Journal of the American Medical Informatics Association : JAMIA. 2011 Nov 25;19(1):116–120. doi: 10.1136/amiajnl-2011-000261

The challenges in making electronic health records accessible to patients

Leslie Beard 1, Rebecca Schein 2, Dante Morra 1,3,4, Kumanan Wilson 5, Jennifer Keelan 1,6
PMCID: PMC3240757  PMID: 22120207

Abstract

It is becoming increasingly apparent that there is a tension between growing consumer demands for access to information and a healthcare system that may not be prepared to meet these demands. Designing an effective solution for this problem will require a thorough understanding of the barriers that now stand in the way of giving patients electronic access to their health data. This paper reviews the following challenges related to the sharing of electronic health records: cost and security concerns, problems in assigning responsibilities and rights among the various players, liability issues and tensions between flexible access to data and flexible access to physicians.

Keywords: Electronic health records, health behavior, health communication, health records, patient access to records, patient activation, personal, public health, social media


In the past few years, there has been a dramatic increase in the number of patients turning to web-based resources and social media sites for health information-seeking and sharing.1 Despite the range of online tools,2–13 electronic health records (EHR) are not typically shared with patients,14 yet many want to share custodianship of their information with their physicians15 in a convenient and timely online platform.

Giving patients access to their EHR is not a novel idea. A few early EHR focused on giving healthcare providers access to patient data,16 merging data between institutions through a common platform,17 and sharing data with patients.18 A variety of other platforms have since been designed. Sharing EHR with patients and/or enabling online communication between patients and healthcare providers has the potential to improve efficiency,15 19 20 quality of care19 21 and patient satisfaction,22 and reduce costs.14 20 23 Examples of these benefits include improved adherence of patients to providers' care plans24 and improved coordination of care by allowing patients to monitor various processes, such as the accuracy of their listed medications.25 In addition, patient access to EHR offers the potential to reduce system use.26

Still unresolved is how access should be granted and how new systems should be designed. Krist and Woolf27 argue that these platforms should take a patient-centred approach to help a lay audience interpret medical information effectively and thus enable patients to act appropriately. There are compelling reasons for both limiting and extending patients' access to their own health records. The success of any new EHR system will depend on the degree to which its design is able to reconcile the concerns both for and against extending access.

This article is written from our perspective as both clinicians and academics, who have independently examined the influence of electronic health media on personal behavior.2–4 In this article, we focus on the diverse obstacles to patient-accessible EHR, each of which demands further exploration and research (table 1). Although these barriers currently impede patient access to EHR, we hope that a focused synthesis of the research could inform subsequent patient-centred design efforts. We have identified four broad research foci that can help organize and inform discussions of patient access: cost and security concerns; problems in assigning responsibilities and rights among the players; liability issues; and tensions between flexible access to data and flexible access to physicians.

Table 1.

Current issues in providing patients EHR access

Issue Impact on patients Impact on providers and quality of care Impact on system
Cost and security concerns
  • Information is fragmented across the system

  • Security of personal data28–31

  • Information is fragmented across the system

  • High initial cost, and unknown time for cost-recovery32

  • Unresolved costs associated with new systems and integration across the system33

  • Potential liability if data are leaked31

Access to and custodianship of information
  • Desire to share custodianship of information15 34

  • Patients have rights to access35 but access is unclearly defined by legislation36

  • Understanding responsibility for secure maintenance of information

  • Varying expectations of what data should be shared for access and custodianship

  • Disagreement among public and physicians around timely access37

  • Potential pushback from providers regarding custodianship38

  • A minority of physicians agree that patients should control what physicians see in their record37

  • Healthcare organizations and providers are usually the custodians38

  • Determining where responsibility lies in shared model is unresolved

Defining ‘expertise’ and medical authority
  • Patients are using the internet for health information1–13

  • Patients may increasingly trust ‘apomediaries’ over conventional medical sources9

  • Physicians and the public may disagree on the value of certain health information sources37

  • Physicians and the public may be informed and influenced by different sources

Determining and including ‘relevant’ health information into the patient-accessible EHR
  • Patients and providers may disagree on what information is clinically relevant39

  • Providers and patients may disagree on what information is clinically relevant39

  • How information should be vetted for relevance is unresolved

  • Legal restrictions prevent certain data from being communicated electronically25

Patients' comprehension of clinical data
  • Patients may not understand the data they view in their EHR

  • Patients could see ‘negative’, inaccurate or incomplete information19 and act inappropriately

  • If patients have to wait until data are vetted, they may not be received in a timely manner26

