The Next Chapter in Democratizing America’s Health Data

October 6, 2022

A federal rule requires providers to start giving patients easier access to much more of their health care data, but it’s fraught with implementation challenges and privacy risks.

Scroll down to listen to the full episode, read the transcript or get more information.

If you want more deep dives into health policy research, check out our Research Corner and subscribe to our weekly newsletters.

Note: This transcript has been created with a combination of machine ears and human eyes. There may be small differences between this document and the audio version, which is one of many reasons we encourage you to listen to the episode!

Dan Gorenstein: Federal officials, hospitals and tech companies have spent more than a decade and billions of dollars on digitizing our health care records.

Micky Tripathi: Before that, we were the laggards of the industrialized world.

DG: We’ve come a long way, but a lot of critical data are still locked away in old systems.


DG: If you request your health records from a hospital, you might wait weeks only to end up with something called a ‘CD-ROM’ and hundreds of pieces of paper. 


DG: Starting today, October 6th, a federal rule says that’s no longer good enough.

Hospitals and doctors must start giving patients a whole lot more data quickly and electronically. 

Much easier said than done.

Today, a conversation with Micky Tripathi, the federal health official in charge of democratizing the country’s health care data.

From the studio at the Leonard Davis Institute at the University of Pennsylvania, I’m Dan Gorenstein. This is Tradeoffs.


Dan Gorenstein: Micky Tripathi’s official title is National Coordinator for Health Information Technology. And he definitely does a lot of coordinating. He also does a lot of coaxing. At a basic level, his job is to get highly competitive hospitals, insurers, doctors and tech companies to play nice — agree on rules and systems for sharing patient data.

When that doesn’t work, you need Congress.

Rep. Paul Ryan: What a day. What a moment. I could not think of a better way to end the year than by signing this bill.

DG: The year — 2016 — and lawmakers were congratulating themselves for passing what’s called the 21st Century Cures Act.

Sen. McConnell: You know, this is a classic example of incredible bipartisan cooperation.

DG: Tucked deep in the bill was a ban on bad behaviors where hospitals, doctors or tech companies make it harder to share patient data.

Sen. Alexander: Some of the doctors call this data blocking

Karen DeSalvo: Health information blocking 

Rep. Lieu: Data blocking  

DG: For more than a decade, data blocking has left dangerous gaps in patient health records, forcing doctors to fill them with tedious phone calls, redundant and expensive tests or even educated guesses. 

The federal ban on information blocking finally began to take effect last year. The latest phase kicks in today, October 6th, and Micky and his team at the Department of Health and Human Services are in charge of overseeing it.

A quick note: We spoke to Micky from his 80-something year old mom’s house, where he’s helping her recover from a broken hip.


DG: So you might hear her making lunch using the microwave.


DG: Or her old grandfather clock striking the hour.

Micky Tripathi: I’m gonna pause here for a second. There’s a grandfather clock. Enjoy the music.


DG: Oh, we did. Onto the episode.

So Micky, at a super high level — in just two sentences — why is October 6th a big day?

MT: October 6th is a big day because we’re saying if data is electronically accessible meaning it’s on a computer system somewhere in your hospital you’re required to make it available electronically. Patients deserve more health care data, right? That’s the basic premise. We’re saying it is electronic. It’s digitally there. So make it available.

DG: Can you give us a really tangible example, Micky? What’s a patient going to be able to do on October 6th that they could not have done on October 5th? 

MT: Yeah, so it’s gonna vary a lot but conceptually, starting on October 6th, a patient ought to be able to see that what is offered to them or available to them is more than, you know, your first name, last name, your address, your allergies. So for example, you might start to see, oh wow, there’s a whole set of notes — nursing notes or my operative notes from my last surgery or some of the images from my last imaging those are starting to be made available to you electronically. 

DG: Just a quick housekeeping question, Micky. Already on October 5th patients have the right to say, “You need to share my data with me,” right?

MT: Yes, you can walk into that hospital today and say, “I can get all my records.” And what they’ll do is they’ll say, “Well, your patient portal has a whole bunch of it, and then for the rest of it, we will provide you a paper copy.” You’re able to sort of look in and say, alright, I get this little straw, but what I want is kind of the entire river.

DG: The difference between the 5th and 6th is now I get a bigger straw. It’s the Big Gulp straw.

MT: Yes, so that’s the concept and that’s what we want to get to and the reason I’m hedging on that is that we’re starting to get into areas where the data is really not standardized and it’s really messy.

DG: Messy how? 

MT: We’ve made a choice to say, you know what? We can’t wait to have all these data elements neatly and crisply defined, so they fit into that straw. So you could get it in one format from one hospital, in another format from another hospital. And right now we’re saying that’s fine. We have to live with that for now. The important thing is to make it available. 

