Getty Images
Key Considerations for Patient Data Access, Patient Engagement
In addition to providing patient data access, healthcare organizations need to consider the role of patient-generated health data and data-sharing consent.
Most experts agree that patient data access is crucial for strong patient engagement.
Although most patient engagement strategies also incorporate principles of patient-centered care, patient education, and social determinants of health, patient data access remains at the center. It is difficult to practice strong patient engagement when a patient can’t see their own health data.
To that end, patient data access has been regulated as an aspect of quality healthcare.
The 1996 HIPAA law outlines that patients have a right to access their own medical records. Meanwhile, the Medicare and Medicaid EHR Incentive Programs (meaningful use) mandated patient portal access in the early 2010s. Following up on that, the information blocking rule in the 21st Century Cures Act requires providers to grant patients access to their clinical notes.
But patient data access isn’t as simple as letting patients look at their medical records. Health information managers need to stay apprised of different rules that regulate the flow of health data as well as protect it from a privacy and security standpoint. Moreover, they must confront a shifting landscape as more consumer-facing technologies allow patients to generate data outside the clinic or hospital.
Below, PatientEngagementHIT outlines key considerations for patient data access and how providers can navigate the complexities of information sharing with patients.
Patient Data Access, OpenNotes Fuel Engagement
Regulatory requirements aside, patient data access has serious benefits for patient engagement.
It’s been generally accepted that an informed patient is more likely to engage in their care than a patient without access to their health information, and studies have confirmed that. A 2019 literature review in the Journal of Medical Internet Research showed that patient portal access helped patients flag medical errors, improved medication adherence, and facilitated patient-provider communication.
That is likely because the patient was able to reference her care plans within the patient portal, which in addition to displaying medical records can also support care management and secure direct messaging. When patients can return to that information after the office visit, they are better equipped to follow through on self-management activities.
Patient activation holds true when looking at patient access to clinical notes, or the notes their providers leave within the EHR. A practice championed by advocacy group OpenNotes, open clinical notes is mandated as part of the information blocking rule under the 21st Century Cures Act.
OpenNotes has done ample research into the benefits of open clinical notes, finding that patients are better equipped to flag medical errors, remain adherent to their medication plans, and even agenda-set before an appointment. Some providers have voiced concerns about how open clinical notes can impact the patient-provider relationship, but OpenNotes research has shown that those concerns have mostly not come to fruition.
Of course, patient data access and patient portals are not a silver bullet for patient engagement. Most patients, particularly ones without a chronic illness, don’t regularly look at their patient portals or medical records. But patient data access can be supportive when a health event does arise, so long as the patient can truly access their health data.
Organizations Behind on Patient Data Access
Despite the regulatory requirements for patient data access and the potential clinical benefits, patient data access falls woefully behind patient expectations.
A June 2022 survey showed that around nine in 10 patients agreed that having unfettered access to their health data was important to managing their health. However, 42 percent of patients said they have a hard time getting their medical records from the patient portal, while 45 percent have trouble getting their records from their providers during a time of need.
Moreover, patients have a hard time sharing medical records with their loved ones, with about half of respondents saying they can’t seamlessly share all or part of their medical records with family or caregivers.
A separate survey from Propeller Insights and Carta Healthcare showed that patients need better information about their rights to their medical records. Some 15 percent of patients said they aren’t even sure if they have access to their health data, and more than two-thirds said they aren’t sure where their medical records are stored after an appointment.
Respondents also said health data ownership is murky, with fewer than half (47 percent) correctly noting that they own their health data.
It’s up to healthcare organizations to make sure health information is accessible to patients and that patients are aware of their rights to health data. According to the Office of the National Coordinator for Health IT (ONC), healthcare organizations can leverage patient portal marketing strategies to empower patient data access.
In the agency’s Patient Engagement Playbook, ONC recommends that healthcare organizations offer patient portal access in multiple languages to all patients, ensure the tool is mobile-optimized, and check that it is user-friendly.
Considerations for Records Requests
While the patient portal is the default tool for patient data access, there are some instances in which a patient might need to request their entire health record from their provider.
Under the HIPAA privacy rule, the patient is legally allowed to do this. Providers must offer the medical record in a paper or digital format in a reasonable amount of time for a reasonable fee that mostly covers the cost of materials and labor.
