Lawmakers Urge EHR Vendors to Enhance Patient Data Control

Key Initiative by Senator Ron Wyden

An influential lawmaker is advocating for electronic health record (EHR) vendors to implement features that grant patients greater control over their medical data, aiming to enhance cybersecurity. Senator Ron Wyden, D-Ore., addressed a letter to ten health IT and EHR companies, highlighting a feature utilized by Epic, the largest EHR vendor in the nation. This feature notifies patients about which healthcare organizations have access to their medical records and provides an option to opt out of data sharing. Wyden inquired whether similar functionalities exist in the vendors’ patient portals and if they would commit to adopting these features.

Balancing Interoperability and Privacy

In his correspondence, Wyden emphasized the importance of interoperability in the healthcare sector. He noted that improved data sharing is essential for providing coordinated and quality care across different providers. However, he expressed concern regarding the sensitive nature of healthcare data, which has become a target for cybercriminals. The letter was sent to companies such as Athenahealth, Oracle Health, and Meditech.

Among recent incidents, a significant cyberattack on UnitedHealth-owned Change Healthcare in 2024 exposed the personal data of nearly 193 million individuals, making it the largest healthcare data breach reported to federal regulators. Additional breaches this year, affecting institutions like Yale New Haven Health and dialysis provider DaVita, have further highlighted the vulnerabilities in healthcare data security.

Risks of Widespread Data Access

Wyden warned that while enhanced interoperability benefits patient care, it also increases the risk of breaches. He noted that health data from a majority of Americans is accessible by providers across the country, regardless of whether those providers are directly involved in the patient’s care. This unrestricted access raises concerns about improper access, theft, and potential leaks of sensitive health information. Wyden also mentioned potential national security implications, suggesting that such access could expose health data related to military and intelligence personnel to unauthorized parties.

Proposed Features to Empower Patients

Wyden pointed out that features implemented by Epic, following his recommendations, could empower patients in managing their information flow. These functionalities inform users about which organizations have access to their health records, prompt them to confirm their preferences during sensitive care, and allow them to refuse record sharing. The senator asked the vendors to confirm whether their patient portals or interoperability frameworks include similar features, such as the ability for patients to opt out of record sharing or view a list of healthcare organizations that have accessed their records.

Vendor Responses and Commitments

EHR vendors are expected to respond to Wyden’s letter by January 20. A representative from Netsmart, one of the recipients, stated that the company would reply directly to the senator and remains engaged in discussions concerning patient access, consent, and data governance. Meditech is preparing a formal response and expressed alignment with Wyden’s commitment to patient privacy and empowerment. Joe Ganley, Vice President of Government and Regulatory Affairs at Athenahealth, confirmed receipt of the letter, stating their shared belief that interoperability frameworks can be designed to facilitate data flow while safeguarding patient rights and security.