The Patient Data Bill of Rights

While the United States is generally viewed as one of the great nations with a bill of rights, views differ considerably regarding whether the country has an enlightened approach to healthcare; especially contentious is the ability to provide universal, cost-effective access. I believe all patients in the United States should have basic inalienable rights regarding their personal health information. Therefore, I propose this Patient Data Bill of Rights, and believe it should be mandated by law.

Article 1: Patients shall receive unrestricted and immediate access to their health data, except when doing so could cause harm.

A study, “Physician Time Spent Using the Electronic Health Record During Outpatient Encounters: A Descriptive Study,” found that “physicians spent an average of 16 minutes and 14 seconds per encounter” using electronic health records (EHRs). Patients should have unrestricted access to that data, except when that could harm them (such as psychotherapy notes), to communicate with other care providers and for their own maintenance and education. Most people are interested in reviewing and learning more about the results and details of their medical encounters, and unrestricted access to their data will make that possible. 

Article 2: Patients shall have the right to extend (and optionally later, revoke) their Article 1 rights to any software or third party they choose.

Software and third-party professionals who can help patients manage their health should be able to access patient data on the patient’s behalf at the patient’s explicit request. There are many examples of software and services that can help with all aspects of health management, such as day-to-day maintenance, treatment for an injury or illness, preparing for and recovering from a procedure, or providing guidance to family members and caregivers on the day of surgery. They can help patients interpret their medical history and help medical professionals and caregivers provide care, especially as patients age and it’s increasingly difficult for them to take care of themselves. If the patient wants to use these systems, they should not be restricted from doing so. Similarly, if the patient wishes to remove this access, they should be allowed to revoke access to the data at any time.  

Article 3: Patients shall have access to a self-service portal to send their entire health record to any licensed medical provider. 

Patients should be able to request their entire medical record be sent to a new provider and the turnaround time for this should be less than five minutes. This should simultaneously support a bulk data dump of historical data plus live access to get updates in the future.

Article 4: Patients shall receive confirmation that the data they sent has reached the intended audience.

If a patient sends data to a medical office from their own records or requests that it be sent by another medical office, the data should be delivered to a location where the intended audience regularly receives and accesses such data, and the patient should receive confirmation regarding such events. 

It may seem that something so simple is already in place, but in most cases, it is not. Patients send or authorize data to be sent to a medical office and then learn the data either was not received or is not accessible for discussion during a subsequent medical appointment. 

The intention is not to force medical professionals to view the data at a specific time or take a specific action; it is only to confirm that the data were received and are accessible by the intended audience.

Article 5: All of the above articles are made possible on top of government-sponsored data standards. 

None of the above would be practically valuable if the data are provided in vendor-specific data formats that cannot be interpreted easily. As of the time of writing, I believe the right standard for this is FHIR (live APIs to power Article 2 and standardized bundles to power Article 3), and the right dataset to implement is the USCDI v3. 

Article 6: Patients shall have a legal and technical support system to ensure they have access to their data. 

If patients or their healthcare providers are unable to access, view, or send current or historical medical data, the U.S. government should provide technical and legal support. The legal support would involve initiatives such as ensuring that healthcare providers are complying with mandated support for the FHIR data format and API standard that enables the exchange, integration, and interoperability of health information among different health systems and providers.

A Patient Data Bill of Rights with the above articles mandated by law will save lives; improve outcomes, reviews, and communications; and result in better-informed patients and healthcare professionals regarding a patient’s health, medical history, and treatment. And they can be implemented today — there is no reason to wait. Especially with the presence of the technical and legal support provided via Article 6, patients will have all the support needed to see to it that these common-sense initiatives are provided reliably and consistently.

About Matt Hollingsworth
Matt Hollingsworth is the CEO and co-founder of Carta Healthcare, provider of AI-powered clinical data abstraction technology and services. Matt holds an MBA from Stanford University and studied high-energy physics, performing his research at CERN (European Organization for Nuclear Research) as part of the team that discovered the Higgs boson. Prior to CERN, Matt co-founded a technology startup, Global Dressage Analytics, and provided technical leadership for another startup, Deepfield, which provides telecom analytics. He also proposed, won, and managed projects for the Department of Defense and managed projects for various Internet of Things (IoT) applications at Samsung.

ai
electronic health record
ehrs
iot
software
healthcare
medical