Virtual Mentor. September 2012, Volume 14, Number 9: 724-732.
Would Patient Ownership of Health Data Improve Confidentiality?
The protections patients currently have under the Health Insurance Portability and Accountability Act Privacy Rule and the Common Rule are surprisingly similar to those they would have if they owned their data and biospecimens.
Barbara J. Evans, PhD, JD, LLM
Modern testing technology can extract a wealth of information from the merest speck of a person—a biospecimen—and information systems can transmit entire medical records at the click of a mouse. Given these capabilities, confidentiality—the notion that information patients share during medical treatment should not be disclosed to others without the patient’s authorization—is a fragile concept . One response to patient concerns about confidentiality has been to press state legislators to give patients actual ownership of their medical information. Five states have done so with respect to genetic information , and a number of other states are considering whether to recognize patient ownership of health records .
It seems obvious, at first glance, that “[h]ow the law defines ownership of patient data…affects patient confidentiality” . However, letting patients own their health records may not be an effective way to improve confidentiality. Although it seems counterintuitive, the protections patients currently enjoy under the Health Insurance Portability and Accountability Act (HIPAA)  Privacy Rule  and the Common Rule  are surprisingly similar to those they would have if they owned their data and biospecimens .
The Framework of Protections under HIPAA and the Common Rule
The HIPAA Privacy Rule and the Common Rule require, as their baseline, that patients sign privacy authorizations  or informed consent forms  (or both) before another party can gain access to their medical information or biospecimens. Access to data and specimens is consensual in the sense of requiring the patients’ permission. Both regulations, however, shift to a regime of nonconsensual access—that is, access without authorization or informed consent--in various situations [11-15]. The Department of Health and Human Services (HHS) recently published an advance notice of proposed rulemaking (ANPRM)  that explored possible changes to the Common Rule. The proposal, if implemented, would alter some of the details regarding when consent is required but would continue to allow nonconsensual access under certain circumstances [17-20].
The HIPAA Privacy Rule and the Common Rule currently allow nonconsensual access to data and tissues for certain uses believed to have a high social value—for example, public health, judicial, and law enforcement activities. Nonconsensual research uses of data and biospecimens are allowed under various conditions that purport to manage the risks to patient confidentiality by, for example, de-identifying or coding data in compliance with specific standards [15, 21-25] or converting the data to a limited data set as defined in the HIPAA Privacy Rule . An additional way to gain access to data and biospecimens for research is to have an institutional review board or privacy board (collectively, IRB) [27-30] approve a waiver of the baseline consent or authorization requirements [31, 32].
When data are supplied to researchers under a HIPAA waiver, there is a “minimum necessary”  requirement, meaning that no more information can be disclosed than is required to accomplish the goals of the research. However, HIPAA does not require the data or biospecimens to be de-identified or even coded when granting a waiver. In theory, identified data or specimens could be disclosed to researchers under a waiver if the identifiers are necessary to the research and if an IRB determines that several other waiver conditions have been met .
Obviously, the HIPAA Privacy Rule and the Common Rule do not ensure “confidentiality” in the ordinary sense of the word. Both regulations allow information shared during medical consultation (and specimens collected during treatment) to be disclosed to third parties without the patient’s permission. The protections these regulations provide do not live up to many people’s notion of “confidentiality.” This situation explains the recent push for patient ownership of medical information and biospecimens.
If Patients Owned Their Data
Would a regime of patient data ownership do a better job of protecting confidentiality? In popular conception, ownership confers a solid, indisputable right of control. Unfortunately, this is not how property rights actually work.
Consider, by way of comparison, ownership of a home (assuming it is paid in full and free of any mortgage). In the ordinary course of things, a person wishing to use your home must enter a consensual transaction with you, and you are free to define the terms of that transaction, such as the price at which you would be willing to sell or lease the property. If someone uses your home without your consent, the law affords you an injunction remedy—courts and law enforcement authorities will help you stop the unwanted use . This package of rights and remedies is what lawyers refer to as “property-rule” protection . People who call for patient ownership of data often seem to have this type of protection in mind: all uses of data would require the patient’s consent on terms defined by the patient, and unconsented uses could be enjoined (forced to stop).
Owning a home does not, unfortunately, ensure this sort of protection. There are many situations where consensual ordering breaks down. If a neighbor’s Fourth-of-July fireworks burn down your house, there is no opportunity beforehand to negotiate a consensual transaction in which you agree to a price at which you would be willing to have your house destroyed. The deed is done; the house has been taken nonconsensually, and it is too late to enjoin the violation of your rights. Instead, law grants you what is known as “liability-rule” protection: you may petition a court to set an appropriate level of compensation for your loss . Tort lawsuits are the most famous example of liability-rule protection, but there are many others, including two that have particular salience in the context of data ownership: (1) actions the state takes under its police power to protect the public’s health, safety, morals, or welfare , and (2) eminent domain.
The state’s police power to use patient-owned data. If a home is poorly maintained and poses a threat to neighboring properties, the state can order it cleaned up or demolished without the owner’s consent. In these situations, the government usually does not owe the homeowner compensation for the loss. In the nineteenth century, courts analyzed such cases under natural rights principles that grounded property rights in personhood . These old cases are intriguing because their reasoning bears a surprising resemblance to modern bioethical analysis that grounds privacy rights in autonomy. The natural-rights rationale for allowing the state to place burdens on the property owner was that a person has no natural right to harm his neighbors and thus suffers no compensable loss of rights when the state steps in to protect their interests .
