MHA 616 UOP Law and Standards Peer Review

Law and Standards Peer Review

Prior to beginning work on this interactive assignment, read Chapters 9 through 11 from the Wager, Lee, & Glaser (2017) text, and the articles by Adjerid, Acquisti, Telang, Padman, & Adler-Milstein (2016), Cartwright-Smith, Gray, & Thorpe (2016), Marvin (2017), and Richesson & Chute (2015). This assignment is a culmination of your Week 4 Health Insurance Portability and Accountability Act (HIPAA) Violations assignment. You will summarize your Health Insurance Portability and Accountability Act (HIPAA) Violations from Week 4 and then include it in your discussion post for a classmate to review. Reflect back to the proposal you created for the Week 1 assignment to meet an organization’s needs and determine how the components from this week align with your proposal.

Your peer review must include the following components:

Summarize key points of your Health Information System Case Selection and Proposal from Week 1 to include the concepts from the Health Insurance Portability and Accountability Act (HIPAA) Violations assignment:

  • Defend the laws and standards you applied to your Week 4 Health Insurance Portability and Accountability Act (HIPAA) Violations assignment.
  • Defend how HIPAA Privacy and Security is exclusively applied.

  • Formulate at least one question to prompt a discussion around an area of interest you would like your classmate to address.
  • Provide a detailed response to your classmate’s feedback
    Chapter 9
    Privacy and Security
    Learning Objectives
    • To be able to distinguish among privacy, confidentiality, and security as they relate to health
      information.
    • To be able to identify the purpose of the Privacy Act of 1974 and 42 C.F.R. (Code of Federal
      Regulations) Part 2, Confidentiality of Substance Abuse Patient Records.
    • To be able to describe and discuss the impact of the HIPAA Privacy, Security, and Breach
      Notification rules.
    • To be able to identify threats to health care information and information systems caused by
      humans (intentional and unintentional), natural causes, and the environment.
    • To be able to understand the purpose and key components of the health care organization
      security program and the need to mitigate security risks.
    • To be able to discuss the increased need for and identify resources to improve cybersecurity
      in health care organizations.
    Privacy is an individual’s constitutional right to be left alone, to be free from unwarranted
    publicity, and to conduct his or her life without its being made public. In the health care
    environment, privacy is an individual’s right to limit access to his or her health care information.
    In spite of this constitutional protection and other legislated protections discussed in this
    chapter, approximately 112 million Americans (a third of the United States population) were
    affected by breaches of protected health information (PHI) in 2015 (Koch, 2016). Three large
    insurance-related corporations accounted for nearly one hundred million records being
    exposed (Koch, 2016). In one well-publicized security breach at Banner Health, where hackers
    gained entrance through food and beverage computers, approximately 3.7 million individuals’
    information was accessed, much of it health information (Goedert, 2016).
    Health information privacy and security are key topics for health care administrators. In today’s
    ever-increasing electronic world, where the Internet of Things is on the horizon and nearly
    every health care organization employee and visitor has a smart mobile device that is
    connected to at least one network, new and more virulent threats are an everyday concern. In
    this chapter we will examine and define the concepts of privacy, confidentiality, and security as
    they apply to health information. Major legislative efforts, historic and current, to protect
    health care information are outlined, with a focus on the Health Insurance Portability and
    Accountability Act (HIPAA) Privacy, Security, and Breach Notification rules. Different types of
    threats, intentional and unintentional, to health information will be discussed. Basic
    requirements for a strong health care organization security program will be outlined, and the
    chapter will conclude with the cybersecurity challenges in today’s environment of mobile and
    cloud-based devices, wearable fitness trackers, social media, and remote access to health
    information.
    Privacy, Confidentiality, and Security Defined
    As stated, privacy is an individual’s right to be left alone and to limit access to his or her health
    care information. Confidentiality is related to privacy but specifically addresses the expectation
    that information shared with a health care provider during the course of treatment will be used
    only for its intended purpose and not disclosed otherwise. Confidentiality relies on trust.
    Security refers to the systems that are in place to protect health information and the systems
    within which it resides. Health care organizations must protect their health information and
    health information systems from a range of potential threats. Certainly, security systems must
    protect against unauthorized access and disclosure of patient information, but they must also
    be designed to protect the organization’s IT assets—such as the networks, hardware, software,
    and applications that make up the organization’s health care information systems—from harm.
    Legal Protection of Health Information
    There are many sources for the legal and ethical requirements that health care professionals
    maintain the confidentiality of patient information and protect patient privacy. Ethical and
    professional standards, such as those published by the American Medical Association and other
    organizations, address professional conduct and the need to hold patient information in
    confidence. Accrediting bodies, such as the Joint Commission, state facility licensure rules, and
    the government through Centers for Medicare and Medicaid, dictate that health care
    organizations follow standard practice and state and federal laws to ensure the confidentiality
