Who owns the data?

2011 08 01 10 12 17 961 Cloud Computing 70

This article originally appeared on Dr. Larry Emmott's blog, "Emmott on Technology," on October 17, 2012. Reprinted with permission of Dr. Larry Emmott.

When you visit a medical or dental office in the future, you won't be handed a clipboard and paper forms -- all your personal and medical data will be stored on the cloud. The medical/dental office will merely request a download, and all the data will be available instantly. No forms, no guessing about medications, no forgetting your last visit, no confusion about insurance.

Isn't that great? All your highly personal medical data will be available to anyone with access through the cloud!

As digital technology and electronic health records stored in the cloud continue to develop, they generate legal, moral, and philosophical questions our existing ethical framework is simply not equipped to handle. Most of these ethical questions can be summed up as: Who owns the data?

If you ask patients, the immediate and unequivocal answer is that they, the patients, own the data. That seems right; each patient should have control of their medical information. In fact, however, that is not the way the system works.

If I have a bunch of patient data stored on my server or somewhere in a shared cloud data base, do I own it? The data are there because I created it as a byproduct of doing business. As the creator, do I own it or does each patient own his or her own and am I just the custodian? As a medical professional, I am responsible for acting on the data. Patient records and the valuable data they contain are a major part of the value of a practice when I sell. Are patient records intellectual properties that I own and control as if I had created a textbook or novel?

Other ethical considerations

If you ask a dental practice management software (PMS) company who owns the data, the immediate and unequivocal answer is that the doctor owns the data. Yet again, this is not how the system works.

If as a dentist I own the data, I should be able to exercise the basic rights of ownership, including using or selling the data. However, I can only sell the data in a very proscribed fashion. I can sell it to another dentist buying the practice, but I cannot sell it to a drug company looking for customers. As a dental professional, I am obligated ethically and legally to protect the data as confidential.

Even if I sell the data in an acceptable fashion, the fact is the buyer is usually restricted in how he or she can access and use the data. Generally, the user can only fully access the data using a specific PMS, and even then there are lots of limitations. PMS systems can and do embed code that will only allow you to share data with selected others, such as certain e-claims companies. Or you could only share a radiograph with a proprietary viewer.

<(By the way, you never actually own the PMS software, even if you bought and paid for it. You just own a license to use it.)

If I have the data but can't access parts of it or, more commonly, can't transfer parts of it, do I really own it?

Medical research and HIPAA

One of the most significant benefits of large, online databases of medical information is the aggregation of data for medical research purposes. Already there have been important findings resulting in improved patient care based on database analysis. It seems axiomatic that more data from a wide range of sources will ultimately lead to better results.

That is a good thing, but then there is the issue of privacy. The amazing features of digital data that make it so useful and powerful, such as ease of use, rapid access, and instantaneous transfer, also make it susceptible to abuse.

The primary issue driving HIPAA privacy rules is that a patient's information must be protected. HIPAA is not about speaking a patient's name out loud in the waiting room; it is about electronic medical data and the fact that making it available to others is wrong. Wrong morally and legally.

That seems to be obviously true on the surface. Our personal data should be held in confidence. But what if we choose to make it public by participating in a study? Do we still own that data? Who does -- the researchers, the Web aggregator, or the public, as in the public good? Is it OK to use personal medical data in a study without the patient's permission if the personal identifiers are removed?

If a large medical organization, say a hospital or an HMO collects a very large set of data that could be analyzed to improve our understanding of a disease and treatment, why not?

In an ideal world, all our medical data could be accumulated in a huge national (or, for that matter, global) data bank. This mass of data would be used by benevolent researchers to delve into disease patterns and treatment outcomes to provide a vastly improved understanding of the human condition.

In this ideal world, the results would be readily available through online diagnostic databases and treatment planning algorithms. Unfortunately, in the real world, we have fear, politics, bureaucrats, proprietary databases, the nightly news, and less than benevolent people.

Dr. Larry Emmott has more than 30 years of experience as a practicing general dentist in Phoenix and is considered one of the leading dental high-tech authorities in the U.S. He has addressed hundreds of professional groups and has been a featured speaker at every major U.S. dental meeting. He is a regular contributor to several national magazines and was the high-tech columnist for Dental Products Report.

Page 1 of 351
Next Page