Tech Standards, Regulatory Levers Have Eliminated Barriers. What’s Still in the Way?
Patients these days have a better path to securely accessing their digital health information, thanks largely to advancements in certain technology standards and a big push by federal regulatory policies in recent years. But obstacles still remain.
Despite an industry-wide digital transformation, patients still struggle with conveniently and securely gaining access to a unified, integrated view of their health information from multiple providers. Other difficulties involve providing secure and private access to records of certain types of patients, including those with complex medical conditions, as well as minors.
“The main hindrance that I see to information sharing generally, both with patients and with other healthcare providers, is the proprietary nature of electronic health records or electronic medical record vendors and their systems and agreements,” said privacy attorney Iliana Peters of the law firm Polsinelli.
Laws related to the handling of digital health information date back to the HITECH Act of 2009, but the Department of Health and Human Services’ 21st Century Cures Act final rule in 2020 became the foundation for information sharing. The Cures Act called on health IT developers to adopt “secure, standards-based application programming interfaces” – to make it easier for patients to access their health information using mobile health apps.
Top priorities of the Cures Act, which was signed into law in 2016, were to advance medical innovation, including the goal of improving care coordination and patient outcomes through the help of interoperability and secure access to digital health information (see: New Regs Aim to Improve Patient Records Access).
Under the hood of those modernization efforts, health IT developers were encouraged to adopt standards in their products such as the Fast Healthcare Interoperability Resources, or FHIR, which was created by Health Level Seven International for exchanging healthcare information electronically.
The Cures Act also includes policies that promote the secure nationwide exchange of health information, including laws to discourage healthcare providers and health IT vendors from illegally “blocking” health information exchange.
In addition, the earlier HITECH Act of 2009 – which propelled the mass adoption of electronic health record systems nationwide by clinicians and hospitals – also drove many healthcare providers to offer portals for patients to access health information securely online.
Most patients have embraced online access. For example, in 2024, 65% of patients nationally and 75% of those managing a recent cancer diagnosis accessed their medical records online or via a patient portal, according to a report released in July by HHS’ Office of the National Coordinator for Health IT. Proxy or caregiver access to patient portals more than doubled between 2020 and 2024, and app-based access to online medical records increased from 38% in 2020 to 57% in 2024, ASTP said.
“I do think that the HITECH Act and Cures Act have been driving forces in making it easier for patients to access their records,” said privacy attorney Adam Greene of the law firm Davis Wright Tremaine. “Without these legislative pushes, I don’t think that patients would have the level of digital access to records that they have today,” he said.
Compliance Issues, Roadblocks to Interoperability
Besides using levers such as HITECH and the Cures Act to ease access for patients, HHS’ Office for Civil Rights is investigating right-to-access claims by patients. Over the past six years, enforcement actions have spotlighted cases involving violations of the longstanding HIPAA Privacy Rule provision that gives patients – or their personal representatives – the right to request timely access to patients’ “designated record set” of protected health information.
A HIPAA “designated record set” includes medical records; billing and payment records; insurance information; medical laboratory test results; medical images, such as X-rays; wellness and disease management program files; medical case notes; and other information “used to make decisions about individuals,” HHS said.
Since 2019, as of Friday, HHS OCR has issued at least 53 HIPAA settlements and fines to regulated entities that failed to comply in a timely manner with requests to provide patients – or their representatives – with their health record sets in the requested digital form or on paper (see: HHS Discloses 3 More HIPAA Fines Totaling More Than $3M).
In some of these cases – which usually start with a complaint to HHS OCR – patients have made multiple requests and waited years to receive their requested records, and often not until the HIPAA enforcement agency launched an investigation.
But while most patients today have much better access to their health records electronically, that doesn’t mean the obstacles are gone.
“Despite information blocking requirements, many of these vendors of all sizes continue to use both contractual requirements and technical controls to significantly slow and sometimes prohibit altogether otherwise permissible sharing of patient data,” said privacy attorney Peters. “And until HHS exercises its enforcement jurisdiction with regard to such practices, it’s unlikely that these vendors will change their ways.”
