Too Many Don’ts and Not Enough Do’s? A Survey of Hospitals About Their Portal Instructions for Patients



Patient portals present the opportunity to expand patients’ access to their clinicians and health information. Yet patients and clinicians have expressed the need for more guidance on portal and secure messaging procedures to avoid misuse. Little information is currently available concerning whether and how expectations of portal and messaging usage are communicated to patients.


To identify the information made available to patients about patient portal use, and to assess ease in accessing such information.


A national survey of publicly available portal information from hospital websites. The study team followed up with phone calls to each hospital to request any additional patient-directed materials (e.g., pamphlets) not located in the web search.


A random sample of 200 acute-care hospitals, 50 from each of four US Census regions, selected from the US Centers for Medicare & Medicaid Hospital Compare dataset.

Main Measures

Availability of patient portals, secure messaging, and related functionality; the content and ease of access to patient-directed information about portals.

Key Results

Of the hospitals sampled, 177 (89%) had a patient portal; 116 (66%) of these included secure messaging functionality. Most portals with secure messaging (N = 65, 58%) did not describe appropriate patient messaging conduct. Although many included disclaimers that the service is not for emergencies, 23 hospitals only included this within the fine prints of their “Terms and Conditions” section. Content analysis of additional patient-directed materials revealed a focus on logistical content, features of the portals, and parameters of use. Of the three categories, logistical content (e.g., creating an account) was the most thorough.


Although most of the sampled hospitals had patient portals, many fail to educate patients fully and set expectations for secure messaging. To improve patient engagement and minimize harm, hospitals and clinicians need to provide more information and set clearer guidelines for patients.


Adequate access to healthcare, clinicians, and health information is a problem for many patients. Patient portals represent one mechanism for expanding such access. Patient portals are password-protected websites and platforms that give patients 24-h access to their personal health information.1 Many portals also have a messaging function for patients to contact their healthcare teams securely.

The Health Information Technology for Economic and Clinical Health (HITECH) Act provided financial incentives for US hospitals to adopt patient portals. As of 2018, 90% of healthcare leaders indicated that their organization offered a patient portal.2 Both patients and clinicians have expressed the need for guidance on portal use, and especially secure messaging.3, 4 Portals lack real-time mechanisms for assessing patient understanding of the information in their medical records and the messages received from their clinicians. Helping patients understand the information communicated to them may help to identify information needs and to realize the full benefits of patient portals.

Patient adoption of portals has increased significantly over the last 15 years, as access to the portals has increased. The proportion of Americans who were offered online access to their medical records (a key function of patient portals) rose more than a third from 2013 to 2014.5 Over 80% of patients who accessed their patient portals considered the information useful.5 Although earlier studies found the association between portal adoption and clinical outcomes to be varied,6, 7 more recent studies have observed improvements in patient satisfaction and disease control, especially when focusing on specific disease outcomes, such as diabetes mellitus, and specific portal functions, such as secure messaging.8,9,10,11

Despite the benefits, clinicians have expressed concern about patients’ “misuse” and “misunderstanding” of portals, especially secure messaging.4 This is particularly concerning because the use of secure messaging is increasing and it is unclear if expectations of portal use are communicated to patients. In 2011, Osborn et al. published an in-depth analysis of the policies and procedures governing the patient portal of Vanderbilt University Hospital, and advocated for explicit guidelines to develop safe and effective patient portals.12 This study examines available guidelines and sought to identify how hospitals convey information about portal use, to describe the information available to patients regarding patient portals, to assess ease in accessing this information, and to highlight areas of need and improvement in hospitals’ education of patients about their portals.


We reviewed information available to patients regarding patient portals at a random sample of hospitals in the USA. This study was declared not human subjects research and exempt from review by the Indiana University Institutional Review Board.

