Good question, Grace. To the best of my knowledge, the electronic medical records used by physicians do not include the technical ability to include an addendum from the patient, notwithstanding that for nearly 20 years the HIPAA Privacy Rule has required that physicians append information from the patient (in the event of a dispute over accuracy or adequacy) and communicate that appended data in subsequent sharing.

Typically it is the application making the request, not the patient. Once consent is given, the application submits a data request to the provider's FHIR API to pull the medical record.

Unblock Health (unblock.health/) has fully digitized the medical records request process and captures where a patient may want their records sent, including if they wish to send it to an app of their choosing. As the digital app economy grows, patients will naturally want to be able to designate an app to where their records should be sent. It is important for health care delivery organizations, practices, and physicians to support this workflow as well as to track this information to maintain a pulse on which apps their patient communities are using for a variety of reasons.

If it's a modern app that is using HL7 FHIR standards for data exchange and delegated authorization frameworks such as oAuth it means that the patient remains in control without requiring a middleman. That's the ideal scenario: the relationship for whether to share data is between the patient and the App provider -- without anything or anyone getting in the middle.

Modern standards like oAuth allows patients to grant/revoke consent to any App that they trust for any period of time. As long as the App they choose has earned their trust, patients can decide to reward the App vendor by allowing consent to their information.

Every App that wants access to medical records request should have the ability to connect to EHRs, patient portals, and related clinical tools using OpenID Connect and similar authentication protocols, FHIR and SAML for data exchange, and oAuth for delegated authorization.

Many EHR software vendors have "walled garden" style app stores (like Apple App Store) that allow Apps to register, get approved, and then connect using oAuth or SAML. But, "walled gardens" and custom app stores per EHR vendor have limitations that we should be careful to perpetuate ... namely that there's someone in between the patient and the App provider (i.e. the EHR vendor). Anytime there's someone in the middle, even if it's well-intentioned, it means the patient is not fully in control of their data.

Ultimately, in the long term, fully open but secure validated environments with delegated authorization are the best options.

The AMA, AHA, and other professional societies and organizations that authorize and approve licenses for professionals (e.g. board certifications) could do the same for the App ecosystem in the future.

In the short term, until a fully open, trusted, validated, approach is available the walled garden app stores from EHR and similar vendors will be a reasonable stopgap to grow a safe information sharing app ecosystem.

Send them.

Dr. Victoroff, I think I like your answer best of all! For patients seeking guidance on which apps to use, I can recommend the CARIN Alliance Trust Framework (full disclosure - I am a member of the CARIN Alliance). This Framework is a voluntary effort where apps attest to good privacy practices (and can be held accountable to those attestations by the Federal Trade Commission). A list of apps that have attested to the Code of Conduct can be found at myhealthapplication.com/.

A major factor in this unnecessary "difficulty" is that record custodians never anticipated that sharing would be one of the most important things they had to do with them. This archaic culture persists. The most laughable aspect of this farce is the reliance on FAX as the channel for exchanging health records in the 21st Century. The HIPAA privacy waiver could easily be managed through a national electronic request and fulfillment system that works as well as ordering a book online. More secure and reliable, and 1000x faster than scanning and faxing. But, not recognizing the need, not investing in it, not respecting it have allowed medical facilities and practices to delegate the "information management" department to either an actual or a virtual dusty basement where an overworked and under-resourced clerk has to stand next to a copy machine. The EHR solution has been to "post something on a portal." This is an absolute non-starter of an idea, that requires record seekers to create login credentials on hundreds of systems, and indulge the data censors whimsy about what gets published on the portal. (To be fair, the University of Colorado and a few other organizations have an "open records" policy, that gives patients direct, nearly immediate access to their FULL medical data through their portal -- from that one institution, of course.)

