Do You Really Want Full Access to Your Health Data?
Disclaimer: I am not a disinterested party in this debate.
There is a miniature debate going on right now about patient rights to their health data. At least some number of patient rights advocates understandably believe that patients should be given full control over their health records. This sort of information could be used in third party applications to all sorts of good ends.
On the other hand, this sort of information could be used in third-party applications to all sorts of bad ends. People pay surprisingly little attention to the detailed, small-type legal disclaimers that they sign. If an application someone wants to use asks for access to their health data, some large fraction of prospects will simply acquiesce. And with this “consent”, the application can do whatever it wants within the broad boundaries of the agreement they themselves wrote.
This sort of trade-off has come up before. The result has been consumers giving up large amounts of information about their internet usage to corporations without much insight into what they are giving up and with comparatively little to show for their sacrifice.
Health information is different. Such information, if made public, can be truly and permanently damaging to a person in a way their web-browsing patterns are unlikely to.
This, however, is an inevitable consequence of giving patients the rights to get programmatic access to their health records. There will be some tiny number of users who use such information in productive ways like quantitative tracking of their health. There will be millions who share their health data because some start-up figured out a way to monetize the information therein.
The right to access your health information in a programmatic fashion also gives you the right to unwittingly give a random app developer access to your health information. Is this a right we actually want?
I’m not sure I fully follow. Are we talking about access or control? I can imagine scenarios where the patient simply needs to know their own medical information and yet is not allowed to access it, or cannot easily access it. Maybe that doesn’t happen in real life and maybe that’s not what is at issue, but if it is, then I think patients should be able to access.
I haven’t thought about your angle before.
The libertarian in me would say that if the patient has full access, then at least they have a choice. The paternalist in me worries that someone, as you put it, might find a way to “monetize” convincing that patient to surrender some or all of that information–and to do so in way that may harm the patient’s interests.
Is there a middle ground? Is the debate over “control” over the patient’s records or simply empowering the patient to access those records? Or both? [Hint: I didn’t read the link and I haven’t been following this debate, so I don’t know.]Report
Right now HIPAA requires covered entities (most providers, insurance companies, claims clearinghouses) to provide patients their designated record sets at minimal cost (essentially cost of creating copies). Patients however do not have the right to request all of their info at any time in any form and from any entity who happens to have it.
My opinion is that while that right should eventually exist it should only be granted as part of a scheme also allowing substantial control by consumers over the information in the possession of third parties. I actually think the CCPA in California isn’t the worst blue print in the world for this (right now PHI is specifically excluded).
The thing to be wary of on the ‘free the data’ side is that once its out of the HIPAA space the data is subject only to whatever is in the TOU between the individual and the application. Maybe its a worthy trade off but probably not in most cases. You might find your health records used for intrusive and embarrassing marketing purposes or even sold to the highest bidder for who knows what. This is an area where the law has really not caught up with technology and our geriatric legislators don’t strike me as up to task to protect the public interest. I’m pretty sure the CCPA (which again, inapplicable but the leading example of new data protection law) only passed to prevent a much more stringent law from taking effect that passed at referendum.Report
Thanks for the rundown of the issues.Report
Yes. I want it.
Hundreds of thousands of people die every year from medical error, countless numbers more just live with uncomfortable and anxiety-inducing completely treatable health problems for years like I did, and we can’t know how many people were told by doctors “you’re fine, go home” and then died and the connection was never drawn. I suspect it’s a lot, particularly a whole lot of women and minorities.
Will there be practical issues? Sure. Do I care? No. They need to let me see my goddamn test results since they don’t even bother to look at them before I get in the room with them.
Dr. Google gives better advice than 9 out of 10 doctors I’ve ever been to.Report
What if a tech company collected it and sold it to an agency who turnes it into a browsable list employers could use to make hiring decisions? Or maybe to some other bad actor who used it to identify targers for blackmail? Maybe they get used for research purposes without compensation to you or IRB oversight.Report
And I would have to trust politicians to legislate to prevent that in the future. (I’d also point out that pretty much everyone has SOME medical issue or genetic disposition towards such) and so at some point if an employer tried to find an employee without those issues they’d be choosing from a ridiculously small pool)
I find I’m quite tired of these line drawing exercises where the lines are drawn always to favor already powerful lobbies at the expense of relatively powerless individuals. Kinda puts me in mind of saying “Women need to wear burkas to protect themselves from men who can’t control themselves”. The solution to bad actors is not removing freedom from people and allowing potentially corrupt 3rd parties to decide whether or not you have a right to go outside in shorts or seeing test results that you paid for.
I am sure you’re the one out of ten good doctor that I just haven’t been lucky enough to come across, but I am also sure you’ve seen your fair share of docs that are overworked and burned out and not always giving patients their best selves. I think I have a right to take care of myself if no one else seems willing to.Report
I’m not a doctor, I’m an in-house healthcare attorney. And I hear what you’re saying, hence my comment above on the thread. What I don’t think is useful is turning this into a removing freedom versus not removing freedom. From that perspective one could easily conclude that the providers own the records they create and no one including the individual has any rights over it. Indeed some providers do take that kind of position (sounds like you’ve experienced this first hand).