Sample of US Hospitals

We used the US Centers for Medicare & Medicaid Services (CMS) Hospital Compare dataset to compile a list of acute-care hospitals in the USA as of July 2018. The dataset provided overall quality indicators and hospital characteristics including geographic setting and hospital ownership. We stratified the list by four CMS-defined geographic regions (Midwest, Northeast, South, and West) and, using a computerized random-number generator, randomly sampled from each region until we reached our target sample size of 200 hospitals (50 in each region). Although this list excluded the US Department of Veterans Affairs (VA) hospitals, we intentionally abstracted information about a Midwestern VA hospital that uses the VA’s nationwide portal system, because the VA represents a large US healthcare system of interest.

Given the exploratory nature of this project, the targeted sample size was not driven by statistical power to test hypotheses, but rather to be descriptive. We sought to include enough hospitals to achieve variation and thematic saturation in the content analysis. Whenever possible, we noted when hospitals in our random sample belonged to the same health system.

Data Collection

We reviewed hospital web sites and administered a telephone-based survey to collect information about each hospital in the sample. Two research assistants (CW and SB) recorded the information on a structured form.

Web Review

The search began on the hospital’s homepage, but search terms were also used if a portal was not identified from the homepage. If a portal was available, we collected information about its functions as presented (e.g., whether the portal has a scheduling function) and information presented about the portal (e.g., whether technical assistance was presented). We also collected information about the ease of accessing the portals for a new user, defined as the number of mouse clicks from the hospital’s main webpage to the portals’ login or home page. Whenever secure messaging was listed as a function of the portal, we collected available guidance about how secure messaging is to be used, including frequently asked questions.

Telephone Survey

Members of the study team (CEW and SB) contacted each hospital in our sample that offered a patient portal, to request patient-directed materials (e.g., brochures and pamphlets) about the patient portals, and secure messaging in particular. A maximum of three attempts were made. We identified ourselves and our institution by name and stated that we were attempting to obtain information given to patients about patient portals, and secure messaging in particular. Additionally, if questions about a hospital’s portal arose during the web search (e.g., ascertaining which of several patient portals affiliated with the hospital was the current system), the telephone survey was used to clarify these issues when possible.


We report our results using descriptive statistics with means and proportions, quantifying portal features of each hospital. The features of interest were identified prior to data collection and were iteratively refined during the collection period, prior to analysis. These included portal functionality, accessibility, language, and the types of guidance provided. We also conducted qualitative analysis of available secure messaging information. For the patient-directed information collected from the phone survey, the data team (CEW, SB, JLL) first identified content areas of interest from our own experience to draft a coding scheme. Then, using a preliminary sample of 20 hospitals, we analyzed content using this draft scheme. The coding scheme was then revised for the final analysis. During the final analysis, a round of consensus coding was done to test and generate final agreement and utility of the coding scheme.


We began the project with 200 hospitals. Table 1 describes the characteristics of the hospitals in the study sample, and the hospitals from which the sample was drawn (“national population”), according to Hospital Compares.13 The sample was similar to the national set except in geographic distribution, because we intentionally sampled from all four regions evenly.

Table 1 Hospital characteristics

Patient Portals

The Office of the National Coordinator for Health Information Technology first introduced the concept of “meaningful use,” defined by the use of certified electronic health record (EHR) technology in a meaningful manner, such as for electronic prescribing.14 According to the Hospital Compare data, all but 3 hospitals from our sample of 200 met basic CMS Meaningful Use standards. However, our data abstractors could confirm the presence of a patient portal for only 177 (89%) of the hospitals. Of these, 116 (66%) had secure messaging as a function. Of the portal systems identified among 177 hospitals, Epic’s was available most commonly (N = 64, 36%), followed by Cerner’s (N = 30, 17%). The other hospitals used either a homegrown portal system (N = 53, 30%) or a portal system from other vendors (N = 30, 17%). Table 2 summarizes the common functions of patient portals according to descriptions found online. Although a patient portal, by definition, provides patients access to personal health information online, only 85% of hospitals with portals listed access to medical records as a function. No individual feature was listed by all hospitals with portals; 21 hospitals (12%) did not catalog or otherwise describe any of the functions of their portals. Portals may offer more functions than what is listed on the web.

