Who owns the data

Who owns the health information?

  • the patient to whom it refers?
  • the health provider who created it?
  • the IT specialist who has the greatest control over it?
  • the researcher who aggregates it?
  • the health 2.0 company that harvested it?

the notion of ownership is inadequate for health information. No one has an absolute right to destroy health information. But we all understand what it means to own an automobile: You can drive the car you own into a tree or into the ocean if you want to. No one has the right to do things like that a “master copy” of health information.

All of the groups above have a complex series of rights and responsibilities relating to health information that should never be trivialized into ownership.

But asking the question at all is a hash argument.

What is a hash argument?

Come to think of it, there’s a certain class of rhetoric I’m going to call the “one way hash” argument. Most modern cryptographic systems in wide use are based on a certain mathematical asymmetry: You can multiply a couple of large prime numbers much (much, much, much, much) more quickly than you can factor the product back into primes. A one-way hash is a kind of “fingerprint” for messages based on the same mathematical idea: It’s really easy to run the algorithm in one direction, but much harder and more time consuming to undo.  Certain bad arguments work the same way—skim online debates between biologists and earnest ID (Intelligent Design) aficionados armed with talking points if you want a few examples: The talking point on one side is just complex enough that it’s both intelligible—even somewhat intuitive—to the layman and sounds as though it might qualify as some kind of insight… The rebuttal, by contrast, may require explaining a whole series of preliminary concepts before it’s really possible to explain why the talking point is wrong.

At some point I will modify this article to actually do the rebuttal. At this point it is enough to say that -even asking the question- who owns the data is creating a hash argument. The question presumes that the notion of ownership is valid and jettisons those foolish enough to try and answer the question into needless circular debate. Once you mistakenly assume that the question is answerable you cannot help but back an unintelligible position.

People asking this question at conferences is a pet peeve for me.

(update 2012: fleshing out this post, for reposting to radar)

So the reason that “ownership” does not apply to well to health data is that “ownership” means a little too much to apply well for anyone. Here is a quick chart that shows what is possible depending on a given role.

Person/Privilege Delete their copy of data Arbitrarily (without logs) edit their copy of data Correct the providers copy of the data Append to the providers copy of the data Acquire copies of HIPPA covered data
Sourcing Provider No. HIPPA mandates that the provider who creates HIPAA covered data must ensure that a copy of the record is available. Mere deletion is not a privilege that a provider has with their copies patient records. No. While the provider can change the contents of the EHR, they are not allowed to change the contents without a log of those changes being maintained. Many EHRs contain the concept of “signing” EHR data, which translates to “the patient data entering the state where it cannot be changed without logging anymore”. Yes. The provider can correct their copy of the EHR data, providing the maintain a copy of the incorrect version of the data. Yes. The providing merely add to data, without changing the “correctness” of previous instances of the data. Sometimes. Depending on the providers ongoing “treatment” status of the patient, they typically have the right to acquire copies of treatment data from other treating providers. If they are “fired” then they can lose this right.
Patient rights Yes they can delete their own copies of their patient records, but requests to providers that their charts be deleted will be denied. No. Patients cannot change the “canonical” version of a patient record No. While a patient has the right to comment on and amend the file, they can merely suggest that the “cannonical” version of the patient record be updated. Yes. The patient has the right to append to EHR records under HIPPA. HIPPA does not require that this amendment impact the “canonical” version of the patient record, but these additions must be present somewhere, and there is likely to be a substantial civil liability for providers who fail to act in a clinically responsible manner on the amended data. The relationship between “patient amendments” and the “canonical version” is a complex procedural and technical issue that will see lots of attention in the years to come. Usually. A patient typically has the right to access the contents of an EHR system assuming they pay a copying cost. EHRs frequently make this copying cost unreasonable and the results are so dense that they are not useful. There are also exceptions this “right to read” which includes psychiatric notes, and legal investigations.
True Copyright Ownership (i.e. the relationship you have with paper you have written or a photo you have taken). Yes. You can destroy things you own. Yes. You can change things you own without recording what changes you made. No. If you hold copyright to material and someone has purchased a right to a copy of that material, you cannot make them change it, even if you make “corrections”. Sometimes, people use licensing rather than mere “copy sales” to enforce this right (i.e. Microsoft might have the right to change your copy of Windows, etc…) No. Again you have no rights to change another persons copy of something you own the copyright to. Again, some people use licensing as a means to gain this power rather than just “sale of a copy”. No. You do not have automatic right to copies of other peoples copyrighted works, even if they depict you somehow. (this is why your family photographer can gouge you on reprints.

Ergo: neither a patient, nor a doctor has an “ownership” relationship with patient data. So asking “who owns the data” is a meaningless time-wasting and shallow conceptualization of the issue which is at hand.

The real issue is: “What rights to patients have regarding healthcare data that refers to them?” This is a deep question because patient rights to data vary depending on how the data was aquired. For instance a PHR record is primarily governed by the EULA between you and the PHR provider (which usually gives you wildly varying rights depending), while right to your doctors EHR data is dictated by both HIPPA and Meaningful Use standards.

Usually, what people really mean when they say “The Patient owns the data” is “The patients needs and desires regarding data should be respected”. That is a great instinct, but unless we are going to talk about very specific privileges enabled by regulation or law, it really means “Whatever the provider holding the data thinks it means”.

For instance, while current Meaningful Use does require providers to give patients digital access to summary documents, there is no requirement for “complete” and “instant” access. While HIPPA mandates “complete” access, the EHR serves to make printed copies of previously digitized patient data completely useless. The devil is in the details here and when people start going on about “the patient owning the data” what they are really doing is encouraging a mental shortcut that cannot readily be undone.

HTH,
-FT

6 thoughts on “Who owns the data

  1. Is this the new Godwin’s Law? Toss out “hash argument,” and expect all discussion to cease? Established notions of ownership are not all trivial, and there are few other available models to challenge the “might makes right” argument of possession. Excluding any ownership-based discussion only delivers the debate to those whose motives are more economic than social or moral.

    So how about a rejoinder: “what kind of ‘ownership’ did you have in mind?”

  2. Really interesting analysis of the situation. When I’ve heard this question or read it online, in my head I always say “Who CARES?” This is a good explanation of why I shouldn’t care. I think we’re too worried about ownership and not worried enough about providing great results. Not to mention some civility and understanding.

  3. Not at all. Rather, “calling hash argument” requires that you at least reference why an argument qualifies. This is easier to do when you can link to something that clearly details why the argument is a hash argument, which is exactly what I have done here. It is useful to point out when someone is opening a can of worms that has no added benefit to a discussion.

  4. One of the few constitutional amendments I’d like to see is something along these lines:

    ———–
    Data concerning a citizen is the joint property of the citizen and the entities that create that data.
    ———–

    Call it a hash argument if you like. I prefer not to. I see it as a key to personal empowerment in an age of information and increasing corporate power.

    — stanley krute

  5. What does “joint property” mean?
    I have “joint property” with my wife and (heaven forbid) if we ever get a divorce there will be a big mess.
    Who has control of what goes in the data? Who has the responsbility to maintain the data?

    Your statement sounds lovely but deals with none of the actual complexities in the issue.
    It does not even detail how this notion of ownership that you have not defined is empowering…

    -FT

Comments are closed.