Ownership and Privacy of Health Data: An Emerging Conflict
Guest post by Robert B. McCray, president and CEO, Wireless-Life Alliance (WLSA).
A patient’s right to the privacy of their health records seems obvious, but some of the benefits of connected health will only be achieved if this right is qualified and perhaps compromised. Assuming the twin goals of maximizing both personal and public health, there can be no absolute rights of privacy or ownership in personal health data.
The tools of connected health make it possible to determine the efficacy and safety of diagnostic and therapeutic devices and services in the real world. This can serve as the basis for a learning health care system that continuously improves its services and outcomes. Today it takes between 15 and 17 years for the medical community to fully embrace better approaches.
Traditional privacy and ownership rights of health data stand in the way of these benefits. An obvious example of the problem arises where an antibiotic drug taken for an infectious and dangerous disease is not effective. What if a diagnostic device is unreliable? Does the patient have an absolute right to privacy in these situations? What obligation does that patient and her provider have to other individuals who are at risk and to the system that is paying for ineffective services?
There has been a lot of discussion recently in regard to the ownership of patient health data in the electronic health records of providers. The issues of ownership and privacy are overlapping considerations in determining the answer to these questions.
Privacy and ownership of health data are two closely related concepts. Both are relevant in the context of connected health, for different reasons. I suggest that patients should expect that in a well-functioning and affordable healthcare system, their commercial ownership (i.e. the right to profit from its use) and privacy expectations are not absolute. They must be tempered by the needs of a well-run and affordable system. This is a fundamental policy issue that must be resolved before additional barriers to a connected health world are created.
Traditional ownership and privacy rights assume that no one other than the patient has a stake in personal health information. Patients consent to healthcare providers who need the information to treat the patient. If a third party payor is involved, it is also necessary to permit them to have access to help ensure that the payments are appropriate and correct.
However, there are good reasons why the patient’s rights should be qualified. I suggest that the patient’s ownership and privacy rights must be limited by the legitimate needs of others to make (appropriate and limited) use of the data. In my opinion, a patient who uses the healthcare system cannot wall off access to all of their personal information.
The societal stake in preventing disease transmission, regulating the efficacy and safety of devices and therapeutics, and covering the cost burden of disease dictates that payors and appropriate authorities should have certain rights to the data. Providers should have rights to use clinical information to improve the quality and efficacy of their services. IT vendors would arguably have similar legitimate needs for access to the information for the purpose of improving their platforms.
I believe that the basics of a rational system are simple:
- Any person or organization with access to patient information should maintain its privacy.
- An owner and anyone designated by the owner will normally be the only person entitled to make it available to new parties.
- Ownership and privacy rights are subservient to the rights of others who may be harmed by another’s condition (e.g. infectious disease).
- If a patient uses the healthcare system, he cannot opt out of reasonable sharing of private information or commercialization of a “large” pool of de-identified data. This would include outcomes related to the use of unsafe or ineffective devices, procedures or therapeutics.
- Patients, providers and all suppliers in healthcare do not have proprietary rights to negative outcomes. That is, the needs of other patients and the taxpayer trump traditional privacy and ownership rights.
Some of these suggestions may seem extreme, but consider a different situation. Does a car owner or manufacturer have the right to secrecy regarding the cause of brake failure? If an automobile breaks down on a foggy night in the middle of a traffic lane, should not everyone on that highway be immediately told of the hazard?
Government and taxpayers are the major source of funding for healthcare, but the system we have is unmanageable and inefficient. To gain the benefits of modern innovation, technology, big data and global cloud-based systems, we need to rethink ownership and privacy rights and avoid creating new barriers to the creation of an affordable and broadly accessible system for connected personal health and health care.
 Balas EA, Boren SA. Managing clinical knowledge for health care improvement. In: Yearbook of Medical Informatics. Bethesda, MD: National Library of Medicine; 2000:65-70.