Risk Management Tip: The Proper Use of Patient Portals

MLMIC Risk Management Tip #22 addresses medical professional liability risks related to “The Proper Use of Patient Portals.”

The Risk
Patient portals are an effective tool to actively engage patients in their care to improve health outcomes. However, healthcare professionals must be aware of the potential risks presented by this technology. Some of these risks include: reliance on the patient portal as a sole method of patient communication; patient transmission of urgent/emergent messages via the portal; the posting of critical diagnostic results prior to provider discussions with patients; and possible security breaches resulting in HIPAA violations. Implementing appropriate policies and procedures in the use of portals will enhance patient communication and mitigate liability risks for the practice.


  1. Develop comprehensive patient portal policies which include:
    • patient username and password requirements (minimum number of characters including capitals and non-alphabet characters);
    • a privacy/confidentiality statement on all outgoing messages;
    • encryption updates;
    • account lockout after a specified number of failed login attempts;
    • a mechanism to ensure termination of user access when indicated (e.g., the patient leaves the practice, death, inappropriate use of the portal, etc.);
    • timeframes for responding to patient communication;
    • designated responsibility for replying to patients when the primary provider is not available;
    • utilizing a two-patient-identifier system for importation of diagnostic studies into the patient portal;
    • monitoring patient access to posted diagnostic results;
    • a follow-up system for patients who do not access the portal; and
    • a mechanism to notify patients if the portal is not functioning properly. A notification should be placed on the practice’s website, and also included on any prerecorded telephone message.
  2. Advise patients of the reporting mechanism for:
    • email address changes;
    • questions regarding portal use;
    • potential errors in their information; and
    • suspected breaches of privacy.
  3. Providers should not use the portal as the means to communicate critical/significant diagnostic results. Diagnostic results should not be posted to the portal until this communication occurs.
  4. Instruct patients that the portal is not to be used to evaluate and treat new problems.
  5. Utilize a disclaimer on the portal that clearly states it is not to be used for emergencies/urgent problems and include instructions for patients to call 911 or go to the nearest emergency department.
  6. Consider the use of a patient portal user agreement that:
    • defines the information patients may access (e.g., appointments, medication refills and referral requests, form downloads, routine appointment reminders, and laboratory reports);
    • prohibits requests for narcotic medication refills;
    • states that the patient portal is the only permissible method of electronic communication with the practice; and
    • includes the disclaimer statement regarding urgent/emergent/new problems.

Have staff educate patients regarding the use of the portal and the contents of the portal user agreement upon patient sign-up and as necessary.

This MLMIC Risk Management Tip is available here as a PDF: “The Proper Use of Patient Portals.”