Table 2 Portal features listed at 177 institutions’ websites

Regarding ease of use, 76 (65%) patient portals had links that were easily found, defined as links accessible within 2 clicks from the home page. Sixty-eight percent (121) offered the portal as a mobile app in addition to the website. Fifty-three (48%) of the portals were available in another language, most commonly Spanish, in addition to English.

Secure Messaging

We examined the language that hospitals used to describe the attributes and functions of online secure messaging and organized them by theme (Table 3). Secure messaging was most often described as a way for patients to “securely” communicate with their clinicians, including asking questions, although few descriptions elaborated on what made the features secure.

Table 3 Notable themes of secure messaging descriptions among 116 hospitals with secure messaging

Regarding the parameters of use for secure messaging conveyed by hospitals, 90 hospitals with secure messaging capability (78%) indicated that secure messaging should not be used for urgent situations; the remainder (23) either indicated this only in the “Terms and Conditions” section or not at all. Seventy-six hospitals (67%) provided an expected turnaround time for responses to secure messages. All but one of the hospitals with response times indicated one within 3 business days; the one exception had a response time of within 4 business days. The wording about the timing varied, with examples such as “1–2 business days” (N = 19, 25%), “1–3 business days” (N = 28, 32%), and “within 3 days” (N = 19, 25%). Many (N = 64, 55%) encouraged patients to keep their login information secure and to change passwords on a regular basis. A minority of hospitals (N = 47, 42%) described expected patient conduct regarding messaging. Of those, 32 hospitals defined inappropriate behaviors, most often found under “Terms and Conditions”; 15 hospitals provided examples of appropriate or expected uses. Table 4 highlights notable examples of expected messaging conduct.

Table 4 Examples of expected messaging conduct

The “Terms and Conditions” sections of some hospitals detailed patients’ responsibilities when using the secure messaging systems. In particular, several noted that hospital systems would not be liable for patients’ use of portals. Some hospitals specified liability for under $1000, while others assume no liability “even if [Hospital] knew or should have known of the possibility of such damages, claims, demands, or actions.” Another noted the possibility of information use, and loss, noting that the hospital “assumes no responsibility for how you use the information you obtain from [patient portal],” and “you agree to hold harmless [Hospital] should any information be lost while communicating online.”

Brochures and Pamphlets (Telephone Survey)

Our telephone calls to hospitals yielded additional information from 36 hospitals. Another ten hospitals (beyond the 36) said that they had brochures for patients but would not share these with the study team. The hospital staff who answered the research team’s telephone calls often had difficulty identifying who would have a brochure available to share. We were directed to, and received information from, hospital staff in many different roles, including the communications and media offices, the patient portal helplines, nurses, and hospital administrators. The information from the hospitals, in the form of brochures and other printed documents emailed to the research team, focused on the features of patient portals, the logistics of accessing portals (e.g., how to create an account), and the parameters of use. Of the 36 with printed information available, 13 (36%) of the brochures presented information that was not found through the web review. This was often the case for hospitals whose portal links led to a login page without additional information. The additional information included more details of the portal’s functions, how to create an account, and information in print about expected conduct that was only listed in the “Terms and Conditions” section of the website. Of the hospitals with printed materials, 34 (94%) provided information including a point of contact for patients—most provided both telephone number and email address—and 32 (88%) provided instructions on how to log in to the portal. Fewer than half (N = 15, 41%) included parameters on when or how to use the portals beyond stating that secure messaging should not be used for emergencies.

My HealtheVet: the VA Portal

Although the VA is excluded from the Hospital Compares list,13 we opted to gather information about the VA’s portal system from a Midwestern VA hospital. The VA portal webpage listed common portal functions, including accessing medical records, sending messages, scheduling appointments, and refilling prescriptions. Paying bills online is mentioned in the “Frequently Asked Questions (FAQ)” section, but done through a separate system. The FAQ section, in both print and online (the web version is more extensive), is significantly more detailed than comparable sections in other portals examined. The section explains not just how to sign up for secure messaging, but how it differs from email, how patients can tell whether a message has been read, and who would respond to patient messages. Beyond simply providing an expected turnaround time (three business days), the guide includes a definition of business hours, noting that they are “Monday through Friday from 8am to 5pm” and “do not include after hours, weekends, or federal holidays.” Moreover, the guide recommends that patients should “first, talk to your VA health care provider to determine if secure messaging would be a good way to communicate with them about your health care.” The guidance also instructs patients on what to do if they do not understand a message from their care team.


