Who Owns EHR Data? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Healthcare // Electronic Health Records
News
9/9/2014
09:16 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Who Owns EHR Data?

The owners of electronic health records aren't necessarily the patients. How much control should patients have?

application FairWarning. The software tracks whether employees or clinicians have legitimate reasons for opening particular records.

Because the software records anyone who accesses a record, "you can't hide from the EHR anymore like you could with a paper chart," Rosenhagen says. He contends the EHR provides a more secure environment than paper records did.

Courion, which developed similar software, has clients such as Miami Children's Hospital, Quest Diagnostics, and Memorial Sloan Kettering Cancer Center. They use its software to automatically update hires and terminations to limit access to authorized personnel retrieving legitimate information, says Courion's Zannetos.

The right to patient records changes over time, creating an added challenge. Parents, for example, control access to children's EHRs -- while they're children.

"Once they turn 18 you've got to turn that off and give access to the 18-year-old, who's supposedly no longer a child," says Zannetos, father of two young adults. Zannetos says the healthcare industry needs to learn from the credit card industry, and how it considers a wide range of factors to spot fraud. "We have to constantly watch through the very complex connections between people, apps, access rights, and what they're doing, and raise alerts when things look like they're out the norm," he says.

IT departments also must guard against patients' errors. All too often consumers use the same password for multiple sites. If a breach occurs at an unrelated site, users might think their data is secure but cyberthieves could now have the password that protects their personal health information, Zannetos says. Organizations might want to enforce frequent password changes, require multicharacter passwords, or assign passwords to consumers, rather than allowing them to use their own creation.

InformationWeek 2014 Healthcare IT Priorities Survey of 322 healthcare technology professionals, February 2014.
InformationWeek 2014 Healthcare IT Priorities Survey of 322 healthcare technology professionals, February 2014.

Some providers have moved beyond portals and extend complete access to patients through the Open Notes initiative, says David Harlow, principal at The Harlow Group, a healthcare legal and consulting firm. In March, for example, WellSpan Health began offering patients access to office-visit notes, as well as lab results, physicals information, immunizations, and imaging studies.

"It means really sitting side by side with a patient in front of the computer screen, rather than having the computer screen between the doctor and patient, in order to share that information in real-time during the office visit," Harlow says. "It's a real culture change."

To promote access to all electronic records, regardless of providers' EHRs, the federal government and participating partners use Blue Button, a technology that lets consumers click on a blue link to view online, download, and share their records. Although not all providers participate today, HealthIT.gov claims the roster is expanding rapidly.

All for one, one for all
There is a point at which patients lose control of their data; that is when identifiable information is removed and organizations use the vast collection of health data for analytics.

"If it's de-identified, then it's not considered to be that patient's information anymore," Harlow says.

HIPAA recommends one formal process to de-identify data. It requires stripping out all potentially identifiable information, an approach that safeguards patients but deprives researchers, he says. Statistical de-identification, which uses techniques that allow inclusion of certain demographic points, is more valuable to researchers, Harlow adds. Optum Labs, for example, uses multiple de-identification steps when it receives data from Humedica and provides pockets of data to authorized researchers, says Paul Wallace, chief medical officer at Optum Labs. Both approaches satisfy HIPAA rules to preserve patient anonymity, although statistical deidentification -- while more useful -- is also more costly.

Organizations use this statistical de-identified patient data for everything from healthcare and provider quality control and treatment improvement, to researching new medicines and finding new relationships between disease cause and effect.

However, statistically de-identifying data isn't perfect. In a study last year, the Whitehead Institute for Biomedical Research, a nonprofit research and teaching institution with programs in cancer research, developmental biology, genetics, and genomics, was able to re-identify 50 people who had sent personal DNA data in genomics studies such as the 1000 Genomes Report. The odds of being named from a de-identified database were 4 in 10,000, according to a 2005 study. Since that year, consumers share more identifiable information via social media and apps, and more information is digitally available, so perhaps it's more likely to be identified today.

Rather than de-identify data, researchers should be held responsible for protecting personal data and privacy, recommends an article on the Association for Computing Machinery's website written by Jon P. Daries, Justin Reich, Jim Waldo, Elise Young, Jonathan Whittinghill, Daniel Thomas Seaton, Andrew Dean Ho, and Isaac Chuang. Although they focused on students in higher education, the authors argue de-identification forces changes to data that threaten analysis and weaken the results. Too much concern for de-identifying could stifle important research, they say.

Patients worried about their data being re-identified might lie to medical professionals, to hide alcohol, drug, or physical abuse, or conceal embarrassing symptoms. Others are concerned insurers or employers will combine readily available credit card information with health data to paint clear pictures about consumers' cigarette, fast food, or liquor purchases.

Although one person's information speaks solely to that individual's health, the records of an entire population paint a broader picture, one that holds clues to cures, treatments, and prevention. Consumers might generate their personal health data, but they don't own their records. If we're all to reap the benefits of that collective knowledge, it's up to organizations that steward this data to protect it from those that seek to use it for illegal, unethical, or harmful purposes.


