A Manifesto on Health Data Rights

As a medical patient, I’ve always assumed that my medical records were something that I had a right to – after all, they are about me, and my freedom to share them with a second doctor, or see them myself so I can understand my own medical situation, seems self-evident. It was only the fact that so many of these records were on paper that made it so difficult for them to be shared. Electronic access would change all that.

I was surprised then, when I met recently with a congressman in Washington, a former physician, to talk about healthcare reform. When we moved to the topic of portable health care records, I was quite startled to hear him say “When I was practicing as a physician, I considered those records to be my property.” After all, he said, they were his notes, his analysis. He obviously still felt this way.

Given this disconnect, I was glad to endorse today’s Health Data Bill of Rights:

In an era when technology allows personal health information to be more easily stored, updated, accessed and exchanged, the following rights should be self-evident and inalienable. We the people:

1. Have the right to our own health data

2. Have the right to know the source of each health data element

3. Have the right to take possession of a complete copy of our individual health data, without delay, at minimal or no cost; if data exist in computable form, they must be made available in that form

4. Have the right to share our health data with others as we see fit

These principles express basic human rights as well as essential elements of health care that is participatory, appropriate and in the interests of each patient. No law or policy should abridge these rights.

I urge you to add your voice to mine by endorsing the health data bill of rights.

P.S. If you wonder whether a non-binding manifesto like this can have an impact on the deliberations of government, you have only to look at another similar statement, issued at the end of 2007 by a group of open data activists at a meeting organized by Carl Malamud of public.resource.org at O’Reilly, with support from Google, Yahoo! and the Sunlight Foundation, the 8 Open Data Principles. It was extremely gratifying to recently see the White House blog considering the commitment of the Obama administration to these principles.

Or consider the Robustness principle from RFC 761, the commitment to interoperability that provided a philosophical touchstone for the Internet, and has helped ensure its extraordinary resilience.

Statements of principle do matter. We may not yet have any idea what the exact format of an open health record system will look like, but we don’t need to. If we establish the underlying principle of open exchange, the marketplace can sort out the details.

Health data exchange will unleash one of the great opportunities of the coming decade. Let’s make it happen!

  • I would support this “Bill”. My concern is the health data that is kept and how it is shared and between whom. Clinical Studies? Health Industry? Do Insurances have access to clinic databases? Employers have access to the data?

    Steve Jobs – to name a prominent figure – should have the right to keep his medical records his private thing (despite all attempts by Shareholders and indiscretion of the Wall Street Journal to know every bit).

    Privacy, Security, as well as Transparency (who sees what) should be above any Data Mining, Data Sharing interests of clinics, research, industries and employers. Add it to the Bill, Sir.

  • Alternately, you can do what media producers have always done – insist that any intellectual property they pay for be created on a ‘work for hire’ basis.

    Doctors that respond to such a request by insisting that they – and they alone – retain a proprietary and controlling interest in your medical records should be reminded of their Hippocratic Oath, and the fact that such a blinkered attitude towards IP runs an obvious risk of serious harm to the patient.

  • Should we not, then, have a similar bill of rights for all data collected about us on the Web?

    Also, the list of principles should include the right to be proactively and effectively informed of all data collected, so that we know what data we have the other rights to.


  • The fellow who said, “When I was practicing as a physician, I considered those records to be my property” may have felt that way, but the law hasn’t supported that view for at least 25 years.

  • I love the principle here, and I’ll add my voice to the others.

    The fear I have though is that there are enough morons in the world that will undoubtedly encourage this in order to undermine it. Recognizing our undoubted rights to such data could lead the way to a much more ominous form of data pretexting, whereby legislation had to be drafted to control how people can access data as simple as their own phone records, in order to thwart those that would try to access that data in order to mine it, sell it, or exploit it.


  • Any chance we could get you to post this to http://www.ushealthcrisis.com?

  • Janie Lee, M.Ed.

    I don’t think that medical records should be online, I am totally against it. There are hackers galore and they have already hacked into any computer that they wanted. I don’t see putting health records online as a good sunshine ruling, I see it as a lousy approach to record keeping to tell the truth about it. I really think that only the doctor and I should have access to my or my loved ones’ health care records and if I want to get them and share them then I believe I should have every right to do that from my doctor. What do you think about that?

