Patient Portal
The patient's window into their own care. The Patient Portal is not a separate read-only mirror of the chart — it is the same global data the clinician sees, surfaced through a patient-facing lens with consent-gated access and a full read-access audit trail. Patients can message their practice, self-schedule appointments with upfront cost estimates, review lab results with plain-language explanations, receive after-visit summaries, export their data via FHIR, manage sensitive-class consent, and grant proxy access to family members — all on a practice-whitelabeled surface where the patient's trust relationship is with their doctor's office, not the platform vendor.
Key Capabilities
Self-Scheduling with GFE / Copay Estimate
The patient sees available appointment slots for their provider, filtered by visit type and insurance status from the Eligibility module. Before booking, the portal surfaces a good-faith estimate (GFE) and expected copay so the patient can make an informed decision. Booking creates an appointment in Scheduling and auto-fires a 270 eligibility check. No phone tag, no surprise bills.
Secure Messaging
Patient ↔ practice threaded messaging with attachments (photos of rashes,
wound-healing progress, insurance cards). Messages arrive in the practice's
Task Management queue with SLA tracking.
Practice staff respond in-thread. Every message is logged against the
PortalMessage entity with full audit — sender, recipient,
read timestamp, and category (General, Clinical, Billing, Scheduling,
Document, Prescription).
Lab Results with Plain-Language Explanation
When a lab result is released, the portal surfaces the numeric values alongside an AI-generated plain-language explanation at a configurable reading level (6th-grade default). The same capability powers the after-visit summary (AVS): diagnoses, medications, follow-up instructions, and care-plan tasks are translated into accessible language with multi-language support (AWS Translate + human-in-loop for clinical accuracy). Patients understand their results without calling the office.
AVS Delivery
At encounter close, the portal auto-generates an after-visit summary that includes diagnoses, medications, follow-up instructions, and care-plan tasks. The AVS arrives in the portal as both a clinician-authored version and an AI-simplified plain-language version. Multi-language translation is available. The patient can download, share, or reference it at any time — no paper handout that gets lost on the way to the car.
Data Export — FHIR Patient Access API
Patients can view their longitudinal record (demographics, clinical facts, care plan), download a CCDA or FHIR Bundle, or transmit data to a third-party app launched via SMART on FHIR. This is VDT (View-Download-Transmit) under HTI-1 §170.315(e)(1) and the 21st Century Cures Act information-blocking rules. Every export action logs a read-access audit entry with the full authorization-chain trace.
Consent Management — 42 CFR Part 2 Enforcement
When the portal renders clinical facts, sensitive categories (mental health,
substance use disorder per 42 CFR Part 2, HIV, genetic, reproductive health)
require an explicit patient consent action before display. Each category has
its own independent consent flag on SensitiveClassGating. The
gating is enforced at the API layer — the UI shows a "ready to review
sensitive history" prompt, and the data is suppressed until the patient
consents. Consent preferences are global: if the patient consents to
viewing their mental health data, that consent applies across all practices.
Proxy Access
Parents, legal guardians, and authorized caregivers access a dependent's record through a consent-chain proxy. State-by-state minor-consent rules determine which sensitive categories a minor can gate from the proxy. Every proxy read writes an audit entry with the authorization chain — who authorized the viewer, what scope they were granted, and when. The portal supports tiered data access: demographics always visible (Tier 1), clinical facts consent-gated per sensitive class (Tier 2), billing org-scoped (Tier 3).
Care Plans Gallery
A template gallery of care plans for common chronic and acute conditions — diabetes (DM2), hypertension (HTN), congestive heart failure (CHF), COPD, and asthma — gives clinicians a starting point instead of a blank page. Each template includes: clinical goals (e.g., BP <130/80, HbA1c <7.0), tasks (diet changes, daily walks, BP logging), medications with titration schedules, lab schedules (CMP every 3 months, lipid panel annually), and patient education materials linked from UpToDate Patient Engagement and MedlinePlus. Templates are practice-customizable: the practice manager can adjust default goals, add practice-specific tasks, and swap education links.
The patient sees their active care plan with progress tracking in the portal — goals met, tasks completed, medications on schedule, and upcoming labs. A day-by-day timeline (modeled on the Care Plan Gallery mockups) replaces the static PDF handout. Multi-condition combos (e.g., HTN + DM2 + hyperlipidemia) are rendered as a single combined plan so the patient sees one path, not three conflicting sheets.
Persona Connections
- Patient — Primary user. Messages the practice, self-schedules appointments, views lab results with plain-language explanations, downloads their AVS, pays bills, exports data via FHIR, and manages sensitive-class consent. The patient IS a user — the Patient and User entities share the same primary key.
- Doctor — Responds to clinical messages from the inbasket. Sees AVS delivery confirmation. Reviews patient-uploaded documents that land in the reconciliation queue. Cannot author portal content directly — only responds through the clinical workflow.
- Reception — Receives patient messages in the Task Management queue, processes self-scheduled appointments as they arrive in the Scheduling queue, and handles document uploads that route to the intake queue.
- Nurse — Triage for clinical-category messages, handles post-encounter care-plan updates, and processes sensitive-class consent changes flagged during patient visits.
Technical Highlights
- OAuth2 / SMART-on-FHIR. Third-party app launch uses SMART on FHIR with OAuth 2.0 granular scopes. The app receives a scoped FHIR access token limited to the consented data categories. App launch logs a read-access audit entry. Patients can revoke app access at any time from the portal.
- FHIR Patient Access API. The portal exposes the USCDI v3 data classes via the FHIR R4 Patient Access API per the 21st Century Cures Act. Every clinical fact in the patient's global record is available through standard FHIR resources — Patient, Condition, Observation, MedicationRequest, AllergyIntolerance, Immunization, Procedure, DocumentReference, and more.
- 42 CFR Part 2 consent enforcement. Sensitive-class consent gating is enforced at the API layer, not just the UI. When the FHIR Patient Access API receives a request, the response builder checks SensitiveClassGating for each sensitive category. If IsConsentedBool = false, data in that category is suppressed from the FHIR Bundle — the third-party app never sees it. Consent is not a UI toggle; it is a data-access gate.
- USCDI v3 export. The VDT download produces a FHIR Bundle conforming to USCDI v3 data classes: patient demographics, allergies, medications, conditions, lab results, vital signs, procedures, immunizations, care plans, clinical notes, imaging, and social history. The bundle is a point-in-time snapshot of the patient's global record.
- Tiered data access model. Tier 1 (demographics) always visible to authenticated patient. Tier 2 (clinical facts) consent-gated per SensitiveClassGating. Tier 3 (billing) org-scoped — the patient sees only the billing data for the org context of the current portal session.
- Deterministic Short GUID URL routing. Patient-facing URLs use /patient/{ShortGUID} — the 22-character Base62 encoding of PatientID. URLs never contain the patient's name to prevent leakage through browser history, referrers, or screenshots.
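An added example (not the platform's own code) of the API-layer gate described under Consent Management and in the 42 CFR Part 2 item above: a response builder that drops any resource whose sensitive class lacks an explicit IsConsentedBool = true row, then writes a read-audit entry. The meta.security tag system, the class codes, the dict shape used for SensitiveClassGating and the audit fields are assumptions; the sample resources are constructed.

```python
# Added illustration; tag system, class codes and record shapes are assumptions.
TAG_SYSTEM = "urn:example:sensitive-class"   # hypothetical meta.security system
SENSITIVE = {"mental_health", "sud", "hiv", "genetic", "reproductive"}

def sensitive_classes(resource):
    """Sensitive-class codes tagged on a FHIR resource's meta.security."""
    labels = resource.get("meta", {}).get("security", [])
    return {str(l.get("code")) for l in labels if l.get("system") == TAG_SYSTEM}

def build_bundle(resources, gating, viewer, audit_log):
    """Return a FHIR Bundle with non-consented sensitive classes suppressed.

    Default deny: a class with no gating row, a row whose IsConsentedBool is
    anything but True, or an unrecognised class code counts as not consented.
    """
    entries, suppressed = [], set()
    for res in resources:
        denied = {c for c in sensitive_classes(res)
                  if c not in SENSITIVE
                  or gating.get(c, {}).get("IsConsentedBool") is not True}
        if denied:                       # one denied class withholds the resource
            suppressed |= denied
            continue
        entries.append({"resource": res})
    # The audit entry records what was withheld, never the withheld content.
    audit_log.append({"viewer": viewer, "action": "read",
                      "released": len(entries),
                      "suppressed_classes": sorted(suppressed)})
    return {"resourceType": "Bundle", "type": "collection", "entry": entries}

def tagged(rtype, rid, cls=None):
    """Build a constructed sample resource, optionally tagged with a class."""
    res = {"resourceType": rtype, "id": rid}
    if cls:
        res["meta"] = {"security": [{"system": TAG_SYSTEM, "code": cls}]}
    return res

SAMPLE = [tagged("Condition", "c1"),                  # untagged, not gated
          tagged("Condition", "c2", "mental_health"),
          tagged("MedicationRequest", "m1", "sud"),
          tagged("Observation", "o1", "hiv")]         # no gating row below
GATING = {"mental_health": {"IsConsentedBool": True},
          "sud": {"IsConsentedBool": False}}

if __name__ == "__main__":
    log = []
    bundle = build_bundle(SAMPLE, GATING, "patient:self", log)
    print([e["resource"]["id"] for e in bundle["entry"]], log[0])
```

Because the filter runs in the response builder, a third-party app calling the API gets the same suppression as the portal UI.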
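An added example (not the platform's own code) of the Short GUID routing item above: a fixed-width 22-character Base62 encoder with a strict decoder that rejects malformed or out-of-range tokens. It assumes PatientID is a 128-bit GUID and assumes the alphabet order shown; the page specifies neither.

```python
import uuid

# Assumed alphabet order; the page only says "Base62".
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}
WIDTH = 22  # 62**21 < 2**128 < 62**22, so 22 characters always suffice

def encode_short_guid(patient_id: uuid.UUID) -> str:
    """Deterministically encode a 128-bit PatientID as 22 Base62 characters."""
    n = patient_id.int
    chars = []
    for _ in range(WIDTH):               # fixed width: small values are zero-padded
        n, rem = divmod(n, 62)
        chars.append(ALPHABET[rem])
    return "".join(reversed(chars))

def decode_short_guid(token: str) -> uuid.UUID:
    """Decode a route token, rejecting anything that is not a canonical value."""
    if len(token) != WIDTH or any(ch not in INDEX for ch in token):
        raise ValueError("malformed ShortGUID")
    n = 0
    for ch in token:
        n = n * 62 + INDEX[ch]
    if n >= 1 << 128:                    # 22 Base62 chars can exceed 128 bits
        raise ValueError("ShortGUID out of range")
    return uuid.UUID(int=n)

if __name__ == "__main__":
    pid = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed sample
    token = encode_short_guid(pid)
    print(f"/patient/{token}", decode_short_guid(token) == pid)
```

The token is a reversible encoding of PatientID, so it keeps names out of URLs but is not a credential; the route still needs the session's authorization and consent checks.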
Delivery Phases
Patients interact with the practice primarily by phone and paper forms. The portal shell ships with secure messaging (patient → practice), self-scheduling with copay estimates, and document upload. Bill pay is available via integrated payment processor. VDT is a manual export button (CCDA download). Sensitive-class consent gating is live for the five mandatory categories (mental health, SUD, HIV, genetic, reproductive health). Proxy access supports parent/guardian with consent-chain tracking. WCAG 2.2 AA conformance on all portal pages. AVS is a static PDF delivered at checkout — no AI-generated plain-language version yet.
AI-generated plain-language AVS at configurable reading level with multi-language translation. Lab results surface with plain-language explanations. SMART on FHIR app launch allows patients to connect third-party health apps. Pre-visit digital intake — patient completes intake form, verifies imported data, and updates demographics and medications before the visit. VDT upgraded to FHIR Bundle export (USCDI v3). Patient education content linked from AVS (UpToDate Patient Engagement, MedlinePlus). Payment plan enrollment available. Portal adoption target: ≥ 60% within 12 months of go-live.
Self-service proxy consent management dashboard — patients manage their own proxy authorizations with audit trail and expiration tracking. Payment plan financing integration (e.g., CareCredit) for large balances. Specialty-specific portal modules (pediatric growth charts, women's health trackers, geriatric fall-risk dashboards). Telemedicine video visit scheduling from the portal (video session via separate integration). Multi-language portal UI beyond content translation. Advanced analytics on portal engagement, VDT usage, and sensitive-class consent patterns.
Success Metrics
- Portal adoption rate: ≥ 60% of registered patients log in ≥ 1×/quarter within 12 months of go-live.
- VDT completion rate: ≥ 80% of registered portal users complete ≥ 1 VDT action within 6 months.
- Message response time: ≤ 1 business day median for non-urgent patient messages.
- Self-schedule completion rate: ≥ 40% of new appointments booked via portal within 12 months.
- Bill-pay portal capture rate: ≥ 25% of patient responsibility collected via portal within 12 months.
- WCAG 2.2 AA conformance: 100% of portal pages pass automated + manual audit.
- Sensitive-class consent gating coverage: 100% of sensitive categories (mental health, SUD, HIV, genetic, reproductive) consent-gated at the API layer.
Module Dependencies
- Upstream — Eligibility provides coverage status and copay estimates at self-scheduling. Scheduling provides available slots; appointment reminders push to portal notifications.
- Lateral — Clinical Documentation generates the AVS from encounter notes. Task Management receives inbound patient messages as queue items with SLA tracking. eRx / EPCS surfaces medication list and renewal requests.
- Downstream — RCM provides outstanding statements for bill-pay; Payment rows reconcile back. Referrals status is visible to patients through the portal's referral-tracking view.