Patient Access to Health Information in the Digital Age

August 31, 2016
In 2000, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule established a set of federal standards for the use and disclosure of personal health information. The Privacy Rule also gave individuals the right of access to their health information. In the years since the Privacy Rule took effect, individuals have often complained that health care providers place undue restrictions on that access, in violation of HIPAA.

At the time the Privacy Rule was issued, most health information was recorded and stored on paper. Today, the widespread adoption of electronic health record (EHR) systems makes it easier for individuals to access their medical data. Under the Medicare and Medicaid EHR incentive program, which has paid $35 billion to hospitals and physicians that demonstrate meaningful use of EHR technology, patients must be given timely online access to information maintained in an EHR.

New requirements for the EHR incentive program will enable individuals to access their health information in real time using software applications (apps) on their smartphones and other mobile devices. Many health policy analysts see this as a potential game changer. Instead of hospitals and physicians controlling their health data, patients will be able to take charge and more easily use and share the data to make informed choices about their health. However, analysts caution that expanding electronic access to health information faces a number of obstacles—cultural, economic, legal, and technical—that must be addressed.

HIPAA's Right of Access
The Privacy Rule gives individuals the right of access to inspect and obtain a copy of their protected health information (PHI). This is a legally enforceable right, not a privilege. Covered entities may deny access only in a very few circumstances.

The Health Information Technology for Economic and Clinical Health (HITECH) Act expanded the HIPAA right of access for electronic PHI (ePHI) maintained in an EHR. The act gave individuals the right to direct health care providers, health plans, and others subject to HIPAA—collectively known as covered entities—to transmit a copy of their ePHI to a third party of their choosing, such as a caregiver or another provider (see Figure 1).

If an individual requests an electronic copy of information contained in his or her EHR, the covered entity generally must provide it in the format requested if it has the capability to produce the information in that format.

The right of access covers clinical information, insurance information, billing and payment records, wellness and disease management program records, and other information used by covered entities to make health care decisions about individuals.

Individuals seeking access to their health information sometimes find that providers are reluctant or slow to release it. Patient data is a valuable economic asset, and physicians and hospitals likely do not want their competitors gaining access to it. People stay with their doctors in part because their information resides with them, and obtaining and sharing health records with other doctors has traditionally been a challenge. The easier information moves, the easier it may be for patients to switch providers. In light of these factors, some health providers may worry that releasing patients' health information will cause them to lose patients.

Moreover, some health care providers mistakenly believe that they own the information and are under no obligation to share it.

Figure 1. Patient Access to Health Information
Source: Prepared by CRS

Electronic Access: View, Download, Transmit
Physicians and hospitals must meet a series of meaningful use criteria under the EHR incentive program to receive a Medicare and/or Medicaid incentive payment and avoid Medicare payment adjustments (i.e., penalties). One of the requirements for successfully demonstrating meaningful use supports the HIPAA right of access. Providers must give patients timely online access to view, download, and transmit (VDT) to a designated third party certain core data maintained in an EHR (see Figure 1).
https://crsreports.congress.gov

A nationally representative survey sponsored by the Office of the National Coordinator for Health IT (ONC), within the Department of Health and Human Services (HHS), found that the proportion of individuals offered online access to their electronic medical records increased from 28% in 2013 to 38% in 2014, which was the first year that VDT became a meaningful use requirement. Typically, access is provided via a proprietary online patient portal.

As part of its testing protocol, the national health IT certification program tests EHR systems to ensure that they have a secure online VDT capability that encrypts and protects the data in accordance with IT security standards.

API-Enabled Access to Electronic Health Data
The next stage of meaningful use adds an important component to the VDT requirement—the use of application programming interfaces, or APIs.

An API is a set of programming instructions and standards that allows one software program to access the services of another. If a software developer makes an API publicly available, other developers can use it to design apps that communicate with that software. For example, many apps use the Google Maps API to request, retrieve, and display customized Google Maps.

The most recent set of regulations for the national certification program requires EHR vendors to make their APIs and accompanying documentation public (i.e., open APIs) as a condition of maintaining product certification. Using these open APIs, software developers are then able to design apps that interface with EHR systems.

Beginning in 2017, hospitals and physicians—most of whom will be participating in the new Medicare Merit-based Incentive Payment System (MIPS)—must ensure that patients have the ability to view, download, and transmit data from an EHR using an API-enabled app of their choice (see Figure 1).

These apps must provide sufficient information to uniquely identify the patient and allow the patient access to (1) view and download some or all of the data elements from a common set of clinical data maintained in his or her EHR, and (2) transmit the data to a designated third party using either a secure (encrypted) method of electronic transmission or unencrypted email, if the individual chooses to accept the risk.

Unlocking the Potential of Health Care APIs
API-enabled apps will give patients and their caregivers easier access to ePHI and allow them to control its use and exchange (i.e., consumer-directed health information exchange). Open APIs will make it easier for developers to create apps that patients and caregivers can use to retrieve ePHI from multiple EHRs and consolidate it in a single location. For providers having difficulty using their EHR systems, open APIs will allow them to build customized interfaces in-house or shop around for an interface better than the one that came standard with their EHR system.

However, to ensure the widespread use of open APIs for accessing ePHI, important issues need to be addressed. First, patients and providers need to be educated about their rights and responsibilities under HIPAA and the HITECH Act. The HHS Office for Civil Rights (OCR) continues to receive complaints from patients having difficulty accessing their information. This year, OCR and ONC have released new guidance, a set of answers to frequently asked questions, and a series of short educational videos (in English and Spanish) to help individuals better understand their right to access their health information.

ONC also has developed an online patient engagement playbook for health care providers, based on best practices and real-world solutions, to help providers use health IT to inform and engage their patients.

Second, the widespread use of open APIs raises privacy and security concerns. Some experts worry that open APIs could lead to the unauthorized use and disclosure of patient information unless adequate privacy and security safeguards are in place.

To address these concerns, ONC last fall established an API Task Force. In May 2016, the Task Force released a report that generally supported the use of open APIs, provided they are properly managed and appropriate standards and infrastructure are in place. The report made a series of recommendations on such topics as app registration and certification, patient authorization, identity proofing, user authentication, and auditing and accounting of disclosures.

Third, open APIs must be standardized, with transparent terms of use, policies, and developer fees. Proprietary APIs and a lack of transparency regarding the costs and policies associated with their use pose a challenge for start-ups seeking to partner with EHR vendors and develop new apps. While a single standard is not yet in place, an industry-led, market-driven effort—Project Argonaut—is working to accelerate the adoption of a standard that can be applied to web-based mobile apps for EHR data sharing.

In February 2016, the nation's largest EHR vendors and private health care systems, and more than a dozen leading professional associations and stakeholder groups, pledged to use standardized APIs so that mobile medical apps that are compatible with one another can easily be developed and marketed. Also, ONC is offering cash prizes for innovative and user-friendly apps for consumers and providers that use open, standardized APIs.

Finally, health policy experts question whether the current payment environment provides sufficient financial incentive for providers to engage and share information with patients. As already noted, health care providers will soon be subject to payment adjustments under the EHR incentive program (hospitals) and MIPS (physicians) if they fail to provide VDT access using API-enabled apps and are not actively engaged with patients.
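To make the controls above concrete, the following is an added Python example (not code from this CRS report, from ONC, or from any EHR vendor) of a minimal gate in front of an API-enabled VDT endpoint. It enforces the points the meaningful use criteria and the API Task Force recommendations name: the app's credential must be bound to the patient whose record is requested (patient authorization), each action needs a granted scope, transmission defaults to an encrypted channel and falls back to unencrypted email only when the patient has explicitly accepted the risk, and every decision, allowed or denied, is written to an accounting of disclosures. The record contents, patient identifiers, app identifier, channel names, and the AccessToken type are all hypothetical and constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed sample data: a small "common clinical data set" for two
# patients. Identifiers and values are made up for this example.
EHR_RECORDS: Dict[str, Dict[str, str]] = {
    "pat-001": {"problems": "type 2 diabetes",
                "medications": "metformin 500 mg",
                "allergies": "penicillin"},
    "pat-002": {"problems": "hypertension",
                "medications": "lisinopril 10 mg",
                "allergies": "none known"},
}

# Hypothetical channel labels. Only the first is encrypted; unencrypted email
# is permitted only when the patient has chosen to accept the risk.
ENCRYPTED_CHANNELS = frozenset({"secure_message"})
UNENCRYPTED_CHANNELS = frozenset({"unencrypted_email"})


@dataclass(frozen=True)
class AccessToken:
    """Hypothetical credential issued to a registered app after the patient
    authorized it. It is bound to exactly one patient and a set of scopes."""
    app_id: str
    patient_id: str
    scopes: FrozenSet[str]


@dataclass(frozen=True)
class Disclosure:
    """One entry in the accounting of disclosures: who, what, to whom, how."""
    when: str
    app_id: str
    patient_id: str
    action: str
    recipient: Optional[str]
    channel: Optional[str]
    outcome: str


class VdtGate:
    """Enforces patient binding, scope, channel policy and audit for VDT."""

    def __init__(self, records: Dict[str, Dict[str, str]]) -> None:
        self._records = records
        self.disclosures: List[Disclosure] = []

    def _record(self, token: AccessToken, action: str, outcome: str,
                recipient: Optional[str] = None,
                channel: Optional[str] = None) -> None:
        # Every decision, allowed or denied, goes to the audit trail.
        self.disclosures.append(Disclosure(
            datetime.now(timezone.utc).isoformat(), token.app_id,
            token.patient_id, action, recipient, channel, outcome))

    def _authorize(self, token: AccessToken, patient_id: str,
                   scope: str) -> Optional[str]:
        # Returns a denial reason, or None when the request is permitted.
        if token.patient_id != patient_id:
            return "denied: token not bound to requested patient"
        if scope not in token.scopes:
            return "denied: missing scope " + scope
        if patient_id not in self._records:
            return "denied: no record for patient"
        return None

    def view(self, token: AccessToken, patient_id: str,
             elements: Optional[Iterable[str]] = None) -> Dict[str, str]:
        """View/download some or all elements of the patient's record."""
        reason = self._authorize(token, patient_id, "view")
        if reason:
            self._record(token, "view", reason)
            raise PermissionError(reason)
        record = self._records[patient_id]
        wanted = list(elements) if elements is not None else list(record)
        self._record(token, "view", "allowed")
        return {k: record[k] for k in wanted if k in record}

    def transmit(self, token: AccessToken, patient_id: str, recipient: str,
                 channel: str, risk_accepted: bool = False) -> bool:
        """Send the record to a designated third party over a channel."""
        reason = self._authorize(token, patient_id, "transmit")
        if reason is None and channel not in ENCRYPTED_CHANNELS | UNENCRYPTED_CHANNELS:
            reason = "denied: unknown channel " + channel
        if reason is None and channel in UNENCRYPTED_CHANNELS and not risk_accepted:
            reason = "denied: unencrypted channel without patient risk acceptance"
        if reason:
            self._record(token, "transmit", reason, recipient, channel)
            raise PermissionError(reason)
        # A real service would hand the payload to its secure-messaging or
        # mail subsystem here; this example only records the disclosure.
        self._record(token, "transmit", "allowed", recipient, channel)
        return True
```

Note that the gate only checks a token it is handed; how the token was issued (app registration, identity proofing of the patient, user authentication) is the part of the Task Force's list this example leaves to the authorization server. The denial entries in the audit trail are deliberate: an accounting of disclosures that records only successes cannot show a patient or an investigator which apps tried to reach records they were not authorized for.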
C. Stephen Redhead, Specialist in Health Policy
IF10461


Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10461 · VERSION 2 · NEW