  • Janie, you are right. Only you and your doctor should have access to your information. That is why they should be online. Because on paper, many eyes can see them. Each time your paper file is hauled out of the back room storage area, 2 or 3 clerks, nurses, assistants all can look at your file, without permission and leave no trace they viewed it. Over the course of a serious illness dozens if not scores of people beyond you and your doctor will be able to see your data. When it is in digital form, there is far more control of who can see it, and if anyone had improper access to it. If you are really serious about security of your records you will want them to be digital.

  • Ben

    Thanks for posting. I’ve been in and out of several Hospitals (2) this year while dealing with an illness. One of the biggest frustrations (excluding the obvious) was the transfer of all records from one hospital to another. I was even told by my former Dr that I couldn’t have the CT scans because “the files were too big to burn to a CD.” He was not pleased with my response. I went to the second hospital with my file (data). The Dr came back several hours after I was admitted saying the file was incomplete. Again more back and forth to finally get what I rightfully own. Obvious concerns about privacy aside, this is a healthy step forward.

  • The “Health Data Bill of Rights” should apply to ALL personally-identifiable data that any company collects about us.

    Such a declaration of rights to our personal data would help us protect our privacy and provide opportunities for us to put the data to good use ourselves.

    Just as one example, Mint.com shouldn’t need complete control of my online bank account to help me understand my finances – I should have a right to download all data my bank stores about me, and I should be able to share that data in read-only format with Mint.com if I so choose.

  • ++ Zak …individuals don’t even know today the extent to which their data is collected, mined, marketed, and used opaquely to make decisions about them that affect their lives.

  • In addition to signing this we need to verbally demand it from our doctors, clinics, and hospitals. My father recently told me of an encounter with a now former doctor of his who required him to repeat numerous tests at a nearby clinic. When my father prodded him about why he needed to repeat these tests he began with technical jargon. Well, it turns out he and his brother own the clinic and generate revenue from these tests. Not everybody asks their doctor tough questions like my father. With electronic medical records one can quickly identify when a doctor orders repeat tests and then send flags/alerts to primary care physician, payment providers, etc. This simple type of alert could save billions of dollars of waste.

  • Pete Austin

    How about:
    (1) The raw data about you should belong to you.
    (2) But the doctor’s expert analysis based on the data should belong to the doctor.

    This seems to satisfy the Health Data Bill of Rights *and* your physician, so it’s presumably how the medical establishment would implement it. Unfortunately I doubt that you, as a non-expert, could get much benefit from (1) without (2), so perhaps this needs more thought.

  • I think that Digital Rights Management (DRM) is the principal problem/solution for taking the next step to the «Web 3.0», the definitely «Semantic Web».

    Thanks to Tim O’Reilly for your clear exposition of a capital concept of the «Work-in-Progress» towards a real «Knowledge Society».

    Julián Chappa

  • TJ Laurenzo

    A few years ago I was at an urgent care facility. When I left I asked for some of the raw data and the response was somewhat cryptic: “The information in your medical records is yours, but the records themselves belong to us.” When I asked how I could get the information, I was told, “We’ll tell you what you need to know and answer any question you have.”

    The issue was not big enough for me to look into further, but if this is the actual interpretation in the wild, that seems mildly insane.

  • The fundamental question is:

    ‘Who owns the data generated from a doctor/hospital visit’?

    It is understandable that the doctor and/or hospital will want to own this data, so that they can learn from aggregate knowledge of individual patient diagnoses.

    It is also understandable that the patient will want to own this data, so that they can easily get a second opinion, or give their entire medical history (compiled from multiple doctors’ visits) to a doctor treating a new condition.

    Perhaps one way of breaking down the manifesto into an actionable structure is to draft a license, similar to the GPL. In the open source world, there are similar tensions regarding copyright. Many projects have a copyright sharing agreement with developers, where both parties can use the code that the developer wrote for their own purposes.

    Similarly, in the healthcare data scenario, it would be beneficial for both the patient and doctor to use data generated from the doctor/patient visit for their own purposes.

    Intertwined with data ownership issues are privacy issues. Does a doctor have a right to use your name when speaking about your condition? Of course not. Does the patient have the right to speak out about a doctor who missed a diagnosis? You bet.

