Policy Forum
Sep 2012

Would Patient Ownership of Health Data Improve Confidentiality?

Barbara J. Evans, PhD, JD, LLM
Virtual Mentor. 2012;14(9):724-732. doi: 10.1001/virtualmentor.2012.14.9.pfor1-1209.


Modern testing technology can extract a wealth of information from the merest speck of a person—a biospecimen—and information systems can transmit entire medical records at the click of a mouse. Given these capabilities, confidentiality—the notion that information patients share during medical treatment should not be disclosed to others without the patient’s authorization—is a fragile concept [1]. One response to patient concerns about confidentiality has been to press state legislators to give patients actual ownership of their medical information. Five states have done so with respect to genetic information [2], and a number of other states are considering whether to recognize patient ownership of health records [3].

It seems obvious, at first glance, that “[h]ow the law defines ownership of patient data…affects patient confidentiality” [4]. However, letting patients own their health records may not be an effective way to improve confidentiality. Although it seems counterintuitive, the protections patients currently enjoy under the Health Insurance Portability and Accountability Act (HIPAA) [5] Privacy Rule [6] and the Common Rule [7] are surprisingly similar to those they would have if they owned their data and biospecimens [8].

The Framework of Protections under HIPAA and the Common Rule

The HIPAA Privacy Rule and the Common Rule require, as their baseline, that patients sign privacy authorizations [9] or informed consent forms [10] (or both) before another party can gain access to their medical information or biospecimens. Access to data and specimens is consensual in the sense of requiring the patients’ permission. Both regulations, however, shift to a regime of nonconsensual access—that is, access without authorization or informed consent--in various situations [11-15]. The Department of Health and Human Services (HHS) recently published an advance notice of proposed rulemaking (ANPRM) [16] that explored possible changes to the Common Rule. The proposal, if implemented, would alter some of the details regarding when consent is required but would continue to allow nonconsensual access under certain circumstances [17-20].

The HIPAA Privacy Rule and the Common Rule currently allow nonconsensual access to data and tissues for certain uses believed to have a high social value—for example, public health, judicial, and law enforcement activities. Nonconsensual research uses of data and biospecimens are allowed under various conditions that purport to manage the risks to patient confidentiality by, for example, de-identifying or coding data in compliance with specific standards [15, 21-25] or converting the data to a limited data set as defined in the HIPAA Privacy Rule [26]. An additional way to gain access to data and biospecimens for research is to have an institutional review board or privacy board (collectively, IRB) [27-30] approve a waiver of the baseline consent or authorization requirements [31, 32].

When data are supplied to researchers under a HIPAA waiver, there is a “minimum necessary” [33] requirement, meaning that no more information can be disclosed than is required to accomplish the goals of the research. However, HIPAA does not require the data or biospecimens to be de-identified or even coded when granting a waiver. In theory, identified data or specimens could be disclosed to researchers under a waiver if the identifiers are necessary to the research and if an IRB determines that several other waiver conditions have been met [34].

Obviously, the HIPAA Privacy Rule and the Common Rule do not ensure “confidentiality” in the ordinary sense of the word. Both regulations allow information shared during medical consultation (and specimens collected during treatment) to be disclosed to third parties without the patient’s permission. The protections these regulations provide do not live up to many people’s notion of “confidentiality.” This situation explains the recent push for patient ownership of medical information and biospecimens.

If Patients Owned Their Data

Would a regime of patient data ownership do a better job of protecting confidentiality? In popular conception, ownership confers a solid, indisputable right of control. Unfortunately, this is not how property rights actually work.

Consider, by way of comparison, ownership of a home (assuming it is paid in full and free of any mortgage). In the ordinary course of things, a person wishing to use your home must enter a consensual transaction with you, and you are free to define the terms of that transaction, such as the price at which you would be willing to sell or lease the property. If someone uses your home without your consent, the law affords you an injunction remedy—courts and law enforcement authorities will help you stop the unwanted use [35]. This package of rights and remedies is what lawyers refer to as “property-rule” protection [36]. People who call for patient ownership of data often seem to have this type of protection in mind: all uses of data would require the patient’s consent on terms defined by the patient, and unconsented uses could be enjoined (forced to stop).

