What’s in my electronic health record (EHR) and who can access it?
Understanding and harnessing the powerful potential of EHRs
The U.S. and much of the world are undergoing a profound transformation in how medical and health records are created, stored, used and shared. The digitization of health records has been a huge and expensive undertaking, but at least in the U.S., almost 99% of health systems, hospitals and medical groups now use some type of electronic health record (EHR) or electronic medical record (EMR) system.
This transformation is driven partly by the promise of potential improvements in healthcare and health outcomes. Many health IT proponents believe that with more data available in digital form, we’ll be able to more quickly improve our health systems, diagnostics and treatment. Digital records also bring us closer to the promise of precision, personalized medicine.
What is an EHR?
An EHR, or electronic health record, is a digital compilation of your health information. But an EHR is much more than just a digital version of your medical charts. In fact, it is much more than just medical records.
EHR vs. EMR
Many people, even healthcare industry people, often use the terms EHR and EMR interchangeably. But there is an important distinction between the two terms, which has not always been clear or recognized.
In the past, your medical records were probably the only health records you had. But as people began generating more health- and wellness-related data – that were not technically medical records – the distinction between EHR and EMR has become more apparent and important.
Strictly speaking, EMR refers to your patient records, typically produced every time you were a patient at a hospital, health clinic or doctor’s office. However, the term EMR also applies to any information and data you generated when interacting with a healthcare professional – even when you weren’t in a healthcare or medical facility:
- Paramedic. For example, when you are treated by paramedics, they routinely complete a report about the care they provided, regardless of whether they brought you to a hospital. Their reports typically become part of your EMR.
- Home visits. Many homebound and elderly patients receive in-home care from caregivers and medical practitioners. The patient records they produce from those home visits also become part of your EMR.
- Telehealth. Many health plans and medical systems are increasingly turning to telehealth or telemedicine services to lower expenses by reducing unnecessary hospital visits. Trained healthcare professionals, usually nurses, nurse practitioners or even doctors, staff these phone calls to answer questions and even write prescriptions. Patient records produced by these telehealth sessions also become part of your EMR.
Hopefully, this gives you an understanding of how broad the definition of medical records and EMRs has become.
But how does EMR compare with EHR?
Simply put, your EHR includes your EMR – plus many other health-related data not produced by hospitals or medical professionals. From your exercise and diet records to data from your wearables and medical devices, today’s EHR can encompass much more data than traditionally found in medical records.
What can I find in my EMR?
Continuing the focus on your medical records, here are more items you’ll find in your EMR file:
- Administrative and billing data: from your provider and insurance companies. This allows you to trace back your visits and review your claims history.
- Patient demographics: this includes your date of birth, gender, and contact info. This allows your providers to identify you and makes it easy for them to contact you.
- Progress notes: this includes everything your physician documents about you: details about your visit, your doctor’s observations, and management plan(s).
- Vital signs: this includes your basic health parameters: blood pressure, body temperature, heart rate and breathing rate.
- Medical histories: this includes any prior doctor visits, hospitalizations, treatments or surgeries you may have undergone.
- Diagnoses: any of your active or prior diagnoses, the treatment plan for each and their outcome.
- Medications: the list of medications that you are currently on or have previously been prescribed.
- Immunization: all the immunizations you have received, as well as reminders of any upcoming shots you need to take.
- Allergies: this makes note of all the food and drug allergies you have, as well as any previous allergic reactions, and how they were managed.
- Radiology images: this may include X-rays, MRIs, PET and CT scans that your physician ordered.
- Lab and test results: this encompasses any lab tests ordered by your healthcare provider. This can include your complete blood count, metabolic and lipid panels, and liver and kidney function tests.
PHR vs EHR
While EMRs form only a part of EHRs, a more apt comparison exists between personal health records (PHR) and EHR. In fact, your EHR is essentially the electronic version of your PHR.
As we note in our deep dive into PHRs, your PHR is the collection of available information, data and statistics about your health. As such, your PHR and EHR include an array of health-related data that is often not found in your EMR:
- Annotations. Your own personal notes and annotations to your medical files are part of your PHR and EHR, but not your medical records.
- Health diary. Similar to annotations, your health journal or diary is part of your PHR and EHR.
- Apps. Whether you’re using Weight Watchers or the Nike Training Club, these apps generate a stream of tracked data, which is usually not part of your EMR.
- Fitness devices. Fitness devices like Fitbit and Apple Watches likewise generate a lot of health and wellness data, which is typically not included in your EMR.
- Medical devices. Medical devices like home blood pressure monitors and glucose monitors produce data that may be included in your EMR, but often is not.
These are just a few of the non-EMR data that can be included in your PHR and EHR.
Metadata and analytics
Using an electronic records system generates significantly more data than a similar paper chart. When your healthcare provider used to complete your patient charts by hand, your medical record was limited to whatever was manually recorded into your patient file.
The advent of digitization, however, added metadata and analytics to your medical and health records:
- Metadata. When data is added to your EMR today, your EMR also records metadata such as IP addresses, server timestamps, GPS locations, identities of everyone who views your file (even if they don’t add anything), revisions, deletions and even where previously deleted versions can be found.
- Analytics. Digitized data makes advanced analytics and even machine learning possible. Comparing your data with the records of millions of other patients can uncover important warning signs about your personal health that isolated medical providers may not easily realize. This can produce recommendations and health programs tailored for specific individuals.
Metadata and analytics results are typically not part of your EMR. But they are important elements for advanced EHR systems.
The digitization of health records
According to the Office of the National Coordinator for Health Information Technology (HIT), which is part of the U.S. Department of Health and Human Services (HHS), 96 percent of hospitals and 78 percent of physicians’ offices use EHRs – as of 2016!
