Health Data Portability for Patients: Sharing Records Across Providers

Health data portability is the principle — and increasingly the legal requirement — that patients can move their medical records from one provider to another without barriers, delays, or unreasonable fees. Federal rules finalized between 2020 and 2021 transformed what was once a paper-heavy favor granted at a provider's discretion into a structured right with enforceable standards. For anyone managing a complex condition across multiple specialists, switching insurance networks, or simply moving to a new city, understanding how this works is the difference between continuity of care and starting from scratch.

Definition and scope

Health data portability, in the US regulatory context, refers to the patient's right to access, receive, and direct the electronic transmission of their health information in a usable format. The two primary legal frameworks governing this are the HIPAA Privacy Rule — administered by the HHS Office for Civil Rights — and the 21st Century Cures Act's Interoperability and Information Blocking rules, enforced by the Office of the National Coordinator for Health IT (ONC).

HIPAA gives patients the right to inspect and receive a copy of their records within 30 calendar days of a request, with one possible 30-day extension (45 CFR §164.524). The ONC's 2020 Cures Act Final Rule goes further, prohibiting "information blocking" — practices by health systems, health IT developers, or health information networks that interfere with the access, exchange, or use of electronic health information. Penalties for information blocking violations can reach $1,000,000 per violation for health IT developers (ONC, 45 CFR Part 171).

The scope covers what regulators call "Electronic Health Information" (EHI) — essentially anything in a patient's designated record set that exists in electronic form. This includes clinical notes, lab results, imaging reports, medication histories, and increasingly, data from patient-facing apps connected through standardized application programming interfaces (APIs).

How it works

The practical mechanism has three layers worth understanding separately, because they operate on different timelines and involve different actors.

The HIPAA request pathway is the baseline. A patient submits a written request — most health systems now accept a form on their patient portal — and the provider must respond within the 30-day window. The format must be "readily producible" electronically if that's what the patient asks for. Providers can charge a reasonable cost-based fee, but the HHS guidance updated in 2023 made clear that fees for electronic copies should generally be minimal or zero when the data is already stored digitally.

The FHIR API pathway is newer and faster. Under the Cures Act rules, certified EHR systems must offer a standardized HL7 FHIR (Fast Healthcare Interoperability Resources) API that allows patients to connect third-party apps — a health records aggregator, a new provider's portal, a personal health app — and pull their data directly. No fax machines, no paper forms, no waiting. This is how apps like Apple Health connect to hospital systems and surface your vaccination history, lab trends, and visit summaries in one place.

Direct provider-to-provider exchange happens when a patient authorizes one provider to request records from another. This often runs through Health Information Exchanges (HIEs), regional or national networks that route clinical data between participating organizations. The Office of the National Coordinator maintains a directory of state-designated HIE entities.

For patients navigating the intersection of privacy rights and record-sharing, the HIPAA patient privacy rights framework explains what providers can and cannot share without explicit authorization.

Common scenarios

The following situations represent the most frequent triggers for health data portability requests:

  1. Specialist referral — A primary care physician refers a patient to a cardiologist who uses a different EHR system. Without active data-sharing infrastructure, the specialist receives a PDF summary at best, or nothing at all. FHIR-based interoperability is designed to close this gap, though adoption is uneven across health systems.

  2. Insurance network change — When a patient's employer changes insurance plans, they may lose access to their current providers and need to re-establish care elsewhere. A complete records transfer prevents redundant testing and gaps in chronic disease management (chronic disease management services often depend heavily on longitudinal record access).

  3. Hospital discharge to post-acute care — Patients moving from a hospital to a rehabilitation facility or skilled nursing facility require timely record transfers. Discharge planning services typically coordinate this, but the legal obligation for timely data transfer applies regardless of care setting.

  4. Second opinion — Requesting a second opinion from a specialist at an academic medical center requires sending imaging, pathology reports, and prior treatment records. Second opinion services function most effectively when full records accompany the consultation.

  5. Pediatric-to-adult care transition — Adolescents aging out of pediatric systems need their complete developmental and clinical history transferred. This is one of the more structurally complex portability scenarios because systems, consent frameworks, and even data models differ substantially.

Decision boundaries

Not everything flows freely, and the rules draw some deliberate lines.

Mental health and substance use records carry heightened protections. Substance use disorder treatment records are governed by 42 CFR Part 2, which imposes stricter consent requirements than HIPAA and limits re-disclosure. Psychotherapy notes — distinct from general mental health records — are also explicitly excluded from the standard HIPAA right of access and require separate authorization.

Exceptions to information blocking rules are narrow but real. ONC recognizes 8 defined exceptions, including privacy protections, preventing patient harm, and infeasibility. A provider cannot, however, use vague "security concerns" as a blanket excuse to withhold data that a patient has the legal right to receive.

Patient portals vs. complete record sets are not the same thing. What appears in a portal — often a curated subset of notes and results — may omit historical data, scanned documents, or records from affiliated but technically separate entities. Patients who need their full designated record set should submit an explicit written request, not rely solely on portal downloads.
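One way to check a download from the FHIR API pathway against the record categories this page lists, before treating it as a full record. This is an added example, not code from any portal or EHR vendor; the mapping of categories to FHIR R4 resource types, the function names, and the sample Bundle are assumptions constructed for illustration.

```python
import json

# Assumed mapping of FHIR R4 resource types to the EHI categories named on this page.
EHI_TYPES = {
    "DocumentReference": "clinical notes",
    "Observation": "lab results",
    "DiagnosticReport": "imaging reports",
    "MedicationRequest": "medication histories",
}
DATE_FIELDS = ("effectiveDateTime", "date", "authoredOn")

# Constructed sample Bundle (not real patient data).
SAMPLE_BUNDLE = json.loads("""
{"resourceType": "Bundle", "type": "searchset", "entry": [
 {"resource": {"resourceType": "Observation", "effectiveDateTime": "2023-04-02",
   "category": [{"coding": [{"code": "laboratory"}]}]}},
 {"resource": {"resourceType": "Observation", "effectiveDateTime": "2021-11-15",
   "category": [{"coding": [{"code": "laboratory"}]}]}},
 {"resource": {"resourceType": "Observation", "effectiveDateTime": "2023-04-02",
   "category": [{"coding": [{"code": "vital-signs"}]}]}},
 {"resource": {"resourceType": "MedicationRequest", "authoredOn": "2022-06-30"}},
 {"resource": {"resourceType": "DocumentReference", "date": "2023-04-02T10:15:00Z"}},
 {"resource": {"resourceType": "Immunization", "occurrenceDateTime": "2020-09-01"}}
]}
""")

def is_lab(resource):
    codes = [c.get("code") for cat in resource.get("category", [])
             for c in cat.get("coding", [])]
    return "laboratory" in codes

def inventory(bundle):
    """Count resources per EHI category and record the date range covered."""
    report = {c: {"count": 0, "earliest": None, "latest": None}
              for c in EHI_TYPES.values()}
    for entry in bundle.get("entry", []):
        res = entry.get("resource", {})
        name = EHI_TYPES.get(res.get("resourceType"))
        if name is None or (name == "lab results" and not is_lab(res)):
            continue  # unmapped type, or a non-laboratory Observation
        day = next((res[f][:10] for f in DATE_FIELDS if res.get(f)), None)
        row = report[name]
        row["count"] += 1
        if day:  # ISO 8601 dates sort correctly as strings
            row["earliest"] = min(row["earliest"] or day, day)
            row["latest"] = max(row["latest"] or day, day)
    return report

def missing_categories(bundle):
    return sorted(c for c, r in inventory(bundle).items() if r["count"] == 0)
```

A category with a zero count, or an earliest date later than the patient's first visit, is a signal to follow up with the explicit written request described above.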

The broader ecosystem of patient data rights — including the right to correct errors in one's record and to request restrictions on certain disclosures — is documented across patient rights and responsibilities frameworks that vary by state and institution. The National Patient Services Authority home resource provides orientation across the full range of patient service categories that intersect with records and data access.
