Who owns patient data?

Children’s Hospital Boston has filed a suit in federal court against former post-doctoral fellow Isin Cakir, MD. The suit claims that Cakir took a hospital-issued laptop to a computer forensics company and asked the contents be preserved. The hospital alleges Cakir’s motive was “to take information rightfully belonging to the hospital and to sell it or use it with others to commercialize a drug or drugs competitive with the drugs that he was working on in Boston Children’s Hospital’s laboratory.”

Around the same time Boston Children’s filed its suit, a jury found that the University of California, Los Angeles (UCLA) Health System was not responsible for the unauthorized release of Norma Lozano’s medical records. Lozano claimed that an assistant in a medical office that was affiliated with the University shared photos of her records with others, including her ex-boyfriend, whom the medical assistant was now dating.

Jurors in that case told Law 360 that UCLA Health System was the wrong target for Lozano’s suit. One juror said if she had instead sued the medical practice and/or the woman who had actually released the records, their verdict would have been different.

In today’s world, electronic records are easy to share among providers, and are relatively easy to hack. Each organization and each state also has different rules as to what can be shared and with whom.

Although many organizations have taken the stance patients own their own healthcare data, that isn’t really the case.  “It’s like we have a vacation home, and we’ve given out keys to 50 different people, and they all show up at the same time,” Chris Zannetos, CEO and founder of security developer Courion, told InformationWeek. Zannetos said although patients want their data to be shared when needed, they are often surprised by how quickly they can lose control.

Other organizations are of the opinion that the doctor or hospital where the record originated owns the data, but that isn’t exactly true, either. According to Medical Economics, experts now counsel that organizations should move away from the concept of data ownership entirely, and instead consider themselves “stewards” of the data within their possession and administrative control.

Arguments have also been made EHR vendors own the data they collect. But the Health Insurance Portability and Accountability Act (HIPAA) makes it clear EHR vendors are not the sole owners of patient healthcare data because under HIPPA, EHR vendors are required to return or destroy patient health information once a contract has been terminated.

Still, Adam Greene, JD, a partner with the law firm Davis Wright Tremaine and an expert on healthcare technology and privacy, told Medical Economics that organizations too often give vendors the upper hand on data rights by not addressing them during contract negotiations. Green also said questions about data rights should be “top of mind” during contract negotiations. “And if they feel like the contract with the EHR vendor does not provide enough details on this front, they should ask the questions, and if they feel like they need to get the answers in writing, they should push for that,” he said.

For example, one of the reasons that Cerner was chosen for the $4.3 billion contract with the Department of Defense (DOD) is the DOD will retain ownership of the data collected. 

Top Image Credit: Fotolia

Leave a Reply

Notify of