Skip to Content

Give Me My Data!

On Monday night, a website called went live.  The site promotes better access to one’s own health data, and serves as a portal where individuals and entities can endorse/support A Declaration of Health Data Rights. “We the people,” the site asserts: 1) Have the right to our own health data; 2) Have the right to know the source of each health data element; 3) Have the right to take possession of a complete copy of our individual health data, without delay, at minimal or no cost; if data exist in computable form, they must be available in that form; 4) Have the right to share our health data with others as we see fit. 

Having access to one’s own health data is already a right – just not one that is well known or enforced.  Under the HIPAA Privacy Rule, individuals have a right to obtain a copy of their health data.  They can also get this copy “in the form or format requested” (e.g. electronic format), if it is “readily producible” in that format.  There are some exceptions to this right, including health data compiled for the purpose of a civil or criminal proceeding.  Also under the Rule, covered entities have 30 days to comply with an individual’s request (and this can be extended to 60 days).  Entities can charge a reasonable fee for copying the health record, the limits of which are set by state law.  Notwithstanding this legal right, failure to provide individuals with access to their data is one of the top 5 HIPAA-related complaints received by the U.S. Department of Health and Human Services (HHS) — the agency responsible for enforcing the HIPAA Privacy Rule.

Congress took steps to strengthen this right in the recent economic stimulus legislation.  Entities using electronic health records must provide individuals with an electronic copy upon request and individuals can have that copy sent directly to a Personal Health Record (PHR).  The entity cannot charge more than its labor costs for the copy. This provision goes into effect February 18, 2010. But whether this will result in greater patient access to data is uncertain.  Why is gaining access to one’s health data such a problem?  Still too many patients and providers do not know that this right exists.  In addition, still too many physicians are uncomfortable with providing patients access to their medical record.  Likewise, too many patients still rarely question the authority of their physicians, and may be afraid to ask for their health data for fear of undermining this authority.  Recently enhanced HIPAA penalties for failure to comply with the Privacy Rule may help – but may not be enough to dislodge entrenched assumptions about the proper roles of doctors and patients.

There is clearly a need to raise awareness about the right of individual access to health data under HIPAA.  CDT endorses and applauds the efforts of its organizers to draw attention to patients’ rights to their data.