS Review 2 – Sector Briefing on Portals. Wellington: Patients First/NIHI; 2014.
7. Tang PC, Ash JS, Bates DW, Overhage JM, Sands DZ. Personal health records: definitions, benefits, and strategies for overcoming barriers to adoption. Journal of the American Medical Informatics Association;13:121-6.
8. US Department of Health and Human Services. Personal Health Records and Personal Health Record Systems: a report and recommendations from the National Committee on Vital and Health Statistics. Washington: US Department of Health and Human Services; 2006.
9. Archer N, Fevrier-Thomas U, Lokker C, McKibbon KA, Straus SE. Personal health records: a scoping review. Journal of the American Medical Informatics Association 2011;18:515-22.
10. Pyper C, Amery J, Watson M, Crook C. Patients' experiences when accessing their online electronic patient records in primary care. British Journal of General Practice 2004;54:38-43.
11. Pyper C, Amery J, Watson M, Crook C. Access to electronic health records in primary care-a survey of patients' views. Medical Science Monitor 2004;10:SR17-22.
12. The Royal Australian College of General Practitioners. RACGP Position Statement: Personally Controlled Electronic Health Record (PCEHR). Melbourne: The Royal Australian College of General Practitioners; 2012.
13. Hassol A, Walker JM, Kidder D, et al. Patient experiences and attitudes about access to a patient electronic health care record and linked web messaging. Journal of the American Medical Informatics Association 2004;11:505-13.
14. Ammenwerth E, Schnell-Inderst P, Hoerbst A. The impact of electronic patient portals on patient care: a systematic review of controlled trials. Journal of Medical Internet Research 2012;14:e162.
15. Davis Giardina T, Menon S, Parrish DE, Sittig DF, Singh H. Patient access to medical records and health care outcomes: a systematic review. Journal of the American Medical Informatics Association 2014;21:737-41.
16. Measuring the impact of patient portals. What the literature tells us. California Health care Foundation, 2011. (Accessed 15/06/2014, at http://www.chcf.org/publications/2011/05/measuring-impact-patient-portals.)
17. Goldzweig C, Towfigh A, Paige N, et al. Systematic Review: Secure Messaging Between Providers and Patients, and Patients’ Access to Their Own Medical Record: Evidence on Health Outcomes, Satisfaction, Efficiency and Attitudes. Washington: Department of Veterans Affairs; 2012.
18. Tenforde M, Jain A, Hickner J. The value of personal health records for chronic disease management: what do we know? Family Medicine 2011;43:351-4.
19. Delbanco T, Walker J, Darer JD, et al. Open notes: doctors and patients signing on. Annals of Internal Medicine 2010;153:121-5.
20. Delbanco T, Walker J, Bell SK, et al. Inviting Patients to Read Their Doctors' Notes: A Quasi-experimental Study and a Look Ahead. Annals of Internal Medicine 2012;157:461-70.
21. Wells S, Rozenblum R, Park A, Dunn M, Bates DW. Organizational Strategies for Promoting Patient and Provider Uptake of Personal Health Records. J Am Med Inform Assoc 2014; Published Online First: 17 October 2014: amiajnl-2014-003055.
22. Fisher B, Bhavnani V, Winfield M. How patients use access to their full health records: a qualitative study of patients in general practice. Journal of the Royal Society of Medicine 2009;102:539-44.
23. Wells S, Rozenblum R, Park A, Dunn M, Bates DW. Personal Health records for patients with chronic disease. Applied Clinical Informatics 2014;5:416-29.
24. Cimino JJ, Patel VL, Kushniruk AW. The patient clinical information system (PatCIS): technical solutions for and experience with giving patients access to their electronic medical records. International Journal of Medical Informatics 2002;68:113-27.
25. DiMatteo MR. Variations in patients' adherence to medical recommendations: a quantitative review of 50 years of research. Medical Care 2004;42:200-9.
26. Vickery DM, Kalmer H, Lowry D, Constantine M, Wright E, Loren W. Effect of a self-care education program on medical visits. JAMA 1983;250:2952-6.
27. Weiner JP, Yeh S, Blumenthal D. The impact of health information technology and e-health on the future demand for physician services. Health Affairs 2013;32:1998-2004.
28. Chen C, Garrido T, Chock D, Okawa G, Liang L. The Kaiser Permanente Electronic Health Record: transforming and streamlining modalities of care. Health Affairs 2009;28:323-33.
