August 20, 2012
Who owns a patient’s health information?·The patient to whom it refers?·The health provider that created it?·The IT specialist who has the greatest control over it?The notion of ownership is inadequate for health information. For instance, no one has an absolute right to destroy health information. But we all understand what it means to own an automobile: You can drive the car you own into a tree or into the ocean if you want to. No one has the legal right to do things like that to a “master copy” of health information.All of the groups above have a complex series of rights and responsibilities relating to health information that should never be trivialized into ownership.Raising the question of ownership at all is a hash argument. What is a hash argument? Here’s how Julian Sanchez describes it:
“Come to think of it, there’s a certain class of rhetoric I’m going to call the ‘one-way hash‘ argument. Most modern cryptographic systems in wide use are based on a certain mathematical asymmetry: You can multiply a couple of large prime numbers much (much, much, much, much) more quickly than you can factor the product back into primes. A one-way hash is a kind of ‘fingerprint’ for messages based on the same mathematical idea: It’s really easy to run the algorithm in one direction, but much harder and more time consuming to undo. Certain bad arguments work the same way — skim online debates between biologists and earnest ID (Intelligent Design) aficionados armed with talking points if you want a few examples: The talking point on one side is just complex enough that it’s both intelligible — even somewhat intuitive — to the layman andsounds as though it might qualify as some kind of insight … The rebuttal, by contrast, may require explaining a whole series of preliminary concepts before it’s really possible to explain why the talking point is wrong.”
The question “Who owns the data?” presumes that the notion of ownership is valid, and it jettisons those foolish enough to try to answer the question into a needless circular debate. Once you mistakenly assume that the question is answerable, you cannot help but back an unintelligible position.Ownership is a poor starting point for health data because the concept itself doesn’t map well to the people and organizations that have relationships with that data. The following chart shows what’s possible depending on a given role.
Person / PrivilegeDelete their copy of dataArbitrarily (without logs) edit their copy of dataCorrect the provider’s copy of the dataAppend to the provider’s copy of the dataAcquire copies of HIPAA-covered dataSourcing ProviderNo. HIPAA mandates that the provider who creates HIPAA-covered data must ensure that a copy of the record is available. Mere deletion is not a privilege that providers have with their copies of patient records.
Most EHR systems enforce this rule for providers.No. While providers can change the contents of the EHR, they are not allowed to change the contents without a log of those changes being maintained. Many EHRs contain the concept of “signing” EHR data, which translates to “the patient data entering the state where it cannot be changed without logging anymore.”Yes. Providers can correct their copy of the EHR data, providing they maintain a copy of the incorrect version of the data. Again, EHR software enforces this rule.Yes.
The providers can merely add to data, without changing the “correctness” of previous instances of the data. EHR systems should seamlessly handle this case.Sometimes. Depending on the ongoing “treatment” status of the patient, providers typically have the right to acquire copies of treatment data from other treating providers. If they are “fired,” they can lose this right.Person / PrivilegeDelete their copy of dataArbitrarily (without logs) edit their copy of dataCorrect the provider’s copy of the dataAppend to the provider’s copy of the dataAcquire copies of HIPAA-covered dataPatient rightsYes, they can delete their own copies of their patient records, but requests to providers that their charts be deleted will be denied.No. Patients cannot change the “canonical” version of a patient record.No.
While patients have the right to comment on and amend the file, they can merely suggest that the “canonical” version of the patient record be updated.Yes. The patient has the right to append to EHR records under HIPAA. HIPAA does not require that this amendment impact the “canonical” version of the patient record, but these additions must be present somewhere, and there is likely to be a substantial civil liability for providers who fail to act in a clinically responsible manner on the amended data. The relationship between “patient amendments” and the “canonical version” is a complex procedural and technical issue that will see lots of attention in the years to come.Usually.
