The bigger question is how patients can use that information to positively affect their lives.
Determining who owns patient data is a hot topic of discussion in the health care information technology (IT) realm. The natural response to the question is the patient, but additional layers of complexities and considerations exist. Patient data ownership can be broken into the ownership of the data versus the medical records and the ability of patients to access their data.
The Legal Side
A subtle difference in ownership exists from a legal standpoint. Through the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, patient data are protected, and patients have privacy and security around the information.1 This means that patients must give health care organizations permission to share their data with other health care organizations. However, after patients are seen by providers and their histories, labs, presentations, and other information are documented in medical records that providers create, the providers, or the health care organizations that employ the providers, become the owners.
To further confuse matters, the laws regarding patient data and records ownership may vary by state. Some states may indicate that patients own all their data, including the medical records, whereas other states may deem that patients own their data but health organizations own the medical records. From a legal perspective, the ownership of the data and medical records is confusing, but the focus should really be on how those data are accessed and used for patient health improvements.
Through the HIPAA Privacy Rule, patients can “inspect, review and receive a copy of his or her own medical records and billing records.”2 So, even though patients do not own the actual medical records created for them by the provider office or hospital, they are still entitled by law to access their data, which is reassuring from a patient perspective. Of note, when requesting records, patients are essentially requesting a copy of the records and not the originals themselves.
However, stipulations do exist for patients when requesting copies of the records. Part of the Omnibus Rule of 2013 indicates that depending on the state, patients may obtain copies of medical records for a “reasonable, cost-based fee.”3 That cost depends on what each state deems reasonable. For example, in California, the patient or legal representative who requests a copy of the records may pay a maximum of 25 cents per page or 50 cents per page of microfilm; a charge for the labor of copying the medical record, whether it be electronic or paper; a charge for supplies, such as media and postage; and a charge for preparation of a summary of the medical record.4
Cures Act Final Rule
Access to patient data has been further extended in terms of patient convenience. In March 2020, the Office of the National Coordinator for Health Information Technology released its 21st Century Cures Act Final Rule, which provides a plethora of additional measures for health technology in health systems. One is related to the ability to engage patients more in their health care by allowing them to more easily access their data.5
One of the hallmarks of the rule is the concept of interoperability and how that can allow for better patient access to data and an overall improved patient experience. Interoperability refers to the ability of disparate health information systems to communicate with one another without major hiccups. To prepare systems for a better interoperable environment, the rule outlines a list of specific requirements that health care IT vendors must follow when creating their application programming interfaces (APIs).6 These APIs are to be available to software vendors to build platforms that allow patients the freedom of using an application of their choice to pull and track their own health data.
What About Security?
With any new regulation or rule that involves sensitive information such as patient data, a discussion on security is inevitable. How do the new rules address security? Can third-party vendors be trusted with access to these APIs?
These questions do not have simple answers. As health care information continues to evolve, so do the methods of handling those data and understanding the perspectives behind them. Regarding security, data are to be handled with the minimum requirements of the HIPAA Security Rule.5 The rule also outlines that health IT developers are responsible for helping third-party vendors with interoperable services and data transfers.5
Ownership is a complicated beast. Although legal ownership of medical records does lie with patients, whether that matters is debatable. Rules are in place to ensure that patients have access to their data, whether they own the records or not, and newer rules potentially allow patients to be highly engaged in their own health care by making more of those data interoperable from a health care IT standpoint. From a health care economic standpoint, the discussion of data ownership is overshadowed by discussions of how patients can make positive impacts in their own lives with access to those data.
Kevin Tien, PharmD, Pharmacy Informatics Specialist at CHOC Children’s, assisted with writing this article.

Tony Dao, PharmD, CPHIMS, CSSBB, LSSBB, PMC HI, is a pharmacy informatics specialist at CHOC Children’s in Orange, California; the founder of the Pharmacy IT & Me podcast; and cofounder of the Pharmacy Informatics Academy.