As patients strive to manage their own health and illnesses, many wonder how to get a copy of their health data to share with their physicians, load into apps, donate to researchers, link to their genomic data, or have on hand just in case. To seek diagnosis or better care (see table), many patients are taking steps outside traditional doctor–patient relationships. Some join 23andMe to obtain genetic information. Others bring data to the Undiagnosed Diseases Network at the National Institutes of Health (NIH). Patients are coalescing with others with the same disease in what the Patient Centered Outcomes Research Institute calls patient-powered research networks. But such patients have found no easy way to get copies of their electronic health records (EHRs).
In 1994, when the World Wide Web was only 2 years old, Massachusetts Institute of Technology computer scientist Peter Szolovits, presaging the consumer health information technology (IT) movement, proposed, in the Guardian Angel Project, using the Web for patient management of health and health data. Yet getting patients electronic copies of their health records has remained an elusive goal. Industry giants have scars to show for their attempts. Why have the barriers been so high? And what is the path to a patient-driven health information economy?
In 1998, we developed the Personal Internetworked Notary and Guardian (PING, later called Indivo), an NIH-funded system for automatically and continuously updating a patient-controlled data repository.1 Indivo downloaded automatic updates from EHRs and enriched them with patient annotations. These repositories, controlled by patients and sharable with others, were meant to drive an ecosystem of third-party apps.2 After we demonstrated Indivo to technology companies in 2006, Google and Microsoft launched similar personally controlled health records — GoogleHealth and Microsoft Healthvault. Walmart and other employers offered Indivo as an employee benefit. Yet today most U.S. patients still don’t have electronic copies of their records.
One explanation is the wider adoption of a competing technology: patient portals, offering a view of a subset of EHR data.3 Many portals are “bolt-on” features from EHR vendors; others are homegrown. In its criteria for achieving stage 2 “Meaningful Use” of health IT, the Office of the National Coordinator for Health Information Technology attempted to promote data access by requiring health care organizations to provide 50% of their patients with timely access after health care encounters. Patients were invited to use portals at all their providers’ practices (a solution that caused a condition sometimes called “hyperportalosis”). Since the measure of success was that 5% of patients “view, download, or transmit” their health information, most implementations defaulted to view-only. Hence, the data are unavailable to patients, other providers, and third-party apps; virtually no apps in the Apple or Google stores have access to health system data.
Federal regulation defining a patient’s right to health data has failed to ensure access. Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has required health care organizations to provide patients with access to any data that are “readily producible,” in the format the patient requests. Organizations haven’t responded. Ironically, HIPAA is one of the most commonly cited reasons for not transmitting patient data. The patient right was reasserted under the Health Information Technology for Economic and Clinical Health Act — with a similarly negligible effect on data sharing.
“Data liquidity” — flow among data generators and customers — carries risks. Competitive intelligence might be released about, for example, high-value markets or hospital-acquired infections. Some organizations fear security breaches or leakage of patients from their provider network. Transferring data to another product may jeopardize the EHR vendor’s business model, as vendors may have trouble retaining customers if exclusivity is broken.
And technological approaches have fallen short. Under the Meaningful Use program, the intended lingua franca for data liquidity was the Consolidated Clinical Document Architecture, but it was never sufficiently standardized to support robust document exchange.4 The Blue Button, a Veterans Health Administration technology that allowed veterans to easily download their EHR data, was ably marketed but never matured.
Now, intersecting trends have set the stage for a fresh start. Nearly two thirds of Americans own smartphones, with online access, apps, and both local and cloud storage of data. As health care reimbursement shifts toward risk-based contracting, providers seek to understand the totality of patients’ experience, which requires aggregating data across care silos. As the clinical research infrastructure accommodates pragmatic studies and incorporates patient-centered outcomes in therapeutics development, patients are increasingly asked to report on adverse events and end points and donate health data to trials. Fortunately, the belief that it’s dangerous to allow patients access to health data is slowly dissolving, with the advent of programs such as Beth Israel Deaconess Medical Center’s Open Notes, in which doctors and patients jointly read and create chart entries.
Moreover, there’s now a huge amount of electronic data (albeit a subset of what’s needed); 95% of U.S. hospitals and 54% of office practices use certified health IT. And EHRs and hospitals are implementing data-access standards such as the Fast Health Interoperability Resources (FHIR) and the Substitutable Medical Applications Reusable Technologies (SMART) Health IT apps interface. Finally, large-scale undertakings such as President Barack Obama’s Precision Medicine Initiative are promising to return participant-level data to study subjects.
