Who Controls Your Health Data?

This article is more than 10 years old.

Guest post written by Doug Pollack

Doug Pollack is chief strategy officer at ID Experts, a provider of computer data breach tools and services.

Can you limit access to the psychiatric notes in your chart once they have been entered into your provider’s new Electronic Health Record system?

Does your podiatrist need access to your reproductive health history?

It sounds absurd, but the adoption of electronic health records and Health Information Exchanges could enable this level of access in the future. The goal with these initiatives is to provide access to each American’s medical records in order for physicians to better provide treatment. We are a mere 18 months away from this becoming a reality; 2014 is the year set by the Obama Administration for most Americans to have an electronic health record. Healthcare providers are scrambling to benefit from the billions of federal dollars in “meaningful use” incentives for adopting EHRs.

But does the patient benefit? And, I wonder, who owns the patient data in these electronic health records? Is ownership even the appropriate lens to view this issue?

Whoever the “owner” or custodian is would be responsible for the privacy of this data. But who is that? The patient? The physician? The health plan? The hospital?

It’s a simple question, I thought, and should have a simple answer. Not so. Legally, it’s unclear who owns the data, and in fact, ownership may well be the wrong question. As I did my research, I discovered that the real issue is that of control and responsibilities.

What control does the patient or other member of the healthcare ecosystem have when it comes to accessing, modifying, and transmitting any medical data? I asked an attorney who specializes in patient privacy to help me understand the issue.

“Few federal or state laws talk about ownership of health information,” says Adam H. Greene, a partner with the law firm of Davis Wright Tremaine LLP in Washington, D.C. “Rather, we have a confusing tapestry of federal and state laws governing the level of control that patients have over the sharing of their health information.”

The Great Privacy vs. “Need-to-Know” Debate

At the core of this privacy debate is the assertion that physicians need access to a patient’s records to provide optimal treatment. In his paper, “Debate over patient privacy control in electronic health records,” Mark A. Rothstein, Chair of Law and Medicine at the Louis D. Brandeis School of Law at the University of Louisville, notes that “many physicians assert that patients should not be able to control the content of their health records because doing so would fundamentally change medical practice.” This perspective is fundamentally at odds with that of patient privacy advocates.

On an ironic note, an acquaintance of mine noted the reluctance of providers to share information with patients. With equal reluctance to grant access on both sides, it becomes, as he notes, “not so much about ownership as it is about checks and balances.”

The Economics of EHRs in the Healthcare Ecosystem 

Patient privacy rights aside, the issues of access to electronic health records will impact the business of healthcare on several fronts:

  • What regulatory impacts will EHRs have on how healthcare providers and their business associates share information? 

The HITECH Act, the federal law that promotes EHR adoption through meaningful use incentives, also requires safeguards for protecting patient data. The law gives regulators the ability to impose fines in the million-dollar range.

  • There is the issue of the cost of protecting the most sensitive medical information. 

Greene says that “most states provide patients with a large amount of control over certain categories of health information, such as mental health or HIV information.” Who will pay to provide that control in the era of electronic health information?

In his paper, Rothstein notes a federal initiative that would enable patients to retain control over sensitive categories of medical information. He admits, however, that “there have been no explicit proposals” to bring the proposal past the drawing board. If this is the case, then these controls would have to be implemented after the fact to existing electronic health systems - a costly addition.

  • Healthcare providers could also face civil suits over the unauthorized disclosure of patient data - and the definition of “unauthorized disclosure” in the world of EHRs/HIEs is wide open to interpretation.

This unauthorized disclosure could also limit a patient’s ability to get insurance or a job. Organizations will need to understand their liability.

What We Can Do

Maybe ownership isn’t the right question for the patients’ data in EHRs, but how to implement patient privacy and control over the use of and access to the data certainly is. Our nation can’t afford to keep building out an electronic healthcare system without addressing these issues. No cut-and-dried legal remedy exists. It’s a robust debate with more facets than a well-cut diamond.

I believe the answer lies in the private sector, specifically a consortium of EHR vendors, software developers, and privacy/security professionals. Together, these experts can bring a holistic view of the issue of patient privacy and data control in a way that no governing body can. And we must act now.

I hope it’s not too late.