It’s Not Your Health Record Or Your Data

The phone rings. A tired hospital administrator picks it up. An equally tired patient barks into the phone “what the *&@! do I have to do to get my $(!)! health record out of you people? Don’t mail me 1,000 pages, send me my electronic record.” Both of them hate those few moments and each is a little worse off for it. Another phone rings. A software developer’s support staff answers it. The same tired administrator barks at them asking how to get the patient’s health record. The support staff tells them how to export it as a PDF or as an XML file. The administrator takes notes. Using the notes that are legible, the administrator goes back and produces the XML file. The patient yells at the administrator for providing them with a useless document and threatens to sue them under “HIPAA and even the new HIPAA.” And around they go. Ultimately, the patient just wants to put the record into their phone app so they can reference it when visiting their providers.

HIPAA’s and the 21st Century Cures Act’s thicket of regulations and laws that protect and control Protected Health Information (“PHI”) and Electronic Health Information (“EHI”) are what drove the administrator’s and support staff’s responses. These laws have also pulled the wool over most people’s eyes. Your average person walks around thinking that they own their health record. This blog post is meant to disabuse you of that notion. Not only do you not own your own health record, but some organizations have the ability to monetize and use the data in your personal health record when you cannot.

A clarifying portrayal of how complex healthcare and data rights are sits in this tiny intersection of copyright, HIPAA, and state property law. In most states, basic property law dictates that the owner of your healthcare records is your healthcare provider. Not you. So from the outset, these records are basically business records that belong to the business. While it’s disappointing, it makes some sense. That said, the general population has a basic expectation that folks will have access to their health records. That’s where HIPAA steps in. HIPAA gives patients a property interest in the PHI contained in their health records. Specifically, patients are entitled to a copy of all of the PHI in their “designated record set.” That’s basically everything related to your care, which includes your medical records, billing records, lab results, clinical notes, images, etc. There’s a lot more that HIPAA does, but with respect to your property rights in “your” health record, that’s about it. It creates a right of access.

So your healthcare provider owns your health record and you have a property interest in it. You also have the right to access and amend it. It’s a mouthful but clear enough, right? Wrong. Because other folks have OTHER property interests in your health record, and it gets shared around (or in some cases, doesn’t) to meet their interests, even if those interests are not aligned with your care or even your healthcare provider’s business interests.

“You’re a crazy lawyer who doesn’t know what he’s talking about,” says every person I tell this to. Fine, let me spell it out.

As stated above, a designated record set includes your actual medical record, billing records, lab results, clinical notes, images, etc.  Electronic health record vendors are generally certified through the Office of the National Coordinator’s (“ONC”) Health IT Certification Program. Healthcare providers and hospitals have to use a certified EHR if they take a certain amount of Medicare and/or Medicaid or they face financial consequences, in some cases exclusion from Medicare. That’s why by the ONC’s estimates about 80% of all physicians have adopted a certified EHR.[1] Hospitals sit around 96%.[2] Therefore chances are, if you are in the United States, your health record is being produced by a physician using one of those systems.

For IT systems to talk to each other they have to have a common language: a dictionary. Can you imagine how many different types of lab tests and results must exist? How many different types of medications are out there? And how many different ways can we diagnose somebody? How many ways can we talk about what happened to somebody? And how many different ways do providers talk about these things? More than one, I bet. For any of this to make sense for insurance or healthcare providers, and for IT systems to talk to each other, these things have to have standard value sets between entities.

That is where it gets dicey and when copyright law comes stomping in with government contracting and regulation as its unwitting partners. DHHS, along with every other major health insurance company, has more or less standardized what content they want to see in a health record, and how it should be formatted. They want to see a whole lot of data, and some of it has to be formatted in a way that conforms with a standard adopted by DHHS. And in keeping with federal traditions, notably those set by the Department of Defense, DHHS has decided to obtain those standards from private parties. This decision ensures that copyrighted material gets into your health record every time you visit a doctor.

To illustrate, the government requires that a certified EHR represents certain clinical fields in certain ways. A certified health EHR system that also supports medical billing MUST capture the following types of data (this is not an exhaustive list):

  1. Laboratory Tests, Values, and Results;
  2. Diagnoses;
  3. Medications;
  4. Problems (read, diagnoses); and,
  5. Procedures.

It must both DESCRIBE these things, and then offer VALUES for them. The values are the numerical codes that sit behind each one of these things. By way of example: the patient from the beginning of this post breaks a leg. The patient is a biological male and identifies as such (this is relevant to copyright interests). He sees a new doctor at an outpatient clinic. The doctor sets his leg. He is prescribed a medication. He later has a reaction to the medication and the same doctor gives him a blood test to determine whether there was a drug allergy.

His health record is now littered with copyrighted material. When he broke his leg, his provider documented his diagnosis as, let’s say “S82.80 Fractures of Other parts of lower leg, closed.” That contains an International Classification of Diseases (“ICD”) code, and its corresponding description. The copyright to ICD codes rests with the World Health Organization (“WHO”). When the doctor set his leg, it would be recorded as a Current Procedural Code (“CPT”) value, or multiple ones, for cutting into the leg and setting it. CPT codes are owned by the American Medical Association (“AMA”). When they prescribed him a medication, it was done so according to a value defined by the RxNORM value set, which is published by the United States National Library of Medicine. When he had a negative reaction, that would get recorded as a SNOMED code and description, specifically “416098002 Drug allergy (disorder),” which is owned by the International Health Terminology Standards Organization. His lab test had a Logical Observation Identifiers Names and Codes (“LOINC”) code on it that indicated what test was performed, and that is owned by the Indiana University School of Medicine. And since he was a new patient, the doctor likely recorded his sex and gender in accordance with another SNOMED code, along with another one owned by Health Level Seven (“HL7”), a health IT standards organization.

Except for the US federal government, each of those organizations would argue that it has a copyright interest in his health record because its copyrighted material is on it: the aforementioned codes and their descriptions. So “your health record” is really your healthcare provider’s records, subject to the copyright interests of several industry and lobbying organizations, an international non-governmental organization, the State of Indiana, and a couple of miscellaneous non-profits. This is a non-exhaustive list.

So what does that mean? HIPAA means that our patient had the right to a copy of his health record. That much is clear and is not going to implicate copyright law. But what can he do with it? Let’s say he is what I affectionately call a “garage developer.” He decides he wants to monetize his data, and the data of his (consenting) family and friends. He sells those health records to an analytics provider. To do so, he sends them along as readable and structured PDFs, and the analytics provider gives him money for the records. Arguably this implicates copyright law and a potential infringement because he made a copy of protected material for commercial gain. Not only that, but his email provider probably did, too.

It’s not your data.


[1] https://www.healthit.gov/data/apps/office-based-physician-health-it-adoption

[2] https://www.healthit.gov/data/apps/non-federal-acute-care-hospital-health-it-adoption-and-use
