Dive Brief:
- An influential lawmaker is pushing electronic health record vendors to adopt features that allow patients more control over their medical data in a bid to boost cybersecurity.
- In a letter sent to 10 health IT and EHR firms, Sen. Ron Wyden, D-Ore., pointed to a feature adopted by Epic, the nation’s largest EHR vendor, that notifies patients about which healthcare organizations have access to their medical records and lets them opt out of data sharing.
- Wyden asked the vendors if their patient portals have similar functionality and whether they’d commit to deploying these features. “While interoperability improves care by enabling better data sharing, it must be balanced with strong privacy protections for sensitive health information,” he wrote in the letter shared with Healthcare Dive.
Dive Insight:
Interoperability — a long-term challenge for the healthcare industry — is key to ensuring patients receive coordinated and quality care, regardless of provider, Wyden wrote in the letter, which was sent to companies like Athenahealth, Oracle Health and Meditech.
But healthcare data is often sensitive and coveted by cybercriminals, who have increasingly targeted healthcare organizations in recent years.
In 2024, a cyberattack on UnitedHealth-owned payment processor Change Healthcare exposed the data of nearly 193 million people in the largest healthcare data breach ever reported to federal regulators. And this year has included breaches that compromised the information of millions, including incidents at Yale New Haven Health and dialysis firm DaVita.
Though improved interoperability can be a boon for care delivery, widespread access to health data could leave many patients vulnerable to breaches, wrote Wyden, the ranking member of the influential Senate Finance Committee.
“Currently, the sensitive health data of the vast majority of Americans can be accessed by health providers in states around the country, regardless of whether those providers are actually treating the patient, or whether the patient has ever stepped foot in their state,” he wrote. “Such widespread access exposes patients to the threat of improper access, theft, and leaking of their sensitive health information.”
National security could also be affected, as widespread access could allow spies to more easily obtain health data on military and intelligence personnel, he added.
But features put in place by Epic at Wyden’s urging could help patients control the flow of their information, he said. The functionality lets users know which organizations have access to their health record, prompts them to confirm their preferences when they receive sensitive care and allows them to decline record sharing, according to the letter.
The lawmaker asked the vendors whether their patient portal or interoperability framework had similar features, like allowing patients to opt out of record sharing or giving them a list of healthcare organizations using the same EHR that have accessed their records. Vendors should respond to the letter by Jan. 20.
A spokesperson for Netsmart, one of the vendors that received the letter, told Healthcare Dive it will respond directly to Wyden and “remains engaged in industry discussions related to patient access, consent, and data governance.”
Meditech is preparing a formal response and “shares [Wyden’s] commitment to patient privacy and empowerment,” a spokesperson said in a statement.
Joe Ganley, vice president of government and regulatory affairs at Athenahealth, also confirmed it had received the letter.
“We share Senator Wyden’s view that interoperability frameworks can be developed in ways that ensure healthcare data flows more freely while also protecting patient rights and data security. We look forward to working with his office on this important issue,” he said in a statement.