  • Patients could see ‘negative’, inaccurate or incomplete information19

  • Viewing data may cause patients distress38

  • Patients and providers speak different languages when it comes to clinical information

  • Patients could see ‘negative’, inaccurate or incomplete information19 and act inappropriately

  • Data are not designed for patient viewing and are presented for clinicians in language patients typically do not understand

  • Effective communication will require special attention40

Liability issues
  • Patients may have increased expectations of providers31

  • Patients may have increased expectations around electronic communication20

  • Unforeseen technical problems and security breaches could compromise data31

  • Patients may have increased expectations of providers31

  • Potential new liabilities regarding online communication20

  • May be difficult to review everything in the EHR

  • Liability threats if data security is compromised31

  • Unforeseen technical problems could compromise the integrity of data31

  • Could have implications for malpractice31

  • Liability risks of electronic systems versus paper records are unclear

Tensions between flexible access to data and flexible access to physicians
  • Patients may demand more flexible access to their providers (eg, e-mail)20

  • Physicians' varying proficiency with technology could be problematic20 21

  • Time and resources required to engage with patients online is of concern20 21

  • If providers do not or cannot respond to requests, will there be a negative impact on the patient–provider relationship?

  • Many jurisdictions are not equipped with models to compensate for EHR use, electronic communication, etc

EHR, electronic health record.

Cost and security concerns

Urowitz et al32 found the greatest barrier to adopting EHR in hospitals is a lack of financial resources. The cost of integrating patient access to existing EHR is unclear, but it seems likely that ‘retrofitting’ systems not originally designed for lay use would entail significant costs. Predictive or operational modeling could provide estimates of some of these potential cost implications.

Further complicating matters is that many EHR are not shared among healthcare organizations, resulting in the fragmentation of individual patients' health information across the system. Various consumer-driven, stand-alone personal health record (PHR) platforms (eg, Microsoft HealthVault) could help address this challenge41 42 as they typically use cloud computing to aggregate data and present them to the patient in one platform.33 The cost benefit and profit potential of these PHR, however, remains unclear as data are typically pulled from multiple information sources and systems. Therefore, there is not a gold standard for funding these platforms.33

Tethered platforms, such as Kaiser Permanente's (KP) PHR, allow patients to view aspects of their healthcare organization's EHR.28 33 In 2008, KP reported that more than 12 000 KP physicians (out of 13 000) were enrolled in the system,28 and in 2009 approximately three million of its nearly nine million patients used the system's PHR.43 KP is unique in that it is both the provider and insurer of health services—as such, KP is able to pay its own providers and directly realizes savings from reduced system use resulting from PHR use.33 The cost and reimbursement models for many tethered systems that rely on third-party insurers or government payment are undeveloped.

Privacy of patient data is also of significant concern, particularly if the data are accessible outside healthcare institutions and are available on the internet worldwide. Leaked digital clinical data could compromise patients on a variety of levels and expose medical practitioners to lawsuits related to negligence in the care of patients' data. The US Department of Health and Human Services, which enforces national standards for confidentiality and security of electronic health information (the HIPAA security rule), has received 445 claims since 2009 that the security rule was violated.29 In response to security concerns, new security architecture for EHR, including multiple data-protection features such as encryption, remote and protected data storage, monitored exchanges between computer systems, digital signatures, authentication processes and usage audits, has been created.44 Several of these security protocols have already been applied to online consumer interfaces such as internet banking.

In addition, models such as the American Medical Association's guidelines for physician–patient electronic communications provide frameworks beyond security architecture for maintaining privacy, such as communicating privacy risks to patients when they engage in online communication.30 Clear rules and regulations around the flow of clinical data (who has access and mechanisms to give permission for access) must be communicated effectively to all players so they understand the privacy implications of online information networks.44

Problems in assigning responsibilities and rights among the various players

Access to and custodianship of health information

Although several countries support patients' right to access their health information,35 legislation can give providers broad latitude to interpret when and how reasonable patient access should be provided. For example, although individuals in Ontario, Canada, legally have the right to request access to their personal health information, the legislation notes that health information custodians may deny a request the provider deems ‘frivolous’.36 Such laws can block patients from timely access to the information they desire thus limiting their capacity to make use of health records in their own medical decision-making. While recent data indicate that the majority of the public and physicians tend to agree that patients should be able to access their health data online and share them with their physicians, these groups do not necessarily agree on the timeliness of access (as demonstrated in the legislation noted above): 67% of the public versus 59% of physicians believe physicians should share test results electronically with patients immediately.37

In addition, custodianship is usually held by healthcare providers and institutions,38 and as a result, information can be fragmented across multiple health services. The adoption of continuity of care records standards supports data-sharing among providers and various healthcare organizations.45 As a result, a variety of health professionals will be able to share custodianship of the same information. EHR could thus reduce this fragmentation of information.

