Patients Still Struggle With Full Access to Health Info
Data Privacy, Data Security, Healthcare
Tech Standards, Regulatory Levers Have Removed Barriers. What’s Still in the Way?
Patients these days have an easier path to securely accessing their electronic health information, thanks in large part to advancements in certain technology standards and a big push by federal regulatory policies in recent years. But obstacles still remain.
Despite an industry-wide digital transformation, patients still struggle with conveniently and securely gaining access to a unified, integrated view of their health information from multiple providers. Other difficulties involve providing secure and private access to records of certain types of patients, including those with complex medical conditions, as well as minors.
“The main hindrance that I see to information sharing generally, both with patients and with other healthcare providers, is the proprietary nature of electronic health records or electronic medical record vendors and their systems and agreements,” said privacy attorney Iliana Peters of the law firm Polsinelli.
Regulations related to the handling of electronic health information date back to the HITECH Act of 2009, but the Department of Health and Human Services’ 21st Century Cures Act final rule in 2020 became the foundation for information sharing. The Cures Act called on health IT developers to adopt “secure, standards-based application programming interfaces” – to make it easier for patients to access their health information using mobile health apps.
Top priorities of the Cures Act, which was signed into law in 2016, were to advance medical innovation, including the aim of improving care coordination and patient outcomes through the help of interoperability and secure access to electronic health information (see: New Regs Aim to Improve Patient Records Access).
Under the hood of those modernization efforts, health IT developers were encouraged to adopt standards in their products such as the Fast Healthcare Interoperability Resources, or FHIR, which was created by Health Level Seven International for exchanging healthcare information electronically.
The Cures Act also includes policies that promote the secure nationwide exchange of health information, including regulations to deter healthcare providers and health IT vendors from illegally “blocking” health information exchange.
In addition, the earlier HITECH Act of 2009 – which propelled the mass adoption of electronic health record systems nationwide by clinicians and hospitals – also drove many healthcare providers to offer portals for patients to access health information securely online.
Most patients have embraced online access. For example, in 2024, 65% of patients nationally and 75% of those managing a recent cancer diagnosis accessed their medical records online or via a patient portal, according to a report released in July by HHS’ Office of the National Coordinator for Health IT. Proxy or caregiver access to patient portals more than doubled between 2020 and 2024, and app-based access to online medical records increased from 38% in 2020 to 57% in 2024, ASTP said.
“I do think that the HITECH Act and Cures Act have been driving forces in making it easier for patients to access their records,” said privacy attorney Adam Greene of the law firm Davis Wright Tremaine. “Without those legislative pushes, I do not think that patients would have the level of electronic access to records that they have today,” he said.
Compliance Issues, Roadblocks to Interoperability
Besides using levers such as the HITECH and the Cures Act to ease access for patients, HHS’ Office for Civil Rights is investigating right-to-access claims by patients. Over the past six years, enforcement activities have spotlighted cases involving violations of the longstanding HIPAA Privacy Rule provision that gives patients – or their personal representatives – the right to request timely access to patients’ “designated record set” of protected health information.
A HIPAA “designated record set” includes medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; clinical case notes; and other information “used to make decisions about individuals,” HHS said.
Since 2019, as of Friday, HHS OCR has issued at least 53 HIPAA settlements and fines to regulated entities that failed to provide patients – or their representatives – with their health record sets in a timely manner in the requested electronic or paper form (see: HHS Discloses 3 More HIPAA Fines Totaling More Than $3M).
In some of these cases – which usually start with a complaint to HHS OCR – patients have made multiple requests and waited years to receive their requested records, and often not until the HIPAA enforcement agency launched an investigation.
But while most patients today have much better access to their health records electronically, that doesn’t mean the obstacles are gone.
“Despite information blocking requirements, many of these vendors of all sizes continue to use both contractual requirements and technical controls to significantly slow and sometimes prohibit altogether otherwise permissible sharing of patient data,” said privacy attorney Peters. “And until HHS exercises its enforcement jurisdiction with regard to such practices, it’s unlikely that these vendors will change their ways.”
