Introduction

The digitalization of health care is increasing rapidly, changing the way patients communicate and collaborate with health care providers. The importance of access to and use of digital health data became even more evident during the COVID-19 pandemic [], including the use of online patient portals and patients’ online record access (ORA) []. The Nordic countries are, together with the United States, forerunners in providing their residents with online tools that enable interaction not only with health care but also with the patient’s own health data []. ORA has become a key means to these ends [-]. National patient portals have been implemented in all Nordic countries, enabling residents to access different health-related e-services, for example, patient-accessible electronic health records (PAEHRs). In the United States, legislation mandates patients to have ORA []. provides an overview of key concepts related to patients’ ORA that will be used in this paper.

Textbox 1. Key terminology.

Electronic health record (EHR)

The World Health Organization defines EHRs as “shared patient records that contain historical data about a patient that are compiled from all local Electronic Medical Records” [].

Patient-accessible EHR (PAEHR)

PAEHRs are online services providing patients secure access to view and sometimes edit or comment on their electronic health records (EHRs) made available by their health care providers [], that is, online record access (ORA).

European Health Data Space (EHDS)

The EHDS is a health-specific ecosystem comprising rules, common standards and practices, infrastructure, and a governance framework [].

Open notes

Online access to the visit note summaries, or the narrative, free-text entries, written by clinicians about patient health.

ORA

ORA has been used as a “solution-neutral” concept to describe the phenomenon of patients’ online record access []. ORA can be implemented through a PAEHR or any other technical system that gives patients access to their health records online.

Patient portal

Patient portals are online portals that can be provided locally by a specific health care provider or nationally, as is the case in the Nordic countries. Patient portals are increasingly used to provide patients with ORA. In some patient portals, a PAEHR is provided as a specific service [], whereas others may have more seamlessly integrated ORA through different patient portal functions. In a local patient portal, patients often have ORA to only 1 specific EHR system, whereas national patient portals can provide ORA to several EHR systems.

In many countries, ORA is considered a logical extension of patients' already existing legal rights to request copies of their health records. ORA provides a rapid and convenient method of accessing the information held by clinicians that increases the total number of patients who read their records. Considering the growing body of evidence presenting the benefits of ORA for the individual (in terms of improved health outcomes and self-management) [-,,], we argue that health organizations in other countries can learn from the Nordic experience and should also consider striving to provide patients’ ORA [].

In parallel with the increased use of digital health services, the importance of accessible and structured health data has also been highlighted by policy makers internationally. In the United States, a federal rule in the 21st Century Cures Act mandates that US health care providers offer patients access, with few exceptions, to all the health information in their electronic medical records without charge []. The 21st Century Cures Act is also motivated by the idea of a health app economy, and it is mandated that patients’ health information be available in a form that is downloadable to third-party apps. In Europe, the proposal for an EHDS aims to both empower people to control and use their health data in their home country or other member states, as well as offer “a consistent, trustworthy and efficient framework to use health data for research, innovation, policy making, and regulatory activities, while ensuring full compliance with the EU's high data protection standards” []. Furthermore, the EU has adopted the NIS directive (EU 2022/255), which sets requirements for security in networks and information systems. The rules cover providers of socially important services and certain digital services where health care is a designated sector [].

Despite growing international evidence that ORA has the potential to empower patients and yield many health benefits, its implementation has not always been straightforward [,]. Not all patients use online portals [,,,], and ORA remains controversial among providers [,]. Health care professionals have raised concerns regarding patient ORA in several contexts where it has been implemented [,-]. The concerns include that patients might misunderstand what they read and become worried, and that clinicians’ workload will increase as patients ask more questions, both during and between appointments. Within mental health care, such concerns have been especially prominent [,,].

