By Matt Fisher, Esq
Twitter: @matt_r_fisher
The current state of medical data is very complicated. The amount of medical data being created is exploding all of the time. The explosion is being facilitated by the always increasing number of ways of creating it and a broadening array of people or entities how want access to it. More data and exposure also means greater concerns about privacy, which in turn leads to questions of who should own medical data. The primary suggestions are the individual about whom the data relates, medical providers or facilities, or the government.
A recent conversation on Twitter with Dr. Charles Webster (@wareflo) and Leonard Kish (@leonardkish) focused on what it means to own a medical record. The conversations as spurred after a link to an article identifying New Hampshire as the only state where an individual owns their medical record. During the course of the conversation, Dr. Webster posted a link to Much Ado About Data Ownership, an article by Professor Barbara Evans from the University of Houston Law Center published in the Fall 2011 volume of the Harvard Journal of Law & Technology.
Professor Evans’ article examines what data ownership would mean and the impact on privacy. As discussed in the article, Professor Evans suggests that data propertization proposals fall into two general categories: (1) pro-privacy and (2) pro-access. The pro-privacy camp advocates that individuals would own their medical data. The idea is that an if an individual owns their medical data, then that individual could exercise sole and complete dominion over that data. The pro-access approach focuses on ensuring wide and open access to data for research, public health and similar uses.
When examining the pro-privacy approach, Professor Evans undercuts the concept that an individual would ever entirely own data because true and exclusive ownership of any form of property is not an actual concept as the law has developed. Instead, property is always subject public use, public health and other general benefit exceptions. From this perspective, the use and disclosure scheme currently in place through the HIPAA Privacy Rule is not too far off from how individual ownership would likely operate.
After discussing ownership schemes, Professor Evans also examines certain uses of medical data and ideal means of structuring data for such uses. While Professor Evans focuses on research, the discussion is also applicable when considering the ability to share data between providers or have an individual let their data follow them. A big issue is being able to compile a comprehensive record of an individual’s care across all providers. If an individual owns their own data, such a goal could be defeated because an individual may not have authorized disclosure or another issue could pop up. Privacy becomes thornier in the research context because identifiable data or at least unbiased data is very important.
The basic premise of Professor Evans’ article is that ownership is a red herring. Ownership is never absolute regardless of the structure or an individual’s assumptions about what ownership means. As described by Professor Evans, an individual never fully and exclusively owns their property. An exception or way around ownership is almost always present or possible. Often, the most common way around privacy is through government action. The government may take property by eminent domain in the real property context, or establishing the need to use or access data for the general pubic good as in the public health allowed uses found in the HIPAA Privacy Rule.
Given that data can never be kept fully private, the concern about ownership does appear to be overblown. Is ownership really needed? Arguably, ownership is not the real issue at all. Privacy and effective use are not likely to be determined by ownership. The confluence of ownership with privacy is mislaid. Ownership will not and does not ensure privacy.
As came up during the Twitter discussion with Dr. Webster and Mr. Kish, a bigger concern is how data flows. Flow can equate with access, control, usefulness, and more. As many of argued recently, healthcare is experiencing an overall hinderance of workflow.
The widespread use of electronic medical records, the desire to incorporate patient generated data and other recent developments have left many trying to figure out how to use all of the new data. The vast quantities of data are not getting into necessary hands,which is causing frustration on many fronts. Individuals feel as though they cannot access their own medical records, which has given rise to many patient movements including Get My Health Data. Providers feel that data is not organized, cannot be found in an EMR, and too much is required to manipulate data. None of these issues raises an ownership or privacy concern. Instead, the bigger issue is how to get all of the data into the system in a meaningful way for all involved. As such, the issue is really one of workflow.
The issue of workflow is mostly about process. From the legal perspective, the issue of ownership is well established. Property law has a long history. As indicated above, there is no absolute right of ownership in any form of property, which is especially applicable in the healthcare context. The potentially larger question is what impact does the law have on workflow. Many blame HIPAA for hampering the ability of any on the healthcare industry to use or disclose medical data, namely protected health information. Oftentimes, restrictions on data usage are the result of not understanding HIPAA or misapplying its rules.
When HIPAA is fully understood and followed, there should not be unnecessary restrictions on the flow of data within healthcare. Instead, data can move with relative ease, though in a secure and private manner. For example, HIPAA does not prevent an individual from accessing their own data, though there are some hoops to jump through. Additionally, providers are not prevented from sharing data to secure assistance or provide the best treatment possible. It is fully understood that this description of HIPAA is a very gross simplification and glosses over some components that should be amended. Notwithstanding the need for acknowledged changes, the promise for good workflow is present in the existing system. Siloing data and operations cannot continue or be allowed. The key is for all parts of healthcare, from patients to providers to administration to legal to work in unison.
Is ownership of medical data or workflow a Shakespearean comedy (happy ending) or tragedy (sad ending). At this point in time, the end result is not clear nor can an ending really be predicted. However, recognizing the issues can help draw focus and hopefully influence a better outcome.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.