Tech Standards, Regulatory Levers Have Removed Barriers. What’s Still in the Way?

Patients today have an easier path to securely accessing their electronic health records, thanks in large part to advances in certain technology standards and a big push by federal regulatory policies in recent years. But obstacles still remain.
Despite an industry-wide digital transformation, patients still struggle with conveniently and securely gaining access to a unified, integrated view of their health records from multiple providers. Other difficulties involve providing secure and private access to the records of certain types of patients, including those with complex medical conditions, as well as minors.
“The main hindrance that I see to information sharing generally, both with patients and with other healthcare providers, is the proprietary nature of electronic health record or electronic medical record vendors and their systems and agreements,” said privacy attorney Iliana Peters of the law firm Polsinelli.
Regulations related to the handling of electronic health records date back to the HITECH Act of 2009, but the Department of Health and Human Services’ 21st Century Cures Act final rule in 2020 became the foundation for information sharing. The Cures Act called on health IT developers to adopt “secure, standards-based application programming interfaces” – to make it easier for patients to access their health information using mobile health apps.
Top priorities of the Cures Act, which was signed into law in 2016, were to advance medical innovation, including the aim of improving care coordination and patient outcomes with the help of interoperability and secure access to electronic health information (see: New Regs Aim to Improve Patient Data Access).
Under the hood of those modernization efforts, health IT developers were encouraged to adopt standards in their products such as Fast Healthcare Interoperability Resources, or FHIR, which was created by Health Level Seven International for exchanging healthcare information electronically.
The Cures Act also includes policies that promote the secure nationwide exchange of health information, including regulations to deter healthcare providers and health IT vendors from illegally “blocking” health information exchange.
In addition, the earlier HITECH Act of 2009 – which propelled the mass adoption of electronic health record systems nationwide by clinicians and hospitals – also drove many healthcare providers to offer portals for patients to access health information securely online.
Most patients have embraced online access. For example, in 2024, 65% of patients nationally and 75% of those managing a recent cancer diagnosis accessed their medical records online or via a patient portal, according to an HHS Office of the National Coordinator for Health IT report released in July. Proxy or caregiver access to patient portals more than doubled between 2020 and 2024, and app-based access to online medical records increased from 38% in 2020 to 57% in 2024, ASTP said.
“I do think that the HITECH Act and Cures Act have been driving forces in making it easier for patients to access their records,” said privacy attorney Adam Greene of the law firm Davis Wright Tremaine. “Without these legislative pushes, I don’t think that patients would have the level of electronic access to records that they have today,” he said.
Compliance Issues, Roadblocks to Interoperability
Besides using levers such as the HITECH Act and the Cures Act to ease access for patients, HHS’ Office for Civil Rights is investigating right-to-access complaints by patients. Over the past six years, enforcement actions have spotlighted cases involving violations of the longstanding HIPAA Privacy Rule provision that gives patients – or their personal representatives – the right to request timely access to patients’ “designated record set” of protected health information.
A HIPAA “designated record set” includes medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; clinical case notes; and other information “used to make decisions about individuals,” HHS said.
Since 2019, as of Friday, HHS OCR has issued at least 53 HIPAA settlements and fines to regulated entities that failed to provide patients – or their representatives – with their health record sets in a timely manner, in the requested electronic or paper form (see: HHS Discloses 3 More HIPAA Fines Totaling More Than $3M).
In some of those cases – which usually begin with a complaint to HHS OCR – patients have made multiple requests and waited years to receive their requested records, and often not until the HIPAA enforcement agency launched an investigation.
But while most patients today have much better access to their health records electronically, that doesn’t mean the obstacles are gone.
“Despite information blocking requirements, many of these vendors of all sizes continue to use both contractual requirements and technical controls to significantly slow and sometimes prohibit altogether otherwise permissible sharing of patient data,” said privacy attorney Peters. “And until HHS exercises its enforcement jurisdiction with regard to such practices, it is unlikely that these vendors will change their ways.”