In order to avoid any penalties, healthcare information managers will want to familiarize themselves with the rules for medical records requests. Regulations to consider include:
- HIPAA, which grants patients the rights over their medical records, including to request transfer of medical records to another provider or to themselves or a designated individual
- American Recovery and Reinvestment Act
- Health Information Technology for Economic and Clinical Health (HITECH) Act and meaningful use, which called for digital patient data access
- The Health Information Bill of Rights (HIBOR), a non-binding document that asserts patients should be able to access their medical records while in the hospital rather than after discharge
- The 21st Century Cures Act
Health information managers should also consider strategies for coordinating a medical records request. In some cases, managers will have to consolidate records from disparate locations, especially if a patient visited the clinic or hospital before the organization digitized records into an EHR. In the name of patient engagement, health information managers might also assume the role of patient navigator to ensure the process of retrieving medical records is transparent.
As noted above, healthcare organizations might charge fees for these medical records releases. Fees generate from the cost of duplicating records, the cost of record storage, the staff’s labor, and coordinating records releases when records are stored in multiple locations.
Under HIPAA, healthcare organizations can only charge a fair and reasonable fee, but fees can still sometimes be prohibitive. In some cases, fees may leave patients without the medical record access they need and have a right to.
There can also be negative consequences for organizations that charge excessive medical record copying fees. In September 2022, the Georgia-based Ciox Health reached a $1.85 million settlement for a class-action lawsuit alleging the organization charged exorbitant fees for medical records requests.
Data Integration & Patient-Generated Health Data
Patient data isn’t just created during clinical encounters. As healthcare consumers adopt more digital tools, like wearables or self-management apps, they themselves are creating health data. This type of health data is considered patient-generated health data.
Defined by ONC as “health-related data created, recorded, or gathered by or from patients (or family members or other caregivers) to help address a health concern,” PGHD can technically come from many different sources, ranging from patient wearables to narrative health histories. However, wearables are the most common source.
PGHD can be helpful because it gives providers a glimpse into patient well-being outside the four walls of the hospital. In chronic disease management, it helps providers understand how patients fare between visits. In some cases, PGHD can also alert providers and patients to an issue that needs early intervention.
However, that’s only possible with adequate data integration.
A 2019 JAMIA article found that the inability to integrate PGHD within the EHR gets in the way of using the data. Integration issues are compounded by limited digital health literacy and access to the digital tools that produce PGHD, the researchers said.
The Agency for Healthcare Research and Quality (AHRQ) recommends that healthcare organizations select devices for a PGHD strategy based on their ability to share information through application programming interfaces (APIs). Organizations should also consider whether the tools are regulated by the FDA or are HIPAA compliant.
Information Sharing Consent Management
The question of health information sharing doesn’t start and end with patient data access. Industry leaders are also grappling with questions about the other parties with whom patient data gets shared and how patients can consent to that sharing.
“Although HIPAA does not require that health care entities offer patients a choice about the sharing of their PHI, many entities and states have adopted policies or laws that require patient consent,” according to ONC. “HIPAA is designed to work in tandem with more privacy protective policies, so in those states the entity is required to get the patient’s basic consent preference (e.g., the entity must document if the patient wishes to opt-in or opt-out of electronic exchange).”
Patient data-sharing consent is important as more healthcare research uses real-world evidence (RWE). Perhaps most notably, the National Institutes of Health (NIH) All of Us Research Program uses RWE derived from medical records and other digital tools.
The question of patient consent has also become paramount as patients use more digital tools that contribute to PGHD. For instance, a medication management or period tracker app will generate medical data about a patient, leaving the healthcare industry questioning how this data is shared between other apps, provider entities, and researchers.
Data in JAMA Network Open has shown that patients are comfortable with data sharing but with some caveats. For one thing, patients said they need informed consent to feel comfortable sharing their health data, and privacy protections are vital.
But getting patient consent is more complex than that, the researchers found. The team found that patients were more willing to share their data when they knew it was for research purposes than for other clinical uses or marketing.
Achieving that informed consent is a bit of a catch-22. Although patients said they want to be able to opt into data sharing and want to know how the data is being shared and for what purpose, it’s generally accepted that most consumers simply “tap through” the terms and conditions when using certain apps or tools.
The JAMA researchers suggested the onus is on app developers and other health IT leaders to make these terms and conditions readable and understandable for users.
“Given the growing complexities of data sharing, unpredictable future uses of data, and the infeasibility of repeatedly acquiring consent for new uses, one approach to protecting consumer privacy is to implement a combination of individualized and early consent with collective and ongoing governance,” the researchers recommended.
“Such a model would reduce individual burden while maintaining protections. Moreover, transparency and comprehensibility must apply both to the specific data being shared as well as how the data were collected and used.”
As more digital technologies enter into the healthcare consumer space, the more complex patient data access and patient data sharing are likely to become. Healthcare information managers should stay apprised of federal regulations regarding right of access and data sharing to ensure patients are supported.