Who Moved My Medical Records?
The Past, Present, and Future of Interoperability & Patient Access
Tl;dr →
Interoperability in healthcare might sound arcane, but it’s basically just about exchanging health data. Healthcare providers can deliver better, more informed care when they have access to their patients’ full health data
Over the last 30 years the U.S. has passed several major pieces of legislation around interoperability, but change has been slow. Today individuals can access our health records electronically by signing into online patient portals, but we and our providers still can’t easily see one comprehensive view of our health data
Personal health record (PHR) companies have tried to aggregate patients’ data, but they have mostly failed to gain traction so far
A key barrier to interoperability has been that health systems and electronic health record (EHR) companies aren’t incentivized to share patient data
As parts of the 21st Century Cures Act (2016) are starting to be implemented (e.g., information blocking, TEFCA), it is expected that individuals will be able to access our health data more easily (if the legislation is enforced and implementation goes well)
In anticipation of this, several startups are rolling out consumer-facing products to facilitate individual access. It remains to be seen whether they will fare better than the earlier PHR companies
The Whole Shebang →
When Noga Leviner was diagnosed with Crohn’s Disease, she assumed her doctors would keep a complete, updated file of her medical records and keep each other up to date on her condition. Nope. Instead of focusing on her health, Noga had to fill out request forms, wait in lines, and make dozens of calls to finally get her records.
In January 2014, Noga co-founded PicnicHealth to fix this broken system and help patients take complete ownership of their health.
I. Why Interoperability Matters
Healthcare interoperability and its jargon – C-CDA, FHIR, HL7v2, HINs, HIEs, and the like – can seem as inscrutable as a doctor’s handwriting. But putting aside the cryptic acronyms, interoperability is essentially about exchanging healthcare information – and this matters for just about everyone.
In the U.S., where most people see multiple healthcare providers over the course of our lives, we end up with our healthcare data spread out across many different provider offices and their electronic health record (EHR) systems. Not all providers use the same EHRs, and the different EHRs don’t talk to each other. As a result, most of the time our care providers don’t know the details of the care we received elsewhere – at another doctor’s office, urgent care center, hospital, pharmacy, lab, or imaging center, much less the kind of everyday health data that many of us track on our own with an Apple Watch, Fitbit, Whoop, Oura Ring, or another device.
Without access to this data, our doctors don’t have the full story about what’s going on with our health. This can lead to an incorrect diagnosis, a delay in getting the right diagnosis, duplicative care – like getting a repeat CT scan, colonoscopy, or pap smear because your current healthcare provider doesn’t have information from your prior one – and, as a result, higher healthcare costs. After all, more doctor’s visits, duplicated tests and procedures, and patients being sicker for longer all increase costs to the healthcare system; even worse, they diminish patients’ quality of life.
Having a unified health record for every person would mitigate a lot of these issues. With more comprehensive and timely data, providers could deliver better care to their patients. And as Travis May, co-founder of health data firm Datavant, has written, while today most U.S. healthcare providers are paid “fee-for-service”, or each time they provide care (e.g., per visit, lab test, medication, surgery), better data would make it easier to tie economic incentives to the real value of care for a given patient (e.g., paying $x for reversing a patient’s diabetes, like Virta Health is aiming to do).
At its heart, interoperability is about getting that needed health data to be exchanged so we can take better care of people. As patients and taxpayers, this is something we can all care about.
II. A Brief History of Interoperability
Our government and healthcare institutions have been talking about interoperability for decades, and the going has been slow. There have been two related, but somewhat distinct, major government-initiated efforts around this: one to give patients access to their own healthcare data, and another to create a network for other healthcare stakeholders (like healthcare providers and insurance companies) to exchange data. We’ll focus on the patient access efforts here.
