What are electronic health records? How can I access my records and health data?

An electronic health record (EHR) is a digital version of the data that doctors and other professionals record about you in a clinical setting. EHRs provide details about your medical and treatment history. They can contain many different types of data including past diagnoses, medications, test results, scans and X-rays. Telehealth consultations will also form part of your EHR if they are recorded. With all of this information in one place and in an accessible format, doctors have a much better view of your health conditions and history. This will put them in a better position to diagnose your conditions and manage your treatments.  

When your health data is captured in an EHR, it is easier for your doctor to share this data with other healthcare organizations that are involved in your care. If you need to be referred to a specialist, your doctor can more easily share your comprehensive medical history with that specialist. Similarly, labs will be able to share test results and imaging facilities will be able to share scans and other images more easily. 

Unfortunately, in the United States, doctors and healthcare institutions experience a number of issues while implementing EHR systems. They are often extremely complex, take up a substantial amount of a healthcare provider’s time and resources, and are not always compatible across different institutions. These challenges ultimately impact patients and their ability to access their own health data.

How does having my data in a digital format help me?

As a patient, you may have experienced a situation in which you feel unprepared when meeting a new physician or specialist because you don’t have access to details from your previous doctors or hospital visits. You may find it very difficult to maintain complete records of your consultations with doctors, prescriptions, tests, and other interactions with the healthcare system. These difficulties become more pronounced as you move to another city or town, change your primary physician, or visit different specialists. If you are a patient with several or serious long term conditions, you might find it difficult to communicate the amount of information that is relevant to your healthcare and treatment to your doctors. 

Having your records in a digital format is incredibly useful to you and your doctor. With applications that allow you to access your electronic records, you are in a better position to manage and keep track of developments in your condition. In the long term, this will help you be a more active participant in your care and treatment. 

Do I have a legal right to access my data?

Yes, if you make a request, health care institutions involved in your care have a legal obligation to provide you with protected health information (PHI) they collect about you. This right extends to many different types of information or data including clinical case notes, medical records, billing receipts, insurance documents, lab test results, X-rays or scans, disease management program files, and more. The records should include data or information used to make decisions about you. The legal term for such records is a ‘designated record set’. These records may be in a digital format and be part of your electronic health record. However, you can also request for records of your data that are maintained by the healthcare institution in paper form.

When you make a request for your data, the healthcare institution does not have to create new information such as material to explain clinical notes or claims, or analysis of your condition that is not already recorded. Further, you cannot access certain records, including personal notes made by your mental health provider and information that your hospital has put together for a civil, criminal, or administrative case involving your data.

You can also make a request to understand when and how your healthcare records were accessed. Healthcare institutions have an obligation to obtain your consent when they use your data for non-routine purposes such as marketing or research.

How do I make a request to access my records?

Before you make a request for your records, make sure to check that the healthcare institution you are seeking data from is regulated under HIPAA as a ‘covered entity’ or ‘business associate’. By way of an example, a doctor or pharmacy that uses electronic methods to process claims is a HIPAA covered entity.  Also make sure that the information or data you are seeking is your ‘protected health information’. 

Healthcare institutions may require you to submit a written or electronic request. They are expected to verify your identity when processing such requests. However, they cannot impose conditions that may make it very difficult for you to make the request or retrieve your data – for example, they cannot ask you to physically come to their office and verify your identity when you have asked for the record to be sent to your home. 

You can request that the data be provided in paper or digital formats. The healthcare institution has to comply with the request as long as it can be easily reproduced in your chosen format. If, for example, you ask for data to be sent to you over email and the healthcare institution finds it difficult to do so, they can suggest certain alternatives, such as a secure file sharing service or a USB drive. The healthcare institution can charge you reasonable fees to process such requests to cover labor, supply, and postage costs. 

Healthcare institutions are expected to respond within 30 calendar days of receiving your requests. If they need more time, they have to inform you and can take 30 additional days in responding to your request. Please see here for more information on your right of access.

Can I make a request to share my electronic health records with another doctor or researcher?

Yes, your right to access your data also allows you to ask the healthcare institution to send your records to any other person or organization. You have to make such requests in writing, authorize the requests, and clearly identify the person or organization to whom you want the records sent. Similar to its obligations when you make a request for your data, the healthcare institution will need to promptly send such records in the format you requested. 

If you want your records from a hospital where you underwent a procedure to be sent to your primary care physician, you can ask the hospital to use its EHR system to transfer them. Similarly, if you would like to contribute to research on a condition that you live with, you can ask your doctors to send your records to a patient registry or a research institution that you have identified and that is looking for patient data for research. When making requests for records to be transferred over EHR systems, the healthcare institution to whom the request is made has to assess if doing so will present cybersecurity risks to its own systems. If a risk is present, they can deny your request for your records to be transferred. 

As a patient advocate, how can I advance the right to access?

The Office of Civil Rights (OCR) within the Department of Health and Human Services is currently responsible for enforcing this rule and ensuring that providers and payers comply when patients request their data. Despite this, many patients are denied access to their data or unaware that they are allowed to request it from providers. Patient advocacy groups should work towards increasing OCR enforcement of this right under HIPAA and better monitoring compliance. This will lead to increased patient awareness of the ability to access their data, enhanced medical transparency, and improved treatment and self-care.