Whose Data Is It Anyway? Expanding Consumer Control over Personal Health Information

California HealthCare Foundation
Issue Brief
February 2008

Introduction

Health information in the United States is largely possessed and controlled by clinicians who provide care and by insurance companies and other entities who pay for care. While federal and state laws give consumers the right to obtain paper copies of their medical records, the terms of such transactions may be onerous. Moreover, the information cannot be readily transmitted and, for both patients and providers of care, generally is not useful in care delivery, outcomes analysis, or biosurveillance.

California’s law is typical. Within 15 days of a patient’s request, the clinician must provide a paper copy of that individual’s records at a cost of 25 cents per page.[1] For many patients, especially the chronically ill, who have voluminous records and see multiple clinicians, access to personal health information under these terms is too expensive and involves unacceptable delays in gaining access to vital data.

As health care transitions from paper-based to electronic records, there is a significant opportunity to expand the traditional concept of consumers’ rights to access and use their personal health information. Indeed, such access and use are crucial prerequisites to realizing the full potential of technologically driven advances in the health care system.

This policy brief explores important issues that must be addressed if consumers are to have meaningful legal rights to access, use, and control their electronic health information through a personal health information custodian serving on their behalf.

Key Findings

• Redefining consumers’ rights will require a fundamental shift from the current legal structure, in which clinicians control medical records and determine the permissible circumstances for disclosing the information in them, to a new legal structure in which consumers have an affirmative right to access electronic information regardless of its source and to use it as they deem necessary.

• New laws could give consumers the right to direct that a copy of any personal health information stored in a standardized electronic format be sent to the custodian of their choice, and ensure that the custodian uses the information in a manner specified by the consumer.

• Current regulation of personal health information under federal and state law is fragmented. Because federal law does not preempt more stringent state privacy laws, and because Congress has not chosen to act, states may have to take the near term reform initiative.

• New laws will require a clear definition of “personal health information custodian.” They should also include safeguards under consumer protection laws to ensure that such information remains secure and is not used inappropriately, affirm the right of consumers to send and store the information as they see fit, and set fees for electronic transmissions of medical data from providers to patients.

• Economic incentives for clinicians to adopt a technology enabling them to convey personal health information to patients would facilitate the transition to a new legal framework. Eventually, this capability might be required as a condition for receiving federal reimbursement under Medicaid, Medicare, or other government-financed programs.

Background

Mounting evidence indicates the importance of engaging patients directly in their care.[2] Yet in today’s health care environment, consumers typically must gather and store personal health information on paper. Collecting such information from multiple providers is time-consuming and burdensome. The information often is fragmented and incomplete, and transmitting it to other providers is onerous for consumers and providers alike.

Perhaps most importantly, the information is in a format that is meaningless to patients and, if scattered among different locations, may not be accessible to caregivers. This leaves even the most educated and committed patients without a crucial tool for taking an active role in their care.

A New Health Information Paradigm

Consumers now expect to be able to access various types of information on the Internet. With rising adoption of health information technology and the increasing ability to collect, store, and exchange information electronically, a growing number of consumers also expect to be able to access their personal health data.

In an ideal, electronically enabled health care system, consumers could:

• Easily transmit discrete portions or comprehensive files of their data to the caregiver(s) of their choice for direct care or other purposes, on demand and in a matter of seconds.

• Access a copy of their personal information from various sources, store the information in one location, and automatically receive updates — including notification of changes — from these sources.

• Organize the information in formats that are meaningful to them and their health care providers, and take advantage of features that educate them and help them participate in their care.

• Search through their personal health information more easily and efficiently — for example, to find the name of a particular drug or to access an old care plan for a long-term chronic condition.

Personal Health Information Custodians

The potential role of personal health information custodians, or third parties, in helping consumers obtain, organize, and use their information to improve their health is gaining recognition. Internet and technology companies, federal and state policymakers, employers, insurers, and foundations are exploring the technical infrastructure that could support a custodial system, the policies that would govern it, its financial feasibility, and the potential clinical benefits to patients and society.[3]

As these players know, health care in the future will be powered by rapid technological advances that bring new opportunities to engage consumers in personalized disease management and other activities aimed at improving the quality and efficiency of care. However, this new paradigm will also pose greater risks, such as security breaches and the inappropriate use or sale of personal health information by commercial interests. To fully realize potential quality and efficiency gains, consumers will need greater access to their personal health information, and assurances that the information is protected from such risks.