When records are shared, the question of who controls the data remains an issue. For example, a recent survey suggests that the public and physicians disagree on who should control the patient record. Only 41% of physicians believe patients should control what a new physician sees in the record (compared with 54% of patients).37 Patients' desire to maintain custodianship of their health data34 and to have real-time access to their health records may result in push-back from some providers.38 With changing public expectations, it seems likely that the medical community will eventually need to compromise on access, but doing so will require confidence that an electronic information system is sufficiently robust and practical for the majority of lay users. Clear standards outlining the meaning of custodianship and the responsibilities it confers will need to be agreed upon.38 Other questions surrounding implications of shared custodianship of information (eg, defining legal responsibility) require further exploration.

‘Expertise’ and medical authority

Patients will likely use EHR in tandem with other health information resources on the web, such as online patient support networks or web-based reference materials. Health information online offers a variety of so-called ‘authoritative’ sources, giving patients access to a wide range of ‘expert’ opinions. Eysenbach9 states that intermediaries (eg, healthcare providers or portals that display data only after they have been vetted by a provider) provide access to reliable and accurate information, yet can prevent direct user access. New online ‘apomediaries’ help users ‘identify trustworthy and credible information and sources’.9 For example, customer ratings and recommendations on websites such as Amazon can guide users toward appropriate information, help them navigate high quantities of complex information and provide ‘credibility cues’. Eysenbach9 cautions that patients may grow to prefer these tools for seeking ‘trustworthy’ information as they become more accustomed to their autonomy in evaluating the quality of health information and more knowledgeable about their health concerns or conditions.

Furthermore, patients and providers may disagree regarding the credibility of certain information sources. Knowing what information sources patients prefer (eg, healthcare provider versus Web 2.0 tools), what they consider to be expert or trustworthy information, and how they prefer to seek it will inform how apomediaries can be designed to optimize the credibility of information. Healthcare providers need to be aware of these tools and should be actively involved in the designs. Both patients and providers must become partners in information gathering to guide patients further towards the best and most informed advice.

Determining and including ‘relevant’ information in the patient-accessible EHR

Healthcare providers and patients can have different perspectives regarding the clinical importance of particular health information. For example, providers have noted that they expect patients to place less value than they do on certain healthcare processes.39 This tension emerges in a variety of patient–provider interactions and information-sharing contexts. Some experts believe only relevant information should be displayed on patient-accessible EHR, supplemented by educational materials to support the information.38 Because patients and physicians often disagree on what details are important, who decides what information is relevant? In particular, should patients be able to add data to their own health record and should providers be expected to review and use these data?

In addition, there is still no agreement on whether patients' entire or partial health experiences should be accessible to them on EHR and what kinds of agencies or organizations are required to set up guidelines for doing so in a safe and effective manner. Furthermore, the legality of the medical record requires providers to document specific notes, such as a patient's potential to harm themselves or others. Providers will need to maintain this space in any medical record. Careful consideration must be given to patients having (or not having) access to this information.

For these reasons, policies must be created to address why certain information might be excluded from patient access. Communication strategies could help inform patients how clinical relevance is determined.

Patients' comprehension and response to clinical data

Physicians and health systems administrators have noted concerns about patients viewing new clinical data before they have been explained to them, particularly if the results are abnormal or have negative health implications.19 In fact, laws exist that forbid certain test results from being communicated electronically.25 Experts contend that preventing patients from viewing new EHR data until after they have been reviewed by a physician or while in the presence of a provider could prevent or reduce patient distress caused by accessing ‘negative’ clinical data,38 and could help patients better understand the information. On the other hand, waiting to discuss new data with a provider first could prevent patients' timely access to information.25 To avoid this, Halamka et al25 recommend that providers engage in timely review periods to enable verbal, face-to-face discussions about new test results before revealing them to patients through a patient-accessible EHR.

