In 2013 our pediatrician’s practice was acquired by Stanford Children’s Health which, at the time, seemed to be a positive move. The pediatricians at the hospital where both our kids were born was part of the same group and they were great.

Indeed, the actual doctor part hasn’t really changed beyond the introduction of computerized records (believe it or not they were still using paper records until around a year ago). What did change though was how we pay the bills. Initially, there was some confusion as the billing was moved from the old system over, which, while not really acceptable, is at least understandable as a temporary problem.

Finally though, the bills were being sent out as Stanford Children’s Health bills, and to pay them online we need to login to their MyChart system – something that appears to have been licensed from Epic Software. Quite why this is necessary I don’t understand; all the other medical bills I’ve ever paid allowed me to simply go to a payment portal, enter the details of the bill and pay it without needing an account. But, SCH requires an account at MyChart. And that is where the confusion starts.

Account Holder

Obviously, the patients in this case are not paying the bills, so the account needs to be created in an adult’s name, and associated with the patient. The first to receive a bill under the new system was my daughter, following a visit when my wife took her. But I pay the bills. When the account was created, I entered the magic code from the bill, and my email address. But somehow the record had been created with my wife’s name on it, so now the account is in her name, with my email address. Unfazed, I just paid the bill and left it; it doesn’t really matter much.

Next to visit was my son, so now I have a bill for him. And here is where MyChart falls apart. It would seem that nobody at Epic ever considered the possibility that a family might have more than one child. I can’t create a new account for him because my email address is already associated with an account (I guess I could use a different email address, but I don’t want to deal with two accounts for this either). And I can’t see his bill on the existing account because that account is associated with a different patient (my daughter). And there is no way for me to link him to the existing account. Which means there is no way to pay the bill online. Total failure!

Customer Support

So, I called their customer support. The gentleman who answered immediately understood the problem, took all the details and promised to have my son’s information added to the account within 24 hours. That was July 9 – almost 2 weeks ago. He also said he would have the account name fixed to be mine so it was consistent with the email address & the insurance details (which are apparently also associated with the account, and are in my name, but I can’t even see that in the portal).

Neither of those things happened.

No Progress

On Tuesday morning of this week, over 10 days after I first called, I called again. This time a lady answered, took all the details and went away to check. When she returned she asked for a number so she could have the MyChart team call me back that afternoon and resolve the problem directly as there was nothing she could do herself.

Nobody called.

Still the account shows only my daughter; still the name on the account is my wife’s. Still my son’s bill is unpaid because they cannot provide a way for me to pay it online.

Tomorrow I will be calling again, but I am starting to think that the reason nothing has been fixed is because they can’t work out how to link the two children in one account either. Something that shouldn’t even require a customer support call if the software was designed properly in the first place.

Change Password?

Another thing that seems to be missing from the MyChart site is the option to change your password. That seems pretty fundamental for any web service with a user account feature, but especially for one that could contain sensitive information. How did they ever let this site go into production without an option to change the password?

Layout and Styling

You would also expect the site to look correct on desktop Safari, and perhaps these days on an iPad too. The snippet to the right shows the login form on my laptop’s screen. The iPad one doesn’t look much better.

Once you get through the login, the rest of the site has similar issues; overlapping text in the footer, poorly aligned buttons and text, and confusing UX elements (such as the ‘Back to the Home Page’ button on the home page).

While on the subject of the home page, for some reason it seems to be set to show the Preferences -> Personalize page as my home. Why I do not understand. The most likely things I would want to do are the first two top level menu items (view my records or view billing information). Starting on a preferences page makes no sense at all; much like the rest of the site makes no sense.

Update 1

I tried to submit something through their website contact form to see if that has any more success than calling. Having typed up the message, entered the annoying captcha string and hit submit, I was greeted by this:

Actually, I was only greeted with about the first two thirds of it too – the remaining third was covered by the “Find Doctors, Services and Health” search box (what does “Find Health” mean?).

Look closely at that list. Apparently proper grammar is unacceptable (“my son’s account” is not permissible because of that apostrophe). If you believe that list, nor are commas and semi-colons (though it did accept both of those). When I look back though, it does seem to have accepted an apostrophe that I missed, so maybe it just wouldn’t accept the ‘=’ in the URL for this page. Luckily, bit.ly URLs don’t need special characters, so I just substituted it with that (which has the added bonus of also telling me if anybody there clicks on it).

Update 2: July 23, 2015

After several phone calls with an advocate from Stanford Children’s, it looks like things are well on the way to being fixed (though not fixed as I type this). But, the process has also highlighted a number of weaknesses in the system:

• There was no way to change the account guarantor information from my wife’s information to mine on the existing account. That in itself would not have been a problem apart from the fact that when I visit the doctor, my information would need to be in a separate account again, with a different email address.

  The solution? Create a new account in my name, using a new email address, and move the children’s accounts over to that new account.

• Thinking I could just change the email associated with the existing account to something temporary, and then re-use my preferred email address for the new account highlighted the fact that you actually cannot change the username for the account (which is your email address). I can change the email address they send me notifications on, but not the “email address” used to sign in.

  How amateur are the folks at Epic if they use a person’s email address as the account username, but do not allow that address to be changed? I suspect a large number of people are using email addresses from their ISP; change ISP and they get a new address. Are they going to remember their old address when they need to login to MyChart?

• Changing passwords came up too. The way they suggest that I change my password is, rather than going to the place with all my account details and clicking a change password option, to sign out and click the ‘Forgot password’ link. Then follow the instructions in the email they send out to change the password. Hopefully they will use the notification email address for that and not the “username” one (might try that later if I get a moment).

The mere fact that I cannot connect both my children to one account easily suggests that this system was poorly designed. I suspect it was designed around the assumption that each patient would have their own, private account. Children’s accounts were probably not considered when it was designed and have been hacked into the data model later with only (very) limited support in the front end.

However, the lack of an option to change an email address that is being used as a username, or to change a password properly from within the site, cannot easily be excused as something that might not have been considered. Even the adult use case, with a single patient per account would require both of those to be implemented to be a proper system.

Alternatively, if you don’t want to support changing the username (which is probably, incorrectly, a primary key in the data model), don’t use the email address as the username. Other places that want to avoid that issue simply assign (or let their users choose) usernames. All of my financial institutions do that, as does our company HR portal (it actually assigns a user ID and allows us to choose our own as well if we want to as an alternative). All of those places also allow me to change my password from the account details page rather than having me go through the forgotten password flow.

Two Factor

If this Epic system was in any way secure, they would also have an option for two factor authentication (either with an app controlling access, or an SMS option). If services like Google and Twitter can manage it, software that costs as much as this does should be able to. Admittedly, banks are not great at this either (though my UK HSBC account does require it now, and they even sent me a little code generator gadget since their app is not available to non-UK residents). There is a great list of websites that support multi-factor authentication at twofactorauth.org for those who are interested.

With the increase in online access to medical information, it would be nice to see the security aspects of these systems being regulated better. At the very least, they should be required to implement multi-factor authentication, and, if they allow third party access to the account for any reason, an OAuth style system where a token is supplied to the third party that can be revoked at any time, does not provide them with the account username & password and limits what the holder can do. (I’d like to see the same OAuth systems for banking too so that services like Personal Capital and BillGuard, both of which I love, also do not need to collect account username & password information to be able to offer their services.