Wyden Urges EHR Privacy Updates | Data Security News

by Grace Chen

Senator Urges EHR Vendors to Strengthen Patient Data Control Amid Rising Cyberattacks

A growing push for enhanced patient control over sensitive medical data is underway in Washington, as Senator Ron Wyden is urging electronic health record (EHR) vendors to adopt features that empower individuals to manage who has access to their information. The move comes as healthcare organizations face an escalating wave of cyberattacks, threatening the privacy of millions of Americans.

In a letter sent to ten leading health IT and EHR firms, Senator Wyden, D-Ore., highlighted a successful model implemented by Epic, the nation’s largest EHR vendor. This feature proactively notifies patients about which organizations currently have access to their medical records and provides a clear mechanism to opt out of data sharing. Wyden has requested that the vendors confirm whether their patient portals offer similar functionality and, if not, commit to deploying these crucial features. “While interoperability improves care by enabling better data sharing, it must be balanced with strong privacy protections for sensitive health information,” he wrote in the letter shared with Healthcare Dive.

The Interoperability Paradox

The call for greater patient control arrives at a critical juncture for the healthcare industry. Interoperability – the seamless exchange of health information between different systems – is widely recognized as essential for delivering coordinated, high-quality care, regardless of the provider. However, this increased connectivity also expands the potential attack surface for cybercriminals.

The risks are no longer theoretical. In 2024, a devastating cyberattack targeting UnitedHealth-owned payment processor Change Healthcare exposed the protected health information of nearly 193 million individuals, marking the largest healthcare data breach ever reported to federal regulators. This year has already witnessed numerous other significant breaches, impacting institutions like Yale New Haven Health and dialysis provider DaVita, compromising the data of millions more.

Wyden, the ranking member of the influential Senate Finance Committee, warned that widespread access to health data creates vulnerabilities. “Currently, the sensitive health data of the vast majority of Americans can be accessed by health providers in states around the country, regardless of whether those providers are actually treating the patient, or whether the patient has ever stepped foot in their state,” he wrote. “Such widespread access exposes patients to the threat of improper access, theft, and leaking of their sensitive health information.”

The potential ramifications extend beyond individual privacy. Wyden also raised concerns about national security, suggesting that readily accessible health data could be exploited by foreign adversaries to gather intelligence on military and intelligence personnel.

Epic’s Model as a Blueprint

The features implemented by Epic, at Wyden’s urging, offer a potential solution. The system not only informs users about data access but also prompts them to confirm their preferences during sensitive care episodes and allows them to actively decline record sharing.

Wyden’s letter specifically asks vendors whether their existing patient portals or interoperability frameworks include comparable features, such as the ability to opt out of data sharing or receive a comprehensive list of healthcare organizations utilizing the same EHR that have accessed their records. Vendors have been given a deadline of January 20th to respond.

Initial reactions from the industry have been positive. A spokesperson for Netsmart, one of the companies that received the letter, stated the company will respond directly to Wyden and “remains engaged in industry discussions related to patient access, consent, and data governance.” Meditech affirmed its commitment to patient privacy and empowerment, stating it is preparing a formal response. Joe Ganley, vice president of government and regulatory affairs at Athenahealth, echoed this sentiment, noting, “We share Senator Wyden’s view that interoperability frameworks can be developed in ways that ensure healthcare data flows more freely while also protecting patient rights and data security. We look forward to working with his office on this important issue.”

The Senator’s initiative underscores a growing recognition that balancing the benefits of data sharing with robust privacy protections is paramount in the evolving landscape of healthcare technology. The responses from EHR vendors in the coming weeks will be closely watched, as they will signal the industry’s commitment to safeguarding patient data in the face of increasingly sophisticated cyber threats.
