Balancing the Data Equation

Who owns healthcare data? Who can access healthcare data? Who can control how healthcare data are used? Those three questions can form the basis for going into any number of directions in the discussion around healthcare data. The questions will also spark substantial debate as to the best means of answering them.

Trying to come up with a definitive answer is not something that any one person can or should do though. Instead, the questions should serve as a basis for generating an open dialogue among all interested parties. That dialogue can go into issues such as being able to access and collect all data, controlling how the data are used and how profit can be made, and other issues.

Under the way in which the system is currently set up, how data may be used is not necessarily clear. For organizations within what can best be framed as the traditional healthcare system, HIPAA clearly establishes a framework for how data may be used. HIPAA breaks use and disclosure into a few main categories that are premised upon whether an individual must be given the opportunity to approve or object to a use or disclosure. There are only a few instances where explicit permission is needed, though those instances do focus on when an organization could profit from the use of an individual's information. Otherwise, HIPAA is fairly permissive in allowing information to be used in support of most business operations. The expansive ability to use healthcare data can be surprising to individuals and prompt concern about just where data are being sent.

Despite the arguable shortcomings of HIPAA in that regard, it at least imposes a clear set of standards on organizations that must comply with its requirements. For a multitude of new organizations collecting what is ostensibly healthcare information, HIPAA does not apply at all. The organizations getting the "free pass" are the newer digital health and other technology companies that aim services directly at individuals. By going direct to individuals and bypassing the traditional system, the new entities fall outside of HIPAA and its attendant privacy and security requirements. Without a clear regulatory scheme mandating how privacy should (or must) be respected, individuals must rely upon the company's own sense of right and wrong, which will be contained within the Terms of Use and a Privacy Policy. Neither may provide much comfort, since both will likely be dense legal documents that, even if they get read, must be agreed to as written. No company is likely to be willing to, or expecting to have to, negotiate the terms.

From that backdrop, a new idea making the rounds is intriguing, if not necessarily practical. Specifically, a model patient data use agreement is being suggested. The model agreement (a copy of which seems difficult if not impossible to find), would be a short and simple agreement that tries to balance out rights and obligations as well as clearly introducing the individuals’ interests into the equation. A large part of the aim is to insert individuals into access and control, which could lead to also including individuals in discussions around monetization.

The goals of the model data use agreement align with many concerns around privacy being voiced by individuals. However, while recognized in some of the coverage of the model agreement, current laws and regulations may limit the extent of what such an agreement can do. Access by individuals (at least under HIPAA) is clear and should not be restricted, but some organizations also have parallel retention or maintenance obligations that cannot be overlooked. Many licensed entities must keep records for mandated periods of time. While retention does not mean exclusivity, it can impact control.

Another issue would be how to balance considerations of access. What if an individual gets full control, becomes unhappy with an organization, and cuts off access (if that is possible)? The denial of access could impact care or service outcomes. Who would be liable or responsible in that event?

If the goal of the model agreement is to generate equal footing or enhanced leverage to individuals, that outcome cannot be considered in isolation. As always, healthcare issues are multilayered and ever interconnected. It may not be possible or feasible to allow or enable full control. In that regard, the key should be to achieve balance. One side should not hold all of the cards. Instead, collaboration and coordination would likely be closer to an ideal situation.

With all of that being said, the examples and considerations above candidly apply more to traditional healthcare organizations than to newer technology companies. For technology companies not within the traditional healthcare ecosystem, the arguments may not be as applicable. In that instance, a more equal playing field may be preferable and achievable. When consequences are not as tied to life and death, the considerations and balances can be different.

Regardless of the situation, the discussion around access and control is becoming more open and must continue. It cannot be shoved back into a closet and left to linger in the background. The traditional and emerging technological healthcare systems deserve and demand better.

About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.