Call to Action for Providers: Respond to Patient Requests for Health Data

For the past few years, we’ve been connecting digital health leaders, like Virta, Oscar, and Invitae, to our national health data network. Their goals are to 1) retrieve complete clinical data to better facilitate treatment, 2) track outcomes for patients who use a clinical product or intervention, and 3) adopt risk in their business models, only recognizing revenue if patients get healthier. There is a tremendous opportunity for digital health developers to apply patient data, securely and under HIPAA, to improve the delivery of care.

However, if patients want to access their medical records from the same channels that providers and developers use, they can’t. It turns out that hospitals are not obligated to share patient data through our network partners, like CommonWell and Carequality, if it’s not for treatment purposes. When a patient submits a query to retrieve their own health information, it pings thousands of hospitals and vendors across the country and requests that their data be sent back for “Patient Access” purposes. For every query we sent, no data was returned.

Then, we received the email below from a large health system that apparently received our “Patient Access” ping:

“We are receiving patient queries from Health Gorilla. We are rejecting all of these queries because of invalid metadata. The only permissible reason of use (in metadata) is ‘treatment’. However, requests from Health Gorilla contain the phrase ‘Request of the individual’. I am not certain whether this actually complies with the XCPD and related protocols, but I do know that all other organizations from many different EMR systems all use the text ‘treatment’ as the stated reason of use. All other request reasons will be rejected. I cannot verify this myself, but I would assume that if all of your messages are coded with the same metadata, then all your queries to Epic EMR organizations around the country are failing.”

This email told us quite a bit about the state of health information exchange today.

  1. Hospitals and/or EMRs have a policy in place to reject “Patient Access” queries.
  2. There is a lack of awareness that “Patient Access” is a permissible reason to request data.
  3. Other use-cases for clinical data, like “Research” or “Payment”, would most likely be rejected as well.

We fundamentally believe patients should have easier access to their health data from different vendors and hospitals. The age of information silos is over. A modern infrastructure already exists that allows the ecosystem to exchange structured health information securely. Patient health record (PHR) apps and other consumer tools need to tap into these data networks under the “Patient Access” use-case, but can’t today. As a result, patients are stuck pulling together their medical records through fax machines, thumb drives, and CDs. To solve this, CMS has proposed a Trusted Exchange Framework and Common Agreement (TEFCA) to form a single “network of networks” that permits secure data access for key stakeholders across the ecosystem, including patients. The second draft of TEFCA was published early last year, and we anticipate it being finalized later this year. We believe TEFCA is a critical step forward to empower patients with access to their data through modern channels, technologies, and standards.

Many of our customers have built the technology, and now they need the data. We’d like to see more providers and hospitals respond to data requests for purposes other than treatment, which would accelerate progress in areas like consumer access, clinical trials, and patient risk scoring. We’re committed to working with developers and health information networks to push patient access forward. If you’re developing apps to accelerate innovation in healthcare, we’d love to hear from you.

For more information, visit or follow us on Twitter @healthgorilla.