DG: This sounds like a very laissez faire approach from the federal government, Micky. Why not be more prescriptive, tell hospitals how you want this data formatted to make sure it’s really useful for people? 

MT: If we end up deciding that, you know what, more regulation is needed to make that happen, well that on an ongoing basis, those are the kinds of things that we always consider. But we also don’t want to overregulate because we don’t want to jump ahead into areas that are still very dynamic. Because we could get it precisely wrong in many ways as the federal government, right? And undoing that is then like, “Oh, great, you’ve imposed a floppy disc 3.5 standard on an industry that has jumped ahead to fiber optics.” So let’s be cautious here and see what the market can do and then be judicious in how we intervene.

DG: What about hospitals? What does October 6th mean for them as systems, these behemoths with massive back office operations? 

MT: Yeah, I mean, it’s definitely very complicated. First thing they need to do is [ask] where is all this patient data? And then how am I gonna mobilize that in as close to real time as possible when Dan comes knocking and asking for that information?

And that’s not an easy problem to figure out because in a hospital system we tend to think about the electronic health record system, Epic, Cerner, whatever it is. But hospital systems also have lots of ancillary systems chemo dosing, cardiology,  anesthesiology systems that could be 10 years old, 15 years old. Those systems were never designed for, “Oh, we have a query coming in from, Dan. We need to immediately have the ability to go and get that information, assemble it with all the other pieces of information and present it back to Dan in the portal in real time.” So thinking through all of those policies, capabilities and workflows [is] complicated. We appreciate that it’s complicated.

DG: What signs of gaming, Micky, are you looking for from health systems? If a hospital wanted to get around the real intent of this rule, how might they do that? And I ask that question because we’ve seen other data laws, like hospital price transparency, and we’ve seen health systems be really reluctant to comply.

MT: It’s a fair question. My office defined eight exceptions that allow a provider organization to say, “Well, I know I’m required to make this information available; however, I can’t for one or a couple of these eight reasons.” One is privacy. Another might be that you’re not able to deliver it to them electronically what we call infeasibility. So there’s certainly opportunity for people to interpret things, you know, more broadly perhaps than is intended. I mean, that is there.

DG: And what’s the stick that you have to beat them back?

MT: In terms of the stick, what is the stick? Well, it’s complicated. 

DG: Is there anything at the Office of the National Coordinator (ONC) that is not complicated?

MT: No, unfortunately. The reality of this is we’re not doing real time monitoring of this. We don’t have the, sort of, exception police. On the other hand, ONC has a portal where you’re allowed to file complaints. And we take those complaints and we do an initial vetting of them and then we send them over to the Office of Inspector General, who’s responsible for enforcement. 

DG: That enforcement is expected to include fines of up to $1 million per incident for vendors like electronic health record companies, with regulatory details out by the end of the year. There’s no stick yet for doctors and hospitals who engage in information blocking. Micky and his colleagues are still figuring out what kind of punishment is best. The timeline for that is TBD.

When we come back, the downside of giving patients all this data and where Micky hopes health records head next.


DG: Welcome back. We’re talking today with Micky Tripathi, the National Coordinator for Health Information Technology at HHS. He’s the federal official charged with digitizing the country’s health data and getting it flowing freely and safely to patients and everyone else that plays a role in our care. 

For the second half of our conversation, I asked Micky to put this October 6th milestone in some larger context for us. We started with a question about the consequences if these efforts fall short. 

MT: I mean, the stakes are that you show up someplace where you need care and information that is critical to that clinician on the ground is not available to them. Showing up in the emergency department and being prescribed penicillin when you’re allergic to penicillin. And you know, right now, how do they figure that out? They ask you. Well, what if you’re in trauma? What if you’re elderly? We never know when we’re gonna be in that situation where a clinician doesn’t know everything about us and they’re making decisions on the fly because they have to go with the best information they have. 

DG: So this October 6th change, it’s the latest phase of a much larger push that the federal government and industry have been making for the last decade to put our health care data to better use.

Micky, can you zoom out for a second here and kind of map this journey for us? Where have we been, where are we now and where are we going next? 

MT: Well, if you just think about this 10 year journey you were just describing, in 2010 we invested as a country — as taxpayers — about $30 to $40 billion moving the whole system from paper based to electronic. An amazing accomplishment over a relatively short period of time. And that’s kind of what we did over these last 10 years, like, let’s just get the electronic health records in place so that everyone has them and create this digital foundation. But now we have the opportunity here to create an open ecosystem as we call it, where data can flow on demand and that systems are interactive in a way that they’re not today. 

DG: What’s an example of that? How can our health data be more, as you say, interactive?  

MT: Think about how Kayak and Expedia work today, right? You log on, you say, “I’m flying to San Francisco and I wanna fly tomorrow.” And it immediately gives you back the information you’re looking for. They don’t have a big honking database of all the airline schedules in the world that they update every night, right? They don’t do that. What they do is in the background, they have interfaces — APIs we call them — that fire off on demand. They go to Jet Blue. They go to American Airlines. Then they bring that information in and present it to you in real time. That’s what we want our health care system to be able to do.

