Healthcare Information Security

Patient Privacy News

ONC Explains Patient Data Access, HIPAA in Latest Report

Patients need a better understanding of HIPAA regulations and how they can access their own health data to help further interoperability.

By Elizabeth Snell

While health IT has made progress on standards and economic incentives, concerns over HIPAA rules and patient data access can hinder the continued push toward nationwide interoperability, according to a recent report from the Office of the National Coordinator (ONC).


Overall, more hospitals and providers are exchanging electronic health data than ever before, ONC explained. In 2008, 17 percent of physicians and nine percent of hospitals had adopted a basic EHR. By 2015, nearly all hospitals - 96 percent - and approximately three-quarters of physicians had adopted certified EHR technology.

“Programs had a positive or mixed positive effect on quality, safety, and efficiency of care,” the report’s authors wrote. “Health IT has also improved communication among health care providers, as well as increased sharing electronic health information with their patients and their caregivers, by facilitating the electronic exchange of health information.”

It has also become easier for patients to access their own health data.

For example, 24 percent of hospitals provided patients with the ability to electronically view their information in 2012. In 2015, 95 percent of hospitals allowed patients that capability.

Patients have also been able to download their information at more hospitals: 87 percent of hospitals allowed this in 2015, compared with just 14 percent in 2012.

Furthermore, 12 percent of hospitals allowed patients to transmit information in 2013, with 71 percent having that option in 2015.

[Figure: ONC graph of patient data access ability]

“This access is vital to their health,” ONC stated. “Research demonstrates that when individuals have access to, and use, their electronic health information, they feel a greater sense of trust in how their health information is being managed and in how providers are protecting their rights as a patient.”

However, misunderstanding of HIPAA rules and the HITECH Act can hinder patient data access. Individuals “have a nearly absolute right to a copy of their own health records,” ONC explained, and the costs for access are limited by federal regulation.

“Furthermore, health care providers often tell ONC and OCR that HIPAA makes it difficult to share electronic health information,” the report reads. “While erroneous, this misconception about HIPAA is widespread and unfortunate in that it places a needless burden on individuals.”

Under HIPAA, patients have the following rights:

  • The right to access and obtain copies of one's health information for one's own purposes. A health plan or health care provider covered under HIPAA can refuse access only in very limited circumstances.
  • The extension of that right to a broad array of data, including laboratory results, images, prescription history, physician notes, diagnoses, and similar information.
  • The right to access an electronic copy of one's health information contained in an EHR or otherwise maintained in an electronic format, whenever an electronic copy is readily producible by the provider or its business associate, not just if they are willing to produce such information.

When individuals understand their full rights and are able to access their own information, that continued growth of knowledge will only be beneficial for interoperability and overall patient care, ONC maintained.

“When individuals get, review, use and share copies of their health information, they are better able to monitor chronic conditions, make sure that their health information is accurate, and share their information with others ensuring that their health information is available at the right place and at the right time.”

Similar concerns were previously discussed by ONC in a fact sheet released earlier this month. Created in conjunction with the Office for Civil Rights (OCR), the agencies reviewed nine hypothetical scenarios in which patient data may need to be shared.

In one example, ONC and OCR said that data may need to be exchanged when a hospital or healthcare provider reports a disease. The agencies used the fictional Healthy Hospital to explain how information might need to be shared for the benefit of public health.

“Healthy Hospital may use health IT certified by the ONC Health IT Certification program (certified health IT) to disclose PHI to the CDC in response to the request and may reasonably rely on CDC’s request as to the PHI needed,” the fact sheet reads. “Healthy Hospital must meet the requirements of the HIPAA Security Rule if providing electronic PHI to CDC.”

Image credit: ONC
