
EHR Privacy – Who Owns the Data…the Vendor or the Patient?

There has been a lot of discussion recently in regard to the ownership of patient data in the electronic health records of providers, and the rumblings continue as I speak with folks at this year’s mHealth Summit, though the issues of ownership and privacy are readily confused.

Privacy and ownership are two closely related concepts.  Both are relevant in the context of mobile health, for different reasons.  I suggest that patients should expect that in a well-functioning and affordable health care system, their commercial ownership (i.e. the right to profit from its use) and privacy expectations cannot be absolute.  They must be tempered by the needs of a well-run and affordable system.  This is a fundamental policy issue that must be resolved before additional barriers to a connected health world are created.

Traditional ownership and privacy rights assume that no one other than the patient has a stake in personal health information.  Patients consent to disclosure to the health care providers who need the information in order to treat them.  If a third-party payor is involved, it is also necessary to permit the payor access to help ensure that the payments are appropriate and correct.

However, there are good reasons why the patient’s rights should be qualified.  I suggest that the patient’s ownership and privacy rights must be limited by the legitimate needs of others to make (appropriate and limited) use of the data.  In my opinion, a patient who uses the health care system cannot wall off access to all of their personal information.

The societal stake in preventing disease transmission, regulating the efficacy and safety of devices and therapeutics, and covering the cost burden of disease dictates that payors and appropriate authorities should have certain rights to the data.  Providers should have rights to use clinical information to improve the quality and efficacy of their services.  IT vendors would arguably have similar legitimate needs for access to the information for the purpose of improving their platforms.

I believe that the basics of a rational system are simple:

  • Any person or organization with access to patient information should maintain its privacy.
  • An owner and anyone designated by the owner will normally be the only persons entitled to make it available to new parties.
  • If you use the health care system, you cannot opt out of reasonable sharing of private information or commercialization of a “large” pool of de-identified data.
  • Some of the nuances:
    • When is a pool of information large enough to qualify?
    • What are the permitted uses of such a pool of information or should there be any limitations?
    • Should an opt-out mechanism be included?

Government and taxpayers are the major source of funding for health care, but the system we have is unmanageable and inefficient.  In order to gain the benefits of modern innovation, technology, big data and global cloud-based systems, we need to rethink ownership and privacy rights and avoid creating new barriers to the creation of an affordable and broadly accessible system for connected personal health and health care.