Patient access is an ever-evolving and complex continuum of endless possibilities. Too many patient access workflows are poorly organized, primarily manual, and paper-based, with zero empathy while simultaneously lacking real-time communication. HIPAA is too often misunderstood by individuals at HDO or physician practices and erroneously cited as the reason why patient and carepartner records requests cannot be fulfilled. It’s no surprise that patients and their carepartners face severe information blocking! Unblock Health has meticulously mapped the spectrum of unique types and combinations of medical records requests and created a digital solution for hospitals, health systems, practices, and physicians to transform their patient access medical records workflows. As a digital patient access front door, Unblock Health connects patients with their health systems and care teams as well as removes administrative burden and outdated workflows. Here's more on some of the variety of ways patients request records and information: unblock.health/blog/20-ways-pa...

All health institutions, large and small, are businesses and in many respects their patients and family members are customers plus their referral partners could also be treated as customers in some requests. Every business should have a customer service department and that department should have IT and other tools for managing customer service requests -- sort of like a "help desk".

Many healthcare providers use their practice management system or patient portal/EMR/EHR software as a customer service tool but those are retrospective documentation management tools not customer service tracking tools for patients (the "customers").

If incoming phone calls, faxes, records requests, requests for educational records, requests for vaccination histories, etc. were all treated the same ... and put into a customer service software tool as is done for every industry other than healthcare... then, the practice and health system staff would have one place to know what the requests were, route them to billing, the EMR, the practice management system, and other departments through a unified approach.

By treating incoming requests uniformly and choosing a single tool to do the job, it would ease burdens considerably.

A personal anecdote which I am certain reflects the experience of other patients. I had just been diagnosed with endometrial cancer, an appointment was scheduled with the gyn onc surgeon. I didn't have access to my records. I spent 3 hours in waiting room with stress and anxiety--already at a high level!--going up and up waiting for my records to be faxed over from the referring doctor.

There are many impacts, in addition to stress. Another one is that, when you remove the patient from the "proofreading" loop, both they and providers lose the opportunity to correct errors and omissions in a timely way.

Because we've all been through it, it's easy to understand that patients are annoyed when they cannot get their medical records easily. What's less understood is that many patients that do not get timely access to records cannot access specialty care for second opinions and other consults. That goes beyond mere irritation and annoyance.

Lack of timely access to second opinions and specialty consults can result in accelerated deterioration of a medical condition in some cases, actual bodily harm or injury due to delayed care in other cases, and in extreme cases ... death.

Access to medical records is not, as many believe, an administrative issue. It's truly a clinical / care issue -- without timely access to accurate and complete medical records patients can suffer true harm in measurable ways.

Access to Medical Records is literally a matter of life and death in many circumstances. Patients require records for specialists, second opinions, and continuous management of conditions where a patient requires a new doc. The time to get records can have a very real impact on a successful outcome.

When patients don't have access to their medical records, it leaves the floodgates wide open for potential harm to them, in addition to the monetary and emotional stressors it can cause to the patient and their families. In my case I was first seen in the ER for abdominal pain where I was discharged without treatment. I followed up with OB-GYN practice "A". My medical records did not follow. When I left practice A due to poor service, I began seeking treatment from Practice "B" where a new set of medical records were formed, that excluded all previous records of the problem and its under-treatment. While at Practice B, I sought a second opinion from a separate family physician they did not have access to my medical records. This led to an incorrect diagnosis. This continued with several other doctors that I sought additional opinions from before ultimately discontinuing care at Practice B as my primary source of OB-GYN services. At which point I was in a medical crisis that required physical therapy and hormone treatment. In short, if I had access to my records I could have avoided painful injection therapy and living in crippling pain for over three years.

100% not an administrative issue but an overlooked, long-too-ignored essential step in an individual's care or the care of their loved one.

It is critical that we recognize the important work that patients and their carepartners need to do in order to get the care that's needed. Patients and their carepartners may need access to medical records in order to:
· schedule a 2nd or 3rd opinion
· to organize a tumor board
· to research & enroll in clinical trials
· to ask the proactively prepare for appointments and ask informed questions
· to pick the right doctor or hospital
· to fight an insurance denial
· to engage in a peer-to-peer and expedite care needed themselves
· to make an informed decision about an upcoming surgery or procedure
· to prevent a medical error from happening
· to fight an exorbitant medical bill
· to understand their diagnosis and treatment enough to know it wasn’t too early for palliative care
· to know that it is time for hospice

This is just a sampling of the reasons why patients and their carepartners need seamless access to medical records, often times, immediately rather than waiting the 30 days turnaround as per HIPAA. Knowing all these examples, imagine the harm that may result when patients can not get access to the information they need? The realities I see in my advocacy work are devastating.

Lack of interoperability at its finest. I'm so very sorry you experienced this Kistein. Keep sharing your story. We must continue to amplify the good that may happen with improved patient access to medical records.

Great question, Celine - Federal law almost always overrides state laws where there are conflicts but it would be good to understand which state law might be different than HIPAA to give a more accurate answer.

Anyone who cites HIPAA as a concern when releasing health information is usually doing so because they do not understand the purpose of HIPAA or does not have good patient consent systems in place.

The "P" in HIPAA is for "portability" and health insurance would not be able to be portable without releasing health information between parties. Organizations that have good patient consent systems in place worry less about releasing information; institutions that do not have good consent tracking systems usually are worried (and should be).

Patients are guaranteed access to their own records so that's the easy part. If a patient wants their record, health institutions must provide it. If a patient's spouse or others wants a patient's record then consent and tracking kicks in.

HIPAA is a framework that encourages sharing of patient records with those that have both the consent of the patient and a need to access the records. We should encourage everyone to stop using HIPAA as an excuse for denying access broadly. Sometimes access should be denied but that's because of lack of consent or need, not due to HIPAA.

We often run into deep misunderstanding of HIPAA among office staff and practitioners. This is a constant education battle.

HIPAA causes enough confusion and state laws are the cherry on top for misinformation. Technically entities must follow that which grants patients more access to their medical records. For example, if a state law makes it harder for a patient to access their health information, the section of the state law restricting access will not apply. The AMA Patient Access Playbook does a great job of clearly explaining common misunderstandings and nuances regarding how HIPAA, state laws, interoperability requirements, and how federal rules around substance use disorders all fit together ama-assn.org/system/files/2020....

These are good comments by the experts - where patient access to their own information is concerned, HIPAA is more often than not the standard you must follow, particularly with respect to fees that can be charged. A few states mandate that patients get copies for free (or one free copy a year), and in that case the state law controls. But often I see physician practices relying on state law in setting fees for copies, even for patients - and more often than not, those fees are higher than what HIPAA would allow, so following state law risks a HIPAA violation.

Patient access to medical records and health information is a unifying common denominator as a barrier that all too many patients and their carepartners face while trying to be proactive in health care. The records request processes and workflows are outdated, rely heavily on manual work, paper-based systems, fax machines, poor communication, and lack of empathy. Health care delivery organizations, practices, and physicians must meet patients where they are and stream-line the medical request processes so ALL patients may get seamless access to their health information.

I would reorder that slightly. Patient access to information about their own health/condition is paramount. Access to medical records should support patients in understanding their diagnosis.

I would say that making records "open," (that is, not giving access to a censored data set on a portal, but letting patients view and submit addenda to their charts) is the easiest and most efficient way to establish a culture of bona fide engagement. It's critically important, and requires less effort than almost any other intervention. It produces more genuine benefit than almost any other intervention.

The changes made to HIPAA regulations due to COVID19 is a perfect example of how critical it is to regulatory changes pertaining to patients medical records and access after the pandemic or in light of the pandemic. Pre-COVID, I interviewed patient advocate Sneha Dave who shared her own experiences with issues she faced with accessing her medical information across state lines.

The issue is quite complex but is solvable through policy provisions centered around the patient and their care teams.

Sneha Dave: instagram.com/p/B2wu-_HgHlE/?i...

