Who Owns Patient Data In Electronic Health Records? – Redux

My June 15th, 2012 post on this topic has generated a flurry of activity within the HIMSS discussion group on LinkedIn. With 150 comments and counting, I am somewhat amazed that there are so many dimensions of, and perspectives on, this question, especially among health information management professionals. This post is my attempt to summarize some of what I’ve learned in reviewing the comments and delving further into the available research.

First, the concept of “ownership” of patient data in electronic health records (EHRs) is simple and appealing to many individuals. In many of the discussion posts, knowledgeable professionals assert, “of course, it is the patient who owns their medical data”. I believe this speaks to just how compelling this concept is at first blush. In our society and our legal structure, ownership implies a very high level of control that is comforting given the sensitive nature of our health information. In this discussion, what I see is a perspective that it is somehow “right” that patients should own their medical record information.

But as Dr. Evans notes in her paper “Much Ado About Data Ownership”, there is a balancing act between a patient’s strict ability to control dissemination of their medical information and the potential public good derived from such sharing of data. In this paper, she states that:

“The pro-privacy proposals rest on a mythical view of private property. Three centuries ago Sir William Blackstone noted how the human imagination is drawn to the idea of property as ‘that sole and despotic dominion which one man claims and exercises over external things of the world in total exclusion of the right of any other individual in the universe.’ This idea resonates with the ‘autonomy über alles’ strand of privacy advocacy that asserts that a patient’s right to control access to health data should trump all other interests, even society’s interest in conducting studies that might save or improve other people’s lives.”

While current privacy laws and regulations do provide the patient with significant rights that might otherwise be associated with “ownership” of their medical data, the concept of ownership in this context appears flawed.

Which brings us to my second point, that ownership is clearly a legal construct, and it does not appear that anyone has provided a reference to state or federal law that specifically speaks to ownership of patient data in electronic health records. I found one of Dr. Lafky’s comments thoughtful on this topic, and have seen it reflected in numerous other opinions and studies.

“Many people consider the collected and interpreted medical facts about themselves to be private, and assert ownership over these. But what they really seek, in my opinion, is to control dissemination of the information, which if they truly owned the information, would give them certain rights in that regard. But the ownership model is not robust in this case, since to exercise it requires painstaking specification of who is permitted to do what with each datum. It has been largely impossible to produce broader rules that cover even routine situations and preferences under an ownership model.”

In Dr. Evans’s research, as well as in other work noted in my earlier post, there is a persuasive argument that “ownership” isn’t the right question, and that the better question is about the relative control and responsibilities of all parties in the healthcare ecosystem that potentially touch, transmit, or otherwise interact with EHRs. She in fact suggests that “propertization” of health data wouldn’t actually lead to better protections than are currently stipulated under the law. She notes that:

“The urge to propertize health data needs to be weighed skeptically and with a clear understanding of how property rights actually work. If pursued, data ownership may disappoint many of its proponents because of a surprising truth: the framework of patient entitlements and protections afforded by the HIPAA Privacy Rule and the Common Rule is strikingly similar to what patients would enjoy if they owned their data.”

Lastly and most importantly, however, this discussion has elevated my level of concern that the rush towards digitization and electronic distribution of medical health records based on the financial motivations of “meaningful use” has inherent patient privacy risks that haven’t been well thought out and addressed. Indicative of this disquieting fact is that there is such a lively debate about “ownership”, rights of control, and responsibilities for the caretakers of patient medical and health data.

This situation is one where it feels like the genie is already out of the proverbial bottle. When I visit my doctor or check into the hospital for a procedure, information about me, my medical conditions, my prescription history, the doctor’s diagnosis, and the recommended treatment regimen, among other information, is entered into an EHR system. As my doctor’s clinic and my hospital strive to reach meaningful use, they will participate within a health information exchange (HIE), which will allow all of this information, and more, to flow out into the ether, in many cases without my express permission.

All of this is moving too quickly. The push is towards implementing these systems in order to obtain meaningful use funds. While “ownership” of all this data may not turn out to be the right question, or the right legal approach to address the associated concerns, there is a very real need for practitioners across this ecosystem to place significant focus and resources on achieving a workable model that better empowers the patient to exert an appropriate level of control over the distribution and uses of their medical records.

As I stated in my recent article in Forbes, “our nation can’t afford to keep building out an electronic healthcare system without addressing these issues. No cut-and-dried legal remedy exists. It’s a robust debate with more facets than a well-cut diamond. I believe the answer lies in the private sector, specifically a consortium of EHR vendors, software developers, and privacy/security professionals. Together, these experts can bring a holistic view of the issue of patient privacy and data control in a way that no governing body can.”

What do you think? How best to get the genie back in the bottle long enough to get our arms around these issues?