Sensing an opportunity, Silicon Valley has picked up the gauntlet. In 2015, Apple released HealthKit, which provides a simple interface for devices including heart-rate monitors and pulse oximeters, creating a de facto data repository under patients’ control. Companies such as We Are Curious are creating communities of people seeking answers to health questions. Amazon, Microsoft, and Google are collaborating with health care systems to store big data in the cloud.
Patient expectations have finally caught up with Szolovits’s aspirations for a “guardian angel” digital assistant that cares for a patient over a lifetime. Consumers expect to have their data available and sharable. Other industries have embraced similar principles: in response to customer demand, for example, Facebook now enables users to download their own data.
A patient-controlled health-record infrastructure can support the development of highly desirable health system qualities. First, it allows a patient to effectively become a health information exchange of one: as data accumulate in a patient-controlled repository, a complete picture of the patient emerges. If patients can obtain their data wherever they go, they can share them with physicians as needed — rather than vice versa. We believe the Meaningful Use program would have been more successful if it had rewarded clinicians for storing data in patient-controlled repositories rather than in EHRs that fragment data across the health care system.
The need for a copy of one’s data is most obvious in life-and-death situations in which patients have failed to find answers in their health care system. Journeys like Matt Might’s search for a diagnosis of his son’s genetic condition suggest that patients may be among the most sophisticated users of health data.5 Might, a computer scientist, connected with a research team using whole-exome sequencing to discover that his son had two different mutations in the NGLY1 gene. Those invaluable sequence data were extremely difficult to obtain and share.
Such activated patients, however, represent the tip of an iceberg of dissatisfaction with health care and need for greater data access and control. The requisite technology is no longer mysterious or expensive; it’s a set of commodity-level toolkits for data exposure, transfer, and storage. Successful translation of these technologies into a productive health information economy awaits only cooperation from data producers and purveyors.
The government can help stimulate such participation, and Meaningful Use 3 does require providers to make data available for patient access over an application programming interface (API). But whether or not the Meaningful Use program survives the backlash against it, IT purchasers can demand uniform, useful implementation of an open API. Health care providers and patients can advocate for and collaborate in developing key enabling policies and toolkits (see Steps toward Creating a Patient-Driven Information Economy) that leverage an API for patient data access.
Steps toward Creating a Patient-Driven Information Economy
- Both the Centers for Medicare and Medicaid Services and private insurers can offer strong incentives for health care organizations to provide data to patients after encounters through a standardized electronic mechanism — initially one encounter at a time, but eventually with automatic updates.
- Federal health IT policy can promote, and health systems purchasing IT can demand, a uniform, standard, public API for health data that can catalyze the development of an ecosystem of apps, for both clinicians and patients, that run on health data. The Meaningful Use Stage 3 Final Rule is the first major step in this direction, requiring certified EHR technology to provide an API through which patients can have access to their EHR data in a timely fashion.
- The research community and regulatory agencies can vet a set of online reference tools that define, by demonstration as well as specification, how consent can be delivered for global or narrowly defined transfer of patient data to and from patient-controlled data repositories; essential functionality will include roles for guardians and proxies as well as easy ways to change the scope of, or revoke, consent.
- The health care system can adopt a rigorous authentication framework, borrowing approaches from other sectors of e-commerce, so that we can identify patients and allow them to obtain and use their data.
From the Computational Health Informatics Program, Boston Children’s Hospital, and the Department of Biomedical Informatics, Harvard Medical School — both in Boston.
1. Mandl KD, Szolovits P, Kohane IS. Public standards and patients’ control: how to keep electronic medical records accessible but private. BMJ 2001;322:283-287.
2. Mandl KD, Kohane IS. Tectonic shifts in the health information economy. N Engl J Med 2008;358:1732-1737.
3. Halamka JD, Mandl KD, Tang PC. Early experiences with personal health records. J Am Med Inform Assoc 2008;15:1-7.
4. D’Amore JD, Mandel JC, Kreda DA, et al. Are Meaningful Use Stage 2 certified EHRs ready for interoperability? Findings from the SMART C-CDA Collaborative. J Am Med Inform Assoc 2014;21:1060-1068.
5. Mnookin S. One of a kind. The New Yorker. July 21, 2014:32-8.
This Perspective article originally appeared in The New England Journal of Medicine as “Time for a Patient-Driven Health Information Economy?”