Even when a home is well maintained and poses no risk to others, the state still can interfere with property rights in ways that promote public health and welfare—for example, by passing laws that force owners to install sidewalks at their own expense. The natural-rights rationale for forcing owners to bear these costs was that each affected owner receives “implicit in-kind”  compensation: there is “reciprocity of advantage” [42, 43] since each affected owner benefits from the improvements fellow citizens are similarly forced to make [41, 44]. The scope of the state’s police power thus includes a power to force owners to contribute positive benefits to the community; it is not limited to controlling nuisances and harms . However, nineteenth-century courts set limits on the state’s power to force people to make positive contributions for the good of the public. The state could validly ask people to do so only when there was reciprocity of advantage, so that each person who gave to the community also got something back from it.
Public health activities long have been viewed as legitimate exercises of the state’s police power [46, 47]. The reciprocity-of-advantage concept in nineteenth-century property law resonates with a concept used in modern bioethical analysis of public health uses under the Common Rule. When deciding whether a proposed study is public health “practice” or public health “research” [48-50], some IRBs inquire whether the study will offer “benefits internal to the community” [51, 52]. When benefits of a study flow to the people who contributed data or specimens, this tends to favor a finding that the study is public health practice that does not require consent under the Common Rule. If the study benefits groups other than the data or specimen contributors, this tends to support a finding that the use is research that does require consent.
This resonance between nineteenth-century natural-rights analysis and contemporary bioethical thought is no accident. When the benefits of a study are internal to the community, this is merely another way of saying that there is reciprocity of advantage. Modern bioethical analysis of public health uses under the Common Rule is strikingly similar to the natural-rights analysis nineteenth-century courts applied when analyzing police-power intrusions on individual property rights. Bioethicists might draw upon these cases for insights on how to make difficult ethical trade-offs when there is conflict between individual autonomy and public interests.
Even if patients owned their data and biospecimens, these resources still could be used in public health activities without their permission—the same level of protection that patients already have under the HIPAA Privacy Rule and the Common Rule. Both regulations allow nonconsensual access to data and biospecimens to benefit public health.
Eminent domain and patient-owned data. The state has an additional power known as eminent domain or “takings” power. The significance of this power in the present discussion is that the state can pass laws that take a person’s property without consent, even when there is no reciprocity of advantage—that is, when the burdens of a measure to benefit the public are disproportionately visited on a few members of the community .
The state can take a person’s home to build a new sports stadium, even when the owner is not a sports fan and will never personally enjoy the new facility. Even if the affected homeowner theoretically shares in the benefits of a project—as with a highway project—the benefits and burdens may be so badly skewed that there is no way to pretend the owner will receive in-kind compensation for the loss. The joys of driving on a new highway are a shabby reward for losing one’s home. The Supreme Court considers it a “taking” when governmental action forces “some people alone to bear public burdens which, in all fairness and justice, should be borne by the public as a whole” . The government still can force the owner to give up her property, but the owner is entitled to receive “just compensation” under the Fifth Amendment to the U.S. Constitution.
In a longer study , summarized below, I explored the analogy between eminent domain doctrine and unconsented uses of data and biospecimens in research. “Research,” as defined in the HIPAA Privacy Rule and the Common Rule [56, 57], produces findings that are generalizable to populations other than the participants whose data are being used. Nonconsensual uses of data in research cannot be justified under a reciprocity-of-advantage rationale because, quite often, the data and specimen contributors derive no benefits whatsoever. If patients owned their data and biospecimens, eminent domain seemingly would be the only available legal mechanism for procuring these resources for use in research without patient consent. The question is, “How would that work?” The major conclusions are as follows:
There are few discernible differences between the level of confidentiality patients would enjoy if they owned their data and biospecimens and what they presently have under the HIPAA Privacy Rule and the Common Rule. A property regime would, however, impose a takings criterion known as a “public use” requirement that would help ensure that eminent domain takings of data and tissues must serve a socially beneficial purpose .The HIPAA Privacy Rule and the Common Rule currently lack such a criterion in their waiver provisions, leaving patients with no assurance that unconsented uses of their data and specimens would serve a useful purpose. This is a point on which the HIPAA Privacy Rule and the Common Rule need reform . Many bioethicists agree that the “central ethical issue”  in unconsented use of data or biospecimens is whether the public benefits to be gained from the use are great enough to justify the burden it will place on the data or tissue contributors . The current waiver provisions do not adequately address this question.
Patients’ concern about confidentiality, however, does not really turn on how their data and specimens are used. Confidentiality, in many patients’ minds, is breached by any unauthorized use of a patient’s data or biospecimens, regardless of the benefits to be gained by the use. From the standpoint of protecting patients’ confidentiality, data ownership offers little improvement over the HIPAA Privacy Rule and the Common Rule. This suggests that patient ownership of data is not a fruitful path for reform. It would leave patients with many of the same dissatisfactions they have with the current regulations.
Barbara J. Evans, PhD, JD, LLM, is a professor of law, co-director of the Health Law & Policy Institute, and director of the Center on Biotechnology & Law at the University of Houston Law Center, a member institution of the Texas Medical Center.
DisclosureThis research has been supported by the Greenwall Foundation and the University of Houston Law Foundation.
Related in VM
The viewpoints expressed on this site are those of the authors and do not necessarily reflect the views and policies of the AMA.
© 2012 American Medical Association. All Rights Reserved.