Who Owns Patient Data in Electronic Health Records?

I recently began exploring the question of who, or what entity, owns the data that is incorporated in our patient electronic health records (EHRs). I originally began thinking about this because I was imagining that the “owner” would be responsible under circumstances where there was an unauthorized disclosure of such protected health information (PHI), in other words a data breach. It seemed like such a simple question, I had assumed I would find the answer to be just as straightforward. As it turns out, many have pondered this question and suggest that the question of “ownership” of medical data may be a misplaced one, an unanswerable question, and that the more relevant question is what control the patient, and other members of the health ecosystem, have relative to accessing, modifying, appending and transmission of this data. In other words, how is patient privacy provided for within the new EHR universe?

The dimensions of legal ownership were investigated by Hall and Shulman in their article “Ownership of Medical Information” published in 2009 in the Journal of the American Medical Association. They explored how property law would be only one of several “legal regimes that control the rights and responsibilities over economic goods” and that contract, tort and regulatory law would also come into play.

They discuss the overlapping rights that exist to patient health records, and note the economic obstacles that inhibit those with some possession of health records, as a result of their IT systems, from having financial motivation to share this information. They also discuss the question of whether the patient has any rights relative to the monetization of their health data. Specifically the ask “should patients be allowed to commercialize access to their medical information?” But they did little to answer my simple question of “who owns patient data”.

In an article aptly titled “Who owns patient data?” by Trotter published in O’Reilly Radar posits that the “notion of ownership is inadequate for health information.” While it seems like it should be an answerable question, he argues that it is inherently unanswerable. That “ownership is a poor starting point for health data because the concept itself doesn’t map well to the people and organizations that have relationships with that data.” It is with this insight that I began to realize that ownership may be the wrong question, and that the better question is who has what rights to access, modify, append, and share our health records.

In exploring the question (as it turns out it really is a debate) of patient privacy control of their electronic health records, a paper by Rothstein titled “Debate over patient privacy control in electronic health records” was published in 2011 in the Bioethics Forum. In reviewing Dr. Rothstein’s learned analysis, I realize that while there has been an exponential increase in the number of physicians using EHRs and patient records housed in EHRs, that the thorny question as to exactly what rights patients have to control the sharing of their health records, along with the mechanisms for sequestering highly sensitive information such as psychotherapy notes, reproductive issues, sexually transmitted disease information, and drug use history, and how any rights would be operationalized, are severely lacking.

In his overview of public hearings for two advisory committees of the Department of Health and Human Services (HHS) regarding privacy concerns raised as a result of EHRs in Washington, D.C. in February, 2011, he highlights three dimensions of the patient privacy concerns.While HIPAA privacy laws are extensive, they don't appear to address any of these three issues and concerns.

1. That healthcare providers will have access to information that they do not need to know. For example, your dentist probably doesn’t need access to your reproductive health history.

2. That individuals applying for jobs and insurance typically are required to authorize disclosure of their entire health record. Given that there are around 25MM such disclosures per year, the concern is broad and the potential for embarrassment, stigma and discrimination is high.

3. That many patients engage in defensive practices with their physicians to limit the sensitive information in their health records. So they either lie, or lie by omission, and may even risk sub-optimal medical care in order to protect the privacy of what they may view as sensitive or embarrassing information.

Rothstein goes on to describe three potential approaches to providing for patient privacy in this new era of networked EHRs. What is very scary to me, however, is that this conversation as to how to implement privacy controls is being carried on just as massive numbers of hospitals and physicians are implementing EHRs and testing their interoperability with Health Information Exchanges (HIEs) in order to capture billions of dollars in funding from the federal government via Meaningful Use grants.

He notes that “many physicians assert that patients should not be able to control the content of their health records because doing so would fundamentally change medical practice.” This position and perspective is one that is fundamentally at odds with that of patient privacy advocates.

The recent second annual Health Privacy Summit, organized by Patient Privacy Rights and its founder, Dr. Deborah Peel, recently took place in Washington, D.C. It brought together a who’s who of experts from every area of the patient privacy ecosystem, including Joy Pritts, Chief Privacy Officer, and Farzad Mostashari, National Coordinator, from the Office of the National Coordinator (ONC) at HHS, and these exact issues were discussed. In an article published in O’Reilly Radar titled “Health care privacy discussed as an aspect of patient control” by Oram just after the conference, he noted the “tension between privacy and the kind of data sharing needed to improve patient care” that existed among and between the speakers.

So the good news is that the question as to how patients will be able to control the accuracy of information in their health record, and the sharing of highly sensitive information that could lead to negative outcomes if shared, and potentially misused, is being discussed and debated. The “other news” is that this debate is taking place while our health information is being amassed into EHRs that are popping up at virtually every location where we are receiving medical services. It really would have been nice if such issues had been discussed and resolved PRIOR to a massive incentive plan and rollout of EHRs. But better late than never.

And of course, the question of “ownership” of our health records is one that is likely to go down as unanswerable or ultimately irrelevant. I’ll try to ask a more intelligent question next time.