Complicating matters is that many patients receive health services from multiple providers. That means records held by medical specialists that aren’t part of a patient’s primary care organization are stored in many places, making it difficult for patients to access a unified, integrated view of their records.
ASTP’s study found that nearly 60% of patients nationally had multiple online medical records or patient portals in 2024, but only 7% reported using a “portal organizing app” to combine medical information from different portal sources or online medical records into one place.
“Many things have helped us advance to greater access by patients – more clear guidance on the HIPAA right of access from HHS, the emphasis on patient access in the 21st Century Cures Act and how leading providers, network administrators and some medical record companies are beginning to ‘lean in’ on facilitating patient access,” said attorney Deven McGraw, chief regulatory and privacy officer at Citizen Health.
But hurdles remain. “Patients who have multiple providers struggle with remembering the user names and passwords for all of their provider portals and lack a unified, usable view of all of their information in one place, unless they’ve connected their portals to an application,” she said.
Greene suggests that patients consider using consumer apps that connect to multiple healthcare providers’ systems through APIs, allowing patients to download and organize records from multiple providers. “The biggest challenges with such apps, though, are that it falls on the patient to check that the app has good privacy and security safeguards, and navigating providers’ APIs can be challenging,” he said.
Citizen Health provides a technology platform and services to help patients with rare conditions collect and access their health records from multiple sources with an integrated view.
McGraw said the ability of a patient to connect an app to a portal account – and to have the option of making that connection persist so that records are automatically refreshed – is also still a challenge.
“Take the persistent token issue – the technology exists to create tokens that persist. Yet providers often set the timeframes for how long they persist with very short intervals,” she said. “This means the patient doesn’t have that seamless connection for the app, even in cases where the patient wants a ‘set it and forget it’ approach.”
Additionally, there are often records that are not available through FHIR APIs – such as medical images – which forces patients to obtain the files via a HIPAA medical record request to a radiology office. “This process is still often difficult for patients,” she said.
“This is an issue that hits patients with complex health conditions particularly hard, because they often have multiple portals they need to visit,” said McGraw, a former official at both HHS OCR and ONC during President Barack Obama’s second term and the first administration of President Donald Trump.
“Those of us who have long supported the ability of patients to use tools to consolidate their records – like personal health record apps and platforms, including but not limited to Citizen Health – see this as a solution that is already out there to help patients with this,” she said.
“Electronic medical record vendors could also help by allowing for a consolidated view in their portals, but this would likely require the consent of their customers – healthcare providers – which means we’d have to overcome the hurdle of real or perceived legal risk at showing data to patients that was generated from other providers,” she said.
“This is not a tech problem. It’s a trust problem,” she said.
“Providers have expressed concerns about having iron-clad assurances that a patient knowingly engaged an app, understands and accepts what that means for their data, that the patient is who they claim to be – identity proofing, and that the patient consented to record collection from a particular provider – and in the case of network access, that they have matched the patient to the right record, which is not an issue for portal/FHIR API access,” she said.
“There are technical solutions that exist to address all of these – but I think providers still have lingering uncertainty about whether those solutions are ‘sufficient’ to address their concerns.”
Other Challenges
In the meantime, there are still other access issues involving certain types of patients, such as minors, Greene said.
“A top challenge facing both patients and providers is adolescent records,” he said.
“It is very challenging for providers to provide parents or guardians with real-time access to information about their adolescent children to which they are entitled while blocking access to confidential access to which they are not entitled,” he said.
“This may result in a healthcare provider excluding adolescents’ records from its patient portal, resulting in frustrated parents having to go through more formal release-of-information processes to obtain access to such records.”
While obstacles still remain, patients and healthcare providers are finally understanding that patient access to their own healthcare records is critically important. “I can still remember when patient access was far less of a priority – and I can remember more people saying that patients wouldn’t need access to their records if providers would just do a better job of exchanging data,” McGraw said.
“The more we do to knock these obstacles out of the way, the more we will see these access numbers increase. The win-win aspect of patient access is increasingly being realized across the healthcare ecosystem.”