Do you know what’s in your medical records?

In 1996, Congress enacted HIPAA (the Health Insurance Portability and Accountability Act), which was designed, in part, to give patients the right to access their own medical records. Twenty years later, much has improved, but patients still have trouble prying their personal information out of hospitals and health care systems. 

“It continues to be quite difficult for patients to navigate the records request process, and particularly, to obtain digital copies of their health information,” says Erin Mackay, coordinator of Get My Health Data, an initiative based in Washington, DC that advocates for patient access to digital health records. “I think there’s a lack of understanding of the rights patients have to this information and providers’ responsibilities to make it available.”

Big tech companies like Apple and Google are working to make access easier for patients, as are a number of small startups, says Christina Farr, senior writer at Fast Company in San Francisco.

“Apple, which you wouldn’t haven’t associated with health care even a few years ago, has made a big push into trying to get medical information to patients,” Farr says. “They’ve released things like HealthKit, which is one of their interfaces that aims to bring together the medical information that you might get from a provider, like your lab history and so on, and combine that with the types of information that patients are now collecting themselves. So, if you have an accelerometer on your iPhone or you’re collecting your blood pressure or heart rate, all that information can now be combined together on a smartphone.”

Unfortunately, a lot of patient information generated by doctors and hospitals can’t be read by a personal computer or smartphone — and that continues to be a major source of frustration. A few smaller startups have caught on to this, and a market is growing for apps that will read many different data formats and allow patients to download information.

One of these is called PicnicHealth. Patients pay the company a fee, and it will “try to get all of your medical records from all of the different hospitals and health systems that you’ve ever been to you throughout your life,” Farr says. “But that doesn’t mean it’s going to be perfectly aggregated information, because [a doctor or hospital] still might claim that they’ve lost your record or they can’t find it.”

On the one hand, it’s great to see technology companies addressing this issue, Farr says, but on the other hand, "patients have the right to this information. We shouldn’t have to pay someone else to go out and find it for us."

Mackay agrees. “Patients unequivocally have a right to a copy of their medical record and other health data, and that now includes a digital copy of that information, if the doctor has the capability to produce it electronically,” she says. “Patients aren’t asking their doctor for a favor. … They are simply asking for what they have a right to. I would also note that empowering patients with this kind of information to help them make decisions, to set and track goals, to share information they have about their health status and their symptoms, is particularly important.”

However, internet security remains a significant challenge. Doctors don’t want to be responsible for having their patients’ medical records compromised, and patients fear hackings, too.

“This is a serious consideration,” Farr says. “I was recently invited by an IBM security team to take a tour of the dark web, which is a place hackers can go to do not very legal things … and I saw a lot of medical records up for sale. Medical records are the new credit cards. Hospitals have not been rated particularly highly in the past for their security practices, and I think in the next five years, we’re going to see increasing pressure for them to be as secure as other industries that manage sensitive information, like the financial sector.”

All of this said, the records situation for patients is improving, and Mackay encourages people to learn how to access and store their medical information.

“First, it’s important to have an understanding of what your rights are,” she says. “Then, very importantly, what to do once you get [the] data … Once you understand your rights, once you make the request and successfully receive your data, you need to be thinking about a safe and secure place to store it. There are a lot of apps on the market that either will go out and make the request for you or provide a place for you to store and organize your data, but there’s a lot of variation in how apps or medical devices use, share and protect health information.”

“So, I think it’s important that we start doing a better job telling patients about these apps and about data-sharing policies and practices in a transparent and understandable way, so that consumers can make these decisions and feel confident that they have easy and secure access to their data when they need it,” Mackay says.

This article is based on an interview that aired on PRI’s Science Friday with Ira Flatow.