The first major legislation impacting patient access was the 1996 Health Insurance Portability and Accountability Act (HIPAA). While even NFL football players have heard of HIPAA, the law isn’t always well-understood. HIPAA was a big deal because it gave patients the right to request our own health information from providers and payers, and to share it with anyone we want. Today, when we ask our doctor’s office to send our medical records to another healthcare provider or elsewhere, we typically complete a form (like this one in NY State) authorizing the provider to release our healthcare information under HIPAA. HIPAA also sets security standards for providers to ensure patients’ data isn’t shared willy–nilly; as a result, healthcare providers tend to be cautious about sharing patient health information.
Since almost no healthcare providers stored patient records electronically back in the 1990s, healthcare data was mostly exchanged on paper. The 2009 HITECH Act changed this by financially incentivizing healthcare providers to store their patients’ healthcare data in electronic health record (EHR) technologies, thus leading to massive adoption of EHRs. HITECH also included a provision for providers to give patients access to access certain health data electronically. This is why today we can access our health data through patient portals. As we have seen, however, different providers often use different portals and they don’t all talk to each other. So while electronic exchange is happening, we still haven’t had integrated health records.
The latest in this multi-decade series of interoperability legislation is the 21st Century Cures Act, which was signed into law in 2016. While the law covers many different areas of healthcare, implementation of the interoperability pieces was delegated to the U.S. government health IT czar – the Office of the National Coordinator for Health Information Technology (ONC). ONC took this mandate and turned it into the Cures Act Final Rule, published in 2020. The rule reinforces HIPAA by prohibiting healthcare providers and health IT providers from “information blocking”, or “interfering with access, exchange, or use of electronic health information [EHI]”, and by expanding the scope of the EHI that must be shared, from a certain defined set to all of it (with some exceptions). The rule also improves on shortfalls from the HITECH Act by better standardizing the content and format of sharing EHI, including a requirement that patients be able to access all of their EHI through smartphone applications.
What’s so revolutionary about this latest regulation? Not much, some say. As Brendan Keeler, author of the Health API Guy blog, wrote in an excellent set of blog posts on interoperability, “Information blocking requirements do not reinvent HIPAA; they serve as a brute force, a last resort cudgel to pummel those who would resist the principles that HIPAA outlined…They don’t fundamentally change a whole lot, given the exceptions [to the new law], and really just reinforce HIPAA rights that already existed. They’re broad and unprescriptive to such an extent that it will be subject to chronic misunderstanding.”
Moreover, the new regulations have been slow to come to life. As Micky Tripathi, the head of ONC, commented during a fall 2022 panel on healthcare interoperability, “It’s infuriating that the 21st Century Cures Act was passed in 2016 and we’re still here trying to get it done.”
Since 1996, Americans have gone from having minimal access to our own healthcare data to requesting and storing our health records on paper (HIPAA) to accessing them electronically (HITECH). With the implementation of 21st Century Cures, we might be able to access more data than before, and via our smartphones. But we’re still stuck logging into a fragmented set of patient portals (if we can find our passwords). There is no one place where we or our healthcare providers can see a single view of our health, let alone use that information to guide our care.
III. Snacktime: Carrots and Sticks
If interoperability has so many benefits, why aren’t we there yet?
In short, U.S. healthcare hasn’t had the incentives in place to make interoperability a reality. EHR adoption took off because the U.S. government made it financially untenable for providers not to implement EHRs. There hasn’t yet been an analogous carrot or stick for interoperability, and major stakeholders such as healthcare systems and EHRs believe interoperability isn’t in their best (financial) interest.
As a reminder, our system is “fee-for-service”, meaning that every time a healthcare provider delivers a service, they get paid. (This underpins many challenges in U.S. healthcare, not just interoperability). In a capitalist economy where growth in revenue and profit are the yardstick of a company’s success, healthcare providers are incentivized to deliver more services so they can collect more revenue. For a health system, this typically means it is beneficial to get patients to come in to see their doctors more often. If a patient can’t easily move their health data, that can help to keep the patient within the health system. Beyond the question of patient retention, interoperability can enable better, more coordinated care – which ultimately should result in less care, which slows the fee-for-service revenue flywheel. Yep, it sounds icky – and it’s the business of healthcare.
