By Dr. Oleg Bess
In the wake of the shocking news that the now-defunct firm Cambridge Analytica acquired a stunning amount of Facebook profile data, public concern has intensified over how much we can trust the entities that hold our data.
For hospitals that handle some of the most sensitive data of all, personal health information, it would be wise to prepare now to answer tough questions – including from patients, the media and regulators – that are surely coming.
1. Who actually owns the patient’s medical records?
Is it the provider who collects it? The EHR vendor that stores it? The answer should be: the patient. Moreover, the patient should have a clear sense of all of the data the provider has about them. There is another parallel here with Facebook, which offers a way for users to download and view the data that Facebook has stored about them to date. Patients should have a similar capability for their healthcare data, whether stored in an EHR or HIS, or in a patient-centered data home (such as those that health information exchanges and hospital information networks are aiming to create).
2. What if the patient wants his or her data deleted?
Put plainly, the law is not on the patient’s side on this issue. That goes for both federal and state law. For example, CMS requires Medicare providers to retain patient records for a certain number of years, while various states have patient record retention laws in place. Sharing de-identified data is regulated but allowed in many instances. And while the selling of patient data is mostly forbidden, there are some exceptions.
Still, it is the patient’s data, and such requests should be respectfully handled. And to the fullest extent possible, patients should have the ability to decline to have their identified data shared with third parties beyond providers and payers.
3. Who is responsible for the data’s integrity?
Legally, it isn’t the patient. It is the provider or entity that houses this data – and it is becoming increasingly apparent that these stewards are housing too many incomplete or erroneous patient records.
A RAND report stated that about 8 percent of the time, “some health information about a patient will be missing when an exact match is required.” A recent Black Book Research survey found that mismatched data occurs at a far higher rate, especially when records are transmitted between hospitals that don’t have patient matching tools in place, such as an enterprise master patient index. In such instances, the research organization discovered, these organizations achieved just a 24 percent match rate.