Despite federal incentives for healthcare institutions to adopt patient portals, patient interest, and emerging evidence that secure messaging is associated with positive health outcomes,10, 11, 15 we found that patient portals and secure messaging are not available in all of the hospitals that we sampled. Eleven percent of our sample of 200 hospitals appeared to have no portal, and 34% did not appear to provide secure messaging. While most hospitals with portals had easily discoverable online portal pages and provided other accessible features like mobile apps and languages other than English, these features were not universally present. This suggests areas for improvement and greater understanding of patient needs.

Good communication between patients and their care team is associated with many positive health outcomes,16, 17 including functional status, symptom management, and adherence to treatment. The secure messaging function of patient portals offers an opportunity to extend the care relationship and facilitate patient-clinician communication beyond office visits. Yet doing so requires a willingness from the healthcare organizations that provide the patient portals, the patients who use the portals, and clinicians who would be responding to their patients via the portals. Such concerted efforts require a shared understanding from all parties about the benefits and limits of portal use, and perhaps improved communication skills.4, 18 Our study found that when secure messaging is available to patients, it is not always clearly explained to patients. Guidance for patients most often detailed what not to do (e.g., not engage in harassing or defamatory behavior, and not substitute messaging for in-person consultation) rather than what to do (e.g., be factual and concise). Further, some guidance required a high degree of literacy, such as the recommendation that messages “not [be] frivolous in nature or frequency.” A high burden potentially limits the usefulness of the guidance to a broad patient population. Likewise, placing guidance in the “Terms and Conditions” sections limits the usefulness of the guidance for patients. This focus on curtailing behavior, and the hurdles placed on finding and understanding guidance suggest that some hospitals may be prioritizing reducing liability over improving the patient experience with portals. Yet overlooking the patient experience limits the usefulness of the portal for patients and may in turn lead to disinterest or even misuse.

This study fits within a large body of work examining patient portals in the past decade and reflects the yet unmet need for more detailed guidance for patients on how to use portals. Researchers have identified portals, particularly secure messaging, as a platform through which medical care is being sought by patients and delivered by clinicians, in specialties such as general internal medicine,19 pediatrics,20 and surgery.21 Given that care is conducted via portals, care guidelines should inform clinician interactions with patients via the portal. Similarly, patients should be informed about how to engage in activities endorsed by health systems to seek care via portals. Studies examining patients’ and clinicians’ experiences with portals have identified such needs from user perspectives,3, 4 and found that even among users of patient portals, nearly half (47%) reported at least one barrier to portal use, including informational barriers (e.g., “I am not sure what is available on the portal,” or “It is too complicated to use the portal”) that could potentially be addressed by detailed guidance from hospitals and clinicians.22 For clinicians, many clinician guidelines governing online interactions and electronic communications with patients are outdated.23 This analysis contributes to our understanding of this need from examining the available guidance. Like the parameters for clinician behaviors, they often focus on medicolegal issues over positive behaviors patients should adopt.

Although our findings suggest much room for improvement for hospitals and health systems in educating patients about the use of patient portals and secure messaging, we also saw noteworthy examples of more complete and more informative patient guidance. Beyond the VA, other notable practices we observed were hospitals that provided additional context for what constituted “urgent scenarios,” and how to contact the clinic by phone. Others provided detailed, specific instructions aimed at guiding patients not familiar with navigating portals, including instructions on what buttons to click, and provided examples of the types of questions that are appropriate for secure messaging. Future studies will examine the relationship between hospital characteristics and portal features, as well as the amount of information provided to patients.