Overall, health systems generally have little to lose from the interoperability status quo. As Brendan Keeler wrote in 2021, “The incentives for data transfer and sharing are core to other industries – banks that can’t send and receive money with many institutions tend to fail, whereas healthcare organizations can focus locally or even internally and skate by, dealing with the occasional out-of-network patient.”
The big electronic health record companies (EHRs) are similarly disincentivized to share data, as doing so could make it easier for healthcare providers (EHRs’ customers) to switch to a different EHR vendor, and because there are profits to be made from monetizing data sharing. A 2021 study in the Journal of the American Medical Informatics Association reported that many EHRs interfere with electronic sharing of patient data by setting unreasonably high prices for providers to access the data.
Even if health systems and EHRs didn’t have these incentives to block health data exchange, they tend to use antiquated IT systems that would require significant, costly investments to enable data exchange. For example, when the 2020 Cures Final Rule was published, health IT developers pushed back vehemently on the rule’s expansion of the set of health data that needed to be shared with patients. In response, ONC revised the rule, allowing health IT developers to start by sharing a limited set of health data known as USCDI and allowing more time for developers to expand access to all EHI.
If health systems and EHRs are acting in accordance with their best interests, perhaps our interoperability woes are a symptom of something larger than these companies. American society is known for its deep individualism in contrast to the more communitarian values of many other societies. Might a society that places greater value on the community do more to look out for the health of its citizens? In fact, public health interoperability leader Theresa Cullen, reflecting on an international trip, suggested just this in the aforementioned panel discussion on interoperability. As a society, we have allowed profit maximization to take precedence over public health. If we truly want to use data to improve people’s health, we will need to reckon with our collective values; we will need to change the fundamental incentives that maintain the status quo.
IV. A New Hope
Since HITECH legislated electronic health access to health records, several companies have tried to aggregate electronic medical records on behalf of patients. Some of the best known patient health record (PHR) efforts have come from big tech companies such as Google Health, Microsoft HealthVault, and Apple Health, as well as startups such as OneRecord and Picnic Health, among others. But PHRs have largely been viewed as a failure: Google Health announced that it was shutting down in 2011 after failing to attract users, and Microsoft HealthVault shuttered in 2019. (OneRecord was purchased by an insurtech company called Milliman Intelliscripts and Picnic Health is still a private company, so it is difficult to know how much traction they have generated).
In speculating on the lackluster consumer adoption of PHRs, Brendan Keeler notes that extremely sick patients are the greatest beneficiaries of PHRs, followed by fitness junkies, and these segments of the population are relatively small compared to the number of healthy people at any given time. For the majority of people, perhaps PHRs simply don’t add enough value relative to the friction of connecting each health system’s patient portal to the PHR. Meanwhile, Epic, the market leader in EHRs, has made some improvements here; its patient-facing MyChart portal now connects patient MyChart accounts across health systems (one would think this would have been the default always, but no), and its provider-facing Care Everywhere feature allows healthcare providers who use Epic to access patient records from other healthcare institutions that also use Epic.
One promising development in this space is the idea of a national health information network (HIN) that would pull patient health records from across providers in real time and allow a patient to access their consolidated health record simply by verifying their identity once, with the network. This could eliminate a lot of the friction in today’s system in which patients have to log in to each patient portal separately.
In fact, ONC intends to create such a solution as a separate part of the implementation of the 21st Century Cures Act, known as the Trusted Exchange Framework and Common Agreement (TEFCA). While some HINs already exist in the U.S. as non-profit organizations, they only respond to requests from healthcare providers seeking health information for the purpose of treating a patient. (Under the information blocking regulations, HINs are actually required to respond to requests for individual access, but they have not yet begun complying, according to a 2023 white paper from Particle Health). TEFCA is leading to the creation of a new set of HINs that will be qualified under the federal government’s requirements. To meet the requirements to be approved as a Qualified Health Information Network (QHIN), an organization will be required to respond to requests for individual access to health information after verifying the individual’s identity.
