Who Owns Patient Data?

Who owns a patient’s health information?

  • The patient to whom it refers?
  • The health provider that created it?
  • The IT specialist who has the greatest control over it?

The notion of ownership is inadequate for health information. For instance, no one has an absolute right to destroy health information. But we all understand what it means to own an automobile: You can drive the car you own into a tree or into the ocean if you want to. No one has the legal right to do things like that to a “master copy” of health information.

All of the groups above have a complex series of rights and responsibilities relating to health information that should never be trivialized into ownership.

Raising the question of ownership at all is a hash argument. What is a hash argument? Here’s how Julian Sanchez describes it:

“Come to think of it, there’s a certain class of rhetoric I’m going to call the ‘one-way hash‘ argument. Most modern cryptographic systems in wide use are based on a certain mathematical asymmetry: You can multiply a couple of large prime numbers much (much, much, much, much) more quickly than you can factor the product back into primes. A one-way hash is a kind of ‘fingerprint’ for messages based on the same mathematical idea: It’s really easy to run the algorithm in one direction, but much harder and more time consuming to undo. Certain bad arguments work the same way — skim online debates between biologists and earnest ID (Intelligent Design) aficionados armed with talking points if you want a few examples: The talking point on one side is just complex enough that it’s both intelligible — even somewhat intuitive — to the layman and sounds as though it might qualify as some kind of insight … The rebuttal, by contrast, may require explaining a whole series of preliminary concepts before it’s really possible to explain why the talking point is wrong.”

The question “Who owns the data?” presumes that the notion of ownership is valid, and it jettisons those foolish enough to try to answer the question into a needless circular debate. Once you mistakenly assume that the question is answerable, you cannot help but back an unintelligible position.

Ownership is a poor starting point for health data because the concept itself doesn’t map well to the people and organizations that have relationships with that data. The following chart shows what’s possible depending on a given role.

Click to view larger image

Ergo, neither a patient nor a doctor nor the programmer has an “ownership” relationship with patient data. All of them have a unique set of privileges that do not line up exactly with any traditional notion of “ownership.” Ironically, it is neither the patient nor the provider (when I say “provider,” this usually means a doctor) who is closest to “owning” the data. The programmer has the most complete access and the only role with the ability to avoid rules that are enforced automatically by electronic health record (EHR) software.

So, asking “who owns the data?” is a meaningless, time-wasting, and shallow conceptualization of the issue at hand.

The real issue is: “What rights do patients have regarding healthcare data that refers to them?” This is a deep question because patient rights to data vary depending on how the data was acquired. For instance, a standalone personal health record (PHR) is primarily governed by the end-user license agreement (EULA) between the patient and the PHR provider (which usually gives the patient wildly varying rights), while right to a doctor’s EHR data is dictated by both HIPAA and Meaningful Use standards.

Usually, what people really mean when they say “The patient owns the data” is “The patient’s needs and desires regarding data should be respected.” That is a wonderful instinct, but unless we are going to talk about specific privileges enabled by regulation or law, it really means “whatever the provider/programmer holding the data thinks it means.”

For instance, while current Meaningful Use does require providers to give patients digital access to summary documents, there is no requirement for “complete” and “instant” access to the full contents of the EHR. While HIPAA mandates “complete” access, the EHR serves to make printed copies of digitized patient data completely useless. The devil is in the details here, and when people start going on about “the patient owning the data,” what they are really doing is encouraging a mental shortcut that cannot readily be undone.

Categories: Uncategorized

Tagged as: ,

Leave a Reply

Your email address will not be published. Required fields are marked *