Owning a home does not, unfortunately, ensure this sort of protection. There are many situations where consensual ordering breaks down. If a neighbor’s Fourth-of-July fireworks burn down your house, there is no opportunity beforehand to negotiate a consensual transaction in which you agree to a price at which you would be willing to have your house destroyed. The deed is done; the house has been taken nonconsensually, and it is too late to enjoin the violation of your rights. Instead, law grants you what is known as “liability-rule” protection: you may petition a court to set an appropriate level of compensation for your loss [37]. Tort lawsuits are the most famous example of liability-rule protection, but there are many others, including two that have particular salience in the context of data ownership: (1) actions the state takes under its police power to protect the public’s health, safety, morals, or welfare [38], and (2) eminent domain.

The state’s police power to use patient-owned data. If a home is poorly maintained and poses a threat to neighboring properties, the state can order it cleaned up or demolished without the owner’s consent. In these situations, the government usually does not owe the homeowner compensation for the loss. In the nineteenth century, courts analyzed such cases under natural rights principles that grounded property rights in personhood [39]. These old cases are intriguing because their reasoning bears a surprising resemblance to modern bioethical analysis that grounds privacy rights in autonomy. The natural-rights rationale for allowing the state to place burdens on the property owner was that a person has no natural right to harm his neighbors and thus suffers no compensable loss of rights when the state steps in to protect their interests [40].

Even when a home is well maintained and poses no risk to others, the state still can interfere with property rights in ways that promote public health and welfare—for example, by passing laws that force owners to install sidewalks at their own expense. The natural-rights rationale for forcing owners to bear these costs was that each affected owner receives “implicit in-kind” [41] compensation: there is “reciprocity of advantage” [42, 43] since each affected owner benefits from the improvements fellow citizens are similarly forced to make [41, 44]. The scope of the state’s police power thus includes a power to force owners to contribute positive benefits to the community; it is not limited to controlling nuisances and harms [45]. However, nineteenth-century courts set limits on the state’s power to force people to make positive contributions for the good of the public. The state could validly ask people to do so only when there was reciprocity of advantage, so that each person who gave to the community also got something back from it.

Public health activities long have been viewed as legitimate exercises of the state’s police power [46, 47]. The reciprocity-of-advantage concept in nineteenth-century property law resonates with a concept used in modern bioethical analysis of public health uses under the Common Rule. When deciding whether a proposed study is public health “practice” or public health “research” [48-50], some IRBs inquire whether the study will offer “benefits internal to the community” [51, 52]. When benefits of a study flow to the people who contributed data or specimens, this tends to favor a finding that the study is public health practice that does not require consent under the Common Rule. If the study benefits groups other than the data or specimen contributors, this tends to support a finding that the use is research that does require consent.

This resonance between nineteenth-century natural-rights analysis and contemporary bioethical thought is no accident. When the benefits of a study are internal to the community, this is merely another way of saying that there is reciprocity of advantage. Modern bioethical analysis of public health uses under the Common Rule is strikingly similar to the natural-rights analysis nineteenth-century courts applied when analyzing police-power intrusions on individual property rights. Bioethicists might draw upon these cases for insights on how to make difficult ethical trade-offs when there is conflict between individual autonomy and public interests.

Even if patients owned their data and biospecimens, these resources still could be used in public health activities without their permission—the same level of protection that patients already have under the HIPAA Privacy Rule and the Common Rule. Both regulations allow nonconsensual access to data and biospecimens to benefit public health.

Eminent domain and patient-owned data. The state has an additional power known as eminent domain or “takings” power. The significance of this power in the present discussion is that the state can pass laws that take a person’s property without consent, even when there is no reciprocity of advantage—that is, when the burdens of a measure to benefit the public are disproportionately visited on a few members of the community [53].

The state can take a person’s home to build a new sports stadium, even when the owner is not a sports fan and will never personally enjoy the new facility. Even if the affected homeowner theoretically shares in the benefits of a project—as with a highway project—the benefits and burdens may be so badly skewed that there is no way to pretend the owner will receive in-kind compensation for the loss. The joys of driving on a new highway are a shabby reward for losing one’s home. The Supreme Court considers it a “taking” when governmental action forces “some people alone to bear public burdens which, in all fairness and justice, should be borne by the public as a whole” [54]. The government still can force the owner to give up her property, but the owner is entitled to receive “just compensation” under the Fifth Amendment to the U.S. Constitution.

