Who Really Owns Your Health Data?
Updated: Jul 25, 2019
It was not that long ago that nine out of ten U.S. doctors stored their patients' records in color-coded files and updated them by hand. Now, approximately 85% of nationwide office-based physicians are using electronic health records (EHRs). Similarly, more than 90% of large, medium, small rural and critical access hospitals are currently using EHRs. If you visit a doctor today or are admitted to a hospital, there is a pretty good chance that your doctor will enter your medical record into an EHR, which you can subsequently view and download from a dedicated web portal. If you have ever wondered, “Does my health information belong to me or to my doctor?” you are not alone.
There are many people or entities who could claim ownership over a patient’s medical information. Does your physician own it? The medical institution? Some third party? In general, ownership of information belongs to the individual or company who created or authored that information. For example, intellectual property laws protect “original works of authorship.” Medical records represent professional medical opinions of a physician or a medical institution, and therefore may not necessarily be the patient's property.
Why shouldn't individuals own their medical records? After all, these medical records contain their personal health information and were created for them. Lab work is literally a part of the patient -- why should other people own that?
Every state has different laws (registration required) about who owns medical records. New Hampshire is the only state that explicitly gives patients ownership of their health data, and most states don't have any law delineating the custody of records. However, today most systems provide patients access to information through a web portal. It shows a list of person’s health conditions in easy to understand terms, lists medications she is currently taking and includes lab and imaging study results, as well as recommended health measures.
Under federal and state law, patients have legal privacy, security and accuracy rights related to their health information. However, once that information is captured and documented in written or electronic form (e.g., paper chart or electronic data file), and since the health care provider owns the media in which the information is recorded and stored, the health care provider gains the property right of possession of data. In essence, the health care provider becomes the legal custodian of your health care record and is given specific legal rights and duties relating to possession and protection of that health record.
If you don’t “own” your medical data, then what does all this talk of “patient’s data ownership” really mean? Rather than ownership, it’s the idea of having access and control over your data that you should be focusing on.
For example, the patient has a right to view and get copies of her health information, as well as request changes to the information. Patients also have a right to get their health records in the format they choose -- some patients may want electronic copies of medical records, others might want to download them from a web portal and still others may use standard interfaces to access their information in EHRs. This is really important because it allows individuals to retain a copy of their health records in their custody and this has profound implications for how consumers finally become active participants in their health and wellness. Regardless of who owns their medical records, when patients have a copy of their health records that are readily accessible on their phones, for instance, they become more aware and engaged. What's more, engaged patients are healthierpatients.
Imagine a time when users will be able to easily review their health data, share it with third parties like hospitals and doctors or sell it to pharmaceutical and research companies that are conducting clinical trials. Access to these records has never been easier -- more than 80% of patientssaid that their online medical records were easy to understand and useful for monitoring their health.
It is clear that full patient’s access to medical data is just a matter of time and it will have significant implications on everything from patient’s health to the ways we shop and pay for health care. What’s important to remember is that personal health records that are not part of a medical provider’s electronic health record are not considered to be legal records and therefore are not HIPAA covered entities. Meaning, once you download a copy of your medical records, that copy is yours. You can do whatever you want with it even though the health care provider remains the legal custodian of your health records and is required to comply with specific regulations relating to possession and protection of your health data. If the health care provider de-identifies or removes your personal information, that data is no longer protected under the Health Insurance Portability and Accountability Act (HIPAA). It can be used for a number of purposes, including aggregation into a specific data set that may be “owned” by the creator of that data set. There is a lot of interest from pharmaceutical and medical research companies in obtaining data that has information about patient’s treatment and outcomes but does not include patient’s personal information. These datasets become valuable commodities and can be bought or sold without your knowledge or consent. In fact, it is a multibillion-dollar market, but you are not getting a dime.
Your physical health records belong to your health care provider, but the information in it belongs to you. Having ownership and control over that information helps you ensure that your personal medical records are correct and complete. It makes you more engaged and healthier! It enables you to understand how your data is being shared. Last but not least, it allows you to treat your health care data as a digital asset that you can donate for research or sell for a monetary benefit. After all, it is your body and your data.