Updating HIPAA for the electronic medical record era

Corresponding Author: Samuel Trent Rosenbloom, MD, MPH, FACMI, Department of Biomedical Informatics, Vanderbilt University Medical Center, 2525 West End Avenue, Suite 1475, Office #14106, Nashville, TN 37203, USA (trent.rosenbloom@vumc.org)

Received 2019 Mar 24; Revised 2019 May 2; Accepted 2019 May 15.

Copyright © The Author(s) 2019. Published by Oxford University Press on behalf of the American Medical Informatics Association. All rights reserved. For permissions, please email: journals.permissions@oup.com

This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/open_access/funder_policies/chorus/standard_publication_model)

Abstract

With advances in technology, patients increasingly expect to access their health information on their phones and computers seamlessly, whenever needed, to meet their clinical needs. The 1996 passage of the Health Insurance Portability and Accountability Act (HIPAA), modifications made by the Health Information Technology for Economic and Clinical Health Act (HITECH), and the recent 21st Century Cures Act (Cures) promise to make patients’ health information available to them without special effort and at no cost. However, inconsistencies among these policies' definitions of what is included in “health information”, widespread variation in electronic health record system capabilities, and differences in local health system policies around health data release have created a confusing landscape for patients, health care providers, and third parties who reuse health information. In this article, we present relevant regulatory history, describe challenges to health data portability and fluidity, and present the authors’ policy recommendations for lawmakers to consider so that the vision of HIPAA, HITECH, and Cures may be fulfilled.

Keywords: HIPAA, patient engagement, consumer health informatics, policy, open notes

INTRODUCTION

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 ushered in a new era for health data privacy, access, and sharing.1–3 The act enshrined a number of rights for Americans receiving health care, including—through its Privacy Rule—the right of an individual to access their health information in the form and format they prefer, so long as a covered entity can readily produce such information. The HIPAA Privacy Rule was modified as the result of the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009, which updated the individual right of access to include electronic information maintained by covered entities and their business associates.4 Subsequent and related regulatory decisions have fundamentally changed the landscape for how health data are generated and stored across the country by encouraging widespread adoption of electronic health records (EHRs), patient portals, and application programming interfaces (APIs).5 Taken together, the Privacy Rule and the HITECH Act have encouraged an environment where Americans should have easy access to their health records.6

As we eclipse 10 years since passage of HITECH, two trends are on a collision course: increasingly, patients expect access to their health information on their phones, through their computers, and readily available for their clinical needs.7–14 Meanwhile, health systems grapple with rapidly growing volumes of patient data, compounding long-standing challenges in managing such data for care, research, billing, and fulfilling patients’ information requests.15,16 The broad nature of concepts defined in HIPAA around what should be included in health records released to patients upon request has allowed health care organizations to interpret the definitions differently and apply them inconsistently.17 These variations have led to discrepancies in the information provided to patients regarding the medical records release process and confusion over how to comply with federal and state regulations.15

In this article, we present relevant regulatory history, describe challenges to health data portability and fluidity, and present the authors’ policy recommendations for both the administration and the 116th Congress to consider so that the vision of HIPAA and HITECH may be fulfilled. Authors include members of the American Medical Informatics Association and the American Health Information Management Association. Policy recommendations are those of the authors, but reflect current principles the respective associations have endorsed.

BACKGROUND

The passage of HIPAA in 1996 and the subsequent modification made by HITECH marked the culmination of bipartisan efforts to protect Americans’ rights to portable health coverage as they moved between jobs, to ensure the integrity of their health data, and to access their health information in convenient ways.1,3,18,19 Specifically, HIPAA’s Privacy Rule specifies that a patient has the right to access their protected health information in 1 or more “designated record sets” (DRSs) maintained by a covered entity.5 Covered entities are generally health care providers, health plans, and health care clearinghouses.20 This right to access was extended by HITECH to guarantee that if a patient’s health data are stored electronically, there is an expectation that patients be able to access their health data electronically whenever possible, or when such information is readily producible.