This was an exploratory and descriptive study of the information that hospitals provide regarding their portals. Thus, it is not an exhaustive survey of all information that hospitals provide, or a survey of all hospitals. Instead, the information analyzed was limited to only what was accessible, available, and found by the research team. Hospitals might have additional portal resources for patients that were not available online. Although the research team followed up with each hospital up to three times to gather additional information, we were limited by what the hospitals chose to provide the study team. Our data collection also only focused on information available to patients outside the portal, and not on patient interactions with, or within, the portals. Thus, we cannot comment on patient awareness and understanding of instructive information inside the portal, or use of the information provided.


In this study, we found that 58% of hospitals in our sample had portals with secure messaging features. Hospitals advertised secure messaging as a way of connecting patients to their clinicians electronically, but many did not offer details of how to use secure messaging appropriately. Many hospitals included information about expected secure messaging behaviors in the fine print of the “Terms and Conditions” sections and not anywhere else. Our findings have direct implications for clinicians, as well as hospital and health system leaders. For clinicians, a better understanding of the information directed towards patients from hospitals can identify areas where more guidance can be helpful, and areas that may be helpful to highlight for patients during in-person visits—such as conversations about how best to contact the clinician with questions about their condition, in ways that are accessible and preferable for both the patient and the clinician. For hospitals, this study highlights areas for improved clarity and comprehensiveness. Much more can be done to help patients optimize the use of portals, and for hospitals to enhance the value of the investment they have made in implementing such systems.


  1. 1.

    Office of the National Coordinator For Health Information Technology. What is a patient portal? 2017; Accessed 23 Jul 2018.

  2. 2.

    Medical Group Management Association. MGMA Stat: Most practices offer a patient portal. 2018; Accessed 02 Apr 2019.

  3. 3.

    Haun JN, Lind JD, Shimada SL, et al. Evaluating user experiences of the secure messaging tool on the Veterans Affairs’ patient portal system. J Med Internet Res. 2014;16(3):e75.

    PubMed  PubMed Central  Article  Google Scholar 

  4. 4.

    Sieck CJ, Hefner JL, Schnierle J, et al. The Rules of Engagement: Perspectives on Secure Messaging From Experienced Ambulatory Patient Portal Users. JMIR medical informatics. 2017;5(3):e13.

    PubMed  PubMed Central  Article  Google Scholar 

  5. 5.

    Patel V, Barker W, Siminerio E. Trends in Consumer Access and Use of Electronic Health Information. ONC Data Brief, no. 30 2015; .

  6. 6.

    Atherton H, Sawmynaden P, Sheikh a, Majeed a, Car J. Email for clinical communication between patients / caregivers and healthcare professionals (Review). Cochrane Database of Systematic Reviews. 2012;2012(11):Art. No.: CD007978.-Art. No.: CD007978.

  7. 7.

    Goldzweig CL, Orshansky G, Paige NM, et al. Electronic patient portals: evidence on health outcomes, satisfaction, efficiency, and attitudes: a systematic review. Ann Intern Med. 2013;159(10):677–687.

    PubMed  Article  Google Scholar 

  8. 8.

    Kruse CS, Argueta DA, Lopez L, Nair A. Patient and provider attitudes toward the use of patient portals for the management of chronic disease: a systematic review. Journal of medical Internet research. 2015;17(2):e40.

    PubMed  PubMed Central  Article  Google Scholar 

  9. 9.

    Kuo A, Dang S. Secure Messaging in Electronic Health Records and Its Impact on Diabetes Clinical Outcomes: A Systematic Review. Telemedicine and e-Health. 2016;22(9):769–777.

    PubMed  Article  Google Scholar 

  10. 10.

    McInnes DK, Shimada SL, Midboe AM, et al. Patient Use of Electronic Prescription Refill and Secure Messaging and Its Association With Undetectable HIV Viral Load: A Retrospective Cohort Study. J Med Internet Res. 2017;19(2):e34.

    PubMed  PubMed Central  Article  Google Scholar 

  11. 11.

    Shimada SL, Allison JJ, Rosen AK, Feng H, Houston TK. Sustained Use of Patient Portal Features and Improvements in Diabetes Physiological Measures. J Med Internet Res. 2016;18(7):e179.

    PubMed  PubMed Central  Article  Google Scholar 

  12. 12.