An increasingly antiquated legal structure is significantly shaping the technological, operational, and business models that are evolving for the custodianship of personal health information. The creators of this structure did not fully anticipate the change from paper-based to digital health records nor contemplate the possibilities of consumer-centered health information exchange.

Custodial Models

A variety of health information custodial models are evolving. They include:

• Provider-based personal health records. Via a Web portal, consumers can call up personal health records (PHRs) kept by a health care provider to view their personal health information in an emergency, schedule appointments, send email to or receive email from a physician, consult with a health care professional, take advantage of educational programs that help them better understand and self-manage medical conditions and medications, or perform other tasks.

  Under this model, health information generally is tethered to the clinician who is its source, which limits consumers’ ability to collect and synthesize information from multiple clinicians. This simple model may be a logical starting point for a more sophisticated model.

• Health plan- or employer-based PHRs. These PHRs give consumers Web access to benefits information and more, based on claims data. Users can enter their medical histories in the PHR, search for providers, receive wellness education, and perform other functions.

  Again, in this model health information is tethered to one source — the health plan or employer. Consumers can get claims-based information from multiple clinicians because all claims are paid by the same payer. But they cannot access far richer clinical information, because each clinician controls the medical records in his or her possession. Amid the transition to electronic formats, health plans are creating the capacity to gather and store not only claims data but also clinical information that both providers and patients generate, including information about medications and lab results.

• Regional health information organizations and health information exchanges. RHIOs and HIEs are relatively new developments. They involve the creation of an intermediary entity that develops and implements policies, procedures, and systems to support the business, technological, legal, and governance infrastructures for health information exchange among health care constituents. These models are attractive because they consolidate clinical information from multiple sources.

  Unfortunately, the vast majority of RHIOs and HIEs have struggled to define a workable business model. Many of the early efforts have focused on information exchange among providers for treatment purposes rather than on giving consumers more access to and control of their personal information.

• Internet-based products. Internet companies are developing products that not only give consumers Web access to general information about medical conditions, illnesses, and treatments, but also offer a directory of patient-reviewed physicians. Some new products help consumers collect and store their personal health information, with the goal of ultimately enabling them to share it with care providers. This model is consumer-centric in the sense that health information is collected and stored independently of an individual’s relationship with any particular clinician, health plan, or employer.

  Although Internet-based products hold great promise, they still are unproven and face significant challenges with respect to obtaining the necessary patient consents that enable the collection, storage, and use of health information in a central location.

• Health data bank. This emerging, though still largely theoretical, model provides a new, legislatively authorized framework that allows consumers to store health information in a neutral, “community-owned” entity. The entity shares personal information with health care providers at the patient’s discretion.

  Multiple bills have been introduced in Congress that promote health data banks, which give patients ownership of their electronic records and will serve as the foundation for national health information exchange.[4]

Technological and Legal Hurdles

From a consumer perspective, all of the models described above face significant challenges.

Provider- and health plan/employer-based PHRs give consumers only slices of their relevant health information because the PHRs generally have limited ability to collect clinically rich information from multiple clinicians. Or they depend on claims information, which is less reliable and less clinically valuable. Moreover, consumer attitudes about sharing personal health information with health plans or employers, and providers’ reluctance to share information with competitors, often make it difficult to create a comprehensive medical record organized around the patient.

More independent models, such as RHIOs and HIEs, solve competitive issues that have stymied the marketplace. However, there are no standards for collecting, storing, and using health information; state laws that govern access, control, and use of information vary; current laws do not give consumers any rights to access electronically generated information about their health; and RHIOs and HIEs are unregulated because they fall outside the purview of federal and state confidentiality laws. Because of confidentiality concerns, winning patients’ trust can be especially difficult.

Together, the custodial models constitute a fractured, chaotic landscape that acts as an obstacle to consumer-centric health care.

Additionally, these models rely on clinicians’ adoption of new electronic systems. Adoption has been slow even though the benefits of such systems are clear and widely acknowledged. One of the many reasons for the slow pace of adoption is the lack of a legally sanctioned — and operationally and financially feasible — structure for consolidating information in a way that is meaningful and useful for both clinicians and consumers.