In a longer study [55], summarized below, I explored the analogy between eminent domain doctrine and unconsented uses of data and biospecimens in research. “Research,” as defined in the HIPAA Privacy Rule and the Common Rule [56, 57], produces findings that are generalizable to populations other than the participants whose data are being used. Nonconsensual uses of data in research cannot be justified under a reciprocity-of-advantage rationale because, quite often, the data and specimen contributors derive no benefits whatsoever. If patients owned their data and biospecimens, eminent domain seemingly would be the only available legal mechanism for procuring these resources for use in research without patient consent. The question is, “How would that work?” The major conclusions are as follows:

  1. Under current legal precedents concerning property rights, it would be possible to take data and specimens for use in private, commercial research projects that offer the prospect of developing a beneficial new therapy [58]. Such takings could be allowed even when the new therapy would only be available to patients who could afford to pay for it. In other words, patient-owned data could be taken without consent for use in research sponsored by pharmaceutical and medical device companies.
  2. It is unlikely that patients would receive monetary compensation when their data and tissues were taken for use in research [59]. Courts interpret “just compensation” to mean fair market value for property. Courts give no compensation for above-market subjective value an owner may place on a property—if, for example, the owner grew up in the house or her children decorated its walls with hand-painted frescoes that she treasures but that other buyers would not value similarly [60]. There also is no compensation for undeveloped use rights [61, 62]—the value an unused piece of land might have had if the owner had chosen to build a palace on it. These same limitations presumably would restrict compensation for data and biospecimens.

    When patients want their data to remain unused because of privacy or dignitary concerns, the fair market value of the data apparently would be zero: there is no alternative, consensual data use by which to assess the data’s fair market value. The value (in the patient’s mind) of keeping data unused would most likely be viewed as a subjective value or an undeveloped use right, for which the patient would receive no compensation under modern takings doctrine.

  3. There is a long tradition in the United States of laws that allow private bodies to approve takings of property. For example, railroad companies have been allowed to approve takings of property to assemble railroad rights-of-way for tracks. This so-called “private” eminent domain power is surprisingly similar to the role IRBs play under the waiver provisions of the HIPAA Privacy Rule and the Common Rule. The waiver provisions are consistent with American legal traditions that date back to the colonial era. If patients owned their data, some scheme of private eminent domain power would probably emerge, and it very well might resemble the waiver provisions that exist in current regulations [63]. Here, it is interesting to note that two of the five states that have recognized patients’ ownership in genetic information have implemented schemes that allow unconsented use of this information in research [64].


There are few discernible differences between the level of confidentiality patients would enjoy if they owned their data and biospecimens and what they presently have under the HIPAA Privacy Rule and the Common Rule. A property regime would, however, impose a takings criterion known as a “public use” requirement that would help ensure that eminent domain takings of data and tissues must serve a socially beneficial purpose [65].The HIPAA Privacy Rule and the Common Rule currently lack such a criterion in their waiver provisions, leaving patients with no assurance that unconsented uses of their data and specimens would serve a useful purpose. This is a point on which the HIPAA Privacy Rule and the Common Rule need reform [65]. Many bioethicists agree that the “central ethical issue” [66] in unconsented use of data or biospecimens is whether the public benefits to be gained from the use are great enough to justify the burden it will place on the data or tissue contributors [67]. The current waiver provisions do not adequately address this question.

Patients’ concern about confidentiality, however, does not really turn on how their data and specimens are used. Confidentiality, in many patients’ minds, is breached by any unauthorized use of a patient’s data or biospecimens, regardless of the benefits to be gained by the use. From the standpoint of protecting patients’ confidentiality, data ownership offers little improvement over the HIPAA Privacy Rule and the Common Rule. This suggests that patient ownership of data is not a fruitful path for reform. It would leave patients with many of the same dissatisfactions they have with the current regulations.


  1. Nass SJ, Levit LA, Gostin LO eds.; Institute of Medicine Committee on Health Research and the Privacy of Health Info. Beyond The HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: National Academies Press; 2009. http://www.nap.edu/catalog/12458.html. Accessed August 8, 2012.

  2. The five states are Alaska, Colorado, Florida, Georgia, and Louisiana. Ram N. Assigning rights and protecting interests: constructing ethical and efficient rights in human tissue research. Harvard J Law Tech. 2009;23(1):141.