The US Department of Health & Human Services defines the DRS broadly as (1) medical and billing records maintained by or for a covered health care provider; (2) health plan enrollment, payment, claims adjudication, and case management records; and (3) other records that are used for medical decision-making.4 The Privacy Rule further states that the term “record” refers to “any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.”4,21,22 Guidance released by the Health and Human Services Office for Civil Rights in 2016, known as the “FAQs on Access Guidance,” added detail to this expansive definition, stating that the DRS may include “medical records, billing and payment records, insurance information, clinical laboratory test results, medical images, such as X-rays; wellness and disease management program files; and clinical case notes; among other information used to make decisions about individuals.”4

CHALLENGES FOR HIPAA IN THE ELECTRONIC AGE

Today, defining the DRS is complicated because EHR systems may have different designs, functions, data structures, and interfaces. When HIPAA was enacted in 1996, only a handful of hospitals and few physician offices used EHRs. With the help of HITECH’s more than $34 billion in incentives, nearly all hospitals23 and roughly 80 percent of physician offices24 use an EHR system today. Further, the resulting EHR Incentive Program, known as “Meaningful Use,” required providers to adopt patient portals, which allow individuals to “view, download, and transmit (to a third party)” their health information.25 The Office of the National Coordinator’s (ONC) 2015 Edition Health IT Certification Criteria defined the Common Clinical Data Set (CCDS), which included vocabulary and content standards for clinical data exchange, including immunizations, unique device identifiers, assessment and plan of treatment, goals, and health concerns.26 The CCDS further expanded the accessibility and availability of data exchanged by including enhanced data export and API capabilities. Unfortunately, the CCDS omits valuable information contained in all EHRs (such as clinical notes), falls well short of the DRS definition, and leaves patients without an ability to access most of their health information. Table 1 indicates the different data contained in the different health record data sets, including CCDS, US Core Data for Interoperability (USCDI), DRS, and electronic health information (EHI).

Table 1.

Specified and Defined Health Data Record Sets. The Common Clinical Data Set (CCDS) is specified by the Office of the National Coordinator’s 2015 Edition Health IT Certification Criteria. The US Core Data for Interoperability (USCDI) is an expanded set of data specifications defined in ONC’s 2019 Notice of Proposed Rulemaking to improve the interoperability of frequently exchanged health data. The Designated Record Set (DRS) is the HIPAA Privacy Rule-specified set of protected health information that a patient has the right to access from a covered entity. Electronic Health Information (EHI) is an expanded set of health data proposed in ONC’s 2019 Notice of Proposed Rulemaking to implement various provisions of the 21st Century Cures Act.

Data Type | CCDS | USCDI | DRS | EHI
Assessment and Plan of Treatment | X | X | X | X
Care Team Members | X | X | X | X
Clinical Notes |  | X | X | X
Goals | X | X | X | X
Health Concerns | X | X | X | X
Immunizations | X | X | X | X
Labs | X | X | X | X
Medications | X | X | X | X
Patient Demographics | X | X | X | X
Problems | X | X | X | X
Procedures | X | X | X | X
Provenance |  | X | X | X
Smoking Status | X | X | X | X
Unique Device Identifiers for Implantable Devices | X | X | X | X
Vital Signs | X | X | X | X
Pediatric Vital Signs |  | X | X | X
Allergies |  |  | X | X
Family History |  |  | X | X
Medical Imaging |  |  | X | X
Specimen |  |  | X | X
Molecular Sequence |  |  | X | X
Wellness and disease management profiles |  |  | X | X
Clinical Case Notes |  |  | X | X
Nutrition Order |  |  | X | X
Vision Prescription |  |  | X | X
Risk Assessment |  |  | X | X
Coverage |  |  | X | X
Coverage Eligibility |  |  | X | X
Enrollment |  |  | X | X
Claims |  |  | X | X
Payment |  |  | X | X
Account |  |  | X | X
Charge Item |  |  | X | X
Contract |  |  | X | X
Explanation of Benefits |  |  | X | X
Insurance Plan |  |  | X | X
Research Study |  |  | X | X
Research Subject |  |  | X | X
Question |  |  | X | X
Evidence Variable |  |  | X | X
Quality Measures |  |  | X | X
Medical records and billing records about individuals maintained by or for a covered health care provider |  |  | X | X
Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan |  |  | X | X
Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access. |  |  | X | X
Business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals |  |  |  | X
A hospital's peer review files |  |  |  | X
Practitioner performance evaluations |  |  |  | X
Health plan quality control records |  |  |  | X
Formulary development records |  |  |  | X
Any other information that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, and is transmitted by or maintained in electronic media, as defined in 45 CFR 160.103, that relates to the past, present, or future health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. |  |  |  | X

