October 31, 2024
Your health records are coming to new apps. Here's why
It's about to get a lot easier for patients in the U.S. to access their own medical records.

The eponymous sign outside Epic headquarters in Verona, Wisconsin.

Source: Yiem via Wikipedia CC

It’s about to get a lot easier for patients in the U.S. to access their own medical records. 

Health-care software vendor Epic Systems on Thursday announced that individuals will be able to securely release their health data to different apps they choose to use, meaning they will have more direct control over their medical information than ever before. 

For instance, if patients are using a health coaching app or an app that reminds them to take their medicine, they can choose to import their records directly into those platforms. All they need are the credentials they use to sign into Epic. 

This seemingly simple feat is actually a major technological leap for the health-care sector, and it reflects the beginning of a new standard of data-sharing practices that are set to take shape across the nation. 

Epic is one of the organizations that has been helping the federal government establish the Trusted Exchange Framework and Common Agreement, or TEFCA. It launched in December, and aims to iron out both the legal and technical requirements for sharing patients’ data at scale.

Health-care data in the U.S. has historically been siloed and difficult to move around. Clinics, hospitals and health systems can store their information in a variety of formats across dozens of different vendors, and there hasn’t been a trusted nationwide mechanism in place for transporting it securely. This means if a patient moves to a different state or visits a new hospital, their medical records may not always follow them. 

Several companies and information exchange networks have cropped up in the private sector to try and address this problem, but none of them have managed to completely resolve it on their own. TEFCA was designed to help bring all these different actors together.  

TEFCA falls under the purview of an office in the U.S. Department of Health and Human Services. Patients can think about TEFCA like they think about using their cellphone, said Micky Tripathi, assistant secretary for technology policy and national coordinator for health information technology at HHS. 

If one person uses Verizon as their phone carrier, a second person uses AT&T and a third person uses T-Mobile, they are all still able to call and text one another. The same playbook applies to TEFCA.

“The idea was, ‘We really ought to just have that user experience that wherever I am, whichever system I’m using, I know that it’ll connect to every other network, whichever network I’m on,'” Tripathi told CNBC in an interview. 

‘It’s going to be revolutionary’

The US Department of Health and Human Services building is shown in Washington, DC, 21 July 2007. 

Saul Loeb | Afp | Getty Images

The main groups that participate in health-data exchanges through TEFCA are called qualified health information networks, or QHINs. These networks volunteer to take part – they are not paid – and they have to go through a two-step approval process to ensure that they are eligible and have the necessary technical infrastructure. 

Seven QHINs, including Epic, are live within TEFCA now, and Tripathi said a couple of others are nearing the finish line. To help contextualize the kind of scale TEFCA requires, Tripathi estimated that Epic’s own network facilitates more than 10 million to 12 million data transactions each day. 

“Remember, this is about connecting up networks that are already up and running,” he said. 

In order to participate in TEFCA, QHINs have to support six different “exchange purposes,” which are the reasons why an organization is allowed to request health data. These purposes include treatment, payment, health-care operations, public health, government benefits determination and individual access services.

Most exchange networks have previously supported “treatment” exchange purposes, which means the recipient, like a doctor or hospital, is providing care to the person whose records they are requesting. But by introducing other approved exchange pathways, TEFCA may manage to avoid some disagreements, like those that have arisen this year over what exactly counts as treatment. 

Individual access services, for instance, is a new exchange purpose that will allow people to easily request all of their records and bring them to one app. This means patients can choose see their complete history of doctor visits and hospital stays at once, as long as all the necessary vendors are connected to TEFCA. 

“I think it’s going to be revolutionary over the next couple of years,” Steve Yaskin, CEO of Health Gorilla, which is a QHIN within TEFCA, told CNBC. “If you look at every other industry, they’re utilizing data to benefit that industry, right? From banking to telcos to any industry that is deeply rooted in understanding the data.”

A person using their smartphone.

Kohel Hara | Getty Images

Since TEFCA is so new, many QHINs are still working to get all six exchange purposes set up. Epic’s announcement Thursday means they are officially ready to support the individual access services pathway. 

Rob Klootwyk, Epic’s director of interoperability, said individual access took some time to implement because it needed to be done thoughtfully. He said TEFCA needed to establish guardrails that could outline how patients would be authenticated, how they could be educated about whether they should release their data to an app and how apps could be held accountable to consumers. 

Now, those questions have been answered, he said. 

“We think and our community thinks that those pieces are now lined up and TEFCA is the right pathway for this,” Klootwyk told CNBC in an interview. 

For instance, after a patient enters their Epic credentials to try and release their data to an app, they’ll be prompted with a patient education screen, according to Matt Doyle, a software developer on Epic’s interoperability team. The screens outline which information the patient would be disclosing and ensure they’re comfortable with that decision. 

Patient data is inherently sensitive and valuable, and it’s protected by the Health Insurance Portability and Accountability Act, or HIPAA, a federal law that requires a patient’s consent or knowledge for third-party access. But while some apps are required to comply with HIPAA, many are not. 

As a result, HHS decided that apps can volunteer to participate in TEFCA as long as they agree to comply with HIPAA, even if they are not legally mandated to. This means QHINs like Epic will be able to inform users about whether an app is a HIPAA-covered entity, if it is part of the federally endorsed data exchange network or none of the above. 

“We say, ‘Hey, we’re not saying they’re a bad group, we just don’t know what their policies are around these. You should make sure that you’re educated and informed before you choose to share this,'” Doyle told CNBC. 

In essence, whether individuals are interested in using apps to support their care, or they just want an easy place to look at their information, TEFCA aims to establish the baseline of trust necessary to make that happen, Klootwyk said. 

It will take around two weeks for Epic customers to deploy these new features, though it will likely take more time before individual access services are widely used across the nation at large. 

Tripathi of HHS said now that TEFCA’s framework is in place, the QHINs and the broader market just need get on board. 

“This is the next really important step for a patient to be able to access their own information through an application of their choice to be able to participate more directly in their own health care,” Tripathi said.

Don’t miss these insights from CNBC PRO