Who owns the health information?
- the patient to whom it refers?
- the health provider who created it?
- the IT specialist who has the greatest control over it?
- the researcher who aggregates it?
- the health 2.0 company that harvested it?
the notion of ownership is inadequate for health information. No one has an absolute right to destroy health information. But we all understand what it means to own an automobile: You can drive the car you own into a tree or into the ocean if you want to. No one has the right to do things like that a “master copy” of health information.
All of the groups above have a complex series of rights and responsibilities relating to health information that should never be trivialized into ownership.
But asking the question at all is a hash argument.
What is a hash argument?
Come to think of it, there’s a certain class of rhetoric I’m going to call the “one way hash” argument. Most modern cryptographic systems in wide use are based on a certain mathematical asymmetry: You can multiply a couple of large prime numbers much (much, much, much, much) more quickly than you can factor the product back into primes. A one-way hash is a kind of “fingerprint” for messages based on the same mathematical idea: It’s really easy to run the algorithm in one direction, but much harder and more time consuming to undo. Certain bad arguments work the same way—skim online debates between biologists and earnest ID (Intelligent Design) aficionados armed with talking points if you want a few examples: The talking point on one side is just complex enough that it’s both intelligible—even somewhat intuitive—to the layman and sounds as though it might qualify as some kind of insight… The rebuttal, by contrast, may require explaining a whole series of preliminary concepts before it’s really possible to explain why the talking point is wrong.
At some point I will modify this article to actually do the rebuttal. At this point it is enough to say that -even asking the question- who owns the data is creating a hash argument. The question presumes that the notion of ownership is valid and jettisons those foolish enough to try and answer the question into needless circular debate. Once you mistakenly assume that the question is answerable you cannot help but back an unintelligible position.
People asking this question at conferences is a pet peeve for me.
(update 2012: fleshing out this post, for reposting to radar)
So the reason that “ownership” does not apply to well to health data is that “ownership” means a little too much to apply well for anyone. Here is a quick chart that shows what is possible depending on a given role.
|Person/Privilege||Delete their copy of data||Arbitrarily (without logs) edit their copy of data||Correct the providers copy of the data||Append to the providers copy of the data||Acquire copies of HIPPA covered data|
|Sourcing Provider||No. HIPPA mandates that the provider who creates HIPAA covered data must ensure that a copy of the record is available. Mere deletion is not a privilege that a provider has with their copies patient records.||No. While the provider can change the contents of the EHR, they are not allowed to change the contents without a log of those changes being maintained. Many EHRs contain the concept of “signing” EHR data, which translates to “the patient data entering the state where it cannot be changed without logging anymore”.||Yes. The provider can correct their copy of the EHR data, providing the maintain a copy of the incorrect version of the data.||Yes. The providing merely add to data, without changing the “correctness” of previous instances of the data.||Sometimes. Depending on the providers ongoing “treatment” status of the patient, they typically have the right to acquire copies of treatment data from other treating providers. If they are “fired” then they can lose this right.||Patient rights||Yes they can delete their own copies of their patient records, but requests to providers that their charts be deleted will be denied.||No. Patients cannot change the “canonical” version of a patient record||No. While a patient has the right to comment on and amend the file, they can merely suggest that the “cannonical” version of the patient record be updated.||Yes. The patient has the right to append to EHR records under HIPPA. HIPPA does not require that this amendment impact the “canonical” version of the patient record, but these additions must be present somewhere, and there is likely to be a substantial civil liability for providers who fail to act in a clinically responsible manner on the amended data. The relationship between “patient amendments” and the “canonical version” is a complex procedural and technical issue that will see lots of attention in the years to come.||Usually. A patient typically has the right to access the contents of an EHR system assuming they pay a copying cost. EHRs frequently make this copying cost unreasonable and the results are so dense that they are not useful. There are also exceptions this “right to read” which includes psychiatric notes, and legal investigations.|
|True Copyright Ownership (i.e. the relationship you have with paper you have written or a photo you have taken).||Yes. You can destroy things you own.||Yes. You can change things you own without recording what changes you made.||No. If you hold copyright to material and someone has purchased a right to a copy of that material, you cannot make them change it, even if you make “corrections”. Sometimes, people use licensing rather than mere “copy sales” to enforce this right (i.e. Microsoft might have the right to change your copy of Windows, etc…)||No. Again you have no rights to change another persons copy of something you own the copyright to. Again, some people use licensing as a means to gain this power rather than just “sale of a copy”.||No. You do not have automatic right to copies of other peoples copyrighted works, even if they depict you somehow. (this is why your family photographer can gouge you on reprints.|
Ergo: neither a patient, nor a doctor has an “ownership” relationship with patient data. So asking “who owns the data” is a meaningless time-wasting and shallow conceptualization of the issue which is at hand.
The real issue is: “What rights to patients have regarding healthcare data that refers to them?” This is a deep question because patient rights to data vary depending on how the data was aquired. For instance a PHR record is primarily governed by the EULA between you and the PHR provider (which usually gives you wildly varying rights depending), while right to your doctors EHR data is dictated by both HIPPA and Meaningful Use standards.
Usually, what people really mean when they say “The Patient owns the data” is “The patients needs and desires regarding data should be respected”. That is a great instinct, but unless we are going to talk about very specific privileges enabled by regulation or law, it really means “Whatever the provider holding the data thinks it means”.
For instance, while current Meaningful Use does require providers to give patients digital access to summary documents, there is no requirement for “complete” and “instant” access. While HIPPA mandates “complete” access, the EHR serves to make printed copies of previously digitized patient data completely useless. The devil is in the details here and when people start going on about “the patient owning the data” what they are really doing is encouraging a mental shortcut that cannot readily be undone.