Although efforts to provide patients with increased access to their medical information through personal health records (PHRs) have accelerated in recent years,1 legal, ethical, and technical challenges have significantly impeded a meaningful implementation of PHRs among minor patients and dependent adults. Furnishing patients with an updated list of problems, medications, clinic notes, as well as laboratory and diagnostic studies results will undeniably improve transparency and allow patients to become better informed and involved in managing their own health care. However, although most PHRs are personally managed and individually maintained, the PHRs for children and dependent adults are not. Contingent on their developmental maturity or intellectual capacity, these patients require proxies to help access their PHR and manage their health information, and the control of the record may be either shared by both the patient and proxy or solely managed by the proxy. For children and adolescents this proxy role is generally provided to parents who retain this responsibility until the patient reaches legal adulthood (in most states at 18 years of age or emancipation) and is able to fully embrace complete ownership of his or her own health information. For dependent young adults this role is frequently filled by parents or other relatives, whereas for elderly patients this role may be carried out by a spouse, adult children, other relatives, or an unrelated caregiver.
The configuration of most currently available PHRs allows both the patient (where appropriate) and his or her designated proxy complete access to the available data contained in the PHR. However, in many circumstances, some information in the record should be considered private and confidential, having never been intended to be shared with others. For instance, adolescent patients can consent to their own health care in select circumstances such as reproductive health, sexually transmitted illnesses, as well as substance abuse and mental health and have a legal right for this information to be kept confidential.2 Health care providers are legally obligated to keep records related to these visits private, including the occurrence of the visit itself, and are not routinely allowed to share this information with parents.3 Conversely, parents may share information with providers about themselves or family members such as information related to domestic abuse or paternity that they may not want the adolescent patient to know. Similarly, a parent may not want his or her adult children to be privy to all the data contained in his or her record, such as information regarding a previous abortion or substance abuse.
Currently, this information is scattered throughout a patient’s electronic heath record (EHR) and, if released to the PHR, is readily available to anyone with appropriate access credentials. This situation impacts essentially every type of health data, including medication lists (eg, oral contraceptives), problems lists (eg, pelvic inflammatory disease), notes, visit summaries, appointments (eg, a confidential visit for sexually transmitted illness), laboratory and diagnostic study results (eg, HIV result, pelvic ultrasound for pregnancy confirmation), family and social histories, and hospital bills (eg, for confidential visit and treatment).
To overcome these challenges to protecting confidentiality, several deficiencies in the current construct of PHRs and EHRs need to be addressed. First, EHRs have not been suitably designed to allow all types of information that require special consideration to be flagged as sensitive, whether automatically by predetermined logic (eg, HIV results) or individually as specified by a provider (eg, a portion of a clinic note containing a detailed sexual history that the adolescent should be able to see, but not the parent). The information is thus indistinguishable in the EHR and cannot be handled any differently than nonsensitive information when released to the PHR. Second, PHRs must be designed with different access roles, so that users may have different views of the data based on what categories of data they are permitted to view.
Unfortunately, with the rapid adoption of PHRs, these shortcomings have either been ignored, as has been the case for dependent adults, or workarounds have been created, as has been the case for adolescents. This situation unacceptably undermines the rights and needs of these individuals. In the case of adolescents, most health care centers have chosen to either discontinue access to the parent of adolescents (usually around age 12 or 13), leaving access to the adolescent alone, to suppress health information, or to discontinue access to both the parents and adolescents, revoking all access to the PHR.4 These approaches limit the risk of disclosures at the cost of discriminating against this population by impeding access to their health information. Many adolescents with chronic medical conditions require ongoing help managing laboratories, medications, and appointments from their parents who would greatly benefit from continued access to the PHR. Some health care centers have implemented a process in which the adolescent consents to share access to all of the information in the PHR with his or her parents and the adolescent assumes the responsibility of notifying the PHR administrator if parental access needs to be disconnected due to a confidential visit. This approach results in a high risk of inadvertent disclosures and places an undue burden on the adolescent to both remember to disconnect the parental access and to explain to the parents why they can no longer access the PHR.
The EHR should be designed to manage sensitive information, and the PHR should be able to differentiate between who is logging in and flex the data available to be viewed on the basis of the individual’s access type. This differential access solution would allow a parent who logs in to a PHR to see all the general medical information, but the parent would not see the oral contraceptives on the medication list or the Chlamydia test sent as part of confidential visits. The adolescent, on the other hand, would be able to see all of this information but not that he or she was adopted or the parent’s previous struggle with alcoholism, which her parent had asked not to be disclosed to the adolescent.5
We agree with current efforts to equip patients with PHRs but regret that there has been minimal attention to these privacy issues, which represent significant obstacles to implementation, and that insufficient effort has been applied to address the changes needed to both EHRs and PHRs to overcome these barriers. Some may argue that patients and families were able to request paper copies of their full medical record from their Health Information Management departments before the advent of digital PHRs with minimal attention given to sensitive information. However, the convenience of PHRs and the breadth of adoption have considerably expanded the scale of users accessing health information, thereby also exponentially increasing the risk of disclosing confidential information. We encourage readers to insist that their EHR and PHR vendors focus on the need to provide the tools needed to appropriately protect privacy and confidentiality in this era of sharing. Every patient was a child at one time requiring parental assistance, and most patients will require assistance again at some point as they get older. Meeting the design requirements to adapt EHRs and PHRs to conform to the privacy and confidentiality essentials of these populations will, admittedly, require significant modifications to the current architecture but is indispensable in appropriately addressing the needs and rights of individuals during vulnerable times in their lives.
- Accepted December 22, 2014.
- Address correspondence to Fabienne C, Bourgeois MD, MPH, Division of General Pediatrics, Boston Children’s Hospital, 300 Longwood Ave, Boston, MA 02115. E-mail:
Dr Bourgeois conceptualized the content of the manuscript and drafted the initial manuscript; Drs Nigrin and Harper reviewed and revised the manuscript; and all authors approved the final manuscript as submitted.
FINANCIAL DISCLOSURE: The authors have indicated they have no financial relationships relevant to this article to disclose.
FUNDING: No external funding.
POTENTIAL CONFLICT OF INTEREST: The authors have indicated they have no potential conflicts of interest to disclose.
- 3.↵Committee on Bioethics, American Academy of Pediatrics. Informed consent, parental permission, and assent in pediatric practice. Pediatrics. 1995;95(2):314–317
- Bourgeois FC,
- Taylor PL,
- Emans SJ,
- et al
- Copyright © 2015 by the American Academy of Pediatrics