Complicating matters is that many patients receive health services from multiple providers. That means records held by medical specialists that aren’t part of a patient’s primary care group are stored in many places, making it difficult for patients to access a unified, integrated view of their records.
ASTP’s study found that nearly 60% of patients nationally had multiple online medical records or patient portals in 2024, but only 7% reported using a “portal organizing app” to combine medical records from different portal sources or online medical records into one place.
“Many things have helped us advance to greater access by patients – clearer guidance on the HIPAA right of access from HHS, the emphasis on patient access in the 21st Century Cures Act and how major providers, network administrators and some medical record companies are beginning to ‘lean in’ on facilitating patient access,” said attorney Deven McGraw, chief regulatory and privacy officer at Citizen Health.
But hurdles remain. “Patients who have multiple providers struggle with remembering the user names and passwords for all of their provider portals and lack a unified, usable view of all of their records in one place, unless they have connected their portals to an application,” she said.
Greene suggests that patients consider using consumer apps that connect to multiple healthcare providers’ systems through APIs, allowing patients to download and organize records from multiple providers. “The biggest challenges with such apps, though, are that it falls on the patient to confirm that the app has good privacy and security safeguards, and navigating providers’ APIs can be challenging,” he said.
Citizen Health provides a technology platform and services to help patients with rare conditions collect and access their health records from multiple sources in an integrated view.
McGraw said the ability of a patient to connect an app to a portal account – and to have the option of making that connection persist so that records are automatically refreshed – is also still a challenge.
“Take the persistent token issue – the technology exists to create tokens that persist. Yet providers often set the timeframes for how long they persist to very short intervals,” she said. “This means the patient doesn’t have that seamless connection for the app, even in cases where the patient wants a ‘set it and forget it’ approach.”
Moreover, there are often records that aren’t available through FHIR APIs – such as medical images – which forces patients to obtain the files via a HIPAA medical record request to a radiology office. “This process is still often difficult for patients,” she said.
“This is an issue that hits patients with complex health conditions particularly hard, because they often have multiple portals they need to go to,” said McGraw, a former official at both HHS OCR and ONC during President Barack Obama’s second term and the first administration of President Donald Trump.
“Those of us who have long supported the ability of patients to use tools to consolidate their records – like personal health record apps and platforms, including but not limited to Citizen Health – see this as a solution that’s already out there to help patients with this,” she said.
“Electronic medical record vendors could also help by allowing for a consolidated view of their portals, but this would likely require the consent of their customers – healthcare providers – which means we would need to overcome the hurdle of real or perceived legal risk in showing data to patients that was generated by other providers,” she said.
“This isn’t a tech problem. It’s a trust problem,” she said.
“Providers have expressed concerns about having iron-clad assurances that a patient knowingly engaged an app, understands and accepts what that means for their data, that the patient is who they claim to be – identity proofing – and that the patient consented to record collection from a particular provider – and in the case of network access, that they’ve matched the patient to the right record, which isn’t an issue for portal/FHIR API access,” she said.
“There are technical solutions that exist to address all of these – but I think providers still have lingering uncertainty about whether these solutions are ‘sufficient’ to address their concerns.”
Other Challenges
In the meantime, there are still other access issues involving certain types of patients, such as minors, Greene said.
“A top challenge facing both patients and providers is adolescent records,” he said.
“It is extremely challenging for providers to provide parents or guardians with real-time access to information about their adolescent children to which they are entitled while blocking access to confidential information to which they are not entitled,” he said.
“This may result in a healthcare provider excluding adolescents’ records from its patient portal, resulting in frustrated parents having to go through more formal release-of-information processes to obtain access to such records.”
While obstacles still remain, patients and healthcare providers are finally understanding that patient access to their own healthcare records is critically important. “I can still remember when patient access was far less of a priority – and I can remember more people saying that patients wouldn’t need access to their records if providers would just do a better job of exchanging data,” McGraw said.
“The more we do to knock these obstacles out of the way, the more we will see those access numbers increase. The win-win aspect of patient access is increasingly being realized across the healthcare ecosystem.”