Despite clinicians’ concerns and the need for a more fine-grained policy concerning, for example, proxy access (when an informal caregiver, such as a family member, has ORA on behalf of a patient) [], psychiatric care [], and ethical exemptions from ORA [], mounting international experience challenges clinicians’ skepticism and evinces the benefits to patients of this practice innovation []. Nonetheless, as the shift toward giving patients more autonomy over their health data is underway, there is an urgent need to address more contested aspects of ORA. Doing so may simultaneously offer guidance to other countries, where implementation is currently lagging behind. We argue that to ensure the full realization of its potential in the short and long term, there is a pressing need to study patients’ ORA from a cross-disciplinary, technical, clinical, humanistic, and social science perspective that looks beyond narrow technical aspects of implementation []. A project that aims to do this is the NORDeHEALTH research project, launched in 2021 []. NORDeHEALTH focuses on studying novel digital services and innovation, exploring different ways to make national patient portals and patients’ ORA more useful to both patients and health care professionals, supporting person-centered care, patient self-management, and empowerment, as well as collaboration.

In this viewpoint paper, we will summarize the key policy changes in the EHDS with relevance to ORA and discuss the proposed changes in the context of the latest research findings from the Nordic Region through the NORDeHEALTH project.

The European Health Data Space and Patient Online Record Access

The EHDS proposal aims to “improve access to, and control by, natural persons over their personal electronic health data in the context of health care (primary use of electronic health data), as well as for other purposes that would benefit the society such as research, innovation, policy-making, patient safety, personalized medicine, official statistics or regulatory activities (secondary use of health data)” []. “Natural person” is a legal term used to signify an individual human being, distinguishing them from a “juridical person,” which can encompass other entities too. We will use “person” in our text to signify a “natural person,” unless in a direct quote from the EHDS proposal. Negotiations among EU member states have been completed, and in April 2024, the European Parliament adopted the EHDS proposal. Once the new EHDS regulation is formally adopted, which is expected to be in autumn 2024, it will become applicable in different stages according to use case and data type, allowing member states time to adapt to the regulation [].

Primary use of electronic health data is the main focus of patients’ ORA and is further defined as the processing of personal electronic health data for the provision of health services to assess, maintain, or restore the state of health of the natural person to whom that data relates, including the prescription, dispensation, and provision of medicinal products and medical devices, as well as for relevant social security, administrative, or reimbursement services.

Embedded within the EHDS Chapter 2, Primary use of electronic health data, Section 1, Article 3 describes the “rights of natural persons in relation to the primary use of their personal electronic health data” []. In our analysis of the EHDS proposal, we have identified 5 key principles of high relevance for patient ORA, where results from the NORDeHEALTH project may contribute to the design and implementation of the EHDS across Europe. The five principles we have identified are (1) the right to access, (2) proxy access, (3) patient input of their own data, (4) error and omission rectification, and (5) access control.

Overview of the NORDeHEALTH Research Project

The NORDeHEALTH project, funded by NordForsk (grant 100477), has research partners in Sweden, Norway, Finland, Estonia, and the United States. The goal is to enable further digitalization of the public health sector by providing concrete feedback to the national authorities in the respective countries and providing guidelines and frameworks for the design, implementation, and evaluation of patients' ORA as well as other eHealth services.

The foundation for the NORDeHEALTH research project is a sociotechnical analysis of the context in the respective country using a model proposed previously [,]. The model defines eight dimensions that are essential to consider when designing and implementing sociotechnical systems in health care: (1) hardware and software, (2) clinical content, (3) human-computer interface, (4) people, (5) workflow and communication, (6) internal organizational policies, procedures, and culture, (7) external rules, regulations, and pressures, and (8) system measurement and monitoring []. Key focus areas in the NORDeHEALTH research project have included policy and regulations for patients’ ORA in mental health care [-], ORA for adolescents and parents [,], and ORA within oncology, specifically focusing on multidisciplinary team conferences. The project also investigates benchmarking for the usability and acceptance of national patient portals and patients’ ORA [,], which iteratively feeds into the co-design of novel ORA and patient portal functionality.

Empirical data in the project is gathered by exploring the needs of specific patient and demographic groups using the current implementations of PAEHRs as a case; patients with mental health disorders, patients with cancer, and adolescents and their caregivers. Most research into patient ORA to date collects data from one country or region [-,], making it difficult to compare results across contexts. In the NORDeHEALTH project, we therefore designed an international cross-sectional survey study, and in 2022, data were collected simultaneously in Sweden, Norway, Finland, and Estonia []. The survey aimed to study patients’ experiences with the PAEHR provided through the national patient portals in the respective countries.

provides an overview of how the NORDeHEALTH research contributes to the patient ORA principles we have identified in the EHDS proposal: (1) the right to access, (2) proxy access, (3) patient input of their own data, (4) rectifying errors and omissions, and (5) access control. In the next sections, we further deepen the analysis of the 5 principles.

