Ron Wyden is asking major electronic health record companies to add tools that let patients decide who can access their health information.
Senator Ron Wyden of Oregon has sent letters to ten major electronic health record vendors asking them to add features that allow patients to control how and with whom their medical records are shared. Wyden said current interoperability models allow records to be accessed across state lines even when there is no direct treatment relationship, which can expose sensitive information beyond what patients expect. His request follows recent updates by Epic Systems that notify patients when their records are shared, prompt confirmation during sensitive care, and allow users to opt out of broader data exchange. Wyden asked other vendors to confirm whether they offer similar controls and to respond by January 20, 2026.
Federal policy over the past decade has focused on expanding interoperability to improve care coordination and patient access. Laws passed in 2009 and 2016 required health information to move more freely between systems and gave patients the right to access records through portals and applications. While these changes reduced information silos, Wyden argued that they did not give patients meaningful visibility or control over secondary access to their records. In his letters, he warned that providers in distant states may be able to view records without patient awareness and that current systems often rely on default sharing rather than informed choice. He said patient controlled permissions could preserve interoperability while reducing unnecessary exposure.
Wyden said Americans should be able to decide which entities can view their health information and under what circumstances. He described Epic’s new patient facing controls as a positive step and said similar functionality should be available across the industry. In the letters, he also framed unrestricted access to sensitive health data as a broader security issue, particularly for military and intelligence personnel whose records could be misused. Wyden asked vendors to outline what controls they already offer, what tools are in development, and whether they are willing to commit to giving patients direct control over record sharing.
According to Healthcare Dive, several major EHR vendors have begun responding publicly to Senator Ron Wyden’s inquiry. Netsmart said it would reply directly to Wyden and that it “remains engaged in industry discussions related to patient access, consent, and data governance.” Meditech also confirmed it is preparing a formal response, adding that it “shares [Wyden’s] commitment to patient privacy and empowerment.” Athenahealth acknowledged receipt of the letter as well, with Joe Ganley, its vice president of government and regulatory affairs, saying the company agrees that “interoperability frameworks can be developed in ways that ensure healthcare data flows more freely while also protecting patient rights and data security,” and that it looks forward to working with Wyden’s office on the issue.
Interoperability frameworks are designed to support continuity of care when patients receive treatment in different locations, which enables providers in other states to access records if systems are connected.
Patients can request restrictions in some cases, but many systems rely on default sharing settings that do not require explicit approval for each access event.
Health data can reveal sensitive personal, financial, and operational details, and broad access increases the risk of misuse by insiders or foreign actors.
He is asking for patient facing tools that show who can access records, prompt consent during sensitive encounters, and allow patients to limit or opt out of broader sharing.
Wyden and regulators have said controls should be designed to protect privacy while still allowing necessary access for treatment, emergencies, and lawful public health uses.