Laws Governing Personal Health Information

Current laws and regulations governing the collection and exchange of health information have developed in an isolated, paper-based system in which providers and payers are the primary keepers of information. Consumers’ access to and control of it are a secondary consideration.

Federal and state laws assume that health information must be protected under the dominion and control of health care providers and of payers who make use of selected information to pay claims, ensure quality, and operate care management programs. These laws generally do not distinguish between providers’ medical records and patients’ personal health information.

Providers must maintain medical records in accordance with specific standards under federal and often state laws. The records play an important role not only in patient care, but also in quality monitoring, malpractice, and other issues. Patients do not own their medical records or have an absolute right to alter them; for the most part, their rights are limited to getting copies of information in the records.

This system falls short as a viable legal framework for health information custodians, for two reasons:

1. Federal and state health care laws generally cover only certain types of entities (primarily providers and payers), so there are no parameters for how and with whom third parties — that is, entities not governed by federal or state law — may collect and exchange personal health information. Without regulatory protection, such entities face enormous challenges in earning patients’ trust.

2. Consumers have only limited rights to access, use, and control their health information. Although they do have the right to receive copies of their paper records, and federal guidance has indicated that efforts should be made to provide information electronically when it is available in that format, the laws do not include a clear consumer right to access electronic personal health information kept by “covered entities” — namely, health care providers and health plans.[6] Nor do the laws address electronic information exchange.

These regulatory inadequacies, if not corrected, are likely to limit opportunities in the emerging market for consumer-driven health information exchange.

Federal and State Laws Vary

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 governs federal regulation of health care information. HIPAA seeks to ensure that personal health information in the possession of providers and payers is protected from uses or disclosures that would compromise the interests of patients. Its reach is explicitly limited to covered entities.[6]

HIPAA regulates protected health information that third parties use for or on behalf of covered entities, based on business associate agreements between covered entities and third parties. These agreements require associates to comply with HIPAA. However, if information is transmitted to a third party that is neither a covered entity nor a business associate of a covered entity, HIPAA does not regulate it. In this case, the information is protected only under the third party’s terms of use, privacy policy, or other commitments it may have made to the consumer in a data-sharing agreement. Enforcement of such agreements currently falls under general consumer protection laws rather than privacy laws.

Many states, including California, have extensive laws governing health information privacy and security. These laws often predate HIPAA and typically include more stringent restrictions on information disclosure and use. For example, California law includes special protections for HIV/AIDS testing and other specific types of particularly sensitive health information.[7] Because HIPAA does not preempt more stringent state law, these requirements are layered on top of HIPAA provisions, effectively raising the bar on legal protections for certain types of information or entities.

New York’s law is structured more around the type of entity than the information it possesses. Confidentiality requirements are scattered among statutes and regulations governing various categories of providers, professions, and health plans. Thus, mental health information kept by an entity licensed by the state Office of Mental Health has greater protection, while such information stemming from a visit to a primary care physician does not.

The California Confidentiality of Medical Information Act is less fragmented and more far-reaching than HIPAA or laws in many other states. It governs not only providers and payers, but also employers. The law defines “provider” broadly to include any corporation organized for the primary purpose of maintaining medical information in order to make it available to patients or providers for diagnosis or treatment. In addition, the law covers health information that any entity obtains from other, specifically regulated entities.[8]

Despite the California law’s broad reach, it regulates only entities that primarily maintain or transmit medical information. If the chain of information possession breaks down, so does legal protection. Entities for whom health information is not a primary business, and entities that obtain information from others for whom health information is not a primary business, are not regulated by this law. In the context of personal health information custodians, this means it is possible — even likely — that some custodian models would fall wholly outside of existing regulatory authority.

An example would be an Internet service company that launches an online product to which consumers submit copies of their medical records. The company records, organizes, and posts the information on a secure Web site for each consumer’s private use. Because consumers, rather than the company, have obtained this information, the chain of possession guaranteeing privacy protections under California law is broken. The company and its product are unregulated, and the information is not protected by statute.

Why Consumers Have Limited Access to Their Personal Health Information

Under HIPAA and state laws, patients have the right to access their medical records directly. However, if a patient signs an authorization permitting the disclosure of records to a third party, such as a health information custodian, the provider or health plan is not obligated to comply. The authorization permits, but does not mandate, disclosure.