An additional challenge is that while HIPAA defines “covered entities,” federal regulations provide no definition or guidance for those software companies that leverage consumer technologies to produce and manage individually identifiable health information. These companies are known as HIPAA noncovered entities (NCEs). HIPAA NCEs may produce or maintain tools that access individuals’ health data, including medical information, exercise and personal tracking records, dietary logs, social media posts, etc.27 For example, Apple Health Record and PatientsLikeMe represent archetypes of NCEs, but Fitbit and Facebook could also be considered HIPAA NCEs. As the line between traditional medical information systems used by covered entities and emerging consumer devices and software provided by HIPAA NCEs continues to blur, policy makers will need to consider whether current consumer protections—generally considered the purview of the Federal Trade Commission—are sufficient. For example, HIPAA’s right to access does not extend to NCEs capturing similar health data. This gap leaves patients without any right to a rapidly growing body of their own personal health data. Further, the HIPAA right of access is but one important provision that NCEs need not adhere to; none of the other Privacy and Security Rule provisions apply either.

RECENT STEPS

With enactment of the 21st Century Cures Act of 2016,28,29 Congress sought to address a host of complaints related to EHR interoperability and further broaden what data should be available for patients to access. Specifically, Cures defines health data interoperability as (1) enabling secure exchange of electronic health information without special effort on the part of the user; (2) allowing for complete access, exchange, and use of all electronic health information under applicable state or federal law; and (3) avoiding intentional information blocking. In March 2019, ONC announced new policies enacting these provisions of the Cures Act.28 The new policies included a formal proposal to adopt an expanded version of the CCDS, known as the US Core Data for Interoperability (USCDI), establishment of a new regulatory definition for “electronic health information (EHI),” and a series of policies meant to enable patients to have access to their data through APIs “without special effort” and at “no cost.”28,30 ONC proposes to define EHI in terms that mirror the HIPAA concept of Individually Identifiable Health Information,31 although ONC does not reference this concept specifically. ONC clarifies that under its proposed definition, EHI is expansive and “may be provided, directly from an individual, or from technology that the individual has elected to use, to an actor covered by the information blocking provisions.”28 As envisioned by ONC’s proposals, beginning in 2022, EHRs must make data included as part of the USCDI available through patient portals and via APIs. Further, the ONC proposal would require EHRs to provide patients access to all their EHI through an “EHI export,” enforced through newly proposed “information blocking” prohibitions. However, the ONC definition of EHI seems more expansive than the HIPAA-defined DRS, potentially widening the current delta between the HIPAA right of access policy and certified EHR functionality.

In the meantime, growing movements such as OpenNotes have resulted in tens of millions of patients having complete, easy access to clinic notes via patient portals.32–35 Today, over 30 million Americans have access to their clinical notes as part of the OpenNotes movement.36,37 Studies conducted since the original OpenNotes demonstration project continue to validate the project’s findings that note-sharing helps patients take better care of themselves without creating additional anxiety.33,35,38 However, despite this mounting evidence,39 note-sharing is not universal, and even leading institutions are reluctant to implement the concept in practice. Currently, less than 10 percent of the nation’s 5000 hospitals engage in note-sharing. At present, sharing notes is subject to agreement by the health care organization hosting the web portal and to enrollment of patients in using that portal. These factors can lead to confusion among patients and doctors who experience different data availability as they move from one health system to another. While ONC’s proposed rule includes a technical specification that would allow EHRs to better exchange and integrate clinical notes among disparate EHRs as part of the USCDI, these technical updates would not encourage note-sharing directly with patients or their designated caregivers.

POLICY RECOMMENDATIONS

We believe that the existing HIPAA policies and strategies around patient access to their health data need refinement. There has been a long-standing discordance between what federal policy requires and what technology and organizational policies have delivered as part of HIPAA’s individual right of access. And while ONC attempts to align EHR functionality with HIPAA’s policy, a concerted effort to operationalize concepts devised by regulators into practice will be needed.

The broad definitions established by HIPAA were developed long before common use of EHRs, mobile apps, and other kinds of health technology that have become commonplace. As more than 96 percent of all hospitals have adopted EHRs,23 we must rethink how to better ensure individuals’ right of access in a data-centric world. We present specific recommendations for policy makers in Table 2. If adopted, these recommendations would better align HIPAA’s rules around individual access to health data with the current realities of electronic medical records and the expectations of modern, engaged patients.

Table 2.

