Who owns the data in an Electronic Health Record?
By Nancy Stafford
The ownership of the data in an electronic health record (EHR) is in debate. That is not too comforting, is it?
Let's begin with how different groups think of your EHR data.
Medical practitioners view an Electronic Medical Record (EMR) as the legal record of all treatments and symptoms of a patient's situation and it is the source data for an EHR. With paper records, these practitioners “own” the paper, therefore they “own” the records. According to an article in the American Medical Journal from 2009, the ownership of paper medical records has no direct translation to electronic records. This is a major barrier to EHR adoption and must be sorted out.
Health insurance companies view EHR much the same as do the medical practitioners. However, they also use your EHR to study trends and set prices mindful of the company's bottom line. That means that accountants and analysts have access to some levels of your health records.
Investigative scientists who conduct clinical trials define EHR as “a system for collecting clinical signs, symptoms, problems, diagnoses, test results to support routine clinical care” (according to a presentation titled: “Integrating Electronic Health Records and Clinical Trials” at the University of Colorado). Does this mean that they can use EHR without consent? What happens if they gather EHR for one purpose and see something else that interests them?
According to a Health Data Management study, 51 percent of pharmaceutical companies have partial or full access to clinical data in electronic health records. They believe this data will be their organization's greatest asset.
Lawyers see your records as evidence and suggest that there should be full disclosure during discovery for a litigation process. Maybe – but maybe only relevant facts and not other information.
The government set out to protect a patient's privacy as early as the 1970s. Congress enacted a confidentiality law for substance use treatment information (42 CFR, Part 2) that addressed privacy issues involved with substance and alcohol treatment and programs. This outlines the privacy requirements, including the rules for electronically transmitted patient information for these treatments.
There are additional laws that outline the ownership of data for privacy, confidentiality, protection of human subjects, electronic records, e-signature rules, and human subject protection. However, these laws do not protect the individual's records once the identifying name, address, birthday and other unique records are removed. There is also another debate: Once a record is seen for the initial purpose, can it be used for another purpose?
EHR hosts say the EHR data belongs to the medical practitioners that have hired the hosting company and that any time it is accessed it must be authorized by those medical practitioners.
Some everyday patients will think, “Of course it is my data. I own the information that pertains to me,” but this is incorrect. It seems everyone EXCEPT the patient owns the EHR data.
However, there is evidence that a patient does own some of his/her data. According to a HIMSS Analytics Database white paper, a patient owns the data in a Continuity of Care Document (CCD) and has the ability to input and access that information.
It seems to be a bit different overseas. According to a briefing paper from Digital Preservation Europe, an Electronic Personal Health record is owned by the individual and he/she can decide how to use that data. The patient controls the content and access to the records. The authors of this paper note that “confidentiality means that the data contained in the EHRs should not be intercepted during its transmission by unauthorized people.”
The good news is that more and more committees studying ownership of EHR data are leaning toward a patient-controlled authorization as to who can see and use their health records. As this issue is sorted out, there will be plenty more debate, which will inevitably lead to more defined regulations. But while all of this remains up in the air, it is clear that those in the healthcare industry will be watching the developments in health IT with careful eyes.