Helping Patients Access Their Own Health Data

Meeting with CMS Administrator Seema Verma at the end of the semester

Meeting with CMS Administrator Seema Verma at the end of the semester

Have you ever thought about how you could access your healthcare records, if you ever needed to? Where to find the history of every appointment, every immunization, every emergency room visit you’ve ever had?

Fourteen weeks ago, we were assigned to partner with the U.S. Department of Health and Human Services (HHS) to think of ways to improve healthcare records access, as a five-person student team in a field class at Harvard Kennedy School.

This was the first time some of us ever thought about accessing our own healthcare records—or even contemplated the idea that access to health records could be a challenging process. For us, as healthy, young students, we never really needed access our own health records. And when we started a talking to people on the street as part of our research process, asking them to think about accessing their healthcare records, we quickly realized that for many people, access to their health care records is not top of mind!

As we dug deeper, however, we discovered a very different reality for some people who needed access to their healthcare records urgently in the past but ran into challenges.  Examples include:

  • A patient who fell ill and wanted to see his past medical history to explore treatment options;

  • A patient who recently changed doctors and needed to fill out a list of medical history records but couldn’t remember enough details; and

  • A caregiver who needed to pass her mother’s healthcare records onto to a new provider.

Some of these people were like us—people who never thought there would be one day they would need their healthcare records, nor that it would be so difficult to get access to them. People who also had no idea where to start looking for all the records, what rights they had to access the records they needed, and who to turn to for advice.

Over the course of the semester, our student team realized that helping this group of people when they most need it can potentially have a huge impact. It may not be that everyone will require their healthcare data all the time, but everyone will probably require their data at some point in time in their lives. We want to increase the possibility that these people will get the healthcare data they need with as little hassle as possible. At the same time, we identified a lack of easy access to consumable information about specific healthcare data access rights for both patients and providers as the primary issue we would focus on.

Why is access to healthcare data difficult?

This isn’t a universal issue. Many doctors and health care systems are actually doing a good job in providing patients easy access to healthcare data. However, in cases where patients cannot get the healthcare data they need, the crux of the issue is often about the balance of access and privacy.  The Health Insurance Portability and Accountability Act (HIPAA) is the law that governs how healthcare providers must protect patient healthcare data and also responsibly share it. To us, it was somewhat counterintuitive that same law emphasizes privacy while also emphasizing portability.

Because of how complicated HIPAA is, providers and patients often do not fully understand their responsibilities and rights with healthcare data. Too often, providers focus on securing healthcare data, ensuring patients’ privacy is protected—but often at the cost of allowing patients easier access. On the other hand, patients are not likely to know their rights to access their own healthcare data—and often don’t care until they immediately need access.

Ideas to Help Patients Access Their Data

After researching the issue with residents of the Boston area, prototyping ideas, and testing our solutions with additional residents, we came up with a few resources primarily aimed at helping patients access their data better:

1.      Troubleshooting Guide for Patients

We propose to create a service to help people move past the hurdles they may face when they trying to access and retrieve their records. Through an easy-to-use website with a simple questionnaire, we provided personalized resources to help people access their records more easily, ranging from curated “tips”  to an email template that patients can use to send to their doctors. The guide is targeted to both inform and empower patients to have reasonably easy access their health information whenever and however they wished to.

Video of Carrie, a Medicare beneficary, trying our troubleshooting guide:

2.      Implementing SEO for HHS

Google “how do I access my medical records.” There are many sites claiming to provide answers, but we believe that people should get their information directly from HHS if possible. We would recommend that HHS implement a search engine optimization (SEO) strategy—i.e. make it easier for people searching for information about health records access to find the relevant HHS webpages, focusing on the keywords and questions that people actually use. 

3.      Creating a How-to Checklist

We didn’t know the steps to take to access our healthcare records before this project, and most people don’t either. Clearly defining the steps in a simple checklist could eliminate uncertainty from this process.


We’re now excited about health data! We’re excited for the future where we can collectively feel empowered by our healthcare data. In our day-to-day lives, wouldn’t it be great if we could use our healthcare data and medical history to make better choices for ourselves?

One key insight we had this semester was that health operates on a spectrum. It makes sense once you think about it: we all spend our entire lives moving between healthy and unhealthy. When we are unhealthy, we want to do everything we can to get better. Yet without access to our own health care data, it can make it harder to participate meaningfully in our own care decisions—leaving you feeling helpless and frustrated. There is knowledge and power to understanding your own records and finding the doctor that can best help you.

Think of it this way: Our health records already exist, so why don’t we make some use of them?

Prototyping for Enhancing Access

Have you ever overheard doctors speaking about a patient? They could be breaking the law.

How about viewing a selfie a friend posts from the doctor’s office? That could also be breaking the law.

Or maybe you’ve caught a glance at the receptionist’s papers while at the doctors? That may be a violation too. 

But, did you know that this same law also gives you the right to access your own medical records?

Each of these scenarios is potential violations of the Health Information Portability and Accountability Act (HIPAA). Doctors, nurses, and receptionists have been trying to comply with HIPAA for over 20 years now, yet many patients don't understand it.

Two months ago, our team of Harvard students working with the U.S. Department of Health and Human Services knew very little about how HIPAA works in practice. So, we interviewed Boston residents, doctors, and other health care professionals about their experiences with HIPAA, especially as it relates to accessing medical records. After knocking on doors, visiting hospitals and reviewing survey responses we learned a lot

Narrowing Down Our Ideas

To help patients with HIPAA, we brainstormed a wide range of ideas: a health quiz game, a silhouette marketing campaign, and even a comedy monologue!  

Fig 1: Ideation and brainstorming

Fig 1: Ideation and brainstorming

However, we soon realized that given a limited period of time, we couldn’t pursue every idea to fruition. From our research until now, we knew that people care about their health records when they fall ill and need records to access care. In other time periods, they are not very concerned about their records. In most instances, people who fall seriously ill for the first time in their lives have the toughest time navigating the long, winding maze of accessing health records. While selecting ideas to be explored further, we focused on ideas which would ease the process for these first-time users.

Fig. 2: Healthcare spectrum: How the need for healthcare changes over an individual’s lifespan

Fig. 2: Healthcare spectrum: How the need for healthcare changes over an individual’s lifespan

As described in the figure above, this meant we focused on the set of people who experienced declining health for the first time in their lives and immediately needed doctor’s care. Additionally, we developed a set of criteria to evaluate our ideas such as potential reach, impact, and resources required and scored each idea.  On the basis of these two primary filters, we arrived at a list of consolidated ideas to be pursued further.

Fig, 3: Consolidated ideas (size of the bubble indicates weight assigned to each idea)

Fig, 3: Consolidated ideas (size of the bubble indicates weight assigned to each idea)

Prototyping and Testing

After narrowing down our ideas, we decided to build some rough prototypes. For example, we built a simple question-and-answer system for patients. Many people from our interviews didn’t know about HIPAA or their basic rights to records, but those who did know their rights often had a lot of interaction with the healthcare system. But how do people transition from knowing very little to having substantive knowledge about their rights? We wanted to create a solution that targeted people when they first needed to seriously interact with the healthcare system but still weren’t very informed. This Q&A platform is supposed to be a quick and easy way to get these people up to speed. Check out Bobby explaining versions of the prototype in this video.

Fig, 4: Manasi testing one of our Q/A prototypes in the study centre.

Fig, 4: Manasi testing one of our Q/A prototypes in the study centre.

Over the coming weeks, we will continue prototyping and testing different ideas. Our goal is to build out and test as many of these ideas as we can in this short timeframe. It’s challenging to not play favorites and to stay unbiased as we go. But that’s why it’s important to build and test as many ideas as possible. That way, we can have real data to see whether we are solving the problem. 

Rridhee, David, Jen, Manasi, and Bobby

Is access to healthcare records a problem?

Did you know that HIPAA (the Health Insurance Portability and Accountability Act) not only protects your healthcare records privacy, it also protects your access to your healthcare records in a safe and easy manner? If you did not, you are not alone. Unfortunately, despite having this law in place, some patients encounter significant hurdles when they try to access their healthcare records. Our team of 5 students from Harvard University is working with the Department of Health and Human Services (HHS) to streamline the process of helping patients access their health records. (read more about our project here).

Our first instinct was to try and understand this problem from people who have the most frequent interactions with the healthcare system — patients (especially those who require long term or frequent care), healthcare providers (doctors, hospital administrators, etc.) and patient advocates — to understand their experience with the healthcare records system. However, as we started to talk more amongst ourselves about what healthcare record access meant to us individually, we began to notice that within our group, some of us cared much more than others about having easy access to our healthcare records. We began to recognize that this could be reflective of the broader society, which made us realize that we should talk to people who do not have frequent interactions with the healthcare system; people who rarely thought about having access to their healthcare records.

People We Talked To

To explore the experience of the “average” person, we talked with people who were at South Station, shopping malls and areas around Harvard Square. We also reached out to friends at school and relatives who lived in different states. We ended up talking to many people from different demographics, professional backgrounds and different levels of engagement with the healthcare system, which gave us wide range of viewpoints to think about.

To understand the view point from within the medical community, we talked to legal experts, patient advocates and doctors. Some of the experts we talked to include:

Daniel Sands  MD Co-founder, Society for Participatory Medicine

Daniel Sands MD Co-founder, Society for Participatory Medicine

Regina Holliday,  Patient rights advocate

Regina Holliday, Patient rights advocate

Deven McGraw  Chief Regulatory Officer, Ciitizen

Deven McGraw Chief Regulatory Officer, Ciitizen

Finally, to expand our reach, we leveraged the power of the internet to conduct an online survey that asked people what they thought about their healthcare data. With the help of friends on Twitter, we received over 180 responses in the first two weeks.


After three weeks of talking to people and analysing the online survey results, we’ve gained a lot of unique insights from talking to people with a wide range of different perspectives. Here are 5 key takeaways we had: 

1. There’s a general lack of engagement and understanding surrounding health data.

“UPMC sends so much stuff to be honest. The information is there all of the time. I don’t really know and I don’t have any interest to be frank.” 

For many people we spoke to, especially those who were young and had little pre-existing healthcare conditions, the thought of accessing their healthcare records only crossed their minds when they were asked for it (i.e. when they moved, for school, etc.). These requests tend to be one-off requests. While many acknowledged that the process could be tedious, long-drawn and painful, they usually just went through it once and forgot about it.Many people were not aware what rights they had to access that information. 

2. People are concerned about their data being used for employer and insurance discrimination and identity theft.

“A hospital can get screwed no problem [in regards to losing health data].”

Understandably, many people are worried about having sensitive information leaked and for the world to see. However, beyond the point of keeping personal information and medical records private, many people were much more worried about the downstream implication of that healthcare data leak — would someone be able to use that information to discriminate against them? 

3. There is power in knowing your rights under HIPAA.

“If you can’t see the data, you can’t make choices.” 

When patients don’t know what rights they are entitled to - for example, that they can request their providers email them their healthcare records - they interact with the healthcare system in a very passive manner, accepting whatever restrictions placed upon them with little idea of what a reasonable alternative could be. If patients are aware of the rights they have under HIPAA, they are likely to feel more confident using them to make certain requests when they speak to their doctors. This gives them more agency over their own healthcare. 

4. Health operates on a spectrum.

“I’ve only had like two surgeries in my lifetime. I just kind of rely on the doctors.”

