Everybody Wants a Piece of You - Health data rights and questions of ownership in the digital age

MDNG Primary Care, January 2010, Volume 12, Issue 1

Although HIPAA nominally guarantees an individual's right to access his or her protected health information, several groups and organizations, claiming that HIPAA is inadequate, have put forth declarations of patients' rights to protect and control their own health data. But, says the author of this article, even these measures are too vague. Instead, he proposes a system that would facilitate true and complete control over personal health data, to the point that patients could license access to researchers and others.

Although HIPAA nominally guarantees an individual’s right to access his or her protected health information, several groups and organizations, claiming that HIPAA is inadequate, have put forth declarations of patients’ rights to protect and control their own health data. But, says the author of this article, even these measures are too vague. Instead, he proposes a system that would facilitate true and complete control over personal health data, to the point that patients could license access to researchers and others.

Who “owns” my medical information? Me? My doctor? My health insurance company? Can I take possession of it? Protect it? Prevent access to it? Share access to it, either freely or at a price? These are questions that are beginning to take form and that demand answers.

When we think about personal data, the two categories of information that are often perceived to be the most personal and private are financial data and health data. Although numerous laws have been in effect for many decades regarding the privacy of personal fi nancial data, it is only recently that personal health data has come under the attention of legal regulation.

The US Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996, containing both a Privacy Rule and a Security Rule. The Privacy Rule took effect in 2003, regulating the use and disclosure of “protected health information” (PHI) by “covered entities,” which include doctors and health insurance companies. The Security Rule established measures that covered entities must take to protect PHI. HIPAA specifi cally states that individuals have a right to access and receive a copy of their PHI (www.privacyrights.org/fs/fs8a-hipaa.htm). Covered entities must also protect the PHI and inform patients when PHI is disclosed and to whom. But it does not address data ownership.

There is growing interest in asserting individuals’ right to ownership of their health data. HealthDataRights.org (www.healthdatarights.org) drafted a “Declaration of Health Data Rights” that outlines four basic principles that proclaim all people have the right to:

  • Their own health data
  • Know the source of each health data element
  • Take possession of a complete copy of their individual health data, without delay, at minimal or no cost; if data exist in computable form, they must be made available in that form
  • Share their health data with others as they see fit

Some feel that these four rights do not go far enough. According to Jen McCabe, a founder at start-up social media company Contagion Health (http://contagionhealth.com), the language in the Declaration is unactionable. In the blog post “Why I Didn’t Sign the Declaration of Health Data Rights — Yet,” McCabe said that “Terms are so loosely used that it will be very challenging to state with certainty when a ‘right’ to health data has been abused” (http://j.mp/In9SB). AHIMA has come out with an even more specifi c “Health Information Bill of Rights,” containing seven principles, most of which begin with “The right to access…” and “The right to expect…” (http://j.mp/8x5WsJ). Here, again, we see data ownership “rights” enumerated using vague language.

Personal Health Records (PHRs), such as Microsoft HealthVault and Google Health, can help aggregate and share personal health data and provide patients with more control over what goes into their record and who can access it. But even secure PHRs may not go far enough to protect health data. For example, Google Health’s Privacy Policy states that even though you may revoke someone’s access to your data, they “may retain a copy of the information” (www.google.com/intl/en-US/health/privacy.html).

A modest proposal

I propose that we as individuals actually own the data that pertain to our own bodies. We should be able to control that data in a manner similar to a copyright or to other licenses, such as the Creative Commons license (www.creativecommons.org).

Not only should we have a right to access our data and to receive a copy of it, we should be able to control who can see it and for what purpose. We own it, like we own a piece of real estate. New health data is created when we pay others to produce it (via health insurance premiums, copays, and out-of- pocket fees). By doing so, we are actually licensing them future access to this data since they created it under our direction.

But let’s conduct a thought experiment to see where this licensure model could lead. Imagine a PHR that automatically collected all your personal health data: doctor visits, hospital care, lab results, pharmacy data, device data (eg, home blood pressure machines, glucometers, Fitbits), etc. You could review, correct, and annotate any of it. And you could license access to any parts of it--either in identifi ed or de-identifi ed form--based on who wants to see the data, why, and when. You could track who accessed what data when and for what purpose.

This licensed access would provide legal protections against unauthorized use. It would also permit more control, thus allowing patients greater involvement and investment in both their health information and their health in general. People could manage their health record with the same regularity and interest with which they now manage their personal banking or investment records.

Now add in the network effect. We each have a network of individuals and entities that we may want to have read and/or write access to parts or all of our health data. Not just doctors and hospitals, but chiropractors, social workers, physical therapists, nurse practitioners, naturopaths, acupuncturists--all the people who may have an impact on your health.

But we’re not done. We could also permit access to family members, friends, online contacts, researchers, even marketers. You could select which data are accessible to which category of user, and have it be identifi able or not. Data from individuals who have opted to share information could be pooled by category and looked at as a population. That would permit, say, a diabetes researcher to request access to only specifi c data (eg, glucose levels, hemoglobin A1C levels, cholesterol, medications, height, weight, age, gender, and exercise level over the past 12 months) for all patients with diabetes over age 35 years on sitagliptin and an antidepressant medication.

A real-time mechanism similar to Google’s AdSense (www.google.com/adsense) program could be developed that matched up the researcher’s data elements of interest with the patients’ data-sharing preferences. There would be many users whom patients would want to have access to this data at no cost (such as their providers and family). However, some patients may want to make parts of their data available for a fee to certain user categories, such as marketers, researchers, or pharmaceutical companies. These data could be pooled so that users could set a bid price for the type of de-identifi ed data they want access to, patients can set a license price to access certain data under certain conditions, and the real-time bidding process (an “auction,” if you will) would result in a match. Each patient would then be paid for the opportunity to mine their data.

One could imagine the emergence of data- mining companies that search your records for health-enhancing opportunities at your request. Such a tool might have spotted the missed heart attack on his father’s old EKG that Alan Viars mentioned in his Janu- ary 2 e-patients.net post (http://j.mp/6NkG3j). Or it could enable users to review their blood pressure readings and compare them to all other 54-year-old men on atenolol who have opted to share this data. Or it could be used to compare patients who share depression rating scale scores over time since starting an SSRI antidepressant and help determine how those scores may be ass- ociated with different levels of exercise. The possibilities are endless.

Let the flowers bloom

In November 2009, a group of clinicians, “e-patients,” informaticians, technologists, and policy wonks began a spontaneous discussion about these health data rights and related issues. This discussion, taking place on blogs, Twitter, Google Wave, and conference calls, has coalesced into a movement called Flower (http://speakflower.org) that promulgates the message that we should control our health data and have universal standards for sharing it.

This is the sort of thing that could truly bend the cost curve in healthcare. This is the sort of reform that is needed to change the way in which healthcare information is used. This could be the cornerstone of true “meaningful use” of health information technology.

Steven Daviss, MD, DFAPA, chairs the Department of Psychiatry at Baltimore Washington Medical Center and co-chairs CCHIT’s Behavioral Health Work Group. He can be contacted via Twitter @HITshrink and e-mail at drdaviss@gmail.com.