In order to protect the patient’s privacy in healthcare systems, there are continuous efforts made to limit the exchange of identifiable medical information to only the entities that may be directly involved in providing medical care to the patient. Although patients can request their records be sent to others, they are never involved with the exchange and mining of their medical data by say a researcher or a pharmaceutical company or a government agency. Suppose if patients (or consumers) were given the choice of making their own informed decisions about privacy and can selectively give out their identifiable medical data to the parties of their choice. Would it increase the medical and economic value of their data? More importantly, could the patients receive a share of any medical and financial benefits themselves?
With the advent of mobile health and other health related wearables, it is slowly becoming evident that a consumer movement is percolating, and that consumer mediated exchange might be the need of the hour. This research paper aims to explore the different scenarios and cases pertaining to patients being the sole owners of their data through a literature review. It will also talk about the repercussions, if any, that this solution might pose to the overall security and privacy of data, and ways in which this can be mitigated.
One of the pressing questions that is surfacing as health app developers and clinical data researchers are delving into digital data and electronic medical records and making AI-enabled products that help the doctors in managing information and helping them diagnose diseases is that when they decide to use patient’s medical information to create a commercial product, is the patient owed a part of the bargain. Currently, in a routine research hospital environment, the patients sign a paper in the huge stack of admission paperwork that gives permission to the institution to use their personal data for research. While the patient may think that they’re in control of their data, this is nothing but a myth – in fact, the healthcare market does not have any of the self-regulating forces that are seen in the other industries. In the healthcare world, patient data is a dicey area. It is protected by HIPAA laws; de-identified patient data is used in clinical trials owing to the randomized clinical trials process, and an increase in data sharing and transparency of clinical trial data is an ongoing effort.
Many patients in clinical trials never receive a follow-up call about the clinical trial they were in, whether or not the trial was successful. More so, HIPAA allows providers to charge patients a reasonable, cost-based fee when they seek copies of their medical records or request they be forwarded to another provider or organization. With the advent of mobile health, patients can do a lot today that they were not able to in recent times. They can do their own cardiogram, check their child’s skin for jaundice infection, apply sleep apnea tests at home through a sensor and on their smart phones. It is turning out to be a new and exciting era where the public can approach and acquire vital health information inexpensively. It potentially has a disruptive impact where the medical community believes that the patients cannot handle the truth indicating a sense of paternalism running through. But studies have shown that patients want to know more about their condition and treatment and would want to have control over their data (Auerbach, S. M. 2001).
In terms of policy and regulatory perspectives, user privacy and ownership of user-generated data has been an under-explored territory. Government-regulated clinical and research medical data are constantly scrutinized owing to the lack of transparency and unclear agendas. One such example is the implementation of the care.data initiative in the UK which was aimed at individual data sharing with researchers by the NHS, and controversially, with businesses ultimately resulting in a failure of the initiative (Goldacre, B. 2014). Another example with private user-generated health data that is collected from apps, social media and wearable devices also show absence of transparent data ownership regulation. User-generated health data that is directly collected by IT and social media companies and tracking/wearable devices which commonly do not have an opt-out policy can be potentially subject to intrusion using data analytics driven marketing and unregulated sharing or use (Merchant, B. 2015). This intrusion is much more concerning to some citizens with them feeling that their explicit consent is required for data sharing. Re-migrating to the data in clinical trials, a study in Canada showed that patients would like academic researchers to share more information about their data and stop working in a hunter-gatherer environment where they feel entitled to keep the data that they have mined (Friend, S. 2010).
Very few individuals actually like to engage in human trials, and about 50% of clinical trial sites enroll one or no patients in their trial (CISCRP, P 2010). The research could be in a drastically different place if these individuals could share their clinical data themselves, either through Electronic Medical Records or Personalized Health Records, biometric tracking mechanisms, or through questionnaires. Although it may create data integrity problems, it is understood that patient control of clinical data will introduce both chaos and richness into the system (Moyé, L. A. 2008). A privately held company called Private Access gives individuals the potential to enter data that could be useful for clinical trial recruitments. The individuals themselves control the privacy of their data based on their preferences. This could range from all scientists being able to see all of their data, some scientists can see their data, or nobody can see their data. Going forward, these controls would open access to individual’s data held by labs, medical professionals; and pharmaceutical companies like Pfizer are foraying into advancing this functionality of patient access and control with Private Access (Terry, S. F., & Terry, P. F. 2011).
Another Silicon Valley-based company called Genomera has come up with a platform that allows the public to share their genomic and phenotypic information but also provide them the tools to create and participate in their own clinical trials. The participants can then choose to report the results back to the group for joint analysis thus imparting the locus of control on the participants (Dolgin, E. 2010). When it comes to sharing clinical data, privacy is always one of the major concerns. However, if participants control the distribution of their data, these concerns are reduced as the major privacy law in the United States, the Health Insurance Portability and Accountability Act (HIPAA) would not apply. Individuals can share their own clinical information under the HIPAA regulations. Having said that, there is a need for controls at a granular level in the privacy systems as individuals will want to share their information selectively. Guides such as those used by Private Access will be helpful.
