In an era where electronic health records are permeating all aspects of clinical care, who really owns patient data is the question on everybody’s mind. In reality, providers, patients, and health IT vendors all have some ‘justifiable’ proprietorship over health information.
But who has the final say when it comes to the extremely private information patients entrust to their doctors?
All three have a reasonable stake, so perhaps the more valuable question to focus on shouldn’t be who owns the data, but how this data should be used. And then, what kind of privacy controls are in place to stop them from abusing it?
Today we take a look at the highly contested issue of patient data and what providers can and can’t do with health information.
Patient Data Use
Ethically speaking, EHRs should grant patients the greatest degree of ownership. With 80% of Americans concerned about EHR privacy, it’s no surprise patients sometimes want to control and claim ownership of the intimate information housed in their electronic records.
Likewise, hospitals, practices and other healthcare vendors may do the same, which creates conflicts between economic and personal value, as well as a struggle between professional and patient autonomy.
The notion of ownership is an inadequate concept for health information because each proprietor has a unique set of privileges that do not line up exactly with any conventional understanding of “possession.”
For example, while medical providers can obviously change the contents of an EHR, they are not allowed make any edits without maintaining a log of modifications. This is why most EHRs contain the functionality to “sign” EHR data, which establishes a record of any changes made to patient information.
On the other hand, patients probably share the least amount of control over their health information data. Even though they are allowed to comment on and amend health files, these can only be suggested updates to the clinical version of the patient record.
However, patients are allowed to access their electronic records at a moment’s notice to view lab results or check treatment summary documents.
Ironically, it is neither the patient nor the provider who is closest to owning data. Health IT vendors have the most complete access to EHR information. But the situations in which they can access patient data are very limited.
Patient data can only be used by health IT vendors when it’s been approved by the physician or for purposes of software updates and repairs.
Privacy Controls
Data ownership is a security concern, so beginning with a set of security standards could keep entities from abusing patient information for personal gain.
The new HIPAA omnibus rule tries to do that, to a certain extent. Under the new rule, health IT vendors become directly responsible for patient security in their systems. This means practices can no longer be held accountable for vendor mistakes leading to security breaches.
The omnibus rule also sets limits on how personal health information (PHI) can be used for marketing purposes. Before vendors or providers can market a third-party service based on personal health information (PHI), or sell/provide access to this data for payment, they must first get permission from each patient whose PHI will be used.
Providers, patients and vendors all need to work together to guarantee a smooth and secure flow of health information. If each segment follows the guidelines set forth by HHS, then true “ownership” will be inconsequential in light of better, more transparent medical treatment plans.
Do you know what you need when setting up a new medical practice?