
Epic, the largest electronic health record company in the U.S., launched an effort last week to persuade hospital CEOs across the country to fight recent efforts by the federal government to ensure that patients can easily access their electronic health data. In essence, Epic CEO Judith Faulkner asked hospital leaders to make it more difficult for patients to easily access their electronic health data.

By making it easier for people to access their own health data, the federal government aims to help people manage their health and shop for care.

Epic’s position is akin to banking leaders trying to limit your access to your own financial data or restrict your freedom to transfer your funds and saying they are doing it for your own good.


Why is it so important for people to have access to their data? These data are necessary to liberate people to obtain second opinions, transfer to a new doctor, see results, avoid unnecessary testing, correct mistakes, participate in some types of research, and much more. Today, having agency over your own data can be empowering.

At issue is a proposed rule from the Department of Health and Human Services that would require electronic health records from various makers to “talk” to each other and to third-party apps.


We need to get this right. It is an opportunity for an entire consumer-mediated health information economy to emerge, customizing services and information to individuals and enhancing competition based on quality, outcomes, and experience.

The current situation for patients is rather dire. Although laws clearly articulate the rights of people to access their digital health records, few people find that the system really works for them. My research team and I recently conducted a secret shopper study of top U.S. hospitals and found widespread violation of people’s rights to access their health information. We found that hospitals often provide patients conflicting information about requesting their records and, in many cases, give blatant misinformation or limited information. The cost for obtaining a 200-page record was as high as $542, even though a flat rate of $6.50 was proposed for digital records. There were often delays, incomplete records, and limitations in the ways that people could receive their data.

I have personally heard stories about the travails of people who tried to get personal health information. One woman, on behalf of her hospitalized mother, sought copies of her mother’s health information from a major New York City hospital. After much back and forth, she was finally told that she could not get the digital data. Instead, a large box with hundreds of disordered pages showed up, along with a bill for $500.

One hospital executive actually told me that hospitals did not like people easily getting their records because they could more easily transfer their care to other institutions.

Meanwhile, technology is enabling solutions that could be under patients’ control. For example, Apple has touted its ability to connect to health systems and enable data to stream to iPhones. In full disclosure, I started a company, Hugo Health, that helps people connect with their health data and makes a promise that data will move only with their permission. And the number of such options for patients is growing.

Yet there remain impediments, one of which is that people generally aren’t being given access to their entire records, including notes, images, and other important information. This information blocking is just what the law and proposed rule are seeking to address.

The existing lack of data liquidity also stymies innovation, making it hard to accomplish the kind of customer-centered approaches that the digital world now affords in other sectors. These new regulations have the potential to create an app-based marketplace to serve patients and their data, unleashing new approaches and services specifically tuned to patient needs.

Some perceive the increased patient access to their digital records as a threat to existing business models. Epic wrote to health systems that the proposed rules promoting patient access and choices will bring more work and higher cost, even though the transfer of data can be accomplished without much difficulty. The company says the rules will jeopardize health systems’ investments in electronic health systems, but that feels strongly self-serving and without basis. Epic also implied that giving data to patients could bring privacy risks. But isn’t it up to patients to decide for themselves what they want to do with their data?

There’s no question that health data is especially sensitive. It’s imperative that companies helping people with their health data must respect privacy, employ strong security practices, and stay transparent about whether they share data with others. People must be informed about what happens to their data and if it is being used by others for commercial purposes. People should be granted greater agency over their data — and be in control of it.

The solution should not be to restrict access.

The new laws and rules have the potential to eliminate the many ways that data holders, like Epic, impose information blocking. People should have access to all their electronic patient record data, as is required in the 21st Century Cures Act, which Congress passed in 2016. These advancements will require EHR vendors, health systems, and others in the health care ecosystem to adapt to new opportunities. The banking industry showed us what is possible when services became available to us digitally. Competition was enhanced and so was convenience. Security was not compromised and banks did not insist that the government require the public to continue to use tellers.

It’s time for health care to catch up. I look to health systems to advocate for patient rights in the digital era and leverage the possibilities of a digital world to achieve higher-quality services at more affordable prices with better experience than their competitors. As HHS Secretary Alex Azar said clearly at the annual meeting of the Office of the National Coordinator, “Scare tactics are not going to stop the reforms we need.” Now is also the time for people who care about patients’ rights of access to support the government in issuing final rules that side with patients.

At the same time, vendors of electronic health systems should spend less time lobbying the government to push back on patient access to data and more time producing innovative products that better serve the needs of patients and health care professionals.

Harlan M. Krumholz, M.D., is professor of medicine and of public health at the Yale School of Medicine, director of the Center for Outcomes Research and Evaluation at Yale New Haven Health System, and co-director of the Yale Open Data Access (YODA) Project.

  • It is much too late now. This data has already been monetized and sold, by companies like Alphabet. There is not one example of any benefit to patients. It just was not profitable to give patients their data; after all, the lack of data was more profitable, especially when tests, procedures and imaging could be done all over again, for a price. Physicians did not bother to ask any questions as long as the data collected could help them avoid liability, not save lives.

    • This isn’t really true. HIPAA covered entities and business associates cannot sell identifiable data. Alphabet/Google has two major pending issues (Ascension and Chicago) where PHI may have been accessed (or planned to be accessed) inappropriately.

      The issue with the ONC rule is that it will open up the door to third party apps accessing streams of identifiable patient data at *scale* which they can turn around and do whatever they want with it (provided they have authorized the app to connect to their health record and agreed to the user agreement terms). There is no regulation on the use or sale of data that patients more or less give to apps. While this happens today regardless, it happens on a much smaller scale.

      There’s a reason why big tech is now urging support for pushing the rule through and it’s got nothing to do with what is best for patients (and those who care for them).

  • The issue though is, as you say, the patient should access their data “and be in control of it” – this rule will force EHRs/providers to share data with entities who have no legal mandate to use that data appropriately/ethically and the patient will not have control over it. No informed consent, no right to be forgotten, no human subjects research reviews, etc. Your app might do these things but that doesn’t mean the others will. Tech has shown that they are incapable of regulating themselves and incapable of voluntarily protecting privacy. And any app that amasses a significant amount of patient data, regardless of how pure their intentions, will be bought by big tech with less pure intentions. The data is just too valuable to expect self-regulation.
