Who owns healthcare data? Who can access healthcare data? Who can control how healthcare data are used? Those three questions can form the basis for going into any number of directions in the discussion around healthcare data. The questions will also spark substantial debate as to the best means of answering.
Trying to come up with a definitive answer is not something that any one person can or should do though. Instead, the questions should serve as a basis for generating an open dialogue among all interested parties. That dialogue can go into issues such as being able to access and collect all data, controlling how the data are used and how profit can be made, and other issues.
Under the way in which the system is currently set up, how data may be used is not necessarily clear. For organizations within what can be best framed as the traditional healthcare system, HIPAA clearly establishes a framework for how data may be utilized. HIPAA breaks use and disclosure into a few main categories that are premised upon whether an individual must be given the opportunity to approve or object to a use or disclosure. There are only a few instances where clear permission is needed, though those instances do focus on when an organization could profit from the use of an individual’s information. Otherwise, HIPAA is fairly permissive in being able to use information in support of most business operations. The expansive ability to use healthcare data can be surprising to individuals and prompt concern about just where data are being sent.
From that backdrop, a new idea making the rounds is intriguing, if not necessarily practical. Specifically, a model patient data use agreement is being suggested. The model agreement (a copy of which seems difficult if not impossible to find), would be a short and simple agreement that tries to balance out rights and obligations as well as clearly introducing the individuals’ interests into the equation. A large part of the aim is to insert individuals into access and control, which could lead to also including individuals in discussions around monetization.
The goals of the model data use agreement align with many concerns around privacy being voiced by individuals. However, while recognized in some of the coverage of the model agreement, current laws and regulations may limit the extent of what such an agreement can do. Access by individuals (at least under HIPAA) is clear and should not be restricted, but some organizations also have parallel retention or maintenance obligations that cannot be overlooked. Many licensed entities must keep records for mandated periods of time. While retention does not mean exclusivity, it can impact control.
Another issue would be how to balance considerations of access. What if an individual gets the full control, becomes unhappy with an organization, and cuts off access (if that is possible). The denial of access could impact care or service outcomes. Who would be liable or responsible in that event?
If the goal of the model agreement is to generate equal footing or enhanced leverage to individuals, that outcome cannot be considered in isolation. As always, healthcare issues are multilayered and ever interconnected. It may not be possible or feasible to allow or enable full control. In that regard, the key should be to achieve balance. One side should not hold all of the cards. Instead, collaboration and coordination would likely be closer to an ideal situation.
With all of that being said, the examples and considerations above candidly apply more to traditional healthcare organizations as opposed to newer technology companies. For technology companies not within the traditional healthcare ecosystem, the arguments may not be as applicable. In that instance, a more equal playing field may be preferable and achievable. When consequences are not as tied to life in death, then considerations and balances can be different.
Regardless of the situation, the discussion around access and control is becoming more open and must continue. It cannot be shoved back into a closet and left to linger in the background. The traditional and emerging technological healthcare systems deserve and demand better.