HIPAA Q&A: Selecting records to include in patient portals


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: With the implementation of patient portals, there is concern over accessibility of certain information. My organization does not include minors’ records in its portal, but we are uncertain about whether to include other records. For example, is including incapacitated individuals’ information in the portal acceptable? If so, how do we determine who has access to these patients’ records? Can the portal include information pertaining to mental health, HIV, STDs, etc.? What can/should a CE restrict when storing patient information on a portal?

A: Making information on minors available through a patient portal can be rather complex with the overlay of state minor laws, so excluding the records of minors from your portal is acceptable. Generally, a patient signs up to access a patient portal. You do not need to limit the health information that can be accessed through the portal, even in instances of specially protected classes of information such as an HIV/AIDS diagnosis.

You may or may not know whether a patient is incapacitated. If you are aware that a patient is incapacitated and you receive a request from a personal representative to access the portal, obtaining documentation showing that the personal representative is authorized to access the portal is a good idea. For example, obtain a copy of the power of attorney before granting access.

It’s also a good idea to include a disclaimer stating that if a patient elects to share his or her password with others, the organization is not liable for damages. An organization is responsible for securing its portal, but not for the actions of patients. Be prepared to shut down access if a patient reports unauthorized access to the portal.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
