Photo: David Sacks/Getty Images

More and more often, patients are seeking access to records and information about the scope of their treatment and care. Certain rights under HIPAA promote this concept of access, as does the Open Notes movement, an international movement committed to the idea that when health professionals offer patients and families ready access to clinical notes, the quality and safety of care improves.

Yet despite those factors – and the 21st Century Cures Act, which advanced more extensive access requirements – there are still concerns about privacy and security issues. Real-world experience under these laws and concepts is beginning to accrue, and lessons can be gleaned from some of the processes that have already been implemented – lessons that could help to inform ongoing enhancements to the access picture.

Ultimately, these lessons are necessary to drive a change in culture and focus on collaboration.

Matthew Fisher, general counsel at telehealth platform Carium, will speak more in the issue at the HIMSS 21 annual conference. His session, entitled “The Doors Are Open: Working With Patients on Access,” will take place on August 11 at 10 a.m. PT at Caesar’s Palace in Forum 123.


Patients’ right to access existed under the HIPAA privacy rule from the very beginning, said Fisher. Under HIPAA, patients could theoretically review records at the covered entity’s location or could request a copy be sent to them. But the right to access has often generated confusion, more so when factoring in some of the more stringent state law requirements.

These difficulties, combined with the increasing amount of electronically stored information and a growing public voice among individuals, helped to drive the 21st Century Cures Act, which arguably contained broader rights. Then came the information blocking rules that became effective on April 5, which seek to limit when access can be denied.

“The main privacy and security concerns created by the information blocking regulations – and to some extent, pre-existing rights under HIPAA – are the locations of where data may be sent,” said Fisher. “An individual can request that data about themselves be sent to third party applications, but those applications very likely will not be subject to HIPAA.”

If HIPAA doesn’t apply to those apps, there are concerns that people may find their information exploited, because the privacy policies or terms of service weren’t read, or could be changed after data already resided in the app. 

“Aside from concerns about apps, the longstanding concerns about sending data to unsecure locations, such as free email services, still exist, too,” Fisher said. “It must be remembered though that ultimately an individual may choose where they want their data sent and will bear responsibility for their control of those locations.”

He said that individuals will likely continue to increasingly expect easy and painless access to their own data. Laws and regulations are lining up in that direction, and restricting access will only continue to become more problematic. 

Fisher maintains a sense of optimism that there will be enhanced collaboration between care teams and patients as a result of greater access to data, as well as issues being caught earlier due to data errors or inconsistencies being corrected.

“All sides should collaborate and find opportunity with the still newly-effective regulations,” he said. “It is important to take the time to become educated and accurately comprehend the requirements to avoid repeating past mistakes, too.”


Healthcare privacy expert Deven McGraw, chief regulatory officer for consumer health tech startup Citizen – who previously served as deputy director for health information privacy at the Office of Civil Rights, as well as acting chief privacy officer at the Office of the National Coordinator for Health Information – told HIMSSCast in March that the recent information blocking rules could ultimately be beneficial for providers.

“When you’re on the side of requesting information, all it looks like is opportunity, and I think there’s going to come a time … when even those entities who are subject to the rule will see the opportunity in it in terms of being able to serve new customers,” said McGraw. “Because that opportunity is absolutely there.”

Twitter: @JELagasse
Email the writer: