3 Days left! 50% off + FREE Books on select certification training ends 8/31 |  Save Now

When Patients Understand Their Medical Record

When Patients Understand Their Medical Record

Quality care cannot be achieved if your patient portal creates a barrier.

The 21st Century Cures Act requires healthcare providers to give patients access to their medical records upon request. Providers and facilities have been so focused on complying with this law, however, they may not have considered the repercussions: Patient comprehension of the information they are accessing is one concern, and security of that information is another. The undue stress on patients being given timely and complete access to their protected health information (PHI) is an unintended consequence of the 21st Century Cures Act that providers must act on to mitigate.

What Information Can Patients Access?

The 21st Century Cures Act indicates that almost all medical notes must be shared with patients. These notes include:

  • History and physical notes
  • Progress notes
  • Consultation notes
  • Procedure notes
  • Discharge summary notes
  • Imaging narratives
  • Laboratory report narratives
  • Pathology report narratives

There are eight exceptions where documentation or notes can be withheld from shared information. Some exceptions include psychotherapy notes that are separated from the rest of the medical record, information related to a civil, criminal, or administrative action or proceeding, and any note that a doctor perceives may cause harm or danger to a patient.

Causes for Concern

Increased transparency and communication between clinicians and patients are goals of information sharing. Studies show that sharing medical notes with patients who have a chronic condition (e.g., diabetes mellitus) and understand the information in the notes helps them feel more engaged in their healthcare, better understand their medical condition(s), and participate more in their care plans, including taking medications properly.

The key word is “understand.” Unfortunately, it’s more common for patients to not understand what they’re reading in their medical record. The patient may not understand common medical terminology, like obesity related to body mass index (BMI), test results, medication changes, or surgical reports. Patients may be concerned about test results if they are misinterpreted or not explained thoroughly.

Timing of patient access to their information is also a concern. Many systems are set up to notify the patient whenever new information is added to their record, so the patient often sees the information before their physician does. Even if the attending physician is notified at the same time, they may be busy with other patients or other duties and can’t look at a report immediately.

It’s common in online cancer support groups to see a message such as, “I just saw my pathology report online. I can’t reach my doctor until Monday. What does this mean?” Patients are relying on internet research and message boards to answer questions that should be answered by a clinician who is familiar with their case.

A patient’s first indication of their cancer diagnosis should not be reading something on a computer or phone screen. Consider the emotional harm caused to a patient who is first notified of a potentially life-changing diagnosis in such an impersonal manner and then left for days without being able to discuss it with their physician.

Consider the Source

The electronic health record (EHR) is the most common digital form of communication between clinicians and patients. The EHR is a common data repository that serves many purposes. There are many uses of the data stored within the EHR — communication between facilities and payers, sharing clinical research data among providers, and analysis of population health statistics.

The primary purpose of the EHR is for healthcare providers to document patient care and make that information available to other healthcare providers. The common medical terminology used by providers who are communicating peer-to-peer describes the patients’ conditions, provides interpretation of test results, defines surgeries or procedures, and is intended for clinical communication.

When sharing health information with other providers, there may be a discrepancy with how each individual views diagnostic results. While one provider may view results as worrisome, another provider may view the results and determine there is no cause for concern. Some providers feel that they should downplay symptoms when documenting, especially when they know the patient will see what is in the note, and other providers may embellish symptoms. Interpretation may also be skewed if the provider omits certain information from their discussion with the patient or another provider. 

Anyone whose job entails entering data into a patient’s EHR must be aware of how the data is used and who’s using it. No matter who enters data, it’s vital to follow documentation standards and adhere to compliance policies adopted by facilities to help ensure the integrity of the data entered and how that data can be shared.

When communication between the clinicians and patients is via the EHR, facilities need to address questions such as:

  • What is shared between clinicians and patients?
  • How can we meet clinical communication standards and patient understanding?
  • How does the facility follow compliance policies for shared information?
  • How is the patient able to access their information?
  • How can facilities train employees and patients to use information portals?