  3. Evans BJ. Much ado about data ownership. Harvard J Law Tech. 2012;25(1):69-130.
  4. Rodwin MA. Patient data: property, privacy & the public interest. Am J Law Med. 2010;36(4):586-618.
  5. Health Insurance Portability and Accountability Act of 1996, Pub L No 104-191, 110 Stat 1936 (codified as amended in scattered sections of 18, 26, 29 and 42 USC).

  6. US Department of Health and Human Services (HHS). Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule), codified at 45 CFR parts 160, 164.

  7. HHS. Basic HHS Policy for Protection of Human Subjects (Common Rule), 45 CFR part 46 subpart A (sections 46.101-46.124).

  8. Evans (2012), 77-86.

  9. HHS. Uses and disclosures for which an authorization is required, 45 CFR section 164.508.

  10. HHS. General requirements for informed consent, 45 CFR section 46.116.

  11. HHS. Uses and disclosures for which an authorization or opportunity to agree or object is not required, 45 CFR section 164.512.

  12. HHS. Human subject research to which the policy applies. Basic HHS Policy for Protection of Human Subjects, 45 CFR sections 46.101(b)–(d).

  13. HHS. Definition of research. 45 CFR section 46.102(d).

  14. HHS. Definition of human subject. 45 CFR section 46.102(f).

  15. The US Department of Health and Human Services Office for Human Research Protections (OHRP) has determined that research involving only coded private information and biospecimens is not human subject research that requires informed consent. See Office for Human Research Protections. Guidance on research involving coded private information or biological specimens; Oct. 16, 2008. http://www.hhs.gov/ohrp/policy/cdebiol.html. Accessed July 15, 2012.

  16. HHS. Advanced notice of proposed rulemaking: human subjects research protections: enhancing protections for research subjects and reducing burden, delay, and ambiguity for investigators. Fed Regist. 2011;76:44512-44531. To be codified at 45 CFR parts 46, 160, 164, and 21 CFR parts 50, 56. https://www.federalregister.gov/articles/2011/07/26/2011-18792/human-subjects-research-protections-enhancing-protections-for-research-subjects-and-reducing-burden. Accessed August 9, 2012.

  17. HHS. Fed Regist. 2011;76:44518-44521.

  18. HHS, Fed Regist. 2011;76:44527, table 1, Proposal for the excused category of research involving pre-existing information or biospecimens. https://www.federalregister.gov/articles/2011/07/26/2011-18792/human-subjects-research-protections-enhancing-protections-for-research-subjects-and-reducing-burden#t-1. Accessed August 9, 2012.

  19. But the same document suggests that consent could be waived in certain circumstances. HHS. Fed Regist. 2011;76:44523-44525.

  20. Public comment was sought on whether certain activities, such as quality-improvement and public-health activities, should lie outside the Common Rule’s consent requirements. HHS. Fed Regist. 2011;76:44521 question 24.

  21. Part of 45 CFR 164.514 allows data to be de-identified, for HIPAA purposes, by stripping away eighteen specific types of identifiers or by having a statistician certify that the risk of re-identification is “very small.” See Other requirements relating to uses and disclosures of protected health information, 45 CFR section 164.514(b).

  22. The definition of “human subject” in subpart A means that research with data is not covered by the Common Rule’s consent requirements if investigators do not receive identifying information or interact with the subjects. See Basic HHS Policy for Protection of Human Research Subjects, 45 CFR section 46.102(f).

  23. The advanced notice of proposed rulemaking, on the other hand, proposes a consent requirement for some uses of de-identified data that would not presently require consent under the Common Rule. HHS. Fed Regist. 2011;76:44519.

  24. HHS. Fed Regist. 2011;76:44523.

  25. Coded data is considered “de-identified” under the HIPAA Privacy Rule if the code key is derived in a certain way and if there are restrictions on access to the code key. See HHS. Other requirements relating to uses and disclosures of protected health information, 45 CFR section 164.514(c).

  26. HHS. Other requirements relating to uses and disclosures of protected health information, 45 CFR section 164.514(e).

  27. HHS. Assuring compliance with this policy -- research conducted or supported by any Federal Department or Agency, 45 CFR section 46.103(b).

