Transcript: Who owns electronic health information?

Here’s a written transcript of the Healthcare Town Hall video segment on ownership of electronic health records.

Q: Gail Graham, in the case of the V.A., who owns the patient records in your system?

Gail Graham: Well, by statute, V.A., as the custodian of the record. But the information is actually owned by the patient, and the control and the release of that information is owned by the patient. We do have legal parameters for how we keep it and the duration for which we keep it. But disclosures of that information are established in the Privacy Act and in HIPAA. And I think for us, too, our patients have a long history of maintaining a copy of their record that dates back to their military service. So even before provisions of HIPAA allowed for amendment and getting copies of your records, it was a very commonplace thing for the veterans to keep a copy of their medical record as they moved around.

Q: When you want to use these records in some way to improve your care or for other purposes, do you have to go back to the patients and ask permission, or how is that handled?

Gail Graham: We do not have to do that if we’re using it for our healthcare operations as stipulated by HIPAA or the Privacy Act. For some generic research that you can use to identify data, we wouldn’t have to get permission. But for instance, when it’s not possible to de-identify the data, the veteran would have to provide permission to use the data.

Q: Go ahead.

Michael Kreidler: I think one of the big concerns obviously is is that when it comes to whether it’s life insurance or health insurance, is the information somehow going to be used for underwriting purposes that provide a disservice to individuals who are going to be reticent to have any of their information out there? I think there are ways of having protections in law — and the law will make sure and the regulators will make sure that that information isn’t abused in some fashion, to be used contrary [to its intent] but still have the information so you can make important medical decisions about how we should make sure that care is delivered. So it’s care that works and not care that doesn’t work.

Q: Are there risks here though? For example, if I now have access to all of my medical records, I know a lot more about my health as a result. I’m empowered. I’m also now responsible for truthfully answering all of the questions on an underwriting application from a payer or insurer as a result. And that could prevent me from being able to obtain coverage. Couldn’t it? Is this a real issue, Ron?

Ron Sims: I would like as a consumer not to have … whether my medical records are on a server within a group health or whether they’re in a thumb drive in my home or whatever, I think that I should be the person that makes the decision about the release of that information and how I want it used. I don’t think that is a decision of the insurance company or my provider or my practice. And the assumption and why it’s so important to me is that over the years, we all of a sudden will have a change of circumstance. So all of a sudden you think, well, maybe it’s important that we just take a little bit of a person’s personal privacy and say that it is no longer protected. Is this my paranoia? But there is — the information that is contained in my medical records, I don’t think anybody should be able to access it unless I agree that it should be accessed. I think it’s important to me to have that information be private, to be mine, to be under my control. And if anybody wants to know what’s in it, for me to make that decision. And that’ll be particularly critical as we begin to get into people’s DNA. I don’t want anybody running through my DNA and saying, “Here are all the risks that his DNA shows he may have.” So that would influence an employer or an insurance company or affect my healthcare rates. So I think the new technologies that we’re going to have in healthcare and the information that’s going to be stored in those files, I think mandates that there’d be a consensus to almost a joint ownership of that information at the minimum.

Q: Gail, can the V.A. share patient records with insurance companies, with life insurers, for example?

Gail Graham: For example, the V.A. does bill for care that’s provided for non-service-connected treatment. We can provide the medical records for the treatments that were provided, with a few exceptions. We cannot provide without a patient’s authorization. We cannot provide information on drug, alcohol abuse, sickle cell anemia, HIV and some protective diagnoses.

Q: Why are those protected? Why are those handled differently than other conditions?

Gail Graham: There was a special statute, U.S.C. 7332, that protected those really to provide protections — it predated some of the genetic discrimination issues — because it was felt that knowledge of those diseases would adversely affect the individual so that they should have authority to say when that information is disclosed. So, for example, if we treat a patient for alcohol abuse, we cannot provide that information to their insurance company, not even the coded data or the medical records without their explicit authorization.

Q: But I mean, is there a logic to the distinction being made? I mean why should some conditions …

Gail Graham: Well, I mean it’s been greatly debated. And right now for a V.A. it is one of the challenges we have with broader participation and things like the Nationwide Health Information Network (NHIN). As it stands today, because it’s not easy to detect this information in our records, we would have to assume that it’s present in all records and require authorization, for example, for participation in a NHIN activity. I think it’s good business sense to actually keep the patient informed and to obtain those authorizations.