However, privacy systems with granular controls are desirable because individuals will want to share information selectively, as is their right. Further, the various options will undoubtedly be complex, and guides such as those used by Private Access will be essential. Terry, S. F., & Terry, P. F. (2011) mention that it is imperative for individuals to become active participants in clinical trials as the benefits of participant ownership and sharing of trial data appear to outweigh the risks. An instance where neither the patients nor the insurers did not ‘own’ their data is given in the paper by Cios, K. J., & Moore, G. W. (2002), where a few Health Maintenance Organizations (HMOs) refused to pay for patient participation in clinical treatment protocols that were deemed experimental. This brings up the issue that if insurance providers do not own their insurees’ data, they can refuse to pay for the collection and storage of the data.
Mikk, K. A. and colleagues, (2017) shared the viewpoint aiming to improve patient engagement and proposed a Data Use Agreement (DUA) that relates to the data quality, integrity, privacy, and security. This proposal would create a longitudinal health data set for individuals that aggregates health data from various care settings using common data elements. Not only would patients benefit from access to all of their data, but clinicians could benefit too by seeing a more complete and accurate picture of the patients in front of them. Also, providing patients with options to share all, some, or none of their data, they may actually be more comfortable providing health data for research (Blumenthal, D. 2017). Study by other scholars’ state that neither property nor privacy law completely apply to health data or a patient’s ability to control their health data (Rodwin, M. A. 2010). Kish, L. J., & Topol, E. J. (2015) proposed a technological solution called UnPatient which would allow biomedical data to be shared and traded as property at a very granular level but retains the necessary privacy and security and complies with the existing regulations.
For health data to have a real home owned by its rightful owner, they need to be: first, accessible anywhere and always available to the originator; second, controlled by the person they came from or their agent; third, unique and verifiable as belonging to a real person; fourth, privacy-enabled; fifth, secure; sixth, independent of any third party; and finally, able to solve the data provenance problem, that is, when, where and from whom the data came. Perhaps, it is time to recognize Blockchain as an ecosystem that can place the patient as the enabler and not the provider or the medical facility. Leveraging the underlying technology of Bitcoin and using and repurposing of the blockchain technology could enable health data ownership at a global level (Peck, M. 2015). Block chain could also help solve data provenance problems like evidence of where a piece of health data comes from, creating an ability to visualize the data supply chain.
v A model which uses this is Switzerland’s healthbank that provides its users with a platform to store and manage their health information in a secure environment. The users have complete data sovereignty and are also able to make their data available for medical research. The users in turn are given financial compensation for providing their data. The platform thus enables new opportunities for patient-oriented research. The further advancement in using Blockchain, could enable users to track the personal patient-generated health data from apps, wearables in the research process with a timestamp (Mettler, M. 2016). Use of personal health records may enable individuals to access, manage and share their health data.
However, its widespread adoption comes with its own set of vulnerabilities in terms of the privacy and security. Web-based PHRs are subject to numerous threats just like other Internet applications and patients may not be fully equipped to deal with such threats. It may raise privacy concerns where patients will need to know to whom they are granting access and for what purpose. (Señor, I. C., Alemán, J. L. F., & Toval, A. 2012). Kostkova, P. and colleagues (2016) suggest that Healthcare policymakers at international level need to develop a shared policy and regulatory framework supporting a balanced agenda that safeguards personal information, limits business exploitations, and gives out a clear message to the public while enabling the use of data for research and commercial use. So, can Patients really own their data?
They can have the right to see their data; right to ask for their data to be correct and UpToDate, but they cannot own it. The basis for this are two reasons: First, Patients do not have the responsibility of maintaining the data – to check for errors, make back-ups, bring it to appointments. Current practice is a long way from this, and even tools that allow for patients to hold data and record their own data like My Clinical Outcomes (Black, N. 2013) are far from being a complete medical record. Secondly, quite a lot of the health data in the records is not generated by the patient themselves. Some of it is directly patient generated (like pain scores) or is a simple recording (e.g. blood pressure), where as much of the data is interpreted (Cardiac sounding chest pain) and much was acquired from the patient by the provider at some expense (Radiology scans) and some was actually generated by the provider (therapy plans).
Thus, it is not very clear as to in what sense can the patients own their data. SUMMARY/CONCLUSION: As of now hospitals are the custodians of health data and data sharing approaches are very conservative. What really matters is the intentionality of the data. If the healthcare system is really moving towards a patient centric approach, then the Privacy rules should give the ownership of the data to the patients. But, as mentioned above, it will come with its own repercussions. Any entity that wants or needs to share a patient’s health record will need the patient’s agreement and access. It is time to make the patients well informed about protecting their own data and coming up with laws and policies to look at those that are not able to make such a decision. Before the custody of data is transferred to the patients who could be misinformed or uninformed, there is a dire need of creating the right ethics, rules and regulations to prevent patients sharing their data only to find out that its being used in an untoward way. On the technology front, Blockchain could be the catalyst that someday accelerates a massive change process in healthcare by enabling medical information to be available wherever patient’s go for their care.