Agree they are both so critically important Gwen! Patients and their carepartners need access to their medical records now to schedule appointments with specialists for 2nd opinions, participate in peer-to-peers to overturn insurance denials, to apply for SS disability benefits (or appeal denials), and now, during COVID, to prepare for telemedicine encounters, as well as to prepare advance directives. Seamless, actionable access to medical records is essential to perform the work that comes with life with a diagnosis or multiple diagnoses.

From the patient and carepartner perspective, one of the most common pushbacks and concerns is that patients won't know what to do with them. People need to be taught about the power of their health information and medical records. Individuals need to know where they can turn to for help with their medical records, whether its requesting them, correcting errors within them, understanding them, and how to use the knowledge base to both navigate and hack the health care ecosystem.

Absolutely, Grace. This reflects many structural and medical culture barriers and issues. Ongoing paternalism in the system about what patients know/can understand, fragmentation of care. Many of us, particularly those who have, or have had, serious illness have received care in multiple health care systems.

In my experience, the greatest current barrier to ANYONE using patient records (including providers and researchers) is that the quantity of data is too great to consume without summarization -- and there is currently no technology for automating that. The VAST majority of the patient chart is stupid, erroneous or irrelevant transactional data with no value after the patient has left the facility. It's "volatile." The tiny amount of "enduring" data that has value to subsequent providers (and the patient) is often lost, incomplete, incorrect, inconsistent, or camouflaged inside a mass of ridiculous metadata. Currently, there is no technology for filtering the litter out of the patient record. And, it's growing faster than any other kind of information. Frankly, getting access to the "full record" is less and less useful, the bigger it grows. What's needed -- and is rarely available -- is an expert summary of the case. If the patient is lucky enough to come across one of these, it's value is beyond gold.

Great points Grace, Gwen and Michael!

When dealing with information access we only have three choices: (a) reduce or limit access further than is available today, (b) maintain the same level of access as today, or (c) increase the level access from where it is today.

Since there's a strong desire to promote (c) and increase access there's a well intentioned question that comes up: "won't the patient be overwhelmed"? Let's assume the answer is "yes" and that patients will be overwhelmed ... does that mean we should restrict the data or limit it in some way? The answer is "of course not!" because there is no reasonable scenario when more information about their own medical records writ large is worse than less information about their healthcare data writ large.The inverse is very true though - lack of information can kill.

That's why I believe there is no legitimate concern about increasing patient access to their own health information when they choose to seek it.

As a person who works in the world of conversational AI, text summarization, sentiment analysis, natural language processing, and similar computational fields I already see many tools that can take large amounts of information and create rudimentary automated summarization. The tools we have are nascent right now but will improve over time as more data is fed to them.

We should assume that more information, not less, is always best and that human and computer experts will take care of the information overload problem over time.

I agree Michael (and also got a good chuckle out of "VAST majority of the patient chart is stupid, erroneous or irrelevant transactional data"). I have found that many patients living with chronic illnesses, multiple co-morbidities, or the primary carepartners of those with life-altering & life-limiting conditions are master curators of their medical records, often meticulously reviewing their records and constructing actionable summaries and timelines. Seamless patient access is the most powerful patient engagement strategy we have yet to fully unlock and realize.
Interestingly, once individuals DO have access, they inevitably find errors and omissions in their records. This is a great opportunity to engage patients and their carepartners in further curating their records by supporting digitized medical records addendum processes. This step is a matter of patient safety that is essential for care coordination, continuity of care, outcomes, and control of costs.

In my business of record "curation and summarization" for people with complex conditions, we have been talking for >10y with IBM, Nuance, Google, Microsoft, et al. about computer-assisted summarization. This is where the answer currently lies. It's a human, expert task that no algorithm can currently perform. However, I enormously respect the development and research work being done in computational linguistics and NLP. I absolutely trust that in some future, automated (or at least largely automated) data distillation will begin to be applied to my email inbox, my legacy medical records, my correspondence and other pain sources. The quantity of "data" will only increase. We are living now in the era of coal-fired informatics; tremendously imbalanced in terms of the ease with which we can flood ourselves with byte-effluent, versus the ease of ingesting and digesting it.