It seems like three concepts are being conflated in this conversation. One is ownership of the records of the services performed by a provider ("the data"). The second is rights to access the data. The third is rights to "do stuff" with that data. It would seem the original copy of the records stored on a provider's EHR (or the paper records in their record closet) belong to the provider. The patient doesn't own that copy of the records. It documents the work the provider did, the observations and results the provider captured, the medical recommendations the provider made, and is the basis of mounting a legal defense if the provider is sued for malpractice. Not to mention, there are record retention requirements the provider is required to follow, another hallmark that they own those records. However, the patient also has a right to access and copy ALL of the provider's records about them. That copy belongs to the patient. Taking these two points together, then, it seems like the provider and the patient both have a right to own a copy of the same data. On a right to "do stuff" with the data, this is the more complicated thing, and the area in which HIPAA most needs a refresh. Just because a provider "owns" their copy of the records doesn't inherently give them rights to "do stuff" with it. We have also seen some legislation that the provider has an obligation to do some stuff at the direction of the patient with said data (e.g., securely transmit it to another provider), but the provider still gets to retain a right of ownership of their copy of the data.
Are we talking about the health data itself? In which case my measured blood pressure or my white blood cell count data is mine, and I am free to store it in the form of my choosing. I can take a picture or write it in a book or store it in my own health information software. I think the difficulty starts when someone else provides the storage form. If my blood pressure is taken and the tech says "110/75, that's great!", the measurement has been shared with me and I am free to take ownership of the storage of that data for myself. But I generally assume that the tech will convert the information into a stored format (e.g., as an entry in the office EHR). At that point I would argue that it is now shared information since I am expecting my internist to provide the storage form and use the information to advise my care. My internist has invested in the storage format; I have not chipped in directly for the EHR (or paper chart) and very indirectly at best. My internist has additional responsibility for providing specific data elements and information to other agencies; I would think that that would confer some assumption of ownership. There is a cost of storage, whether that is rented office space that stores paper files, or a cloud service subscription. There is a time cost of data entry and data transfer. Should people individually or collectively (e.g., through federal funding) pay for the storage? Would that further support the patient ownership of the information?
"Property is theft. Nobody “owns” anything. When you die, it all stays here." - George Carlin
Who owns your social media data? Who owns your phone records? Information that is collected about you is not necessarily owned by you. Health information is no different. When I go to my doctor and he records my blood pressure, do I own the documentation of this? Yes, there should be limits on how my doctor uses this information but the information that is recorded is not my property. I trust my doctor will use this information for me, and if that includes sharing this information then so be it. If I did not have this trust, I would go to a different doctor.
IMHO: Patients should own the data that is tied to their record with View or Add capabilities. Any delete or edit should be done by clinicians to correct errors and not by patients to avoid whitewashing that might hinder treatment. However, de-identified data that can't be associated with the patient should be used as a collaboration tool for the greater good.
Imagine the scenarios that are becoming more common today, for example, women and men can respond to a medication or treatment with different outcomes. How can that data be used to improve care? Complex patients with multi-disease states analyzed to help create a care plan that suits that population. What populations by geography are overprescribed opioids and which are not getting adequate pain control and support? I know some tools do some of this work but in siloes. Privacy concerns/hacking backdoors are hampering the ability to use it to create intelligent care models.
The US for-profit health insurance model both contributes to silos and creates a very real concern for patients who might get less or no coverage or unreasonably high rates/deductibles if the data is hacked. Until the system changes, a global de-identified healthcare database is just a pipedream. So for now, the data must be owned by the patient.
Commenting as a former Health Information Management (HIM) professional, one of the first items learned in (then-) "Medical Record Science" as part of a Baccalaureate degree program in the health sciences at a large, teaching university and hospital during the late 1960s was that the data generated by a health care provider are owned by the patient; however, the medium on which the data reside is owned by the health care provider/organization. At that time, the medium on which the data resided was analog paper, analog photographic film, etc. Even during graduate school in Health Informatics at a different, but equally-large, teaching university and hospital, this "standard" hadn't changed, even though the medium on which the data resided clearly had. Sadly, the HIM (i.e., custodial) policies and procedures of providing "copies" of the data to the patient from many health care provider sites could not (and still cannot) keep up with the demand and required, procedural intricacies (e.g., the privacy of the patient; the security of the data).
RE: If the patient owns the data, why can't the patient add/delete/edit the data -- The patient can and formally has been able to do such since HIPAA (1996). Many times have I, personally, added addenda to my health record (one [a patient, a health care provider] cannot edit/delete any data in the original; one can add to [e.g., clarify] any data in the original). Just ask your "friendly HIM professional" at your "friendly health care provider site" (and shame on the HIM professional/provider site if you are rebuked).
Odd question, because the fact is that in 49 states, patients do NOT own their medical records. Only in New Hampshire do patients own their medical records.
‘Those who cannot remember the past are condemned to repeat it.’ (George Santayana, 1905).
For those old enough to remember having to cajole/plead/pay the college Registrar to obtain a paper copy of your grades (and paying more for multiple copies on watermarked paper), this situation will be of no surprise. By the late 80’s, online access to your own grades (and other students’ if security wasn’t properly implemented) was de rigueur, and a student couldn’t fathom not having immediate access to their own information.
Healthcare should, and in short time will, view themselves as the creator, custodian, provider and guarantor of the completeness, accuracy, security and availability of a patient’s own data.
Black and white question is useful for the survey but the answer is probably somewhere in-between (e.g. 90% vs 10%). I frequently hear that healthcare organizations pay to have doctors, nurses, pharmacies, and staff enter all the data; therefore they should own a portion of the rights. I would argue that the patient's insurance plan (along with its co-pay, co-insurance, deductible and out-of-pocket) covers that expense. Imagine filing your taxes and having your accountant hold/sell your tax records and send you to the basement of his firm if you want a copy of your return... on a CD-ROM.
Separate from the law, patient ownership tends to encourage or force actions we'd prefer through economics. Consider privacy - a provider can't sell data they don't own (without opt-in consent) and if their security is lacking, there's a clear cause of action.
And we've seen the opposite, where the providers feel they own things from the patient. Viz. Henrietta Lacks.
That's the law. But the reality is not what the law says.