Textbox 2. Online record access (ORA) principles in the context of recent research from the Nordics.

The right to access

Despite the many similarities, ORA implementation varies in the Nordic region.Patients’ experiences depend on platform usability.

Proxy access

Current regulations for parental and adolescent proxy access greatly differ between the Nordic countries.Proxy access other than parental has even greater variation, and is not allowed in, eg, Sweden.

Patient input of their own data

Despite the advanced stage of ORA in the Nordic countries, patient input is not widely available.Nordic patients have expressed repeated interest in the ability to contribute to their record.

Error and omission rectification

A high number of Nordic patients find serious errors in their records through ORA.Some groups of patients report more errors than others.At present, only a minority of Nordic patients attempt to rectify the errors.

Access control

A minority of Nordic patients have reported unwanted access to their electronic health records
The Right to AccessThe Proposal

The EHDS proposal clearly states that “natural persons shall have the right to access their personal electronic health data” immediately, free of charge, and in an easily readable, consolidated, and accessible form []. This is not limited to electronic health records (EHRs) data, but considering the EHR's core role for documentation in health care, patients' ORA must be considered essential for EHDS. Article 3, paragraph 2, continues to declare that:

natural persons shall have the right to receive an electronic copy, in the European electronic health record exchange format […] of at least their electronic health data in the priority categories referred to in Article 5 [].

These include patient summaries, electronic prescriptions, electronic dispensations, medical images and image reports, laboratory results, and discharge reports.

The Research

Many European countries already have legislation stipulating that patients should have ORA []. In Norway, the patient is both the object and the owner of the health record. The Norwegian Patient Rights Act of 2001 states that patients have the right by law to access their health records [], and in 2013, a White Paper stated that patients should have digital access []. Similar legislation is in place in all the Nordic countries [].

In Germany, the Patient’s Rights Act of 2013 stipulates that health care professionals must document diagnosis and treatment promptly and comprehensively. It grants patients the right to fully view their records and attain an electronic copy [], yet progress in implementing patients’ ORA has been slow. In the Netherlands, patients have had the right to a digital copy of all the information in their EHRs since 2020 [], and different types of incentive programs have been implemented to encourage health care providers to provide such access.

Given the current challenges in implementing patients' full ORA across Europe, the EHDS proposal is ambitious. Mandating patients’ ORA is to be broadly encouraged, considering the positive experiences reported by patients with full ORA, but experiences show that regulations are often not enough to ensure implementation.

The NORDeHEALTH project has designed and tested a sociotechnical framework for studying and comparing factors that affect the implementation and adoption of patient ORA. The framework was designed based on the existing Sittig and Singh sociotechnical framework []. ORA-specific factors are explored related to, for example, what information patients have access to and when they can access it (immediately or with a delay), what functionality is provided (eg, being able to upload or edit information, proxy access), rules and regulations for ORA (on national or local levels), the usability of the PAEHR, technical infrastructure, and population characteristics (eg, educational levels, digital literacy, and diversity). An in-depth understanding of the local sociotechnical context is essential for comprehending the impact of ORA and being able to design successful interventions for implementing ORA. A study on the implementation of ORA in Sweden and the Netherlands identified resistance from health care professionals and technical infrastructure challenges as main barriers, whereas existing national infrastructure and program management, strong leadership, and stakeholder engagement (including both patients and health care professionals) were identified as success factors [].

Viewpoint

We argue that simply enabling ORA is not enough to ensure that all patients can use it. Usability is a key factor in the adoption of ORA []. Therefore, the NORDeHEALTH project strives to benchmark PAEHR usability [] and investigate how it affects the acceptance and adoption of PAEHRs among different patient groups.

