Wyden pushes EHR vendors to adopt data privacy features

Diving brief:

• An influential legislator is pushing electronic health record providers to adopt features that give patients more control over their medical data in an effort to strengthen cybersecurity.
• In a letter sent to 10 health IT and EHR companies, Sen. Ron Wyden, D-Ore., highlighted a feature adopted by Epic, the nation’s largest EHR vendor, that notifies patients which health organizations have access to their medical records and allows them to opt out of data sharing.
• Wyden asked providers if their patient portals had similar features and if they would commit to rolling out those features. “While interoperability improves care by enabling better data sharing, it must be balanced with strong privacy protections for sensitive health information,” he wrote in the letter shared with Healthcare Dive.

Dive overview:

Interoperability – a long-term challenge for the healthcare industry – is essential to ensuring that patients receive coordinated, quality care, regardless of provider, Wyden wrote in the letter sent to companies including Athenahealth, Oracle Health and Meditech.

But health data is often sensitive and coveted by cybercriminals, who have increasingly targeted healthcare establishments in recent years.

In 2024, a cyberattack on Change Healthcare, the payment processor owned by UnitedHealth, exposed the data of nearly 193 million people in the largest healthcare data breach ever reported to federal regulators. And this year, breaches have compromised the information of millions of people, including incidents at Yale New Haven Health and dialysis company DaVita.

While improved interoperability can be a boon to health care delivery, widespread access to health data could leave many patients vulnerable to breaches, wrote Wyden, a ranking member of the influential Senate Finance Committee.

“Currently, the sensitive health data of the vast majority of Americans is accessible to health care providers in states across the country, whether those providers are actually treating the patient or whether the patient has ever set foot in their state,” he wrote. “Such widespread access exposes patients to the threat of inappropriate access, theft and leak of their sensitive health information. »

National security could also be affected, allowing spies to more easily access the health data of military and intelligence personnel, he added.

But the features Epic implemented at Wyden’s request could help patients control the flow of their information, he said. The feature lets users know which organizations have access to their health records, prompts them to confirm their preferences when receiving sensitive care, and allows them to opt out of sharing records, according to the letter.

The legislature asked providers whether their patient portal or interoperability framework had similar features, such as allowing patients to opt out of records sharing or giving them a list of healthcare organizations using the same EHR that accessed their records. Suppliers must respond to the letter by January 20.

A spokesperson for Netsmart, one of the vendors that received the letter, told Healthcare Dive that it would respond directly to Wyden and “remains engaged in industry discussions related to patient access, consent and data governance.”

Meditech is preparing a formal response and “sharing [Wyden’s] commitment to privacy and patient empowerment,” a spokesperson said in a statement.

Joe Ganley, vice president of government and regulatory affairs at AThénaSantéalso confirmed having received the letter.

“We share Senator Wyden’s view that interoperability frameworks can be developed in ways that ensure freer flow of health data while protecting patient rights and data security. We look forward to working with his office on this important issue,” he said in a statement.