Furthermore, under HIPAA, covered entities may charge patients a “reasonable” fee for copying and delivering their paper health records.[9] In California, this fee is 25 cents per hard-copy page or 50 cents per microfilm page.[10] Federal and state laws recognize that manual copying is labor-intensive.

Such fees are expensive or even prohibitive for some patients. In contrast, if electronic transactions were technically feasible and appropriate policies were in place, providers could quickly and efficiently download personal health information and transmit it to patients with the click of a button.

An electronically enabled world would not necessarily make access to health information cost free, as data providers would still incur expenses and have to charge patients a reasonable fee. But it could make access less expensive and, equally important, more convenient for patients. They would be able to receive, organize, and transmit their information more quickly and easily, enabling more timely delivery of health care.

Policymakers largely overlook the concept of a consumer right to electronic health information. Even the Health Information Privacy and Security Act,[11] recently introduced in the U.S. Senate, seeks only to establish a federal right to copy one’s health records. With the exception of guidance under HIPAA privacy rules indicating that efforts should be made to provide electronic information to consumers when it is available, no current laws grant them the right to receive such information.

Toward a New Legal Framework

The number and nature of the challenges outlined here argue that a new legal framework is necessary to promote consumers’ access to and use of electronic personal health information — one that also protects the information and thereby earns consumers’ trust. To ensure continuity and consistency, and to facilitate the development of a consumer-centric approach everywhere, a federal framework might be best.

However, many privacy rights are embedded in state laws, and Congress has been reluctant to preempt what has long been the province of states. If state laws continue to play the central role in regulating consumer health privacy and consent, states may have to lead the reform effort. Although a state approach creates near term challenges for a national market of personal health information custodians, over time regulation could be coordinated through multi-state compacts or federal legislation.

The following policy considerations will be crucial to the success of a new, consumer-centric legal framework for personal health information.

Defining “Personal Health Information Custodian”

The first step in building a new legal framework would be to define the key features of entities that qualify as personal health information custodians in a way that includes the entire range of models. Defining custodians by their functions (for example, as clearinghouses or health information exchanges) rather than by type (provider, payer, or employer), tax status (nonprofit or for-profit), or technical or business model would increase the likelihood that, as these entities evolve, the law will remain effective.

The proposed Health Information Privacy and Security Act reflects such evolutionary flexibility. It defines a data broker as:

    “…a data bank, data warehouse, information clearinghouse, record locator system, or other business entity, which for monetary fees, dues, or on a cooperative nonprofit basis, engages in the practice of accessing, collecting, maintaining, modifying, storing, recording, transmitting, destroying, or otherwise using or disclosing the protected health information of individuals. Any person maintaining protected health information for the purposes of making such information available to the individual or the health care provider, including persons furnishing free or paid personal health records, electronic health records, electronic medical records, and related products and services, shall be deemed to be a data broker subject to the requirements of this Act.”[12]

Custodians’ Obligations

One issue is whether custodians would be subject to new consumer protection laws ensuring the privacy and security of personal health information and preventing its misuse by bad actors. Such laws would govern the sharing and sale of data; require meaningful consumer consent processes, transparency, data security, and protections against breaches of law or contract; and include violation remedies to help consumers feel comfortable with commercial practices.

Ideally, consent policies would ensure that consumers understand precisely what information is being conveyed by health care providers to custodians, to whom and under what circumstances a custodian may release it, and what happens to the information when a consumer’s relationship with a custodian ends.

Providers’ and Payers’ Obligations

Meaningful consumer rights to standardized, electronic personal health information would give consumers enforceable authority to direct a clinician, a payer, or any entity holding such information to send a copy of it to the personal health information custodian of the consumer’s choice. This is essential because many consumers may not have the desire, capability, or necessary security protections to store and use the information on their home computers.

Legally binding rights would also update the fees that holders of personal health information could charge for transmitting it electronically. One challenge will be the limited capability of most clinicians to share electronically formatted information with patients or their representatives.

Importantly, new laws would need to allow sufficient time for the market to adapt. In the absence of mandates, however, providers and others may find little incentive to make access to electronic health information an affordable option for consumers.

Economic Incentives for Physicians

To be of value to consumers, electronic personal health information must be available in a format that makes it easy to combine information from multiple sources and organize it in a comprehensible way. A variety of incentives for clinicians are emerging that encourage them to install and use electronic health records to improve consumers’ overall health. The incentives often are conditioned on compliance with national standards.