Q: I should make a full disclosure here before I ask George this question, which is that I used to work at Microsoft. I still do some work for Microsoft. I’ve even done some writing for Microsoft about HealthVault. So that’s out on the table. And as a result of being a consultant at Microsoft, I got an e-mail from Microsoft and HealthVault recently that offered me an opportunity at a steep discount to get my genome, my genetic code reported to me. And I jumped at the chance, and all it takes is a saliva test. It’s really simple. And then that’ll all be stored in my HealthVault account. George, should I be worried about my insurance company getting access to my genetic code?

George Scriban: No. And here’s the reason why: When we designed HealthVault, it was very clear to us that the service, you know, was going to succeed only if it was absolutely crystal clear to the users that we operated it for their benefit and on behalf of them. We consider ourselves stewards and custodians of the data but not in control of it in any way. So the way HealthVault is designed is exactly what people have been asking for up here, which is every access of that information has to be explicitly authorized by the individual user. So there’s nothing happening, no data mining, no aggregation, no reporting of that data without the individual user’s explicit knowledge and consent.

Q: Are there any legal protections out there not just with HealthVault but in general about the sharing of this kind of information as it increasingly becomes perhaps common for people to get information about their genetic code in order to get an early warning about potential diseases they may inherit? Should people be confident that only they will have access to this information if they obtain it? I’m not sure who I’m addressing here who might be able to answer my question. John?

John Hammarlund: Well, certainly HIPAA and the Privacy Act would be sort of the foundation of that protection. And while they’re imperfect, they’re robust enough to protect an awful lot of individuals from getting their healthcare publicly disseminated. So I think as we move more toward greater transparency in healthcare, more focus on value in healthcare, informed consumerism and perhaps even some ambitious Medicare reform, as Ron is suggesting that might happen, I would imagine that the Privacy Act and HIPAA would maybe have to be made even more robust to sort of catch up with technology and ensure that, you know, things can’t fall through the cracks.

Q: I’m also not sure who to address this question to … but on the other hand, is it possible — is it likely that privacy concerns may restrict the use of electronic health records such that their benefits can’t be fully derived?

George Scriban: Well, there’s an old saying in the information security business that you can make it the safest computer possible that’s encased in concrete and buried six feet underground. So there is, you know, privacy like everything else, privacy and security, there is a set of trade-offs that you’re making between the benefit that you get out of some service and the amount of privacy — well not necessarily the amount of privacy but the amount of control that you have over that information. I think a well-designed system — and it’s self-serving for me to say so but I think HealthVault’s one of them — is one that allows users the flexibility to make those distinctions and trade-offs themselves. An example would be that for me, generally being healthy and not managing a chronic condition and not requiring any sort of major care yet, I’m pretty interested in my record being kept with relatively limited distribution. On the other hand, if I get a diagnosis of some sort of, pancreatic cancer, for instance, you’d better believe I’d start getting interested in clinical trials pretty fast. And the amount of information I’m willing to share goes way up because the benefits far outweigh the privacy risks, at least in that calculation. So what I would appreciate is not having the privacy regulation or the privacy policy so hard-coded that I can’t make that distinction for myself.

Joe Scherger: I just want to make a comment that Harris International did a survey of the public and asked respondents what information about them was the most private. And their healthcare information came out third. Number one was how much money they had in the bank, and number two was how much money they had saved up for retirement. Some people still keep their money in the mattress because they don’t want it online or in a digital form. But that’s the exception. And I think paper-based healthcare records are going to be obsolete in the not-too-distant future. Now, we need safeguards like we have in financial information, but I don’t think it’s going to stop the inevitable.

Jim Schibanoff: If you ask a physician about this trade-off of privacy versus information, the physicians would overwhelmingly say privacy is really important but that information is even more important. You have a person in the emergency room who has chest pain and they’re from out of town, and the key piece of information is what the old electrocardiogram looked like compared to the one that you’ve just done. If you don’t have that information, you may do a whole set of exams that are expensive and risky, cardiac catheterization and so forth that could be obviated by just getting an old electrocardiogram on an electronic health record.

Q: And if the patient’s not currently able to provide informed consent, is not in a condition to do so, would that in effect be a barrier to obtaining that electrocardiogram?

Jim Schibanoff: That would be a barrier, certainly.