Who owns protected health information?

Given all the attention being paid to protected health information (PHI), you’d think we would already have answered some of the basic questions, beginning with who actually owns it.

But according to this data security expert, you'd better think again.

“I recently began exploring the question,” Doug Pollack begins his reflection, “of who, or what entity, owns the data that is incorporated in our patient electronic health records (EHRs). I originally began thinking about this because I was imagining that the ‘owner’ would be responsible under circumstances where there was an unauthorized disclosure of such protected health information [PHI], in other words a data breach. It seemed like such a simple question, I had assumed I would find the answer to be just as straightforward.”

On the contrary, what he actually finds is a series of questions that, like a ball of yarn with one end loose, just keeps on getting longer. His search is a good read because he points to a number of perspectives on the question.

For example, the authors of a piece that ran in 2009 in the Journal of the American Medical Association “discuss the overlapping rights that exist to patient health records, and note the economic obstacles that inhibit those with some possession of health records, as a result of their IT systems, from having financial motivation to share this information. They also discuss the question of whether the patient has any rights relative to the monetization of their health data.”

Another piece argues that “…ownership is a poor starting point for health data because the concept itself doesn’t map well to the people and organizations that have relationships with that data.”

As he tries to find the answer, our blogger begins to “realize that while there has been an exponential increase in the number of physicians using EHRs and patient records housed in EHRs…the thorny question as to exactly what rights patients have to control the sharing of their health records…and how any rights would be operationalized” hasn’t been answered nearly as fully as it should be.

As it turns out, he doesn’t offer an answer of his own, and to a considerable extent that may be because there isn’t a single answer to which all will agree. For those who are on LinkedIn, the piece has begun to generate some discussion, and after just a few comments it becomes clear that the question will probably not be answered any time soon.