29. Palen TE, Ross C, Powers JD, Xu S. Association of online patient access to clinicians and medical records with use of clinical services. JAMA 2012;308:2012-9.
30. Zhou YY, Garrido T, Chin HL, Wiesenthal AM, Liang LL. Patient access to an electronic health record with secure messaging: impact on primary care utilization. American Journal of Managed Care 2007;13:418-24.
31. Bates DW, Wells S. Personal health records and health care utilization. JAMA 2012;308:2034-6.
32. Tudor Hart J. Commentary: three decades of the inverse care law. BMJ 2000;320:18-9.
33. Ancker JS, Barron Y, Rockoff ML, et al. Use of an electronic patient portal among disadvantaged populations. Journal of General Internal Medicine 2011;26:1117-23.
34. Goel MS, Brown TL, Williams A, Hasnain-Wynia R, Thompson JA, Baker DW. Disparities in enrollment and use of an electronic patient portal. Journal of General Internal Medicine 2011;26:1112-6.
35. Roblin DW, Houston TK, 2nd, Allison JJ, Joski PJ, Becker ER. Disparities in use of a personal health record in a managed care organization. Journal of the American Medical Informatics Association 2009;16:683-9.
36. Sarkar U, Karter AJ, Liu JY, et al. Social disparities in internet patient portal use in diabetes: evidence that the digital divide extends beyond access. Journal of the American Medical Informatics Association 2011;18:318-21.
37. Yamin CK, Emani S, Williams DH, et al. The digital divide in adoption and use of a personal health record. Archives of Internal Medicine 2011;171:568-74.
38. Fox S, Purcell K. Chronic disease and the Internet. http://www.pewinternet.org/Reports/2010/Chronic-Disease.aspx: Pew Internet and American Life Project; 2010.
39. Zickuhr K, Smith A. Digital differences. http://pewinternet.org/Reports/2012/Digital-differences.aspx: Pew Internet and American Life Project; 2012.
40. Hsu J, Huang J, Kinsman J, et al. Use of e-Health services between 1999 and 2002: a growing digital divide. Journal of the American Medical Informatics Association 2005;12:164-71.
41. Collins SA, Vawdrey DK, Kukafka R, Kuperman GJ. Policies for patient access to clinical data via PHRs: current state and recommendations. Journal of the American Medical Informatics Association 2011;18 Suppl 1:i2-7.
42. Reti SR, Feldman HJ, Ross SE, Safran C. Improving personal health records for patient-centered care. Journal of the American Medical Informatics Association 2010;17:192-5.
43. The Royal College of General Practitioners. Enabling patients to access Electronic Health Records: Guidance for Health Professionals. London: Royal College of General Practitioners; 2010.
44. Privacy Commissioner Te Mana Matapono Matatapu. A Quick Tour of the Health Information Privacy Code Rules. Wellington: Privacy Commissioner; 2014.
45. Munro M. ManageMyHealth: Patient portal and Shared Electronic Health Record. Privacy Impact Assessment. Hamilton: Midlands Health Network; 2012.
46. McCrae J. Shared Care Record Privacy Impact Assessment: Compass Health; 2010.
47. Stevens R. Medical records and patient access to information. In: St George IM, ed. Cole's medical practice in New Zealand. 12th ed. Wellington: Medical Council of New Zealand; 2013.
48. Ministry of Health. Health Information Security Framework, Essentials and Recommendations. HISO 10029.1. Wellington: Ministry of Health; 2009.
49. Baldry M, Cheal C, Fisher B, Gillett M, Huet V. Giving patients their own records in general practice: experience of patients and staff. Br Med J (Clin Res Ed) 1986;292:596-8.
50. Jones RB, McGhee SM, McGhee D. Patient online access to medical records in general practice. Health Bull (Edinb) 1992;50:143-50.
51. Association CM. Physician guidelines for online communication with patients. Ottawa: Canadian Medical Association; 2005.
52. Medical Protection Society. Releasing children's records. New Zealand FactSheet: www.medicalprotection.org; 2013.
53. Medical Council of New Zealand. Statement on use of the internet and electronic communication. https://www.mcnz.org.nz/assets/News-and-Publications/Statement-on-use-of-the-internet-and-electronic-communication-v2.pdf. June 2013.