Today, almost all new medical records produced in the U.S. are in electronic form.
This transformation is partly the result of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. At the time that HITECH was passed, fewer than one in 10 hospitals and 17 percent of physicians used EHRs.
HITECH was passed as part of the larger American Recovery and Reinvestment Act and represented the first time that the American government had committed federal resources to accelerate the pace of healthcare technology. The federal government used financial incentives to encourage EHR adoption, including direct subsidies.
Who Gets To Access and View My EHR?
First, let’s answer this question by focusing on just your medical records – the EMR portion of your EHR.
To begin, you have access to your EMR. In fact, your healthcare providers are required by federal regulations to provide you with copies of your medical records in the format you request (i.e. paper or electronic).
Your healthcare provider also has access to the patient medical records they have on file for you. As we discuss later, the fact that they generated your patient data implies some degree of ownership. This means that almost everyone in that health system could have access to your EMR file kept by that health system.
Practically speaking, however, the Health Insurance Portability and Accountability Act (HIPAA) calls on any entity that controls health data to limit access to that information. Only employees and personnel who have a valid reason for accessing and viewing that medical record should do so.
HIPAA also requires healthcare providers and other covered entities handling medical and health data to inform patients how their records are being used.
Sharing My EMR Data
According to HIPAA, healthcare providers must first get permission from the patient before sharing medical and health records with a third party. Here are common examples of third-party medical records sharing:
- Second opinions. If you want to get a second opinion from a specialist at a different health system or network, you would need to request and authorize the sharing of your EMR.
- New providers. Many companies switch health plans (and provider networks) every few years. If you switch to a new healthcare provider or primary physician, you may need to authorize the transfer of copies of your EMR to your new provider.
- Personal data release. If you want a relative or friend to access your health records, particularly in case of emergencies, you will need to authorize such releases as well.
The beauty of today’s EMR and EHR systems is that they make it easier for you to share data as needed. For example, if you’re on vacation and have to visit an out-of-town hospital for an emergency, that hospital can now obtain your EMR file from your primary physician in seconds. As long as your current provider and that out-of-town hospital use EMR or EHR systems that follow established protocols, they can share files over the Internet – with your permission.
However, there are exceptions to this permission requirement. There are, in fact, some cases in which your healthcare provider shares portions of your medical information without obtaining your permission:
- Government agencies. The Centers for Medicare and Medicaid Services (CMS) and the Social Security Administration (SSA) can examine portions of your medical records to ensure you qualify for certain benefits. When you apply for benefits, however, you may receive notification of their intent to gather some of your healthcare information.
- School records. Your child’s school can share immunization and other records with the state repository without your permission, though they will often give you notice.
- Health insurance. You typically give health insurers permission to access portions of your medical and healthcare records when you obtain health insurance. But insurers may share it with other entities as part of their process.
Who can access and view my EHR and PHR?
After reviewing the regulations for medical records above, we can now turn to the bigger picture of EHR and PHR. The answer is that it’s largely up to you, but not completely.
For starters, HIPAA doesn’t apply to most non-medical EHR records. For example, the health data produced by your Fitbit devices or weight loss apps is typically not covered by HIPAA. That’s the case with many health and wellness applications.
And as health apps proliferate – they now number in the hundreds of thousands – the question of protecting my health data privacy becomes more urgent.
For now, your non-HIPAA covered health data is essentially protected by you and the agreements you have with your app providers and other data-generating providers. Start by checking the privacy policies and user agreements with your apps. You should also consider how much of your EHR is shared by these different parties, from medical devices to your personal trainer.
As the volume of our non-medical (and non-HIPAA-covered) EHR continues to grow, more of our EHR information could theoretically be more open than we realize. That is why the need for greater protection for health data privacy – and perhaps the expansion of the two-decades-old HIPAA regulations – is becoming more urgent.
Who owns my EHR?
This is a tricky question. There are actually two dimensions to this question worth considering:
- Who legally owns your EHR?
- And who SHOULD own your EHR?
As we noted in the preceding section, the issue of privacy is growing in importance. And data privacy is intertwined with the question of data ownership.
When it comes to medical records, it depends on the state you live in. Only New Hampshire has given patients ownership over the information in their medical records. But 21 other states have passed regulations that give primary ownership of patient records to the hospital or healthcare provider that produced your medical records.
The majority of state governments are still silent over the question of who owns medical records, let alone EHR.
Who should own our EHR?
In many ways, the U.S. is playing catch-up with Europe and Canada when it comes to data privacy and ownership. Europe’s recent General Data Protection Regulation (GDPR) has shifted the balance significantly in favor of consumers when it comes to privacy for all personal data – not just health information.
Europe and Canada have already started dealing with the question of who should own your personal data. And they are siding with you, the consumer.
U.S. healthcare consumers are currently working under HIPAA, a regulation created before the…
- Emergence of Google,
- Widespread adoption of social media,
- Growth of the Internet of Things (IoT), and
- Evolution of mobile applications
So while the question of who legally owns your medical data is fragmented based on your state, the question of who should own your medical and all your health data is now an issue that all Americans must address and decide.
Why ownership of our health data is important
The American healthcare system faces many daunting challenges. Many believe that it is in crisis, with skyrocketing healthcare costs making our current system unsustainable.
We believe that one reason for the current state of the U.S. healthcare system is its current model, which has removed much of the control and decision-making from patients and healthcare consumers. One way to return control of the healthcare journey back to us, the consumers, is to return control and ownership of health data, especially EHR, back to the patient.
There is a growing movement to transform our healthcare system and individual health journeys to one driven by patients and consumers. We invite you to join us in this movement to reshape U.S. healthcare.