Significantly less attention has been paid to the capability of technology systems to electronically convey health information to consumers. Linking physician incentives to such capability would accelerate consumers’ engagement in their health care and the potential clinical benefits that could result.

Incentives might include state or federal grants and specific Medicaid and/or Medicare reimbursements. Over time, government policy could evolve to include stronger mechanisms for ensuring that standardized personal health information is transmitted electronically — for example, by making this capability a condition of participation in Medicaid, Medicare, or other government-financed health programs.

Enforcement Is Essential

Enforcement of new, consumer-centric laws would likely be essential to ensure compliance. Without clearly defined legal protections that are enforced, consumers will be reluctant to entrust their personal health information to third parties. Enforcement would protect information custodians as well as consumers.

Conclusion

As adoption of health information technology and the ability to exchange personal health information advance, so too should the legal foundation that facilitates access to and control of such information for consumers’ benefit. Early technological advances offer a window of opportunity to design legal parameters for appropriate consumer access and control, regardless of the information’s source or how it is used.

At a minimum, new laws should give consumers an affirmative right to authorize the transmission of any standardized, electronic personal health information to a custodian of their choice, and ensure that custodians use such information in a manner directed by consumers. These laws would have significant potential to engage patients in their health care by clearly defining their rights (thus winning their trust) and fostering models of information custodianship that support their needs.

Authors

William S. Bernstein, J.D., Julie V. Murchinson, M.B.A., Melinda J. Dutton, J.D., Terri D. Keville, J.D., and Robert D. Belfort, J.D.; Manatt Health Solutions

Acknowledgment

Special thanks to those who also contributed to this publication including JanLori Goldman, David Lansky, Kalpana Bhandarkar, Lori Evans, Lucia Savage, and Rachel Block.

About the Foundation

The California HealthCare Foundation, based in Oakland, is an independent philanthropy committed to improving California’s health care delivery and financing systems. Formed in 1996, our goal is to ensure that all Californians have access to affordable, quality health care. For more information about the foundation, visit us online at www.chcf.org.

Endnotes

1. California Health and Safety Code § 123110(b).

2. Markle Foundation. Americans Want Benefits of Personal Health Records. June 2003 (www.connectingforhealth.org/resources/phwg_survey_6.5.03.pdf).

3. Notable among these activities is the Markle Foundation’s Connecting for Health Work Group on Consumer Access Policies.

4. See, for example, the Independent Health Record Bank Act of 2006, H.R. 5559/S. 3454, which did not become law. It proposed limiting data banks to nonprofit organizations and specified that such entities would be considered covered entities under HIPAA (www.govtrack.us/congress/billtext.xpd?bill=h109-5559 and www.govtrack.us/congress/billtext.xpd?bill=s109-3454). See also the Health Record Trust Act, H.R. 2991, introduced in the House of Representatives in July 2007 (www.govtrack.us/congress/billtext.xpd?bill=h110-2991). See also (1) Yasnoff, W.A. HRBA: Health Record Banking Alliance (www.hhs.gov/healthit/ahic/materials/06_07/cps/hrba.pdf); (2) Ibid. “Health Record Banks Enable Privacy in Health Information Infrastructure.” Presentation to NCVHS Privacy and Confidentiality Subcommittee, Hyattsville, Maryland, January 23, 2007 (www.ncvhs.hhs.gov/070123p2.pdf). In this model, the multi-stakeholder board of a nonprofit data bank would regulate privacy.

5. Goldman, J. “New consumer right fuels opportunity for e-access to medical records.” iHealthBeat, October 30, 2002 (www.ihealthbeat.org/articles/2002/10/30/New-consumer-right-fuels-opportunity-for-eaccess-to-medical-records.aspx?ps=1&authorid=).

6. 45 Code of Federal Regulations. § 160.102. HIPAA also covers “health care clearinghouses,” narrowly defined as entities that translate data from nonstandard to standard format.

7. California Health and Safety Code §§ 120975.

8. California Civil Code Sections 56–56.16.

9. 45 Code of Federal Regulations. 164.524(c).

10. California Health and Safety Code § 123110(a) and (b).

11. The text of this legislation is available at www.govtrack.us/congress/billtext.xpd?bill=s110-1814.

12. Ibid.