In the days of paper and pen, medical records were tangible documents. Most physicians considered that they owned the file cabinet in which records were stored and the physical documents within. Patients could obtain copies of the record with due authorization. Transfer of practice ownership often came with patients’ records, and this seemed to confirm that the records were an asset of the practice.
Well, what about now—in the era of electronic health records (EHRs)? Today’s file cabinet is represented by the architecture of the EHR, and the record itself exists only as invisible bytes of digital data. Who should own the record? Who should control access to the record? It’s not a clear area legally, ethically, or operationally.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule gives patients certain rights with respect to their medical records. HIPAA says that a patient is allowed to “inspect, review, and receive a copy of his or her medical records” held by all providers covered under HIPAA. Individual states have long had laws pertaining to the protection, maintenance, copying, and disposal of records. But while some states provide that a physician or health system employer owns the medical record, most state laws are silent about ownership of the physical record. Only New Hampshire provides definitively that the patient-specific information in a medical record is owned by the patient. (However, multiple surveys indicate that about half of all patients believe they own their medical records.)
The issue of who should own the records—physician or patient—is complex, replete with questions around health literacy, potential for patient confusion, and even misinterpretation of the old-fashioned Shortness Of Breath acronym. However, most physicians are comfortable with the concept that patients should be able to access their entire medical record upon request. Many EHRs now contain patient portals providing varying degrees of data access.
Control of record access is a separate question from ownership. EHRs have created new challenges of their own, including access rules for a single record shared among multiple specialties and protocols for destroying EHR notes once they are past the statute of limitations for legal action.
Another HIPAA issue concerns differential access to protected health information (PHI), which can identify the patient, versus de-identified data. Data containing PHI are routinely used and disclosed under HIPAA by health systems and payers for treatment, payment, and health care operations, which include quality-of-care activities. (As an example, patients with certain risk factors may be robocalled, with the messages prompting them to “ask your doctor about statins” or offering tools for blood sugar control.) Beyond these permitted uses, PHI may not be disclosed to third parties without the patient’s written authorization or a specific exception in the rule.
De-identified aggregated data (not containing PHI) may be accessed for a variety of desirable purposes, such as infectious disease community surveillance, FDA postmarketing approval studies, population health research, and quality improvement.
EHR clinical data are even making their way into the world of social media. Last year, Facebook tried to acquire de-identified patient records to match them with identifiable Facebook user data and build digital health profiles. HIPAA does not prevent this: once data meet HIPAA’s de-identification standard they are no longer PHI and fall outside the rule, and linking them to an identified data set is re-identification in all but name. Consider the privacy implications.
The physician’s conundrum becomes even more complex when the EHR vendor contractually retains exclusive use of de-identified data and doesn’t make it available for socially and medically desirable purposes. This is analogous to saying to the physician, “You own the data contained in the file, but you can’t open the file.” Ownership then becomes a moot point.
Some policymakers believe that the solution is clear patient ownership of health data, with access rights assigned to physicians and facilities as needed. In the meantime, it behooves us all to pay attention to data rights, both as physicians and as patients. It’s a confusing topic, with parties other than the physician and patient involved, a fuzzy legal environment, and the potential for unforeseen and undesirable outcomes.