 As we engaged with more healthcare advocates and empowered patients, it became increasingly clear that we all transition along the spectrum between healthy and unhealthy throughout our lives. Most people, in the healthier years of their lives, rarely think about needing access to their healthcare records. However, as they or their loved ones fall ill, or grow older, interacting with the healthcare records system—and learning how to navigate the complexities — becomes increasingly difficult to avoid. 

5. The world is complex and so is the Electronic Health Records (EHR) infrastructure.

“We have a topsy turvy system. No other country has this. No other country has what we are going through.”

The social, cultural and political complexities of our reality are mirrored in the intricacies of our EHR infrastructure. As healthcare providers shift to digitized records, the EHR systems hospitals put in place may not always be connected to one another because of how complicated the whole process is: getting the EHR systems up and running, to transferring piles and piles of medical data from converting physical copies into digital ones, and to ensuring there is sufficient security for data protection.

Some Parting Thoughts 

The one key insight for our team was that health operates on a spectrum.People transition between healthy and unhealthy states throughout their lives, and this affects how they care about many things, including healthcare. Even if they don’t care about healthcare now, it is likely that they eventually will have to. While this is an obvious point, it frames how we need to approach solutions. 

Having this point made clear during our user research made us rethink the ambivalence some of us felt earlier about having easy access to our own healthcare records. It is true; many of us are healthy and young, and we may not see a need to access our healthcare records now. But what happens when we eventually fall ill at some point in time in our lives, and suddenly need all the past medical data that we thought was insignificant? Would we know where, or how, to get them? Would we be able to anticipate the difficulties we might face in getting them, especially under time pressure? 

Thinking along these lines helped us uncover a group of people that overlapped between the two initial groups that we identified — people who were transitioning from being healthy to being sick, and may need to start access and transferring their healthcare records more frequently — and we decided that it might be interesting to follow this thread and think about ways we could help to make this transition easier for them.

Bobby, David, Jen, Manasi, Rridhee

Does the Healthcare privacy law work in practice?

Have you ever tried to get your personal health care information from a health care provider, only to be frustrated by consent forms, lack of electronic communication, or simply outright refusal to comply? Often such excuses are devolve into ‘We can’t do [your request here] because of HIPAA’, and such misinterpretations of the law are more common than you think.

Even if you’ve been spared from such experiences, you’ve probably still visited the doctor’s office at some point in the last 15 years and interacted with this piece of legislation. Remember that form they asked you to sign but you just skimmed (or didn’t read at all)? Most of us know it as ‘that privacy rights thing’, and it’s actually a small part of a big piece of legislation called the Health Insurance Portability and Accountability Act (HIPAA).

What exactly is HIPAA? To start, it’s legislation, passed by congress in 1996, finalized in 2003, substantially amended in 2009 and further augmented in 2013, designed to protect and improve the healthcare system for all Americans. From its beginning, HIPAA has been marred by skepticism from the healthcare industry. Some skeptics saw it as another bureaucratic barrier to providing efficient healthcare, while others wondered how these complex rules and regulations could be effectively enforced. In the intervening years, the healthcare industry has had time to adapt but many of the early criticism still stand, and now joined by a growing list of tech-related complications.

How HIPAA is often perceived in our cultural consciousness. Cartoon retrieved from:

How HIPAA is often perceived in our cultural consciousness. Cartoon retrieved from:

In fact, HIPAA constitutes five titles, but most people focus on Title II: HIPAA Administrative Simplification. Title II seeks to establish a national standard for the transfer of electronic records and  ensure healthcare information databases are secure. This part of HIPAA is where most of the criticism is directed towards. It is also where we come in.

The Harvard Team

From Left to Right: Jen, Bobby, Amy, Manasi, Rridhee, David. Not pictured: Shannon, Benno

From Left to Right: Jen, Bobby, Amy, Manasi, Rridhee, David. Not pictured: Shannon, Benno

We are a team of five Harvard students in DPI-663: Technology and Innovation in Government, a Harvard Kennedy School field course designed where students conduct original research to solve real problems in government. This Spring, we are partnering with Amy Gleason, Shannon Sartin, and Benno Schmidt, three members of the Digital Service at the U. S. Department of Health and Human Services. Together, we will be tackling the challenge of helping both patients and providers navigate this oft-misunderstood legislative labyrinth. 


