The fight about a patient’s ability to access his or her digital health data is often fought privately and individually, waged over the phone or at the counter of hospital’s records department. When it does become public, it’s often on a small scale – a social media conversation, one session at a healthcare conference, the occasional local TV station’s “investigative” segment.
That changed this week. According to Politico, an aide to former Vice President Joe Biden recalled a meeting with Epic CEO Judy Faulkner during a January meeting of the Cancer Moonshot. Faulkner asked Biden why he wanted his medical records, as “they’re a thousand pages, of which you understand 10.”
“None of your business,” Biden replied, adding that he would find someone to explain what he didn’t himself understand.
“It went downhill from there,” recalled the aide, Greg Simon, now president of the Biden Cancer Initiative.
Not surprisingly, this brief conversation triggered quite the debate on social media.
Many people jumped to Biden’s defense, including physicians as well as patient advocates. The phrase “give me my damn data” was used more than once. Defenders cited the patient data ownership provisions of HIPAA, along with the meaningful use requirement that EHR systems allow patients to view, download, and transmit their records. It was also suggested that, just maybe, the other 990 pages of the patient record could be less incomprehensible to the average patient, too.
However, Faulkner was not without supporters (or at least sympathizers). There was the free-market argument: Epic is a business and is obligated to serve the interest of customers, not patients. There was the illusion of empowerment: Patient access to records is not the same as patient understanding of records, and providing the former without the latter “is nothing more than a charade.” And there was the thought that no one had provided a “compelling, clear, and meaningful” answer to her original question.
It’s not technology, it’s culture
Epic responded to the Politico story by reiterating its support for patient data access, noting that the primary point of debate between Biden and Faulkner was being able to understand what patient data means.
However, much of the frustration about patient data access focuses on technology – or, more fittingly, a lack thereof: There is still too much reliance on three-ring binders, CD-ROMs, and memory sticks. (If you think a memory stick is cutting edge, show one to the closest teenager.) Suggested fixes abound, whether it’s SMART on FHIR, blockchain, secure messaging, or better patient portals – including Epic’s own untethered Lucy PHR, which is better than most. Tech, it’s argued, will make it easier to put data in the hands of patients, who can then use data to make more informed health and wellness decisions.
That very well may be true, but the terse exchange between Biden and Faulkner, as well as the ensuing debate, suggests that culture, not technology, is the biggest obstacle. After all, the question was why patients want their records, not how patients would get their records. (And let’s be clear – any number of other technology, payer, or provider executives could just as easily have asked the same question.)
The key first step, as we have argued, is to stop treating patients like second-class citizens. This is especially true for complex chronic patients (and their families) whose care decisions are quite literally life or death. They need and rightfully deserve data access – and, as noted above, they need and rightfully deserve the attention of medical professionals who will help them understand that data beyond a simplistic view of numeric vital signs and lab results. (Those not inclined to help should be reminded that patients will then seek answers from – gasp – the Internet.)
Luckily, this first step can occur without substantial technology upheaval; physician and patient support of OpenNotes movement has proven that. Putting culture before technology also lets the industry address the rural, low-income, minority, elderly, and comorbid populations that digital health interventions all too often miss. Will this be easy to achieve? Of course not – but it emphasizes listening to patients, understanding their concerns, and working with them to solve their problems, which is arguably what draws many physicians and nurses to their profession in the first place.
The patient engagement process cannot succeed if patients do not have access to their records, and the capacity to understand them, in some form or fashion. Without this, patients don’t know what has happened to them, what could happen to them, and whether there’s anything they could do differently to change what happens.
In other words, that’s why patients want their medical records. Until healthcare leaders embrace this, the question of how will unfortunately remain irrelevant.
Mr. Eastwood – thank you for writing this article. In the past, when I have requested my medical records, my reports have always been cheerfully handed over. That is, until I was implanted with Boston Scientific’s S-ICD. Cardiac device manufacturers (pacemakers, ICDs, implantable recorders) hoard patient data gathered under the guise of “remote monitoring”? I have encountered incredible resistance to getting access to my data. My question – how is this legal under HIPAA law?
Gretchen, thanks for reading and for asking your question. I took to Twitter and got feedback from some experts (Matther Fisher, David Harlow, Bernadette Keefe, and Lucia Savage) who know HIPAA far better than I do.
The gist of their answers is that external device manufacturers are not HIPAA covered entities, though implanted device makers *might* be. New FDA guidance has given them the OK — but the the requirement — to share device data with patients. Unfortunately, healthcare’s paternalism reigns supreme here.
That said, any device data that makes its way into your EHR *is* covered by HIPAA, so you *should* have access to it.
I hope this helps.
–Brian
Brian – thank you for researching my question. But does the answer make sense? I promise I’m not being sassy 🙂 Does it make sense that the FDA approves medical devices and medical device data systems for the sole purpose of collecting, warehousing and reporting patient data, yet these remote monitoring systems are run by manufacturers (not hospitals) outside of HIPAA privacy laws? Device manufacturers are amassing terabytes upon terabytes of patient data – all of it is inaccessible by patients. How on earth is this acceptable? The FDA and HHS agencies are supposed to protect patients health and data. How did something this BIG slip through the legal cracks? Yes, I am well aware that Business Associate agreements are in place to spell out data obligations – but BAAs are being used to further restrict patient access to our data. The only data we patients get are the highly summarized scraps of patient reports which actually make it into EHRs. Why??? Patient privacy rights are being trampled on. This is a misuse of “designated record sets” – which hospitals and device manufacturers define any way they choose. It’s just not ethical or honest – yet was somehow approved in this highly regulated industry. Any advice on how to fix this arrangement so that patients are treated fairly?
Gretchen, at the risk of being a bit sassy myself, no, the answer doesn’t make sense. The same privacy experts who cited the letter of the law also expressed frustration with the spirit of the law in the same way that you did.
My best guess is twofold. One, that the regulations predate a time when RPM as well as personal wellness devices were transmitting in near-real-time data that would be of interest and use to patients. Two, that no one bothered to consider the wants of needs of patients when devising the regulations around data transmission and ownership, so the default was to let the device makers “own” it, much like the default is that healthcare providers “own” the data in their clinical systems.
As for how to fix things, I advise connecting with a group such as the Society for Participatory Medicine, which aims to help bring patients and physicians together to understand how patients can become more active participants in their care. Members of that group could direct you to resources that would address your problem better than I could, and could also recommend additional organizations / resources to help you along the way. In addition, if you are on Twitter, find me @Brian_Eastwood and I can connect you to some people who are very passionate about solving the very problem you bring up here.
–Brian