Who owns patient data?

Look inside health data access and you'll see why "ownership" is inadequate for patient information.

Who owns a patient’s health information?

  • The patient to whom it refers?
  • The health provider that created it?
  • The IT specialist who has the greatest control over it?

The notion of ownership is inadequate for health information. For instance, no one has an absolute right to destroy health information. But we all understand what it means to own an automobile: You can drive the car you own into a tree or into the ocean if you want to. No one has the legal right to do things like that to a “master copy” of health information.

All of the groups above have a complex series of rights and responsibilities relating to health information that should never be trivialized into ownership.

Raising the question of ownership at all is a hash argument. What is a hash argument? Here’s how Julian Sanchez describes it:

“Come to think of it, there’s a certain class of rhetoric I’m going to call the ‘one-way hash’ argument. Most modern cryptographic systems in wide use are based on a certain mathematical asymmetry: You can multiply a couple of large prime numbers much (much, much, much, much) more quickly than you can factor the product back into primes. A one-way hash is a kind of ‘fingerprint’ for messages based on the same mathematical idea: It’s really easy to run the algorithm in one direction, but much harder and more time consuming to undo. Certain bad arguments work the same way — skim online debates between biologists and earnest ID (Intelligent Design) aficionados armed with talking points if you want a few examples: The talking point on one side is just complex enough that it’s both intelligible — even somewhat intuitive — to the layman and sounds as though it might qualify as some kind of insight … The rebuttal, by contrast, may require explaining a whole series of preliminary concepts before it’s really possible to explain why the talking point is wrong.”

The question “Who owns the data?” presumes that the notion of ownership is valid, and it jettisons those foolish enough to try to answer the question into a needless circular debate. Once you mistakenly assume that the question is answerable, you cannot help but back an unintelligible position.

Ownership is a poor starting point for health data because the concept itself doesn’t map well to the people and organizations that have relationships with that data. The following chart shows what’s possible depending on a given role.

Sourcing Provider

  • Delete their copy of data: No. HIPAA mandates that the provider who creates HIPAA-covered data must ensure that a copy of the record is available. Mere deletion is not a privilege that providers have with their copies of patient records. Most EHR systems enforce this rule for providers.
  • Arbitrarily (without logs) edit their copy of data: No. While providers can change the contents of the EHR, they are not allowed to change the contents without a log of those changes being maintained. Many EHRs contain the concept of “signing” EHR data, which translates to “the patient data entering the state where it cannot be changed without logging anymore.”
  • Correct the provider’s copy of the data: Yes. Providers can correct their copy of the EHR data, providing they maintain a copy of the incorrect version of the data. Again, EHR software enforces this rule.
  • Append to the provider’s copy of the data: Yes. The providers can merely add to data, without changing the “correctness” of previous instances of the data. EHR systems should seamlessly handle this case.
  • Acquire copies of HIPAA-covered data: Sometimes. Depending on the ongoing “treatment” status of the patient, providers typically have the right to acquire copies of treatment data from other treating providers. If they are “fired,” they can lose this right.

Patient rights

  • Delete their copy of data: Yes, they can delete their own copies of their patient records, but requests to providers that their charts be deleted will be denied.
  • Arbitrarily (without logs) edit their copy of data: No. Patients cannot change the “canonical” version of a patient record.
  • Correct the provider’s copy of the data: No. While patients have the right to comment on and amend the file, they can merely suggest that the “canonical” version of the patient record be updated.
  • Append to the provider’s copy of the data: Yes. The patient has the right to append to EHR records under HIPAA. HIPAA does not require that this amendment impact the “canonical” version of the patient record, but these additions must be present somewhere, and there is likely to be a substantial civil liability for providers who fail to act in a clinically responsible manner on the amended data. The relationship between “patient amendments” and the “canonical version” is a complex procedural and technical issue that will see lots of attention in the years to come.
  • Acquire copies of HIPAA-covered data: Usually. Patients typically have the right to access the contents of an EHR system, assuming they pay a copying cost. EHRs frequently make this copying cost unreasonable, and the results are so dense that they are not useful. There are also exceptions to this “right to read,” including psychiatric notes and legal investigations.

True Copyright Ownership (i.e. the relationship you have with a paper you have written or a photo you have taken)

  • Delete their copy of data: Yes. You can destroy things you own.
  • Arbitrarily (without logs) edit their copy of data: Yes. You can change things you own without recording what changes you made.
  • Correct the provider’s copy of the data: No. If you hold copyright to material and someone has purchased a right to a copy of that material, you cannot make them change it, even if you make “corrections.” Sometimes, people use licensing rather than mere “copy sales” to enforce this right (i.e. Microsoft might have the right to change your copy of Windows, etc.).
  • Append to the provider’s copy of the data: No. Again, you have no rights to change another person’s copy of something you own the copyright to. Again, some people use licensing as a means to gain this power rather than just “sale of a copy.”
  • Acquire copies of HIPAA-covered data: No. You do not have an automatic right to copies of other people’s copyrighted works, even if they depict you somehow. (This is why your family photographer can gouge you on reprints.)

IT Specialist

  • Delete their copy of data: Kind of. Regulations dictate that IT specialists and vendors should not have the right to delete patient records. But root (or admin) access to the underlying EHR databases ensures that only people with backend access can truly delete patient records. Only people with direct access to source code or direct access to the database can completely circumvent EHR logging systems. The “delete privilege” is somewhat difficult to accomplish entirely without detection, however, since it is likely that someone (i.e. the patient) will know that the record should be present.
  • Arbitrarily (without logs) edit their copy of data: Yes. Source code or database-level access ensures that patient records can be modified without logging.
  • Correct the provider’s copy of the data: Yes. Source code or database-level access ensures that patient records can be modified without logging.
  • Append to the provider’s copy of the data: Yes. Source code or database-level access ensures that patient records can be modified without logging.
  • Acquire copies of HIPAA-covered data: No. Typically, database administrators and programmers do not have the standing to request medical records from other sources.

Ergo, neither a patient nor a doctor nor the programmer has an “ownership” relationship with patient data. All of them have a unique set of privileges that do not line up exactly with any traditional notion of “ownership.” Ironically, it is neither the patient nor the provider (when I say "provider," this usually means a doctor) who is closest to “owning” the data. The programmer has the most complete access and is the only role with the ability to avoid rules that are enforced automatically by electronic health record (EHR) software.
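The rules the chart attributes to EHR software, and the gap it attributes to database-level access, as an added example (not from the original article or from any EHR product). The `Chart` class, its method names and the hash-chained log are assumptions made for illustration: corrections keep the superseded version, patient amendments sit beside the canonical record, and replaying the log exposes a write that went around it.

```python
import hashlib
import json


class Chart:
    """Constructed model of one chart: canonical versions, patient amendments, audit log."""

    def __init__(self):
        self.versions = []    # canonical entries; corrected ones are kept, not overwritten
        self.amendments = []  # patient additions, stored beside the canonical record
        self.log = []         # hash-chained audit entries (the chaining is an assumption)

    def _audit(self, role, action, detail):
        prev = self.log[-1]["digest"] if self.log else ""
        body = json.dumps([prev, role, action, detail])
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.log.append({"role": role, "action": action, "detail": detail, "digest": digest})

    def append(self, role, text):
        if role == "provider":
            self.versions.append({"text": text, "supersedes": None})
        elif role == "patient":
            self.amendments.append(text)  # never touches the canonical versions
        else:
            raise PermissionError(f"{role} may not append")
        self._audit(role, "append", [text])

    def correct(self, role, index, text):
        if role != "provider":
            raise PermissionError(f"{role} may only suggest corrections")
        self.versions.append({"text": text, "supersedes": index})  # old version stays
        self._audit(role, "correct", [index, text])

    def current(self):
        replaced = {v["supersedes"] for v in self.versions}
        return [v["text"] for i, v in enumerate(self.versions) if i not in replaced]

    def verify(self):
        """Replay the log; False if the chain or the stored data disagrees with it."""
        replay, prev = Chart(), ""
        for e in self.log:
            body = json.dumps([prev, e["role"], e["action"], e["detail"]])
            if hashlib.sha256(body.encode()).hexdigest() != e["digest"]:
                return False
            apply = replay.append if e["action"] == "append" else replay.correct
            apply(e["role"], *e["detail"])
            prev = e["digest"]
        return (replay.versions, replay.amendments) == (self.versions, self.amendments)
```

Someone who can write to the stored versions can usually rewrite the log as well and recompute the chain, so the check only holds if the latest digest is kept somewhere that role cannot reach.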

So, asking “who owns the data?” is a meaningless, time-wasting, and shallow conceptualization of the issue at hand.

The real issue is: “What rights do patients have regarding healthcare data that refers to them?” This is a deep question because patient rights to data vary depending on how the data was acquired. For instance, a standalone personal health record (PHR) is primarily governed by the end-user license agreement (EULA) between the patient and the PHR provider (which usually gives the patient wildly varying rights), while the right to a doctor’s EHR data is dictated by both HIPAA and Meaningful Use standards.

Usually, what people really mean when they say “The patient owns the data” is “The patient’s needs and desires regarding data should be respected.” That is a wonderful instinct, but unless we are going to talk about specific privileges enabled by regulation or law, it really means “whatever the provider/programmer holding the data thinks it means.”

For instance, while current Meaningful Use does require providers to give patients digital access to summary documents, there is no requirement for “complete” and “instant” access to the full contents of the EHR. While HIPAA mandates “complete” access, the EHR serves to make printed copies of digitized patient data completely useless. The devil is in the details here, and when people start going on about “the patient owning the data,” what they are really doing is encouraging a mental shortcut that cannot readily be undone.

Note: This is a refresh of an article originally published here.


  • http://healthcaresecpriv.blogspot.com John Moehrke

    Well said…. Ownership legally can only be applied to physical things. Copyright is the better concept to use for information.

  • http://marktsinfoblog.blogspot.com Mark Thristan

    An interesting and well-thought-out post. HIPAA is not the only fruit, however!
    In Europe, the approach to Data protection and privacy does actually start with the concept that the individual is “owner” of his/her data, and does have rights for withdrawal, retraction, correction, access etc. throughout the chain. Everything from that point on is more a question of “custodianship” (note this is not a legal term, and I am not a lawyer).
    A Dr is the legal custodian of patient clinical data, but still often needs patient permission (“informed consent”) in order to use patient data.
    Likewise any company handling data – in addition to having to deal with archiving, auditing, security and other data protection and privacy concerns, is required to have a Data Protection Officer who is responsible for ensuring the data ownership and custodianship path is not breached.
    This is enacted in Law (European regulation, and individual country laws, such as the Data Protection Act in the UK), and is enforced, and widely known.
    This is not the same, however, as saying that every element is enforced or that there are not significant issues in handling patient data (as this is also considered “sensitive data” on top of already being personal data (and sometimes personally identifiable data)).
    Anyway, your article has reminded me that I must get around to reading my copy of Meaningful Use!

    …Oh, and with regard to John Moehrke’s comment – patients are physical things, and health data is nearly always closely related to the physical. Copyright is for works of creation or authorship, so the territory is much less clear than the statement he makes (I believe).