Ownership questions persist and remain controversial.
Recently we have been involved in several discussions regarding who “owns” the chart: the medical record. I really didn’t know the correct answer, and I’m sure most people don’t, either. They just have an opinion, many times based on experience and passion. Keep in mind that there are actually many components to the medical record, whether a hospital record, an office/clinic record, etc., therefore it makes that decision somewhat even more complicated. Components of the record include:
- Physician documentation
- History and physical
- Progress notes
- Assessment and plans
- Discharge summary
- Nursing, physical therapy, dietary, utilization review, social service notes and more
- Lab results, tests, and imaging results
- Demographic and billing information
- And much more
We recently did a brief survey on LinkedIn to see what the general consensus was, and here are the results:
We purposely left the question somewhat vague, otherwise more detail might make the responses somewhat confusing and challenging to interpret. Although there was not a lot of participation, I am not surprised that the majority of the votes were that the chart or medical record belonged to the patient. It’s the patient’s own data/information, right? That is what I originally thought, but does it really belong to the patient? Let me provide you with a detailed analysis – and even with that, the answer may be somewhat tenuous and uncertain. There are several factors that must be considered as background, so let’s start with some definitions:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA, or the Kennedy–KassebaumAct) is a United States federal statute enacted by the 104th Congress and signed into law by President Bill Clinton on Aug. 21, 1996. It modernized the flow of healthcare information, stipulated how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and addressed some limitations on healthcare insurance coverage. It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient’s authorized representatives without their consent.
- Privacy law is the body of law that deals with the regulating, storing, and using of personally identifiable information, personal healthcare information, and financial information of individuals, which can be collected by governments, public or private organizations, or other individuals. Privacy laws are considered within the context of an individual’s privacy rights, or within reasonable expectation of privacy. The Universal Declaration of Human Rights states that everyone has the right to privacy.
- An electronic health record (EHR) is the systematized collection of patient and population electronically stored health information in a digital format (although in some situations, that may not be so). For example, the hybrid record, now fairly rare, includes electronic and written data. These records can be shared across different care settings. Records are shared through network-connected, enterprise-wide information systems or other information networks and exchanges. EHRs may include a range of data, including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal statistics like age and weight, and billing information.
- Security is freedom from, or resilience against, potential harm (or other unwanted coercive change) caused by others. Beneficiaries (technically referents) of security may be of persons and social groups, objects and institutions, ecosystems, or any other entity or phenomenon vulnerable to unwanted change.
With these definitions as background in mind, there is one distinction that needs to be established before we get to the focus of this article. That is ownership of the data versus access to the data. The “access” issue is easy. Clearly, there are regulations and rules that give a patient access to their medical records, and when it comes to this access, patients have the right to:
- View and get copies of their data in the format of their choosing;*
- Request changes to that information; and
- Ensure that the personal medical records are correct and complete.
*According to Forbes Councils Member Raj Sharma, “what’s important to remember is that personal health records that are not part of a medical provider’s electronic health record are not considered to be legal records and therefore are not HIPAA covered entities.” However, there are still privacy laws for protection.
The more controversial issue and basis for the rest of this discussion is this: who owns the medical record, the “chart”? The terms “medical record,” “health record,” and “medical chart” are used somewhat interchangeably to describe the systematic documentation of a single patient’s medical history and care across time within one particular healthcare provider’s jurisdiction.”This gets more involved and possibly confusing when it comes to where the data is housed and who the provider is, but the rules apply across all locations:
- Physician’s office;
- Solo practice
- Multiple physician/specialty
- And the list goes on.
These are all healthcare providers, so with this diversity there have to be overarching statements for this ownership to cover all aspects, as data ownership is a critical factor in data management.
In general, ownership of this data belongs to the individual or company who created or authored that information. Data ownership includes criteria such as:
- Authorization to collect, view, edit, and share specific data; and
- How long will the data be maintained? This question is critical from a cyber risk perspective.
For example, intellectual property laws protect “original works of authorship.” Medical records represent professional medical opinions of a physician or a medical institution, and therefore may not necessarily be the patient’s property. For example, the assessment and plan in a history and physical is a function of the physician’s diagnostic processing, their original work of authorship, and is an integral part of the medial record. But it is not specifically identifiable patient data, although it is determined from the patient’s data and story.