The checklist below, presented in a November 2021 article from the Journal of the American Medical Association (JAMA), can be a helpful tool for patients. Facilities and practices should also consider establishing a patient-clinician liaison who could provide general definitions and information to assist the patient until they can speak with their own physician.

Put Compliance Into Perspective

Sharing health information has both privacy and security concerns regardless of whether the information is being shared with the patient, law enforcement, state health officials, or other healthcare facilities. These concerns are shared by not only the patient but also clinical and administrative staff, healthcare providers, and healthcare facilities, as well as the IT departments of software companies. As such, every healthcare organization should include information sharing policies as part of their compliance plan. Considerations include:

  • Policies and procedures for making sure the patient’s progress reports, medication lists, immunizations, radiology and laboratory reports, and operative notes are uploaded to the patient’s portal in a timely manner.
  • Guidance for what is and isn’t shared.
  • Procedures for ensuring accuracy and that any possible amendments to the patient’s care plan have been noted. Concerns may arise if documents are incorrect, uploaded to the incorrect patient, or if the provider has not reviewed the results to possibly make amendments to the patient’s care plan.

There should be someone in place within the organization, whether it’s clinical or administrative staff, to oversee adherence to these polices and report any violations to the compliance officer.

Education Is Key

Education and training should be provided to not only the staff within the healthcare facility but also the patients. Staff members should be made aware of who is responsible for uploading documents, what types of information are being uploaded, and how to access the information.

Staff should know how to handle any questions or concerns a patient may have regarding their information on the portal. Patients may also need to be educated on how to access the portal, view their medical charts, and send messages to staff with any questions or concerns. Training staff how to handle a patient’s confusion and anxiety toward information viewed in their chart may prevent the situation from escalating and promote better patient care.

When sharing PHI electronically, monitoring and auditing should be performed routinely for early detection of a possible security breach or unauthorized access to a patient’s chart. Security breaches are the largest concern when it comes to patient privacy. Working closely with your EHR vendor and your organization’s IT department is essential for cybersecurity. At the very least, ePHI should be encrypted and unique logins and two-step authentication processes should be used. Monitoring and auditing may also allow the provider to know when the patient reviewed their information, if they sent their information to another specialist, and whether the patient sent the provider a message or comment and is awaiting a response.

Best Practices

Quality patient care and a positive patient experience are both tied to data in modern healthcare. With privacy as the overarching concern, documentation must be compliant and thorough to support continuity of care; compliance policies must be specific and understood by all staff with access to medical records; regular audits should be employed to ensure standards are met; and patients accessing their records online must be instructed on how to use the portal platform and understand what they are seeing.


AAPC Compliance Advisory Committee Members:

Kimberly Garner Huey, MJ, CHC, CPC, CCS-P, PCS, CPCO, COC

LisaRae Roper, MS, MHA, CCS-P, CPC, FAHIMA, AAPC Approved Instructor

Annette Telafor, CPC, CPCO, CDEO, CPB, CPMA, CPPM, CRC, AAPC Approved Instructor

Craig Laursen, CPC, CDEI, AAPC Approved Instructor


Dong Z, Leveille S, Lewis D, Walker J. People with diabetes who read their clinicians’ visit notes: Behaviors and attitudes. Chronic Illness. 2023;0(0). doi:10.1177/17423953231171890

Individuals’ Right under HIPAA to Access their Health Information. 45 CFR Sec 164.524

The Office of the National Coordinator for Health Information Technology (ONC), Cures Act Final Rule: Information Blocking Exceptions

Jin J. What to Consider When Reading Your Medical Notes. JAMA. 2021;326(17):1756. doi:10.1001/jama.2021.16493

21st Century Cures Act. Congress.gov

Leave a Reply

Your email address will not be published. Required fields are marked *