    Thanks for bringing up this problem, Tim. A new approach to healthcare across providers is sorely needed (and has been for decades!) – especially as we move toward a ‘public healthcare option’ which will require patients, doctors, hospitals, and insurance providers to work together more than ever.

  • There needs to be a fifth right, the right to correct false data in the healthcare records.

    The fundamental health care problem is political, not technical. As long as an industry is trying to make a profit on sick people, questions of data management are secondary to the fundamental issue.
    Please see the link from my name for more.

  • I need to OWN my information. I can automatically license it to my physician for the life of our relationship. This should extend to the combined string created by my name, DOB, SSN, and a password. I should be able to sue anybody who uses my personal information without my express permission and that permission should be kept in a common Federal database. Hopefully that would put a damper on the value of data in the hands of databrokers like Elsevier’s and credit brokers. Finally – spammers.


  • I also wanted to stress the point that privacy also should be part of the bill of rights. I want full control esp. over such data. I don’t want my doctor or whoever to share it with whoever he likes.

    As for the expert analysis: If I pay for it I think I also should own it and the same rules of protection should apply esp. because the analysis is maybe the part which is more sensitive.

  • I just discovered Radar and am glad Tim is bringing up such important issues.

    I think patients must have more access to and control over their medical information than they do today. This is clear. I am hoping to help make it happen. But the issue has some important nuances.

    On an idealistic level, I of course see the virtue in patients actually *owning* their medical information and being able to take it with them as they leave doctor #1 and join doctor #2, deleting and adding access rights to doctors, hospitals, and other entities as they wish.

    However, on a practical level, we live in a society where the same patient can turn around and sue doctor #1 who would then have nothing on which to base his/her defense. That doesn’t make sense either.

    Some make the argument that patients don’t have the expertise to understand the medical jargon and doctor-speak in medical records, and therefore should have only limited access. That reasoning doesn’t hold water. More transparency and access will encourage doctors to document care as if the patient will read what they write (as they should have been doing in the first place), leading to more respectful, accurate, and useful medical records. There may be rare exceptions where knowledge of certain medical observations might actually harm the patient, but these should be treated as exceptions and not the rule.

    Others are concerned that currently hospitals and insurance-based medical practices add all sorts of bogus diagnoses and procedure codes in order to game the corrupt insurance system, and that patients will be confused were they privy to this “noise” in their records. To that strange argument, I say that we must reform or eliminate the current insurance system that allows, encourages, and indeed requires (if said hospitals and practices are to stay in business) such inaccurate and wasteful practices.

    Do you know that if you currently use medical insurance in the US, you have already signed a contract giving the insurance company permission to access your records at any time at their discretion? Many of my patients see me precisely because I do not contract with insurance companies and thus am able to offer them a degree of privacy that they find desirable. I would be delighted if the “system” improved to provide a ubiquitous modicum of individual privacy, access, and control.

    Just 2c from a doctor (and former electrical engineer & hacker) in solo practice.

    Paul Abramson, MD, MS
    San Francisco, CA

  • cactusmitch

    Health Data, rights and wrongs.
    The need for privacy is a red herring that the health billing mafia uses to protect its sham operation. Ineffective but lucrative treatments are rampant. Many times these treatments are provided by well meaning but poorly informed practitioners.

    Health data should be anonymized and widely available for analysis.

  • Jennifer McCabe, my most trusted advisor on health 2.0 issues, blogged about why she didn’t sign the declaration:


    Anyone serious on this issue should be following her blog and following her on twitter: http://twitter.com/jensmccabe .


  • Alicia Halliburton

    How much will the Government see?

  • Tex Cano

    Tim (or others), is there a reliable description of the current structure of a ‘medical record’?

    Is there a known common database (or databases) that contain this information? And how is this database accessed by the current parties that have such access?

    What are the standard client-side software applications that provide this access?

    I’ve long wondered about these things, since the days that the medical record was all paper-based.

  • No matter how you turn and twist, no solution will ever be possible without the establishment of the human, constitutional principle: Personal data is Personal Property! Just adapt the iDNA Manifesto which covers this in a simple and effective way.
    See http://pauljansen.eu/iDNA-Manifest3p1.htm