Complicating matters is that many patients receive health services from multiple providers. That means records held by medical specialists that aren’t part of a patient’s primary care team are stored in many places, making it difficult for patients to access a unified, integrated view of their records.
ASTP’s study found that nearly 60% of patients nationally had multiple online medical records or patient portals in 2024, but only 7% reported using a “portal organizing app” to combine medical information from different portal sources or online medical records into one place.
“Many things have helped us advance to greater access by patients – more clear guidance on the HIPAA right of access from HHS, the emphasis on patient access in the 21st Century Cures Act and how major providers, network administrators and some medical record companies are beginning to ‘lean in’ on facilitating patient access,” said attorney Deven McGraw, chief regulatory and privacy officer at Citizen Health.
But hurdles remain. “Patients who have multiple providers struggle with remembering the user names and passwords for all of their provider portals and lack a unified, usable view of all of their information in one place, unless they have connected their portals to an application,” she said.
Greene suggests that patients consider using consumer apps that connect to multiple healthcare providers’ systems through APIs, allowing patients to obtain and organize records from multiple providers. “The biggest challenges with such apps, though, are that it falls on the patient to check that the app has good privacy and security safeguards, and navigating providers’ APIs may be difficult,” he said.
Citizen Health offers a technology platform and services to help patients with rare conditions collect and access their health records from multiple sources with an integrated view.
McGraw said the ability of a patient to connect an app to a portal account – and to have the option of making that connection persist so that records are automatically refreshed – is also still a challenge.
“Take the persistent token issue – the technology exists to create tokens that persist. Yet providers often set the timeframes for how long they persist to very short intervals,” she said. “This means the patient doesn’t have that seamless connection for the app, even in cases where the patient wants a ‘set it and forget it’ approach.”
Additionally, there are often records that are not available through FHIR APIs – such as medical images – which forces patients to obtain the files via a HIPAA medical record request to a radiology office. “This process is still often difficult for patients,” she said.
“This is an issue that hits patients with complex health conditions particularly hard, because they often have multiple portals they need to go to,” said McGraw, a former official at both HHS OCR and ONC during President Barack Obama’s second term and the first administration of President Donald Trump.
“Those of us who have long supported the ability of patients to use tools to consolidate their records – like personal health record apps and platforms, including but not limited to Citizen Health – see this as a solution that is already out there to help patients with this,” she said.
“Electronic medical record vendors could also help by allowing for a consolidated view of their portals, but this would likely require the consent of their customers – healthcare providers – which means we’d have to overcome the hurdle of real or perceived legal risk at showing data to patients that was generated from other providers,” she said.
“This is not a tech problem. It’s a trust problem,” she said.
“Providers have expressed concerns about having iron-clad assurances that a patient knowingly engaged an app, understands and accepts what that means for their data, that the patient is who they claim to be – identity proofing, and that the patient consented to record collection from a particular provider – and in the case of network access, that they have matched the patient to the right record, which is not an issue for portal/FHIR API access,” she said.
“There are technical solutions that exist to address all of these – but I think providers still have lingering uncertainty about whether these solutions are ‘enough’ to address their concerns.”
Other Challenges
In the meantime, there are still other access issues involving certain types of patients, such as minors, Greene said.
“A top challenge facing both patients and providers is adolescent records,” he said.
“It is very difficult for providers to provide parents or guardians with real-time access to information about their adolescent children to which they are entitled while blocking access to confidential access to which they are not entitled,” he said.
“This may result in a healthcare provider excluding adolescents’ records from its patient portal, resulting in frustrated parents having to go through more formal release-of-information processes to obtain access to such records.”
While obstacles still remain, patients and healthcare providers are finally understanding that patient access to their own healthcare records is critically important. “I can still remember when patient access was far less of a priority – and I can remember more people saying that patients wouldn’t need access to their records if providers would just do a better job of exchanging data,” McGraw said.
“The more we do to knock these obstacles out of the way, the more we’ll see these access numbers increase. The win-win aspect of patient access is increasingly being realized across the healthcare ecosystem.”