Patients typically have the right to access the contents of an EHR system, assuming they pay a copying cost. EHRs frequently make this copying cost unreasonable, and the results are so dense that they are not useful. There are also exceptions to this “right to read,” including psychiatric notes and legal investigations.Person / PrivilegeDelete their copy of dataArbitrarily (without logs) edit their copy of dataCorrect the provider’s copy of the dataAppend to the provider’s copy of the dataAcquire copies of HIPAA-covered dataTrue Copyright Ownership (i.e. the relationship you have with a paper you have written or a photo you have taken)Yes.
You can destroy things you own.Yes. You can change things you own without recording what changes you made.No. If you hold copyright to material and someone has purchased a right to a copy of that material, you cannot make them change it, even if you make “corrections.” Sometimes, people use licensing rather than mere “copy sales” to enforce this right (i.e. Microsoft might have the right to change your copy of Windows, etc.).No. Again, you have no rights to change another person’s copy of something you own the copyright to. Again, some people use licensing as a means to gain this power rather than just “sale of a copy.”No.
You do not have an automatic right to copies of other people’s copyrighted works, even if they depict you somehow. (This is why your family photographer can gouge you on reprints.)Person / PrivilegeDelete their copy of dataArbitrarily (without logs) edit their copy of dataCorrect the provider’s copy of the dataAppend to the provider’s copy of the dataAcquire copies of HIPAA-covered dataIT SpecialistKind of. Regulations dictate that IT specialists and vendors should not have the right to delete patient records. But root (or admin) access to the underlying EHR databases ensure that only people with backend access can truly delete patient records. Only people with direct access to source code or direct access to the database can completely circumvent EHR logging systems.
The “delete privilege” is somewhat difficult to accomplish entirely without detection, however, since it is likely that someone (i.e. the patient) will know that the record should be present.Yes. Source code or database-level access ensures that patient records can be modified without logging.Yes. Source code or database-level access ensures that patient records can be modified without logging.Yes. Source code or database-level access ensures that patient records can be modified without logging.No. Typically, database administrators and programmers do not have the standing to request medical records from other sources.
Ergo, neither a patient nor a doctor nor the programmer has an “ownership” relationship with patient data. All of them have a unique set of privileges that do not line up exactly with any traditional notion of “ownership.” Ironically, it is neither the patient nor the provider (when I say “provider,” this usually means a doctor) who is closest to “owning” the data. The programmer has the most complete access and the only role with the ability to avoid rules that are enforced automatically by electronic health record (EHR) software.So, asking “who owns the data?” is a meaningless, time-wasting, and shallow conceptualization of the issue at hand.The real issue is: “What rights do patients have regarding healthcare data that refers to them?” This is a deep question because patient rights to data vary depending on how the data was acquired.
For instance, a standalone personal health record (PHR) is primarily governed by the end-user license agreement (EULA) between the patient and the PHR provider (which usually gives the patient wildly varying rights), while right to a doctor’s EHR data is dictated by both HIPAA and Meaningful Use standards.Usually, what people really mean when they say “The patient owns the data” is “The patient’s needs and desires regarding data should be respected.”
That is a wonderful instinct, but unless we are going to talk about specific privileges enabled by regulation or law, it really means “whatever the provider/programmer holding the data thinks it means.”For instance, while current Meaningful Use does require providers to give patients digital access to summary documents, there is no requirement for “complete” and “instant” access to the full contents of the EHR. While HIPAA mandates “complete” access, the EHR serves to make printed copies of digitized patient data completely useless.
The devil is in the details here, and when people start going on about “the patient owning the data,” what they are really doing is encouraging a mental shortcut that cannot readily be undone.Fred Trotter is a recognized expert in Free and Open Source medical software and security systems and is the author of Meaningful Use and Beyond: A Guide for IT Staff in Health Care. He has spoken on those subjects at the SCALE DOHCS conference, LinuxWorld, DefCon and is the MC for the Open Source Health Conference. This post first appeared on O’Reilly Radar.