Although having a provider review the information before it is accessible to patients through an EHR is valuable, consumer behavior is pushing this in a different direction—patients are willing to use and pay for online services that connect them with medical consultants in real time and at their convenience.46 47 If a physician's ability to meet with patients is a juggernaut in the timely exchange of patients' clinical information, then consumers may demand that other more accessible healthcare professionals (eg, nurse practitioners) assume this role. For example, because PCASSO delivers results to patients and providers at the same time, the platform was required to have a built-in informed consent process so patients were informed that they might view information that could be confusing or upsetting. Patients could call a project hotline and speak to a biomedical health librarian if they had questions about their data, and any concerns were documented and reported as adverse events.48

Another complication is that clinical documentation is not traditionally recorded for patient viewing, but rather for other clinicians. Consequently, such documents are often written in language that is inaccessible to most people without medical training. Special attention should be paid to the needs of the intended audience to ensure effective communication.40 While it will no doubt be necessary to change the language and presentation of clinical data to make them accessible to lay readers, such changes will likely face strong resistance from medical professionals, who will have to develop a system for translating complex interprofessional medical language and codes into lay language. While this would not be a trivial task, platforms must be designed to communicate information effectively to both patients and providers.

Liability issues

Little has been written in legal literature about liability issues with institutional EHR.31 Unforeseen technical problems that could compromise the integrity of the data and patient records could have implications for malpractice.31 An array of privacy issues surrounding security of data and unauthorized access will also raise complex legal questions as EHR and patient-accessible EHR become more widely adopted.31

Additional liability concerns surround patient access to EHR. Hoffman and Podgurski31 argue that patients may have increased expectations of their providers as EHR could provide them with more thorough information. Liability concerns also arise from online communication that may occur as a result of increased electronic activity among patients and providers.20 The American Medical Association's guidelines for physician–patient electronic communication are aimed at encouraging responsible use,30 thereby potentially reducing risk for professional liability.

Despite these concerns, it remains unclear how these electronic systems may currently be impacting, or may potentially impact, liability claims. For example, in 2010, Health and Human Services received 8524 complaints regarding privacy of health information.49 To our knowledge, these data do not differentiate between paper and electronic records. As such, it is difficult to determine how electronic systems may be impacting, or may potentially impact, liability claims. At the present time, the literature suggests that early adopters of patient-accessible EHR have not experienced significant liability issues. Further data on the impact of electronic health information systems on malpractice, privacy breaches and other professional liabilities are required to understand the real risk these platforms pose.

Tensions between flexible access to data and flexible access to physicians

Kassirer20 states that as patients increase their use of electronic communications, they will expect their doctors to do the same. A recent survey showed that similar proportions of the public (49%) and physicians (47%) agree that patients should be able to e-mail their physicians. However, the same survey also showed that physicians (36%) were more likely than patients (20%) to disagree that patients should be able to e-mail their physicians.37 Similarly, patients and providers may disagree about the kinds of concerns that can or should be addressed immediately via electronic communication and those best handled via routine visits or scheduled appointments. While such disagreements will no doubt be a challenge, the tension between patients' and providers' expectations could drive some positive changes in the system, allowing more flexible points of contact between patients and providers. For example, through the Danish national health portal, physicians are required to engage in e-mail with their patients, for which they are reimbursed at twice the rate of phone consultations.50

Physicians' varying proficiency and comfort with electronic communication technologies is also a concern.20 21 Some physicians are concerned about time and resource requirements to engage in online communication.20 21 While one-way, non-interactive systems would still provide patient access and would prevent the need for new communication-based compensation schemes, systems that enable electronic messaging between patients and providers show promise for reducing system use26 and merit consideration. Compensation schemes for electronic communication with patients are being explored,23 and some are already underway that account for both messaging and EHR engagement.33 50 In many jurisdictions, however, the reimbursement issue remains unresolved.

Future challenges

Patient access to EHR could carry significant benefits, both for patients and for the health system at large, including improvements in the quality and coordination of care, improved patient adherence and reductions in system use. While the concerns surrounding the development and implementation of this access are complex, continuing to deny patients access is no longer a tenable response to these issues.

The design and implementation of new EHR platforms must be informed by a thorough engagement with the long-standing and complex issues that accompany questions of patient access. Platform developers must work directly with both patients and providers to understand their unique and sometimes contradictory needs and concerns. The valid concerns that are raised should not block access but should inform the design and maintenance of new systems to ensure optimal use for both patients and providers.

Footnotes

Funding: KW is supported by the Canada Research chair in public health policy. JK is supported by a career scientist award (Ministry of Health and Long-Term Care, Government of Ontario).

Competing interests: None.

Provenance and peer review: Not commissioned; externally peer reviewed.


Articles from Journal of the American Medical Informatics Association : JAMIA are provided here courtesy of Oxford University Press