DG: On the one hand here, Micky, you’re giving patients easier access to their data, but at the same time, you’re opening the door up to privacy and security questions, at least theoretically. 

It’s easy to imagine a patient unintentionally sharing all their data with some tech company app and all of that information leaks out. And I’m thinking of the recent Dobbs Supreme Court decision, for example. It seems possible that someone’s health record in the wrong hands could be used to figure out whether they’ve had an abortion. 

How’s your team thinking about those kinds of risks and trying to mitigate them?

MT: I mean, those are very real risks. So the first thing I would say is that for patients in particular getting their information, they need to be incredibly diligent about the apps that they’re using for their health care information. Instead of doing what you and I do all the time when we download an app, user agreement, click, click, click, click, click. Just get me to the damned app, please. You know, you can do it for all your other stuff, right? Don’t do it for your financial stuff. But definitely don’t do it for your health information stuff.

Here’s the problem. Once the information leaves the boundaries of HIPAA, it no longer has the kind of protections that, unfortunately, people think it does have. They don’t realize that HIPAA attaches to the data only when it’s in the hands of certain organizations, like a health insurer, like a hospital, like a doctor. But the minute that that gets into an app, it no longer has those protections. 

DG: So you’re basically saying here, Micky, that HIPAA, the main federal law that protects patients’ health care data, just doesn’t apply if a patient, for example, breezes through a user agreement for some third-party app and doesn’t realize they just gave the green light to sell all their health data. They’re outta luck. Are you guys doing anything else to try to protect people?

MT: So what we’re trying to do is first, impress upon everyone the need to educate patients, because we strike a balance here, right? You don’t want to say, well, “We’re not gonna provide information to patients.” We want to be able to say, “We are providing information to patients because we think that they will be in a better position to participate more actively in their own care and benefit from that.” But that benefit comes with certain risks and they need to understand those risks, and there’s an obligation on providers and others to educate patients about it.

DG: But, I mean, this is clear, Micky, this could be a disaster for patients.

MT: So it’s not just health care data. It’s like all other data. We just need to recognize that patients need to be very, very, very diligent and cognizant of the fact that that information now is in a different, you know, sort of status. And they are the ones who actually have the primary responsibility for making sure that it doesn’t get into apps that they don’t trust.

One of the things I think we also need to acknowledge here is that people can make inferences about your health from data that doesn’t live in your electronic health record. Let’s say I wake up with a backache, I reach over, pick up my Google Pixel, do a search on, you know, back strain, and then the next day, you make an appointment with your provider. My Google Pixel phone knows all of that, right? So you get my point. Not to scare you, but you know, all of us need to recognize there’s a lot more information out there that people can make inferences about than we probably appreciate, and your health status is a part of that. 

DG: Too late, Micky. We’re scared.

MT:  Don’t be scared. Be diligent.

DG: There you go. That’s a good note to end on. Micky, thank you so much for taking the time to talk to us on Tradeoffs. Really appreciate it.

MT: Thanks Dan. Really enjoyed it.

DG: Even with this rule in full effect, lobbying over it continues.

Last month, the American Medical Association called on HHS to give doctors more discretion to block patients from seeing certain information too quickly, like a cancer diagnosis, before they’ve gotten enough context.

Just last week, the AMA also signed on to a letter with the American Hospital Association and several other major medical groups asking to delay today’s deadline by another year.

I’m Dan Gorenstein. This is Tradeoffs.

Want more Tradeoffs? Sign up for our weekly newsletter!

Episode Resources

Selected Reporting and Research on Patient Access to Health Records:

Your Medical Test Results Are Available. But Do You Want to View Them? (Danielle Friedman, New York Times, 10/3/2022)

ONC data shows 77% of information blocking complaints involve providers (Heather Landi, Fierce Healthcare, 3/1/2022)

How Sharing Clinical Notes Affects the Patient-Physician Relationship (Rita Rubin, JAMA, 4/7/2021)

Delivering On The Promise Of Health Information Technology In 2022 (Micky Tripathi, Health Affairs, 2/22/2022)

New Data Rules Could Empower Patients but Undermine Their Privacy (Natasha Singer, New York Times, 3/9/2020)

Episode Credits


Micky Tripathi, PhD, MPP, National Coordinator for Health Information Technology, U.S. Department of Health and Human Services

The Tradeoffs theme song was composed by Ty Citerman, with additional music this episode by Blue Dot Sessions and Epidemic Sound.

This episode was produced by Leslie Walker and mixed by Andrew Parrella. Editing assistance from Cate Cahan.

Additional thanks to Julia Adler-Milstein and the Tradeoffs Advisory Board and our stellar staff!