Jen Chen is a second-year Master in Public Policy (MPP) candidate at the Harvard Kennedy School (HKS). Jen hails from sunny island Singapore, where she will return to work in the government after graduation. Jen spent four years in East Asia (Beijing and Tokyo), focusing on regional affairs and trade relations. She is now focusing on digital governance and tech development at HKS. 

David Leftwich is a first-year Master in Public Policy (MPP) candidate at the Harvard Kennedy School. Born and raised in Pittsburgh, PA, he graduated from the University of Pittsburgh in the spring of 2018. In the past, David has interned with USAID, the Hudson Institute, and the State Department. David hopes to focus on digital governance and bringing more user-centered design to policy. 

Manasi Maheshwari is a sophomore at Harvard College studying computer science with a secondary in economics. From Fremont, CA, she has interned for CA-D17 Congressman Ro Khanna’s congressional campaigns and as a software engineer improving user experience with chatbots. With a desire to focus on human-centered design in policy, she is interested applying technology to improve government practices.

Rridhee Malhotra is a second year Master in Public Policy candidate at the Harvard Kennedy School. She is from India and before HKS worked for four and a half years with Government of India on the world’s largest digital identity program called Aadhaar to deliver public services and cut down corruption in supply chain. After Kennedy School, she hopes to build systems which effectively manage the trade-offs between risks and opportunities of collecting data. 

Robert ‘Bobby’ Wang is a masters student at the Harvard Graduate School of Design. He came to the USA from his small home of New Zealand six years ago to pursue a degree in industrial design at RISD. Since graduating he has practiced as both a designer and engineer in the tech sector. He’s now in grad school focusing on the intersection of humans and technology.

The Problem

Our client for this semester, the U.S. Department of Health and Human Services, framed the problem this way:

 ‘The HIPAA privacy rule was designed to provide patients with access to their entire medical history, while simultaneously protecting the patient from the unnecessary disclosure of their medical information. HIPAA, however, is often used as the justification for not sharing medical information—even when the patient is requesting their own medical history. From the perspective of patients and clinicians, why is a healthcare policy designed to increase the portability of a patient's medical history also a roadblock to accessible and interoperable medical information?’

Ready, Set, Go.

We wanted to experience potential issues with HIPAA firsthand, and we all attempted to retrieved our own health records. It was surprisingly simple to get our own health records online within minutes. 

However, upon some reflection, we became wary that this ease comes from the privileged positions that we hold. We all have access to top-tier healthcare providers with quick and easy access to personal information. This was confirmed by Amy, our HHS collaborator. She pointed out that most Americans do not have access to such systems and have to call in, or even make in-person visits, to retrieve their medical information. 

More importantly, Amy informed us that these databases are flawed. Often, they contain incomplete patient histories without the details of each doctor’s visit. Further, they do not always include visits to medical providers outside of their health care system. The process of transferring information between caregivers can also be difficult, and HIPAA has commonly been cited as a reason for the reluctance to transfer the patient’s information — even thoughHIPAA allows patient record transfer among physicians, if they are treating the same patient.

The Longwood Medical and Academic Area contains a number of medical and research institutions and will serve as a great resource in our research.Image retrieved from:

The Longwood Medical and Academic Area contains a number of medical and research institutions and will serve as a great resource in our research.Image retrieved from:

Moving Forward

Our next step is to talk with caregivers, administrators, doctors, patients, and researchers. Fortunately, we live in Boston, which has one of the highest concentrations of medical and research facilities in the country. 

Do you have firsthand experience with HIPAA? Have you had challenges getting access to your medical information?  Let us know at

Bobby Chen, David Leftwich, Jen Chen, Manasi Maheshwari, & Rridhee Malhotra