Senator Pushes EHR Vendors to Give Patients Greater Control Over Health Record Sharing
Senator Ron Wyden (D-OR) is pushing electronic health record (EHR) vendors to add features to their products to give patients greater control over how and with whom their health information is shared.
Digital health records have revolutionized how health information is stored and shared. While there have been data sharing challenges, a concerted effort toward interoperability has allowed different health systems to communicate and exchange health information seamlessly to support the provision of timely, coordinated, and high-quality health care. Congress recognized the importance of electronic health records with the passing of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) in 2009. One of the main aims of the HITECH Act was to encourage the adoption of EHRs. Then, in 2016, Congress passed the 21st Century Cures Act to improve the exchange of health information between providers.
The 21st Century Cures Act required health information in EHRs to be accessible and exchangeable across different health systems, also giving patients the right to immediate and free access to their health records via patient portals and apps. The 21st Century Cures Act empowered patients to take a greater role in their own health care, while improving care coordination and supporting innovation by allowing patients to share their health information for research.
While interoperability has important benefits, it also introduces privacy risks. In a letter to ten leading U.S. EHR vendors – Oracle Health, Meditech, Altera Digital Health, Athenahealth, McKesson, Medhost, Netsmart, TruBridge, Veradigm, and WellSky – Sen. Wyden explained that the health records of the vast majority of Americans can be accessed by healthcare providers in states across the country, even if there is no treatment relationship. A patient in New York may travel to California and receive healthcare services, but that patient’s records could be accessed by a California healthcare provider even if the patient never sets foot in the state. Naturally, ease of access needs to be balanced with privacy protections to reduce the risk of unauthorized access, theft, and data leaks.
Sen. Wyden frames the risk of unauthorized data access as a national security threat. Nation-state actors could exploit the interoperability of health records to obtain the sensitive data of Americans for nefarious purposes, especially the health data of U.S. military and intelligence personnel. That risk is not just theoretical, warned Wyden. “An investigation by the Department of Defense (DOD) Inspector General in 2021 found that the health records of DOD personnel could be improperly accessed for purposes of extortion, public embarrassment, or sale to others,” Sen. Wyden wrote. “These issues underscore the need for interoperability frameworks that protect patient rights, ensure data is not misused, and allow essential care to continue without delay or fear of legal consequences.”
Sen. Wyden is pushing EHR vendors to implement features to allow patients to have direct control over the entities that can access their health records. Sen. Wyden said, at his urging, the leading U.S. EHR vendor, Epic Systems, developed a new feature that allowed patients to control the flow of their health data across different healthcare providers. The new feature, which Epic Systems has recently deployed, notifies users about which health care organizations have access to their records, prompts them to confirm their sharing preferences when they receive sensitive care, and gives them the option to opt out of record sharing. “I believe Americans should be able to have direct control over which entities access their health care information. The changes Epic has made to its system are encouraging in building toward this goal,” wrote Sen. Wyden.
Sen. Wyden has asked the ten vendors to confirm whether they have implemented similar functionality into their EHR products, and if not, whether they are willing to commit to implementing similar functions for patients, and what patient-facing functionalities they are currently developing to give patients greater control over the sharing of their health records. The vendors have been asked to respond by January 20, 2026.