The creator of the original expression in a work is its author, according to copyright law. The author is also the owner of the copyright, unless there is a written agreement by which the author assigns the copyright to another person or entity, such as a publisher. In cases of works made for hire, the employer or commissioning party is considered to be the author. Work for hire is a statutorily defined term (17 U.S.C. § 101).
To emphasize these concepts of copyrights, there are several examples to consider:
- When you hire a photographer, who owns the photos?
- When a biography is written, who owns the rights to the book?
- What about licensing software purchased for use?
- When you upload your personal photos on social media, do you still own them?
These are rhetorical questions, but most people do not understand the consequences involved, and may not care. We consider our healthcare data to be very personal and confidential, and we have been led to believe so by privacy laws. We really don’t see copyrights stated in medical records by the authors of documentation, so is it implied?
A copyright is a form of protection provided by the laws of the United States for “original works of authorship,” including literary, dramatic, musical, architectural, cartographic, choreographic, pantomimic, pictorial, graphic, sculptural, and audiovisual creations. “Copyright” literally means the right to copy, but has come to mean that body of exclusive rights granted by law to copyright owners for protection of their work. One must remember that copyright protection does not extend to any idea, procedure, process, system, title, principle, or discovery. Similarly, names, titles, short phrases, slogans, familiar symbols, mere variations of typographic ornamentation, lettering, coloring, and listings of contents or ingredients are not subject to copyright.
An implied copyright license is a license created by law in the absence of an actual agreement between parties. Implied licenses arise when the conduct of the parties indicates that some license is to be extended between the copyright owner and the licensee, but the parties themselves did not bother to create a license. The purpose of an implied license is to allow the licensee (the party who licenses the work from the copyright owner) some right to use the copyrighted work, but only to the extent that the copyright owner would have allowed, had the parties negotiated an agreement.
Patients have legal privacy, security, and accuracy rights related to their health information under federal and state law. However, once that information is captured and documented in written or electronic form (and since the healthcare provider owns the media in which the information is recorded and stored), the healthcare provider gains the property right of possession of data. In essence, the healthcare provider becomes the legal custodian of your healthcare record, and is given specific legal rights and duties relating to possession and protection of it.
When a patient is changing physicians, going to see a referred-to specialist, sending information to your insurance company, and so many other situations, you as the patient must sign a release to allow that to occur. If indeed the patient owned the chart/medical record, would that be necessary? Within a practice, center, or hospital, the physician is the “owner” in terms of data management. This means the physician decides what data is maintained by the facility. That is why physicians within a group practice and hospitalist teams can all look at the same patient data without getting individual permissions. It does not mean that the physician owns the data and can walk away with it. Yes, it is your data, but you were not the “author.” The healthcare provider is the custodian.
When it comes to obtaining patient release of information for patient data access, HIPAA protects patient privacy. The law generally bars healthcare professionals from sharing a patient’s medical records without receiving written permission from the patient.
Here is one of the many reasons why that release is necessary: when you start seeing a new medical provider, the purpose of that release form is that it grants permission for certain staff members that work with that physician or entity to access your record. That access must occur as part of your treatment, and is generally very limited. Anyone who can use those records must follow HIPAA; they can’t divulge any information to anyone other than the approved care team and you. If you want to see a different medical professional for additional treatment, that doctor will need to request a release as well if they are outside of the already approved care team.
Who owns the chart requires a complex answer, not something as simple as the survey at the beginning of this article may imply. After reading this, you may still be confused, especially with all of the definitions and regulations, but here is the ultimate conclusion: the patient’s physical health records belong to the healthcare provider, whatever that may be.
Having ownership and control over that information helps to ensure that the patient’s personal medical records are complete and correct.
About the Co-Author:
Henry Draughon is president and owner of Process Delivery Systems (PDS), a business process consulting firm. PDS helps clients define, document, and optimize their critical business processes. PDS delivers end-to-end processes, integrated policies, and associated resources in a visually intuitive manner that quickly gets all stakeholders on the same page.
Draughon is a former naval flight officer and air traffic control officer. He has a master’s degree in Business Administration and Communications and has an extensive background in information technology, project, and process management.
Contact the author: