Dan Keller's Health Policy
Healthcare Technology Site

Who Owns Patient Data? -- Redux

Not a Simple Question

As I have discussed previously, patients do not "own" the medical data that is about them. I decried this state of affairs and exhorted industry to relinquish this ownership and the patient himself to take more control and involvement. However, the issue is more nuanced than that. I have investigated it further. Here is what I have learned.

This is an evergreen topic and evokes much passion. Perennially, it pops up in on-line discussions. Invariably, some naive well-wisher pipes up, "Patient data is the patient's, of course!" Peter, one of my nursing school professors -- he even claimed to possess a law degree -- made this sadly optimistic assertion. Alas, it is decidedly not so. The good news -- as I'll explain below -- is that it doesn't matter.

But first, who does own it? The answer is simple: the owner is the provider institution (hospital, clinic, care provider, doctor's office, lab, etc.) that created it. Regardless of ownership, most states' laws entitle the patient to access. The other thing that matters to patients is privacy, about which see below. But no, Peter, the patient is not the owner.

The notion of ownership is appealing because it implies a high degree of control. It is soothing to apply familiar concepts of private property to data. However, data is not like the familiar objects of daily life, and the rules that govern it are different.

Furthermore, medical data is unlike other kinds of data. It has its own rules. It is intellectual property yet it is not like inventions that are governed by patent laws that permit their owners to conduct various economic activities. It also is not like works of art whose creators or owners have certain exclusive rights ("copyrights"). Starting in 1996, the rules that govern medical data were codified in The Health Insurance Portability and Accountability Act (HIPAA).

Though it says nothing about ownership, wisely leaving this to the states, the HIPAA legislation thoroughly regulates privacy. Here is a a state-by-state review of how it's been implemented. For the purpose of privacy, ownership has little relevance.

Questions of privacy are not simple. There is a delicate balance between the privacy of the individual versus the public good (e.g. for research) that can be achieved when data is shared.

Ownership of What, Exactly?

When we talk about ownership, what is it we talk about owning? Pieces of paper? Bits in a computer? What matters more is who is responsible for storing it reliably and accessibly, and for safeguarding it, i.e. stewardship. And most important of all is who can see it, copy it, use it, modify it, update and distribute it, i.e. control. These are the real issues: stewardship and control.

HIPAA focuses on these essential aspects. It mandates that patients can know the data-handling practices of medical practitioners and providers; request and, with a few exceptions, obtain the privacy protection of their healthcare information; review and copy their medical record; request that inaccuracies be corrected; and know who has accessed their medical records. It also specifies who is liable if access to the data is breached. In other words, though they do not have ownership, patients can expect an appropriate degree of privacy and they do have control, shared with providers and institutions.

Who Uses Health Data?

Clearly, healthcare providers need to be able to access and update patient data in order to do their work, and HIPAA provides for the patient to sign an Authorization that grants permission for the provider to "collect, use and disclose information about the patient as allowed or restricted by law, and so long as it is in the course of treatment, payment or healthcare operations in accordance with same".

However, patients, providers, and provider institutions are not the only stakeholders. There are competing and legitimate uses for this data that go beyond the needs of the patient and the caregiver. We must also consider researchers, legislators, policy-makers, vendors, and manufacturers. Giving patients blanket control to withhold data from these users would be overreaching.

Research requires access to this data, aggregating and mining it longitudinally, demographically, and epidemiologically once it is de-identified to protect privacy. Legislators need this information to set public policy wisely. Cost/benefit analysis requires data about outcomes. The newly-legislated health information exchanges (HIEs) need it, too, and we benefit from their work. HIPAA provides precise guidance on de-identifying data so that disclosures -- even without express permission from patients -- do not harm them.

Applying these new rules is not simple. Here are some examples of potential conflicts over access to medical data:

  • Should a doctor have to buy the data about his/her patients from an on-line medical record service if he/she decides to change vendors? The vendor controls the database but do they also control the data that is in it?
  • If a medical practice splits up, which provider gets which records?
  • If patient Smith goes to hospital A and then to hospital B, who must pay for Smith's data to follow him (if indeed that happens at all)? Who determines the format of the delivery? If the two hospitals' data formats are incompatible, who is responsible for the conversion?

Who Sets the Policies?

HIPAA is not the only source of medical data policy. Others who offer carefully-crafted guidelines include the American Medical Informatics Association (AMIA) and the American Health Information Management Association (AHIMA). AHIMA addresses the use of this data for commercial purposes such as pharmaceutical development and sales, and manufacturing of medical products. AHIMA's guidelines discuss:

  • Data control and stewardship;
  • Consensus and reasonable policies for privacy and security;
  • Public awareness and improved public health;
  • Policies and procedures to foster trust between stakeholders;
  • Nomenclature and standardized terminology; and
  • Exchange of health information.

In sum, HIPAA and others do the important job of balancing the conflicting needs of medical data stakeholders, and establish appropriate regulations and responsibilities. Ownership is not the real issue. It's time for public discussion to focus on what matters most: stewardship and control.

-- Dan Keller, April 2013

Back to Dan Keller's Health Policy and Healthcare Technology Site.