
Why is giving patients access to their health data important?

By Meghan Franklin
May 11, 2021

First, a story (or two)

Anil Sethi traveled around the country with his younger sister, Tania, seeking expertise and treatment options that might help her defeat metastatic breast cancer. In Tania’s last six months of life, Anil and Tania saw 23 specialists across 17 institutions, none of which had Tania’s full health history. Sadly, Tania died in September 2017.

After his sister’s death, Anil learned that Tania’s health data contained information that could have extended her life.

Personally, my father was recently seen by an oncologist for a second opinion about why a long-term chemotherapy drug he was on no longer seemed to be effective. When the appointment began, the physician asked, “How can I help you today?” He didn’t have my father’s medical record, so didn’t know his medical history, medication list, recent blood work results, etc.--all things that would have been helpful when preparing to recommend alternative treatment options.

You likely have a story, too, about how ineffective or nonexistent data sharing between clinicians or institutions impacted your or a loved one’s care.

How different would healthcare look if patients controlled how their health data is shared? What if you could easily provide a physician from whom you’re seeking a second opinion with the data they need to make the best recommendations possible?

The team at Ciitizen is working to transform patients’ relationships with their health data. As the Founder and CEO of Ciitizen, Anil Sethi has made it his mission to put patients in control of their health data and empower them to take a more active role in their care.

Ciitizen Co-Founder and Chief Regulatory Officer Deven McGraw, J.D., MPH, believes getting data into the hands of patients is critical if we want to improve clinical outcomes and healthcare in general.

The criticality of sharing health data with patients

As the former Deputy Director, Health Information Privacy at the Office for Civil Rights (OCR), U.S. Department of Health & Human Services, McGraw was in the office in charge of enforcing the Health Insurance Portability and Accountability Act (HIPAA). In that role, McGraw saw how patients struggled to get their data; she said data withholding was one of the top five complaints OCR received about potential violations of the HIPAA Privacy Rule. In 2016, OCR issued guidance to make it clearer to patients what their rights were and to better communicate the scope of obligations for entities covered by the HIPAA Rule.

When McGraw joined Ciitizen in 2017, she assumed that entities covered by the HIPAA Rule had incorporated the OCR guidance into their operations, and she expected patients were having an easier time accessing their data. McGraw’s experience at Ciitizen sourcing medical records for patients, however, left her dismayed that patient data access hadn’t improved.

While she understands privacy concerns and believes that healthcare data should be shared carefully, McGraw said she wonders if privacy concerns are too often used as a smokescreen for anti-competitive concerns. Things are getting better, McGraw said, but it’s still not easy for patients to get their data.

McGraw said that providers have been operating under the assumption that data sharing creates risk and that they should share data cautiously.

“Essentially, what the info blocking rule says to providers is that their presumption that data sharing is dangerous needs to shift,” McGraw said.

And while McGraw recognizes there are risks to sharing data, there are also risks to safeguarding data too closely. “There needs to be a balance between caution and giving people the data they need,” she said.

From a public health perspective, McGraw said, safeguarding health data too closely results in a health system that knows too little about what treatments are most effective for various populations.

From a personal health perspective, when patients don’t have access to their health data, they lose. Having access to their health data--beyond what’s available in most patient portals today--helps patients take a more active role in their care, share data to get a second opinion and refer back to past results/treatments when needed.

“You have the right to so much more data than is often provided to you in your patient portal--the type of information that’s actually really helpful as you try to manage your care,” McGraw said. “Even if you’re pleased with your treatment, get your records. If you have a recurrence of cancer years down the road, for example, doctors aren’t required to keep your records forever.”

While how long your doctor is required to keep your medical records varies by state, in some states, doctors’ offices do not need to keep records for more than five years from the date they were created.

The bottom line: Patients need to assume that no one else has a vested interest in keeping and tracking their health data over the long haul.

How patients can help safeguard their health data

In an age of improved interoperability and more data sharing, McGraw said she thinks patients will increasingly turn to apps to store and curate their health data.

Apps may provide the “path of least resistance” for patients to get their health data, McGraw said, but they also live outside what she called the “HIPAA bubble.” Thus, patients should pause before granting an app (or anyone, for that matter!) access to their health data.

Here are two things McGraw recommends patients do to help safeguard their health data:

  • Read the privacy policy: Oftentimes, consumers just click through the privacy policy text. “I know it’s painful,” McGraw said, “but it’s really important to read it.” You need to know what a company is going to do with your data: Do they sell it? Do they use it to advertise to you?
  • Vet apps before sharing data with them: McGraw recommended a couple of ways patients can determine who they want to trust with their health data:
      • Check to see if an application has attested to the CARIN Code of Conduct, a set of industry-leading best practices applications can voluntarily adopt to protect and secure patients’ health information. You can find a list of applications that have attested to the CARIN Code at and learn more about the code of conduct here.
      • Determine if an app is AHIMA dHealth™ Approved. Digital health solutions with this designation have been vetted by AHIMA-certified experts and proved to safely and securely manage patient health data. You can find a list of solutions that are AHIMA dHealth™ Approved here, upon registering for an AHIMA dHealth™ account. (If you are a digital health company, you can also apply for the designation here.)

How easy is it for you to obtain your health records?

Many patients assume that obtaining their health records when they need them will be easy.

Spurred by the realization that many patients have difficulty accessing their health records, the team at Ciitizen developed a Patient Record Scorecard. The goal of the scorecard is to show how medical record providers comply, or fail to comply, with the HIPAA Right of Access based on patient requests.

Scoring is an ongoing process, and medical record providers receive a rating ranging from “Not compliant--records not sent” to “HIPAA Compliant Patient Focused.”

McGraw said she believes that ease of access to medical records should be one factor patients consider when choosing a practitioner. “Patients should ask: ‘How can I access my medical records? How easy is it for me to get my medical records?’” McGraw said.

Ultimately, when there is more of a demand from patients for access to data, many healthcare organizations will need to reevaluate how they are meeting that demand.

Enabling patients to easily access their health data is one way organizations can empower patients to become more active players on their care team.

About the expert: Deven McGraw, J.D., MPH, directed U.S. health privacy and security policy through her roles as Deputy Director for Health Information Privacy at the Health and Human Services Office for Civil Rights and Chief Privacy Officer (Acting) of the Office of the National Coordinator for Health IT. Considered one of the foremost privacy experts in the country, McGraw is now Co-Founder and Chief Regulatory Officer at Ciitizen Corporation.

About the author: Meghan Franklin is a writer and strategic communicator with an M.A. in Rhetoric and a deep background in healthcare. As a former healthcare IT project manager and communications specialist at one of the nation’s leading children’s hospitals, she loves delving into healthcare topics. She values working with individuals and organizations on a mission to do something good.
