US Senator Urges EHR Vendors to Expand Patient Data Controls

Key Clinical Summary

  • Senator Ron Wyden called on major electronic health record (EHR) vendors to add patient-facing tools that increase transparency and control over medical data sharing to strengthen cybersecurity.
  • The request highlights Epic’s existing feature that notifies patients which organizations access their records and allows them to opt out of sharing.
  • The initiative comes amid rising US health care cyberattacks, including breaches affecting hundreds of millions of patient records.

A leading US lawmaker is pressing electronic health record (EHR) vendors to give patients more visibility and control over who can access their medical data. In a letter sent to 10 health IT companies, Senator Ron Wyden, D-Ore., cited growing cybersecurity threats and pointed to patient control features already adopted by Epic, the nation’s largest EHR vendor, as a potential industry standard.

Main News

Wyden’s letter, shared with Healthcare Dive, was sent to major health IT and EHR firms, including Athenahealth, Oracle Health, Meditech, and Netsmart. The senator asked whether their patient portals or interoperability frameworks include features that allow patients to see which health care organizations have accessed their records and to opt out of data sharing.

The request follows Epic’s implementation of functionality that notifies users when organizations have access to their medical records, prompts them to confirm preferences when receiving sensitive care, and allows them to decline record sharing. Wyden described these tools as a way to balance the benefits of interoperability with the need for strong privacy protections.

“While interoperability improves care by enabling better data sharing, it must be balanced with strong privacy protections for sensitive health information,” Wyden wrote. He warned that current systems allow broad access to patient data nationwide, even when providers are not involved in a patient’s care.

“Currently, the sensitive health data of the vast majority of Americans can be accessed by health providers in states around the country, regardless of whether those providers are actually treating the patient,” Wyden wrote. “Such widespread access exposes patients to the threat of improper access, theft, and leaking of their sensitive health information.”

Wyden asked vendors to respond by January 20, 2026, and to indicate whether they would commit to deploying similar patient control features. He also raised concerns that widespread access to health data could pose national security risks by making it easier for foreign actors to obtain information on military and intelligence personnel.

Clinical Implications

For clinicians and health care organizations, the push underscores growing scrutiny of how interoperability is implemented in US health systems. While data sharing is essential for coordinated care, population health management, and emergency treatment, expanding access without patient awareness may increase vulnerability to breaches and erode trust.

High-profile cyberattacks have amplified these concerns. In 2024, a breach at UnitedHealth-owned Change Healthcare exposed data on nearly 193 million people, the largest health care data breach reported to federal regulators. Additional incidents in 2025 affected organizations such as Yale New Haven Health and DaVita, compromising millions of records.

Netsmart said it “remains engaged in industry discussions related to patient access, consent, and data governance,” according to a company spokesperson.

Conclusion

Wyden’s request places new pressure on US EHR vendors to align interoperability with stronger patient-driven privacy controls. As cyber threats continue to escalate, the outcome of this effort may shape how health systems balance data sharing, patient autonomy, and security in an increasingly digital health care environment.

Reference

Olsen E. Wyden pushes EHR vendors to adopt data privacy features. Medtech Dive. Published December 17, 2025. Accessed January 20, 2026. https://www.medtechdive.com/news/ron-wyden-letter-ehr-vendors-data-privacy/808119/