Since connecting to a HIN can require a significant technical lift for a healthcare provider, startups such as Health Gorilla and Particle Health connect to today’s HINs (and in a future state, may become QHINs or connect to the network of QHINs) and provide APIs for healthcare providers to query the HINs for patient health records. On the individual access front, Health Gorilla (which is in the process of becoming a QHIN) and Particle Health announced in 2023 that they are piloting programs where individuals can complete a simple identity verification process (upload a driver’s license photo and a selfie) and then the company will query the HINs for the individual’s health data. I tried this process with both companies in spring 2023 and the verification process was, indeed, pretty simple – but as expected, since today’s HINs don’t respond to individual access requests, Health Gorilla wasn’t able to return any records for me. I signed up for Particle Health’s pilot program in early April and have not yet heard back.
Overall, the success of using networks to give patients access to their records will depend on 1) whether the existing HINs begin complying with individual access requests or 2) whether a critical mass healthcare providers join the QHINs. If providers don’t join QHINs, then querying the QHIN network won’t help individuals get access to much of their health data. Today, providers are not required to participate in QHINs, and as Jonathan Bush, the outspoken founder of Zus Health, has noted, mass participation is unlikely without regulatory carrots or sticks encouraging/requiring it.
Even if individuals and our providers do become able to access our health records more easily, the failures of PHRs suggest there may not be enough incentive for the majority of the population to do so. Some companies are thinking about how to create incentives for individuals to access and share their aggregated health data, such as:
Contributing to research – Women and minorities are notoriously underrepresented in clinical research. Picnic Health pulls individuals’ medical records for free if the patient shares their data for a specific clinical study that Picnic is contracted with. Similarly, Novellia is collecting individuals’ data (with their consent) for use in clinical trials.
Matching patients to clinical trials that could benefit them – Citiizen is a free medical record aggregation service (run by the public company Invitae) for patients with certain cancers and rare diseases, with the goal of helping patients to find new treatments via clinical trials.
Getting life or disability insurance approved faster – These types of insurance typically check a patient’s health history before underwriting an insurance policy, which can sometimes result in months of back and forth between a patient and the insurance company, including mailing health records. Health Gorilla allows consumers to consent to share their health information with life insurance companies to expedite a decision on the insurance policy.
Paying patients for their data – Companies like Trove Health plan to compensate patients for consenting to share their aggregated health records with pharmaceutical companies that may use the data for drug discovery and development.
Whether these companies will be able to engage consumers at scale remains to be seen. In general, it tends to be challenging for companies to scale through engaging one consumer at a time, and the sensitivity of health data and potential security concerns may make consumers hesitant to share. Furthermore, these companies will likely be accessing the same health data sources (HINs/QHINs, patient portals) so there will likely be limited differentiation among them; any company seeking to attract users will likely need to make significant marketing investments.
Fourteen years after HITECH moved health data from file folders to EHRs, data is still siloed and underutilized in care delivery. But we have also seen improvements over time, and more change is in the works. As Barack Obama shared in a 2015 interview with the comedian Marc Maron, “Sometimes the task of government is to make incremental improvements or try to steer the ocean liner two degrees north or south so that, ten years from now, suddenly we’re in a very different place than we were. At the moment, people may feel like we need a fifty-degree turn; we don’t need a two-degree turn. And you say, ‘Well, if I turn fifty degrees, the whole ship turns [over]’”.
We can hope that in ten years, we will be in a very different place.
Note: I am not an investor in any of the companies mentioned here. I have had the pleasure of speaking with some interoperability startups’ management, investors, and/or customers, and of admiring from afar the innovative builders, regulators, and public health officials who are pushing forward interoperability for the good of patients and our society.
Lol “even NFL football players have heard of HIPAA”