Balancing the Data Equation

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure, #HCdeJure

Who owns healthcare data? Who can access healthcare data? Who can control how healthcare data are used? Those three questions can form the basis for going into any number of directions in the discussion around healthcare data. The questions will also spark substantial debate as to the best means of answering.

Trying to come up with a definitive answer is not something that any one person can or should do though. Instead, the questions should serve as a basis for generating an open dialogue among all interested parties. That dialogue can go into issues such as being able to access and collect all data, controlling how the data are used and how profit can be made, and other issues.

Under the way in which the system is currently set up, how data may be used is not necessarily clear. For organizations within what can be best framed as the traditional healthcare system, HIPAA clearly establishes a framework for how data may be utilized. HIPAA breaks use and disclosure into a few main categories that are premised upon whether an individual must be given the opportunity to approve or object to a use or disclosure. There are only a few instances where clear permission is needed, though those instances do focus on when an organization could profit from the use of an individual’s information. Otherwise, HIPAA is fairly permissive in being able to use information in support of most business operations. The expansive ability to use healthcare data can be surprising to individuals and prompt concern about just where data are being sent.

Despite the arguable shortcomings of HIPAA in that regard, it at least imposes a clear set of standards on organizations that must comply with its requirements. For a multitude of new organizations collecting what is ostensibly healthcare information, HIPAA does not apply at all. The organizations getting the “free pass” are the newer digital health and other technology companies that aim services directly at individuals. By going direct to individuals and bypassing the traditional system, the new entities fall outside of HIPAA and the attendant privacy and security requirements. Without a clear regulatory scheme mandating how privacy should (or must) be respected, individuals must rely upon the company’s own sense of right and wrong, as expressed in its Terms of Use and Privacy Policy. Neither may provide much comfort, since both will likely be dense legal documents that, even if they get read, must be agreed to as written. No company is likely willing to, or expecting to have to, negotiate the terms.

From that backdrop, a new idea making the rounds is intriguing, if not necessarily practical. Specifically, a model patient data use agreement is being suggested. The model agreement (a copy of which seems difficult if not impossible to find), would be a short and simple agreement that tries to balance out rights and obligations as well as clearly introducing the individuals’ interests into the equation. A large part of the aim is to insert individuals into access and control, which could lead to also including individuals in discussions around monetization.

The goals of the model data use agreement align with many concerns around privacy being voiced by individuals. However, while recognized in some of the coverage of the model agreement, current laws and regulations may limit the extent of what such an agreement can do. Access by individuals (at least under HIPAA) is clear and should not be restricted, but some organizations also have parallel retention or maintenance obligations that cannot be overlooked. Many licensed entities must keep records for mandated periods of time. While retention does not mean exclusivity, it can impact control.

Another issue would be how to balance considerations of access. What if an individual gets full control, becomes unhappy with an organization, and cuts off access (if that is possible)? The denial of access could impact care or service outcomes. Who would be liable or responsible in that event?

If the goal of the model agreement is to generate equal footing or enhanced leverage to individuals, that outcome cannot be considered in isolation. As always, healthcare issues are multilayered and ever interconnected. It may not be possible or feasible to allow or enable full control. In that regard, the key should be to achieve balance. One side should not hold all of the cards. Instead, collaboration and coordination would likely be closer to an ideal situation.

With all of that being said, the examples and considerations above candidly apply more to traditional healthcare organizations than to newer technology companies. For technology companies not within the traditional healthcare ecosystem, the arguments may not be as applicable. In that instance, a more equal playing field may be preferable and achievable. When consequences are not as tied to life and death, the considerations and balances can be different.

Regardless of the situation, the discussion around access and control is becoming more open and must continue. It cannot be shoved back into a closet and left to linger in the background. The traditional and emerging technological healthcare systems deserve and demand better.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.