Authors’ recommended steps to policy makers for modernizing HIPAA

Align the HIPAA right of individual access with Health IT Certification
Policy makers should take concerted action to align HIPAA’s right of access with Health IT certification so individuals can view, download, or transmit health information electronically to a third party and access the information via application programming interfaces (APIs). Specifically, lawmakers should revise the definition of the designated record set and require certified Health IT to provide the amended designated record set to patients electronically while maintaining computability.
Extend the HIPAA individual right of access to non-covered entities (NCEs)
Noncovered entities managing individual health data, such as mHealth and health social media applications, should be subject to a uniform right of individual access—regardless of covered entity, business associate, or other commercial or legal status.
Encourage electronic medical record data and clinical note-sharing with patients.
Promote efforts such as OpenNotes through Medicare and Medicaid payment programs, such as the Merit-based Incentive Payment System and other innovative payment models under the oversight authority of CMS.

CONCLUSION

Federal laws and regulations stemming from HIPAA, HITECH, and Cures have made significant improvements to enshrine individuals’ rights to access their health records and direct how those records are used. However, these policies have not kept pace with advances in technology, diffusion of health IT across diverse sectors of health care, or patients’ expectations that their health information be available to them immediately and electronically.40 Furthermore, due to ambiguity of how HIPAA and Cures concepts are defined in regulation, covered entities inconsistently implement federal regulations regarding patient access. These inconsistencies create additional confusion on the part of patients and providers. The authors present specific recommendations for policy makers to consider as they look to modernize HIPAA and HITECH. Policy makers must be thoughtful in how they define key concepts meant to deliver this foundational right to patients, and they must ensure that certified technology can operationalize policy.

AUTHOR CONTRIBUTIONS

All authors contributed equally to the text and perspectives expressed in this manuscript, and all authors reviewed and approved the final drafts.

CONFLICT OF INTEREST STATEMENT

REFERENCES

1. Public Law 104–191—Health Insurance Portability and Accountability Act of 1996—Content Details—PLAW-104publ191. https://www.govinfo.gov/app/details/PLAW-104publ191/summary. Accessed March 18, 2019.

2. Statement on Signing the Health Insurance Portability and Accountability Act of 1996. The American Presidency Project. https://www.presidency.ucsb.edu/documents/statement-signing-the-health-insurance-portability-and-accountability-act-1996. Accessed March 18, 2019.

3. Atchinson BK, Fox DM. From the field: the politics of the health insurance portability and accountability act. Health Aff (Millwood) 1997; 16(3): 146–50.

4. Office for Civil Rights (OCR), Health Information Privacy Division. Individuals’ Right under HIPAA to Access their Health Information; 2016. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html. Accessed March 18, 2019.

5. Office for Civil Rights (OCR). The HIPAA Privacy Rule; 2008. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html. Accessed March 18, 2019.

6. Patel V, Johnson C. Individuals’ Use of Online Medical Records and Technology for Health Needs. 17 (2018). https://www.healthit.gov/sites/default/files/page/2018-03/HINTS-2017-Consumer-Data-Brief-3.21.18.pdf. Accessed January 3, 2019.

7. Anderson K, Burford O, Emmerton L. Mobile health apps to facilitate self-care: a qualitative study of user experiences. PLoS ONE 2016; 11: e0156164.

8. Haun JN, Patel NR, Lind JD, Antinori N. Large-scale survey findings inform patients’ experiences in using secure messaging to engage in patient-provider communication and self-care management: a quantitative assessment. J Med Internet Res 2015; 17: e282.

9. Adu MD, Malabu UH, Malau-Aduli AEO, Malau-Aduli BS. Users’ preferences and design recommendations to promote engagements with mobile apps for diabetes self-management: multi-national perspectives. PLoS ONE 2018; 13: e0208942.

10. Benham-Hutchins M, Staggers N, Mackert M, Johnson AH, de Bronkart D. ‘I want to know everything’: a qualitative study of perspectives from patients with chronic diseases on sharing health information during hospitalization. BMC Health Serv Res 2017; 17: 529.

11. Zulman DM, Jenchura EC, Cohen DM, et al. How can ehealth technology address challenges related to multi-morbidity? Perspectives from patients with multiple chronic conditions. J Gen Intern Med 2015; 30(8): 1063–70.

12. Ali SB, Romero J, Morrison K, Hafeez B, Ancker JS. Focus section health IT usability: applying a task-technology fit model to adapt an electronic patient portal for patient work. Appl Clin Inform 2018; 9: 174–84.

13. Reading M, Baik D, Beauchemin M, Hickey KT, Merrill JA. Factors influencing sustained engagement with ECG self-monitoring: perspectives from patients and health care providers. Appl Clin Inform 2018; 9: 772–81.

