Horcruxes in Healthcare: Who Owns Your Medical Identity?

In the now-classic Harry Potter series, the villain Voldemort cannot tolerate the idea of death. The most horrific of his many attempts at immortality is when he splits his soul into seven pieces, and “stores” them in powerful objects—so-called Horcruxes. To ensure his survival, Voldemort spreads the Horcruxes far and wide.

Similarly, our personal medical information is scattered far and wide. The recent article, Medical Data Everywhere: Health Revolution or Time Bomb?, identifies just a few healthcare Horcruxes: electronic health records, health information exchanges (HIEs), cloud computing, and a “universe of devices,” including tablet computers, medical implants, and Fitbits.

Download: Criminal attacks are now leading cause of healthcare breaches

The Murky Question of Identity Ownership

Arguably, Voldemort “owned” his Horcruxes—they held pieces of his soul, after all. When it comes to our medical identity, the question of ownership is not so clear-cut. The seemingly obvious answer would be us, as patients.

But a fascinating map from healthinfolaw.org reveals that only one out of 50 states—New Hampshire—has a law that says the patient owns the information in his or her medical record. Twenty-one states, including California, Florida, and Texas, give data ownership to hospitals or physicians. The remaining 28 states have no such laws at all.

A Radar.O’Reilly article by Fred Trotter, “Who owns patient data?” suggests that the “notion of ownership is inadequate for health information.” While it seems like it should be an answerable question, he says that “ownership is a poor starting point for health data because the concept itself doesn’t map well to the people and organizations that have relationships with that data.”

The Golden Rule of PHI

Rather than ownership, the more important question is, as I discovered a few years back, is who has what rights to access, modify, append, and share our health records.

In other words, how is patient privacy provided for within the digital universe? One powerful idea is providers as “data stewards.” As one article in Medical Economics puts it, “Experts now counsel physicians against the concept of data ownership entirely. Instead, they encourage physicians to consider themselves ‘stewards’ of the data within their possession and administrative control.”

Several years ago, the National Committee on Vital and Health Statistics issued a primer on data stewardship. The agency put a biblical spin on its definition: “The fundamental tenet of data stewardship might be expressed as Do unto the data of others as you would have others do unto yours.”

The primer goes on to list four principles and practices of data stewardship:

1. Individual rights, such a person’s right to access or correct one’s own data
2. The responsibilities of the health data steward, such as ensuring “Data quality, including integrity, accuracy, timeliness, and completeness”
3. Needed security safeguards and controls
4. Accountability, enforcement, and remedies. These include policies for data use and accountability, plus consequences for violation and remediation for affected individuals.

We Must Be Good Data Stewards
With a little help from his friends, Harry Potter destroys all of Voldemort’s Horcruxes. But our sensitive medical information lives on in the indestructible Horcruxes of EHRs, the cloud, health information exchanges, and even the Apple Watch strapped to our wrists. The individual patient’s ability to control access and use of their data is limited, at best. Nonetheless, the accelerated pace of cyberattacks on healthcare and other data requires patients, healthcare providers, insurers, regulators, and vendors in the private sector to band together to be good stewards of the data that does pass through our hands.

Download: Criminal attacks are now leading cause of healthcare breaches