Proxy AccessThe Proposal

In the EHDS proposal, proxy access is described in Article 3, paragraph 5. Member States shall:

establish one or more proxy services enabling a natural person to authorize other natural persons of their choice to access the electronic health data on their behalf [].

This includes guardians and other representatives, either automatically or upon request.

The Research

With a growing population of older people (>60 years) seeking health care services, many of whom are likely to have (multiple) chronic conditions, the demands on health and social care services are increasing []. However, the time that individuals with chronic conditions seek health and social care represents only a fragment of their 24/7 lived experience of coping with a chronic disease. As we grow older, we often become increasingly dependent on psychosocial and physical support outside of formal health care services, but this is far from only an issue for older people. Patients with cognitive or physical disabilities often rely on family or informal caregivers for support in managing their health. Parents, especially of children with chronic or life-threatening conditions, have an instrumental role in their children’s care and report great benefits from ORA [] when it is available. Having a (strong) social network and informal caregivers (eg, family and friends), especially in times of life-changing illness, could mean the difference between survival and death []

Despite informal caregiving being an essential part of health care, it is rarely given a lot of credit. In fact, the vast majority of caregiving is informal, and it is undertaken by family members free of charge and with no support provided for them, often at great burden [,]. Thus, health care outcomes highly depend on the competence and ability of informal caregivers. Still, informal caregivers are often left out of the conversation [], not the least when digitalization is introduced, and informal communication needs to be formalized.

In the NORDeHEALTH project, research into proxy access focuses on how parental ORA differs between the participating countries [] and what this could mean for streamlining proxy access across Europe. Further studies on parental proxy access and adolescents’ ability to deny access in certain situations are in process. For general proxy access, there is even greater diversity across countries and even less research available. Internationally, when patients are given online access to their records, they are often given the option to share their records with a proxy if needed, usually a close family member such as a spouse or adult son or daughter []. In a US study, 2 out of 3 surveyed hospitals offered adult patients the option of granting portal access to an informal caregiver, but among hospitals that did, the process for obtaining proxy credentials was often difficult and time-consuming []. In the original Swedish implementation of ORA, patients could assign a proxy to be able to access their records. This function was available after secure log-in to the record, and the patient could assign access to any person in Sweden by adding the social security number of the person and choosing what parts of the PAEHR to share []. Despite this flexibility of the solution, the Swedish Authority for Privacy Protection requested the function be shut down, and after several appeals from Region Uppsala, the Supreme Administrative Court in Sweden finally decided to prohibit the function where patients can share their information with others, finding it to be in conflict with the Patient Data Act (a part of the Swedish Data Protection Act (2018:218) and the Swedish Data Protection Regulation (2018:219) that entered into force on May 25, 2018 []), which refers to allowing only patients themselves direct access to their medical records—not someone else [].

Viewpoint

In order to implement the EHDS proposal, it will be essential to streamline regulations for, and implementation of, proxy access across Europe. Acknowledging that different types of proxy access exist and come with their own set of challenges will also be important, distinguishing, for example, parental proxy access from other forms of proxy access.

Rectifying Errors and OmissionsThe Proposal

The EHDS proposal, Article 3 §7, stresses that Member States shall ensure that:

natural persons can easily request rectification online []
The Research

In a US study of 22,000 patients who read their notes, 1 in 5 reported finding an error, and 40% of those perceived the error to be serious []. The most common errors were related to diagnoses, medical histories, medications, test results, notes on the wrong patient, and notes pertaining to the wrong side of the patient’s body (left vs right). Erroneous records may contribute to diagnostic errors that are common in health care []. Between 1 in 20 and 1 in every 6 medical consultations results in missed, wrong, or delayed diagnoses []. Most diagnostic errors relate to common conditions such as congenital heart failure, pneumonia, and urinary tract infections []. Research also shows repeated, missed opportunities to detect cancer [,].

Patients have so far had a marginal role in diagnostic processes, as acknowledged in the US National Academy of Medicine’s report “Improving Diagnosis in Health Care.” The report prompts a deeper discussion about the role of patients in closing feedback loops in care and helping to avoid mistakes that can lead to diagnostic errors, and ultimately patient harm []. Patient ORA is cited as a mechanism for improving diagnostic accuracy [] and has been described by medical safety experts as a “transforming concept” in patient safety []. Emerging research supports these conclusions [,,]. Patient ORA may help patients avoid delays and missed diagnoses by encouraging timely follow-up of recommended tests, results, and referrals []. Patients with ORA who identify and report errors could prevent clinicians from relying on incorrect data that may lead to poor diagnostic or treatment decisions or even legal liability []. A meta-analysis of 20 ORA-related randomized clinical trials (involving 17,387 patients) supports the conclusion that ORA could improve patient safety []. Most research to date on patients’ ORA and documentation errors has been performed in the United States with a remarkably different medico-legal system from the European one. In this respect, the NORDeHEALTH research complements the existing research and provides important evidence for the usefulness of patient ORA in patient safety work in contexts dominated by public health care provision.

In addition, most studies focus on somatic care and exclude mental health care. A recent NORDeHEALTH study made a comparison between patients who had received mental health care (the MHC group) and patients who had not (non-MHC group), regarding their experiences of finding errors or missing information in their online records []. MHC respondents (n=3131) experienced errors (MHC 1586/3131, 50.65% and non-MHC 3311/9203, 35.98%) and omissions (MHC 1089/3131, 34.78% and non-MHC 2427/9203, 26.37%) in the EHR at a higher rate compared with non-MHC respondents (n=9203). The statistically significant differences between the MHC and non-MHC groups remained when comparing a stratified subgroup sample adjusted for age and gender [].

Viewpoint

In the NORDeHEALTH patient survey [], we explore the extent to which patients in Sweden, Norway, Finland, and Estonia find errors or missing information in their PAEHR and the action they have taken in these situations []. The results from these studies will help guide the further implementation of the EHDS with respect to the management of errors and missing information.

Patients’ Input of Their Own DataThe Proposal

Article 3, §6 of the EHDS proposal states that:

Natural persons may insert their electronic health data into their own EHR or in that of natural persons whose health information they can access, through electronic health data access services or applications linked to these services. That information shall be marked as inserted by the natural person or by his or her representative [].
The Research

Although the Nordic countries are advanced in providing ORA, entering health data into the EHR is not widely implemented. Swedish patients could previously comment in their EHRs [], but this function was removed in 2022 due to technical problems related to the initial implementation of the feature. In Finland, patients can save health data to their personal health record via well-being applications, but the function is in limited use, only certain applications are accepted, and the data are not yet available to health care professionals []. Furthermore, patients in both Finland and Sweden have asked for more interactivity in their health records, such as the possibility to comment on the notes or request corrections [,].

In the NORDeHEALTH project, we explore how patient input to the EHR might become better designed to adequately meet this function. The EHR has traditionally been available to health care professionals only. Patients report many positive effects from accessing their records, yet to fully achieve the potential benefits of digitalization, we need to further explore how EHRs can shift from being solely a documentation tool for health professionals to a tool for secure collaboration and communication with patients and family caregivers. Here, national patient portals and additional digital services will complement the future development of the EHRs into collaborative, person-centered tools.

Viewpoint

As digitalization is about more than making electronic versions of analog work, we investigate different ways to use the power of digitalization, as provided in .

Textbox 3. Different ways to incorporate patient input to the electronic health record (EHR).Patient input to the EHR in narrative form, for example, patients commenting on notes or contributing with descriptions of their symptoms.Patient-created structured data, for example, patient-reported outcome or experience measures—patient reported outcome measures and patient reported experience measures, and Integration of data and services from third-party applications, for example, self-tracking data, and decision support.
Access ControlThe Proposal

Finally, EHDS proposes increased access control for patients. Patients should be able to request that electronic health data are made accessible to actors in the health or social security sector, and they should also have the right to restrict such access to electronic health data.

Natural persons shall have the right to give access to or request a data holder from the health or social security sector to transmit their electronic health data to a data recipient of their choice from the health or social security sector, immediately, free of charge, and without hindrance from the data holder or from the manufacturers of the system used by that holder [Article 3, §8] []
[...] natural persons shall have the right to restrict access of health professionals to all or part of their electronic health data [Article 3, §9] []
The Research

The Swedish Agency for Health and Care Services Analysis [] reports that the majority of the population accepts and wants digital data about their own care and health to be used so that it is useful, including for safer care and research. At the same time, it is important that the data be handled securely and protected from unauthorized access.

In the NORDeHEALTH 2022 patient survey [], questions related to sharing of the respondents’ records were asked, as well as requests for unwanted record access. Among the Swedish respondents, 4% (501/12,334) of respondents answered that they had experienced that someone had seen their health records without their consent [], a finding that requires further analysis. Although 4% can be considered a low number, it stands in stark contrast to the clear message from policy makers that unauthorized access should not occur [,].

With the increasing possibilities for secondary use of health data, both by research and industry stakeholders, it will become even more important for patients to be aware of how to manage their health data, and consent to sharing it, in a safe way. Further research is needed both to understand patients' incentives for and experiences of sharing their data for secondary use and to identify interventions to increase digital health literacy regarding secondary use specifically.

Viewpoint

Unauthorized access can reduce both patient safety and trust in health care, but it can also erode opportunities for secondary use of health data. Existing controls for information security and privacy, therefore, need to be improved in line with the EHDS proposal.

Conclusions

We argue that with the realization of the EHDS, patients’ opportunities to access and control third-party access to their EHRs are likely to change dramatically. ORA implementation today is fragmented throughout Europe, and the EHDS proposal aims to ensure all European citizens have equal online access to their health data. However, we argue that in order to implement the EHDS, we need more research evidence on the key ORA principles we have identified in our analysis. Results from the NORDeHEALTH project provide some of that evidence, but we have also identified important knowledge gaps that still need further exploration. Research such as that performed in the NORDeHEALTH project offers important firsthand insights and will be essential to inform the design and implementation of ORA to meet the requirements of the EHDS. However, further international collaboration and research, and dedicated funding, are needed to achieve a comprehensive understanding of sociotechnical and contextual factors necessary to consider for ensuring successful, secure, and ethical implementation of EHDS.

This work was supported by the Citizen and Health Data Working Group in the European Federation for Medical Informatics (CHD WG, EFMI). This work was supported by NordForsk through the funding to Nordic eHealth for Patients: Benchmarking and Developing for the Future, NORDeHEALTH (project #100477), the Swedish Research Council for Health, Working Life and Welfare (FORTE) through the funding to Beyond Implementation of eHealth (project #2020-01229), the Strategic Research Council at the Academy of Finland (projects #352501 and #352503), and the Norwegian Centre for E-health Research. CB was supported by a Keane Scholar Award. The study funders played no role in the study design, data interpretation, writing of the results, or decision to submit the manuscript for publication.

Data sharing is not applicable to this article as no data sets were generated or analyzed during this study.

MH and AK prepared the initial draft. All authors participated in revising the text and approved the final manuscript.

None declared.

Edited by T de Azevedo Cardoso; submitted 17.05.23; peer-reviewed by E Meier-Diedrich, J Sippel, O Petrovskaya, Y Feng; comments to author 06.09.23; revised version received 31.10.23; accepted 25.04.24; published 27.06.24.

©Maria Hägglund, Anna Kharko, Annika Bärkås, Charlotte Blease, Åsa Cajander, Catherine DesRoches, Asbjørn Johansen Fagerlund, Josefin Hagström, Isto Huvila, Iiris Hörhammer, Bridget Kane, Gunnar O Klein, Eli Kristiansen, Jonas Moll, Irene Muli, Hanife Rexhepi, Sara Riggare, Peeter Ross, Isabella Scandurra, Saija Simola, Hedvig Soone, Bo Wang, Maedeh Ghorbanian Zolbin, Rose-Mharie Åhlfeldt, Sari Kujala, Monika Alise Johansen. Originally published in the Journal of Medical Internet Research (https://www.jmir.org), 27.06.2024.

This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in the Journal of Medical Internet Research (ISSN 1438-8871), is properly cited. The complete bibliographic information, a link to the original publication on https://www.jmir.org/, as well as this copyright and license information must be included.