    Osborn CY, Rosenbloom ST, Stenner SP, et al. MyHealthAtVanderbilt: policies and procedures governing patient portal functionality. J Am Med Inform Assoc. 2011;18 Suppl 1:i18–23.

    PubMed  PubMed Central  Article  Google Scholar 

  13. 13.

    Centers for Medicare and Medicaid Services. What is Hospital Compare? 2019; Accessed 13 May 2019.

  14. 14.

    Centers for Disease Control and Prevention. Public Health and Promoting Interoperability Programs (formerly, known as Electronic Health Records Meaningful Use). 2017; Accessed 02 Apr 2019.

  15. 15.

    Kruse CS, Bolton K, Freriks G. The effect of patient portals on quality outcomes and its implications to meaningful use: a systematic review. J Med Internet Res. 2015;17(2):e44.

    PubMed  PubMed Central  Article  Google Scholar 

  16. 16.

    Haynes RB, McDonald HP, Garg AX. Helping patients follow prescribed treatment: clinical applications. Jama. 2002;288(22):2880–2883.

    PubMed  Article  Google Scholar 

  17. 17.

    Stewart MA. Effective physician-patient communication and health outcomes: a review. CMAJ: Canadian Medical Association journal = journal de l’Association medicale canadienne. 1995;152(9):1423–1433.

    CAS  PubMed  Google Scholar 

  18. 18.

    Vermeir P, Vandijck D, Degroote S, et al. Communication in healthcare: A narrative review of the literature and practical recommendations. International Journal of Clinical Practice. 2015;69(11):1257–1267.

    CAS  PubMed  PubMed Central  Article  Google Scholar 

  19. 19.

    Hogan TP, Luger TM, Volkman JE, et al. Patient Centeredness in Electronic Communication: Evaluation of Patient-to-Health Care Team Secure Messaging. J Med Internet Res. 2018;20(3):e82.

    PubMed  PubMed Central  Article  Google Scholar 

  20. 20.

    Steitz B, Cronin RM, Davis SE, Yan E, Jackson GP. Long-term Patterns of Patient Portal Use for Pediatric Patients at an Academic Medical Center. Appl Clin Inform. 2017;8(3):779–793.

    PubMed  PubMed Central  Article  Google Scholar 

  21. 21.

    Shenson JA, Cronin RM, Davis SE, Chen Q, Jackson GP. Rapid growth in surgeons’ use of secure messaging in a patient portal. Surgical endoscopy. 2016;30(4):1432–1440.

    PubMed  Article  Google Scholar 

  22. 22.

    Reed ME, Huang J, Millman A, et al. Portal Use Among Patients With Chronic Conditions: Patient-reported Care Experiences. Med Care. 2019.

  23. 23.

    Lee JL, Matthias MS, Menachemi N, Frankel RM, Weiner M. A critical appraisal of guidelines for electronic communication between patients and clinicians: the need to modernize current recommendations. J Am Med Inform Assoc. 2017.

Download references


We would like to express our gratitude to Rachel Gruber for her comments and copyediting that greatly improved the manuscript.


This project was funded in part by the Indiana Clinical and Translational Sciences Institute, by grant numbers UL1TR001108 and UL1TR002529 from the National Institutes of Health, National Center for Advancing Translational Sciences, Clinical and Translational Sciences Award.

Author information



Corresponding author

Correspondence to Joy L. Lee PhD, MS.

Ethics declarations

This study was declared not human subjects research and exempt from review by the Indiana University Institutional Review Board.

Conflict of Interest

The authors declare that they do not have a conflict of interest.


Dr. Weiner is the Chief of Health Services Research and Development at the Richard L. Roudebush Veterans Affairs Medical Center in Indianapolis, IN. The views expressed in this article are those of the authors and do not necessarily represent the views of the U.S. Department of Veterans Affairs.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Lee, J.L., Williams, C.E., Baird, S. et al. Too Many Don’ts and Not Enough Do’s? A Survey of Hospitals About Their Portal Instructions for Patients. J GEN INTERN MED 35, 1029–1034 (2020).

Download citation


  • patient portals
  • electronic health record
  • patient provider communication
  • informatics