Saturday, July 02, 2011

Who Owns Patient Data?

If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of every one, and the receiver cannot dispossess himself of it. Its peculiar character, too, is that no one possesses the less, because every other possesses the whole of it. He who receives an idea from me, receives instruction himself without lessening mine; as he who lights his taper at mine, receives light without darkening me. -- Thomas Jefferson

Topic 3 on the June 20 #HITsm Tweetchat got into discussions of who owns patient data. The moral high ground today seems to be towards "patient ownership."  Reality is just a bit different, and I think the discussion of ownership is not all that useful.  It should be about rights and responsibilities with respect to patient data, rather than a discussion of ownership.  My statement on this is remarkably similar to a post made by Dave Hitz on his blog.

With all due respect to patient advocates who claim ownership of the data, I don't see this enshrined in law, nor do I think "ownership" should be.  The challenge to think about are the needs of providers, who collect and organize this data to run their practices. The existence and organization of that data is essential to their practice.  Could you imagine the merger, acquisition or other disposition of a healthcare provider practice where the data they used to operate didn't go with the business?  Would that benefit patients? Almost certainly not.

What I do see in regulation is the right to obtain the data that a provider has on me (or you).  If you think about it, data is something easily shared.  After all, it's pretty easy to make copies of information, as Jefferson alludes to in the above quote.

As of now, the HIPAA Privacy regulation gives patients the right to access their information under 45 CFR §164.524 and the right to amend it under 45 CFR §164.526. Providers have the responsibility to make it available and to amend it as appropriate subject to review by the provider (with respect to accuracy,  appropriateness and source).  There are a lot of caveats here which clearly need to be change.  Provisions of this regulation are the cause of Regina Holliday's 73¢ Mural.

HITECH and Meaningful Use change that, but they assert it as a provider responsibility, rather than a patient right.  Providers that want to obtain Meaningful Use incentives have to provide patients with an electronic copy of their record within three business days of the request (instead of the 30 allotted by HIPAA) for at least 50% of patients making the request.  This is a pretty low bar.

I'm certainly in agreement with the majority that believe patients should have better rights to their data than currently available in law or regulation, but when we talk about ownership, it only confuses the issue.

Keith W. Boone is a Standards Geek for GE Healthcare. He is a member of the HL7 Board, and co-chairs the Patient Care Coordination Planning Committee for Integrating the Healthcare Enterprise. Keith writes regularly on his blog about Healthcare Standards.


June 22, 2011 | Keith W. Boone