14. Ancker JS, Witteman HO, Hafeez B. “You get reminded you’re a sick person”: personal data tracking and patients with multiple chronic conditions. J Med Internet Res 2015; 17: 1–12.

15. Lye CT, Forman HP, Gao R, et al. Assessment of US hospital compliance with regulations for patients’ requests for medical records. JAMA Netw Open 2018; 1(6): e183014.

16. Jaspers AW, Cox JL, Krumholz HM. Copy fees and limitation of patients’ access to their own medical records. JAMA Intern Med 2017; 177(4): 457–8.

17. Health Information Privacy Beyond HIPAA: A 2018 Environmental Scan of Major Trends and Challenges. 68 (National Committee on Vital Health Statistics). https://ncvhs.hhs.gov/wp-content/uploads/2018/05/NCVHS-Beyond-HIPAA_Report-Final-02-08-18.pdf. Accessed January 3, 2019.

18. Cohen IG, Mello MM. HIPAA and protecting health information in the 21st century. JAMA 2018; 320(3): 231–2.

19. Tang PC. An AMIA perspective on proposed regulation of privacy of health information. J Am Med Inform Assoc 2000; 7(2): 205–7.

20. Office for Civil Rights (OCR). Covered Entities and Business Associates; 2015. https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html. Accessed April 30, 2019.

21. AHIMA Policy and Government Relations Team. Final Rule for Standards for Privacy of Individually Identifiable Health Information: What the Rule Covers. AHIMA (American Health Information Management Association); 2001. http://bok.ahima.org/doc?oid=60936. Accessed January 3, 2019.

22. HIPAA Privacy Rule and Its Impacts on Research. https://privacyruleandresearch.nih.gov/pr_12.asp. Accessed March 18, 2019.

24. Percentage of office-based physicians using any electronic health record (EHR)/electronic medical record (EMR) system and physicians that have a certified EHR/EMR system, by specialty: National Electronic Health Records Survey, 2017. https://www.cdc.gov/nchs/data/nehrs/2017_NEHRS_Web_Table_EHR_State.pdf. Accessed January 3, 2019.

25. Blumenthal D, Tavenner M. The “meaningful use” regulation for electronic health records. N Engl J Med 2010; 363(6): 501–4.

26. 2015 Edition Common Clinical Data Set – 45 CFR 170.102. 17. https://www.healthit.gov/sites/default/files/topiclanding/2018-04/2015Ed_CCG_CCDS.pdf. Accessed January 3, 2019.

27. Kim Y, Lee B, Choe EK. Investigating data accessibility of personal health apps. J Am Med Inform Assoc 2019; 26(5): 412–9.

30. The USCDI is a standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange. https://www.healthit.gov/sites/default/files/draft-uscdi.pdf.

31. Office for Civil Rights (OCR). Summary of the HIPAA Privacy Rule; 2008. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. Accessed March 18, 2019.

32. Leveille SG, et al. Evaluating the impact of patients’ online access to doctors’ visit notes: designing and executing the OpenNotes project. BMC Med Inform Decis Mak 2012; 12: 32.

33. Delbanco T, Walker J, Bell SK, et al. Inviting patients to read their doctors’ notes: a quasi-experimental study and a look ahead. Ann Intern Med 2012; 157(7): 461–70.

34. Walker J, Darer JD, Elmore JG, Delbanco T. The road toward fully transparent medical records. N Engl J Med 2014; 370(1): 6–8.

35. Mishra VK, Hoyt RE, Wolver SE, Yoshihashi A, Banas C. Qualitative and quantitative analysis of patients’ perceptions of the patient portal experience with OpenNotes. Appl Clin Inform 2019; 10: 10–8.

36. OpenNotes: How the Power of Knowing Can Change Health Care. NEJM Catalyst; 2017. https://catalyst.nejm.org/opennotes-knowing-change-health-care/. Accessed March 18, 2019.

37. See Who’s Already Sharing Notes! OpenNotes. https://www.opennotes.org/join/map/. Accessed March 18, 2019.

38. Wright E, Darer J, Tang X, et al. Sharing physician notes through an electronic portal is associated with improved medication adherence: quasi-experimental study. J Med Internet Res 2015; 17(10): e226.

39. The Research Continues. OpenNotes. https://www.opennotes.org/on-research/. Accessed March 18, 2019.

40. Lee BS, Walker J, Delbanco T, Elmore JG. Transparent electronic health records and lagging laws. Ann Intern Med 2016; 165(3): 219.

Articles from Journal of the American Medical Informatics Association : JAMIA are provided here courtesy of Oxford University Press