Commercial risk will be a critical catalyst of progress – it’s complicated, but is it possible? We think so.

Blog Post

New policy can give patients better access to their health data—but challenges remain

By Eunice JeongTy Aderhold

June 17, 2021

So far, 2021 has brought in new regulations around patient data and interoperability designed to open up patient data access in a way that could potentially transform the patient experience for the better permanently. However, there are concerns around patient interest, privacy, and security to overcome before health data (and health care in general) can truly become more patient-centric.

Access your information blocking toolkit

The changes 2021 brought us

Providing patients with easier access to their health data has been a long-standing challenge in health care. This year, as new policy makes easier access into more of a reality, there are still several obstacles remaining that might prevent any truly impactful change.

Let’s begin with an overview of the recent changes to health data policy. Patients have had legal access  to their data since the early 2000s thanks to HIPAA, but there were hurdles preventing easy access, namely information blocking and inconvenient data storage. To help address these barriers, CMS and the Office of the National Coordinator for Health IT (ONC) created final rules on interoperability, patient data access, and information blocking that went into effect on April 2021.

Pertaining to patient data, the rules require (among other things) that patients be able to easily access and download their health data through third-party consumer apps at no cost with the use of FHIR-standard Application Programming Interfaces (APIs). The patient can then take their data to any provider, making data patient-centric as opposed to provider-centric. Consumer apps such as Apple Health Record, CommonHealth, and others are already in the market for this purpose.

There are potential benefits to open access for providers, patients, and researchers. Easy access to patient data can allow providers to be more efficient and accurate with patient care, lowering misdiagnoses and duplicate testing. Patients and caregivers can feel more involved in the care journey, which is a strong predictor of health outcomes. Researchers can also benefit by letting patients easily opt in to sharing their data and samples with studies, contributing to faster and more economically efficient solutions. 

However, there are still major obstacles preventing the full benefits of patient-centered data from being realized. Here are several potential challenges that health industry leaders should consider as they move forward.

Potential concerns

1. Patient awareness

Even if patients legally have access to this data, they may not end up using it. Many patients won’t think to access their data because they are not aware of their HIPAA rights. This study found that most patients did not use Apple PHR to access their data, even when they were able to – only about 0.7% of people logged into their patient portal downloaded medical records to their device. However, patient awareness could improve through the future with the increased popularity of telemedicine and other digital health tools.

2. Privacy, security, and literacy

Patient data on third-party apps have the potential to be sold or used for marketing. In 2020, organizations like the American Medical Association and the American College of Obstetricians and Gynecologists warned that letting apps handle medical records could lead to potential misuse. Consumer apps are not regulated by HIPAA, so it is unclear how they would use patient data once they have access to it. Privacy around app use would depend on each individual apps’ terms of service. This is a concern because many users don’t properly read terms and conditions or might not understand the language of the terms. To remedy this, groups are developing a Model Privacy Notice, to help developers clearly instruct users on privacy policies.

3. Hacking

All consumer apps are vulnerable to malicious hacks or security breaches, which provider partners have little control over. Health systems could face negative consequences such as bad press or loss of patient trust if the apps they partner with experience hacking or misuse.

4. Provider hesitancy to use patient data

The information blocking provision elevates the conversation around how patients share health information with providers, especially once they are able to access data across health systems more easily. If patients bring third-party data with them, providers could have questions about how to approach clinical decision making using data that originated from an external source. Those providers who are concerned about data integrity and accuracy may be less willing to incorporate third party data into the EHR. That means health system leaders must first address any provider hesitancy around external data before they can realize the benefits that come with having more complete data about a patient’s health from across care settings.

Our best information blocking resources

informationThe ONC information blocking provision took effect on April 5, 2021. As with any set of new regulations, there's a lot of detail to unpack. You’ll need to figure out your compliance strategy, identify gaps in your policies and processes, and have ongoing conversations to address data blocking concerns. Use our toolkit to get started.

Get the toolkit

Have a Question?


Ask our experts a question on any topic in health care by visiting our member portal, AskAdvisory.