Download the entire September issue of InformationWeek Healthcare.

Alison Diana is an experienced technology, business and broadband editor and reporter. She has covered topics from artificial intelligence and smart homes to satellites and fiber optic cable, diversity and bullying in the workplace to measuring ROI and customer experience. An ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Previous
3 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AliN258
50%
50%
AliN258,
User Rank: Apprentice
10/30/2014 | 5:25:08 AM
EMR data
My former billing company who also owned our practice EMR has refused to provide us access to the OLD data and has disconnected my staff and my username and access after we changed to a new billing company?

What is the current rules of practice and traditions in such a case?

Thank you
GaryAk
50%
50%
GaryAk,
User Rank: Apprentice
9/14/2014 | 5:42:23 PM
HIPAA needs to be revised
A patient in many cases has to go through a lot of hoops to get their own records.   Having to sign a form every time following a visit or procedure to get one's own records is silly.   Having providers not be willing to email or fax electronic records to your home because it is not secure, even when you are willing to waive your 'privacy' rights.


It is a rare doctor that agrees to email back and forth with a patient, relying on some secure, encrypted form of electronic communication that is functionally complex and difficult even for a tech-savvy patient to keep.


HIPAA needs to be amended to allow the option for simpler forms of communications and less barriers to the patient to get their own records electronically or otherwise.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
9/10/2014 | 4:48:41 PM
Ownership Records
Interestingly, most people who shared this story on Twitter and then posted their own answer to the headline's question responded, "patients." 
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
9/10/2014 | 4:47:48 PM
Re: Governance and strategy
Yes I think healthcare organizations would be well-served if they move away from focusing so much on compliance (which is, of course, necessary) and focus more on risk-management and transparency, when it comes to data and security. As the South Nassau executive said, patients want more transparency from their healthcare providers -- in terms of cost, access to their own information, and providers' records for safety, etc. -- and those that deliver this information are most likely to succeed over those that continue to make this info hard to find or access. CIOs and their IT teams play an integral role in making this happen securely.
pfretty
100%
0%
pfretty,
User Rank: Ninja
9/10/2014 | 11:16:00 AM
Governance and strategy
"The CIO is responsible for creating the foundation for a new culture of transparency." This is such a key component of today's data-laden society. And, its especially true in sensitive field like the medical industry. Going forward organizations need to place more emphasis on developing, nuturing and mantaining data strategies while embrace proven governance tactics.  Obviously both will come with maturity, but its the organizations who embrace it early who will surface as leaders. 

 

Peter Fretty
Laurianne
50%
50%
Laurianne,
User Rank: Author
9/9/2014 | 1:49:20 PM
Re: preferred contact
Medicine is one of the few industries where you still see fax machines in heavy rotation.
Ariella
50%
50%
Ariella,
User Rank: Author
9/9/2014 | 12:25:53 PM
Re: preferred contact
@Alison As I said, I don't care for letters, though I have recieved a few from doctors or hospitals, particularly if they wanted to make some official communication prior to or after a particular procedure. But I really thought it was total overkill when a doctor sent a note that the office didn't show that certain tests were done via certified mail. That was a pain, in fact, b/c the mail carrier just left the slip about it in my mailbox without giving me the chance to sign for it. And the slip doesn't even let you know who the sender is. So I had to trek over to the post office the next day to sign for the letter -- as I had no idea what it was or how urgent it may be.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
9/9/2014 | 11:55:53 AM
Re: preferred contact
The preference for letters by such a big number of doctors really shows, in my mind, the comfort level some practices have with the old ways of doing things and their discomfort with trying new, more efficient means of communication. When you think about it, letters are expensive: They take time to personalize, print, and stuff into envelopes, and they're expensive over time -- paper, print, envelopes, labels, stamps, and staff time. You also have to ensure patients' mailing addresses are kept current (which billing requires too, of course). 

That said, a lot of doctors' offices still rely on fax a lot. In dealing with two specialists recently, I was surprised to learn that one doctor faxed his records over to the other doctor's office; the other doctor, in turn, wanted to send her records back electronically but was forced to fax them back because the first doctor didn't have the capacity to receive them electronically (despite using an electronic health record in his practice). Unsurprisingly, during our first visit to the second specialist, part of my daughter's record was missing because the first doctor's assistant hadn't sent over the complete file. 
Ariella
50%
50%
Ariella,
User Rank: Author
9/9/2014 | 11:50:24 AM
preferred contact
I'm surprised as many as 13% prefer letters. It seems so inefficient. I'd fall into the majority here with a preference for phone, and email as my second choice.
News
Can Cloud Revolutionize Business and Software Architecture?
Joao-Pierre S. Ruth, Senior Writer,  1/15/2021
Slideshows
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
News
How CDOs Can Build Insight-Driven Organizations
Jessica Davis, Senior Editor, Enterprise Apps,  1/15/2021
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Slideshows
Flash Poll