There’s a debate raging in healthcare about whether patients should have control over their own health data. It’s the kind of transformational discussion upon which the future of medicine depends.

Proponents argue that patients must be empowered with information if they are ever to manage their own health and if the industry is to truly realize the Triple Aim of improving patient experience, improving population health and reducing the per capita cost of care.

However, patient-controlled data remains an elusive goal—at least in the current healthcare environment dictated by the information hegemony of providers. As pressures grow on healthcare organizations to optimize care, CIOs and other HIT executives will be involved in data ownership debates within organizations, and then face the challenge of executing each organization’s strategy.

Despite the fact that HIPAA affords patients the right to access their data, the federal regulation has not resulted in the free flow of information from providers to patients. Likewise, despite the widespread adoption of EHRs industry-wide, significant barriers remain for patients to electronically access copies of their health records.

What’s needed is a patient-controlled health record—updated after each medical encounter—that would provide a complete view of the patient, in contrast to that available in institution-specific EHRs. So argue Kenneth Mandl, MD, director of the Computational Health Informatics Program (CHIP) at Boston Children’s Hospital, and Isaac Kohane, MD, CHIP faculty and chair of the Department of Biomedical Informatics at Harvard Medical School

Isaac Kohane, M.D.

In a new perspective article published in The New England Journal of Medicine, Mandl and Kohane contend that new types of data repositories, in which patients can store, track and manage their own health data, are the answer to the problem of patient access. Such repositories would provide a better solution to patient access to information, compared with current access through provider-based EHRs and associated patient portals.

According to the authors, a patient-controlled health record infrastructure on an individual level would enable a patient to effectively become a “health information exchange of one” so that—as data accumulate in a patient-controlled repository—a complete picture of the patient emerges.

“If patients can obtain their data wherever they go, they can share them with physicians as needed—rather than vice versa,” write Mandl and Kohane. “We believe the Meaningful Use program would have been more successful if it had rewarded clinicians for storing data in patient-controlled repositories rather than in EHRs that fragment data across the healthcare system.”

In their article, Mandl and Kohane make four recommendations to foster the creation of what they envision as a patient-driven health information economy:

  • Formalization of strong incentives from the Centers for Medicare and Medicaid Services and private insurers for healthcare organizations to provide data to patients.
  • Development, backed by federal healthcare IT policy and demand from purchasers of health systems, of uniform, standard public application programming interfaces (APIs) to catalyze the development of an ecosystem of health data apps for providers and patients.
  • Creation of tools by which patients can set permissions and consents for who can access their health data and for what purposes.
  • Adoption of rigorous authentication frameworks akin to those in the e-commerce industry to provide data security and accountability.

“Data flowing from health systems to patients is something that has been long awaited—for several decades, including about two decades of federal legislation trying to make it happen—and we’re still waiting,” comments Mandl.

Few consumers offered access to online medical records

“The good news is we’ve built a lot of the parts of the bridge to get to that state, but there are a few pieces that are missing,” adds Kohane. “The last mile—so to speak—is to actually enable push-button delivery of a complete and formatted repository of all of a patient’s data.”

Harvard Medical School research faculty member Josh Mandel, MD, wholeheartedly supports this kind of proposed patient-centered data liquidity. “I have been working hard towards these goals through my participation in the development of standards, software tools and public policy,” says Mandel, who is currently co-chairing a joint Health IT Policy-Standards Committee task force on APIs.

As Mandl and Kohane point out, the Meaningful Use Stage 3 final rule requires that certified EHR technology provide an API through which patients can have access to their data in a timely fashion.

John Halamka, MD, CIO of Boston’s Beth Israel Deaconess Medical Center and a critic of the Meaningful Use program, contends that the one part of MU Stage 3 that should go forward is public APIs for patients. “The challenge is the change management needed to get there, given existing regulations and healthcare workflow,” he says.

In particular, Halamka sees tremendous potential for progress in the Argonaut Project to accelerate the development and adoption of HL7’s Fast Healthcare Interoperability Resources (FHIR) API. Yet, before patients can leverage APIs to access their healthcare data, there are privacy and security issues that must be addressed, Mandel contends.

Information is power, and now that patients are generating their own medical data—and will be doing much more so in the years ahead—a major power shift is getting off the ground.

Deborah Peel, MD, founder of Patient Privacy Rights, which advocates for patient control over personal health information, applauds the Mandl and Kohane article and commends the authors for their “powerful call to action.”

“This vital work at Boston Children’s Hospital is an important step toward restoring individual control over PHI in the U.S. and further building pressure for technology that serves and protects human rights worldwide,” says Peel, whose organization supports the right to what it calls information self-determination. “Technologies that serve and protect people’s fundamental rights to control personal data must replace current legacy systems, designed to serve government’s and industry’s interests in collecting and exploiting the personal data of every individual.”

According to Eric Topol, MD, director of San Diego’s Scripps Translational Science Institute and a Scripps Clinic cardiologist, what’s needed in healthcare is a fundamental shift in who controls medical data and health information—a transfer of power from doctors to patients. The problem, he argues, is that most physicians don’t want to give patients access to the data.

However, Topol’s 2015 book, “The Patient Will See You Now: The Future of Medicine is in Your Hands,makes the case that widespread adoption of smartphones and other mobile devices will effectively “democratize medicine,” giving patients control of their data, which has historically been the exclusive domain of physicians.

“Information is power, and now that patients are generating their own medical data—and will be doing much more so in the years ahead—a major power shift is getting off the ground,” concludes Topol. “I’ve been writing about this for a few years, and it is the theme of [my book]. It’s great to see these highly regarded Harvard researchers [Mandl and Kohane] on board, too.”

Nonetheless, Topol takes it one step further, saying that patient “control” is not enough and that patients must ultimately “own” their health data. “They should have their data, and they ought to own their data. And, some day they will.”

But patient interest in their healthcare data has been limited, says Micky Tripathi, CEO of the Massachusetts eHealth Collaborative. “New Hampshire is the only state in the union where patients own their records, and that hasn't changed patient or provider behavior in any way,” contends Tripathi, who is also manager of the Argonaut Project. “HIPAA right of access provides all the authority we need. The real issue is that patient demand just isn’t that high yet. Once it is, we'll see the market respond more.”

Likewise, Mandel doesn’t think ownership is the issue—access is. “Providers can legally take up to 30 days—or 60 if they use an extension—to respond to a patient’s data request,” he says. “This isn’t a fast enough timeframe. Of course, [view, download, and transmit] requires faster access, but for a limited slice of data.” Similarly, Mandel emphasizes that APIs generally focus on a smaller amount of data—often just the computable “summary” parts. “This is helpful, but patients need liquid, automated access to full text narrative, too. APIs can and should do both.”

Mandl and Kohane envision an ecosystem of third-party apps in the future based on APIs enabling greater patient access to data, regardless of whether or not the Meaningful Use program survives in its current form including Stage 3. They assert that providers and patients can advocate for and collaborate in developing key enabling policies and toolkits that leverage APIs. The question remains: will they?

“It’s really not a technical challenge or even a legal or regulatory challenge. It’s just a matter of is there a will, and do the market forces now exist to make it happen?” concludes Kohane.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access