  28. HHS. IRB membership, 45 CFR 46.107.

  29. HHS. IRB functions and operations, 45 CFR 46.108.

  30. HIPAA waivers can be approved by either a Common Rule-compliant IRB or by a HIPAA-compliant “privacy panel” similar to an IRB. SeeHHS. Uses and disclosures for which an authorization or opportunity to agree or object is not required, 45 CFR section 164.512(i)(2)(iv).

  31. HHS. Uses and disclosures for which an authorization or opportunity to agree or object is not required, 45 CFR section 164.512(i).

  32. HHS. General requirements for informed consent. 45 CFR section 46.116(d).

  33. HHS. Other requirements relating to uses and disclosures of protected health information, 45 CFR section 164.514(d).

  34. Evans BJ. Ethical and privacy issues in pharmacogenomic research. In: Macleod HL, ed. Pharmacogenomics: Applications to Patient Care. 2nd ed. Lenexa, KS: American College of Clinical Pharmacy; 2009:313-338.

  35. Merrill TW. The economics of public use. Cornell Law Rev. 1986;72:61-116.

  36. Calabresi G, Melamed AD. Property rules, liability rules, and inalienability: one view of the cathedral. Harvard Law Rev. 1972;85(6):1089-1128.
  37. Calabresi, Melamed, 1092.

  38. Merrill, 66.

  39. Claeys ER. Takings, regulations, and natural property rights. Cornell Law Rev. 2003;88(6):1549-1671.
  40. Claeys, 1578.

  41. Claeys, 1589.

  42. Claeys ,1587-1589.

  43. Claeys, 1619-1621.

  44. Claeys, 1557.

  45. Hart JF. Land use law in the early republic and the original meaning of the takings clause. Northwestern Univ Law Rev. 2000;94:1099-1156.

  46. Hall MA. Property, privacy, and the pursuit of interconnected electronic medical records. Iowa Law Rev. 2010;95(2):631-663.
  47. Parmet WE. After September 11: rethinking public health federalism. J Law Med Ethics. 2002;30(2):201-211.
  48. Amoroso PJ, Middaugh JP. Research vs. public health practice: when does a study require IRB review? Preventive Med. 2003;36:250-253.

  49. Centers for Disease Control and Prevention. HIPAA privacy rule and public health. MMWR Morb Mortal Wkly Rep. 2003;52:1-20. http://www.cdc.gov/mmwr/pdf/other/m2e411.pdf. Accessed July 15, 2012.

  50. Snider DE Jr, Stroup DF. Defining research when it comes to public health. Pub Health Rep. 1997;112(1):29-32.
  51. Hodge JG, Gostin LO. Public health practice vs. research. Council of State and Territorial Epidemiologists; 2004:7. http://www.cste.org/pdffiles/newpdffiles/CSTEPHResRptHodgeFinal.5.24.04.pdf. Accessed July 15, 2012.

  52. Hodge JG. An enhanced approach to distinguishing public health practice and human subjects research. J Law Med Ethics. 2005;33(1):125-140.
  53. Claeys, 1570.

  54. Armstrong v United States, 364 US 40, 49 (1960).

  55. Evans (2012), 80-86.

  56. See HHS. Definitions. 45 CFR section 164.501.

  57. See HHS. Human subject research to which the policy applies. 45 CFR section 46.101(d).

  58. Evans (2012), 80-81.

  59. Evans (2012), 81-82.

  60. Bell A, Parchomovsky G. The hidden function of takings compensation. Virginia Law Rev. 2010;96:1673-1725.

  61. Claeys, 1600-1601.

  62. Claeys, 1632.

  63. Evans (2012), 84-86.

  64. Ram, 141 (listing Colorado and Georgia).

  65. Evans (2012), 119-129.

  66. Casarett D, Karlawish J, Andrews E, Caplan A. Bioethical issues in pharmacoepidemiologic research. In: Strom BL, ed. Pharmacoepidemiology. 4th ed. Chicester, UK: John Wiley & Sons; 2005: 597.

  67. Jacobson PD. Medical records and HIPAA: is it too late to protect privacy? Minn Law Rev. 2002;86(6):1497-1514.


Virtual Mentor. 2012;14(9):724-732.



This research has been supported by the Greenwall Foundation and the University of Houston Law Foundation.

The viewpoints expressed in this article are those of the author(s) and do not necessarily reflect the views and policies of the AMA.