The question any new regulatory approach has to ask who is actually being empowered. My guess is that everyone would say the goal is empowering consumers. However, if not done well or solely through libertarian principles the answer could well end up being big tech. While that might address certain problems with provider information hoarding it would create new ones which is why this has to be addressed with appropriate care and nuance. If we get it wrong there may not be a way to re-close the flood gates.Report
I’ll second the it’s not, or shouldn’t be, about “removing freedom versus not removing freedom.” Maybe the same piece of legislation that liberalizes access could also have protections in it. Of course, we have to discount the fact that any legislation will have unintended (or intended, but unwanted by many) consequences.Report
I used to think InMD was a doctor, too. But now I think his/her name means “In Maryland.”
Without commenting on the issue of access vs. how to regulate other entities getting it, I’ll say that I’d like access, myself. I’d also like my doctor to run a liver-function test because he has (actually, had) me on medicine, one of the possible side effects of which is liver damage. He hasn’t done it. Or he says he’s done it, but I never see the results. I just want to know how my liver is doing. (I’m also fortunate enough that I am able to pay for it myself should insurance not pay for it. But no, he doesn’t do the tests.)Report
While I know that I should have access to my data, I’m not sure that other people should have access to their own.
Is there any way to make sure that I know mine but other people won’t know theirs?Report
A sprawling, byzantine system of fees, waivers, and paperwork.Report
Bring it on! Byzantine health care regulations pay my bills.Report
You could go to medical school.Report
Where I’d have physical access to the servers!Report
1. You currently do have the right to access your health data, as specified by InMD above.
2. Doing so is a cumbersome process as a result of current regulations including HIPAA, which were not really written for the internet age.
3. Special interests also benefit from and safeguard the existing costly and inefficient processes. This is a general trend throughout health care that is worse than in other industries.
4. There are special categories such as HIV status and psychiatric records that currently have additional protections.
5. Things like immunization records, readily apparent anthropometric data, and normal results from well visits probably do not need any special privacy safeguards. This information is often even required by schools or workplaces, which makes subjecting it to medical privacy laws somewhat silly.
6. I like when my patients are aware of their own medical results and come in with questions. (Most physicians would agree, I think.) It lets me tailor my conversation to the patient’s concerns and also gives me the chance to ask any follow-up questions that might change the significance of a particular data point.Report
I believe you. I also strongly suspect you’re right that “most physicians” would agree if you (or I) asked them.
In practice, though, I suspect it shakes out that the person with follow-up questions gets only 15 minutes (if that) to explain their concerns. And the person might have, say, 4 or 5 concerns, and possibly concern #3 or #4 is most important, but the physician responds only to concern #1, or possibly #1 and #2, because those are the first concerns the physician heard. By the time #3 and later comes around, the physician has zoned out.
I strongly suspect that this dynamic obtains most of the time. I even more strongly suspect that it’s NOT a character fault of the physician, but the fault of the way the medical system prioritizes short visits and easily diagnosable disorders/syndromes/conditions.
Because it (I suspect) is largely the fault of the system, and because I know too little about the system and how it works (except from the standpoint of a patient, and thankfully I have had little, though not no, such experience), I don’t know the remedy or even if there is a remedy that’s practicable on a large scale.Report
Training more physicians would be the place to start. There is currently a major shortage in every medical specialty. US residency training is severely underfunded, and new restrictions on immigration mean that fewer foreign physicians are allowed to practice. With the Baby Boomers aging, and with the uniquely high expectations of that generation in particular, the problem will only get worse.Report
Have you by chance read Danielle Ofri’s, “What Patients Say, What Doctors Hear”? I found it very enlightening on what doctors could do in the short term (before more secular improvements like training more physicians) to start to resolve some of the communication problems.
Not being a doctor, I can’t judge firsthand whether what she suggests makes sense, but she certainly seems empathetic enough and I wish my primary care physician would do the same.Report
I haven’t read it, and I’m only vaguely familiar with it. I’m not in primary care, so it’s slightly less applicable to my practice, but it looks interesting. I agree that communication is the most important thing. I prefer to listen longer and avoid multitasking even if it means potentially getting behind on my other tasks – call it a measure twice, cut once approach to medical care – but I do think a lot of the external forces in the health care world heavily disincentivize that sort of doctor-patient relationship, even if everyone has the best intentions.Report
There’s an interesting question here about ownership of data that’s more general than the medical case presented. Data is generated about you (the consumer, patient, citizen, etc.) by various entities (banks, doctors, telecoms, isp’s, government agencies). So who owns that data? Does it belong to the person whom it’s about, or does it belong to the entity that generates/collects the data? You can make good-faith arguments in both directions.
I would note that when I separated from the Navy I was handed a fairly thick folder of medical/dental records. Every single scrap of paper generated by every encounter with the military medical system — every doctor’s note, test result, dental X-ray, vaccination… everything — was in that folder. I was a healthy guy but it was still almost an inch thick.
On a practical level, we moved around a lot during the first 15 years or so of our marriage and my wife had/has some continuing fairly serious medical issues. Trying to get records transferred to a new provider was a huge PITA, and there are literally dozens of providers in her history spread all over the country — Kansas City, Indianapolis, Chicago, Virginia, Louisiana, Connecticut, Denver, Wyoming. Portable electronic records — which weren’t really a thing yet most of that time — would have been incredibly helpful.Report