    and security of patient information.
    Today, legal protection specially addressing the unauthorized disclosure of an individual’s
    health information generally comes from one of three sources (Koch, 2016):
    • Federal HIPAA Privacy, Security, and Breach Notification rules
    • State privacy laws. These laws typically apply more stringent protections for information
      related to specific health conditions (HIV/AIDS, mental or reproductive health, for example).
    • Federal Trade Commission (FTC) Act consumer protection, which protects against unfair or
      deceptive practices. The FTC issued the Health Breach Notification Rule in 2010 to require
      certain businesses not covered by HIPAA, including PHR vendors, PHR-related entities, or
      third-party providers for PHR vendors or PHR-related entities to notify individuals of a security
      breach.
    However, there are two other major federal laws governing patient privacy that, although they
    have been essentially superseded by HIPAA, remain important, particularly from a historical
    perspective.
    • The Privacy Act of 1974 (5 U.S.C. §552a; 45 C.F.R. Part 5b; OMB Circular No. A-108 [1975])
    • Confidentiality of Substance Abuse Patient Records (42 U.S.C. §290dd-2, 42 C.F.R. Part 2)
    The Privacy Act of 1974
    In 1966, the Freedom of Information Act (FOIA) was passed. This legislation provides the
    American public with the right to obtain information
    Chapter 10
    Performance Standards and Measures
    Learning Objectives
    • To be able to explain the significant role of health information in national private and public
      quality improvement initiatives.
    • To be able to compare and contrast licensure, certification, and accreditation processes.
    • To be able to discuss the role of the Joint Commission and the National Committee for
      Quality Assurance in ensuring the quality of care in the United States.
    • To be able to understand performance measurement development in the United States.
    • To be able to identify the roles of specific public and private organizations in the
      development and endorsement of national performance measures.
    • To be able to understand the origins and uses of major health care comparative data sets.
    This chapter examines public and private organizations and processes that establish standards
    for ensuring that health records are maintained accurately and completely and that they
    contain the data and information needed to define and report a wide range of measures to
    determine the quality and efficiency of health care. These activities are very important and
    have a significant influence on providers and HIT capabilities, significant enough for us to
    devote an entire chapter to them.
    Health care organizations and health plans use data and information to measure performance
    against internal and external standards; to compare performance to other like organizations; to
    demonstrate performance to licensing, certifying, and accrediting bodies; and to demonstrate
    performance for reimbursement purposes. This chapter begins with an examination of the
    licensure, certification, and accreditation of health care facilities and health plans, followed by
    an overview of key comparative data sets often used by health care organizations in
    benchmarking performance. The chapter concludes with a description of the national initiatives
    using performance measures to improve the quality and safety of health care, including those
    affecting provider reimbursement.
    In the section titled “Licensure, Certification, and Accreditation,” we define these processes, list
    the accrediting organizations recognized by CMS, and examine the missions and general
    functions of the Joint Commission and the National Committee for Quality Assurance (NCQA).
    These discussions focus on how the licensure, certification, and accreditation processes not
    only use health information to measure performance but also how they influence the health
    care information that is collected.
    “Measuring the Quality of Care” begins with a historical perspective of major milestones in the
    national agenda for health care quality improvement, followed by a discussion of the current
    efforts to improve health care quality and patient safety, focusing on the efforts that involve
    using health care data and information to measure performance. Quality measures are created
    and validated by a range of organizations, private and public. However, in recent years
    significant progress has been made in aligning these measures across organizations. Another
    significant movement related to quality measurement in the United States is implementation of
    value-based reimbursement programs, which are based on established performance criteria.
    The government plans for significant growth in these programs over the next decade.
    Licensure, Certification, and Accreditation
    Health care organizations, such as hospitals, nursing homes, home health agencies, and the like,
    must be licensed to operate. If they wish to file Medicare or Medicaid claims, they must also be
    certified, and if they wish to demonstrate quality performance, they will undergo an
    accreditation process. What are these processes, and how are they related? If a health care
    organization is licensed, certified, and accredited, how will this affect the health care
    information that it creates, uses, and maintains? In this section we will examine each of these
    processes, their impact on the health care organizations, and their relationships with one
    another.
    Licensure
    Licensure is the process that gives a facility legal approval to operate. As a rule, state
    governments oversee the licensure of health care facilities, and each state sets its own
    licensure laws and regulations. All facilities must have a license to operate, and it is generally
    the state department of health or a similar agency that carries out the licensure function.
    Licensure regulations tend to emphasize areas such as physical plant standards, fire safety,
    space allocations, and sanitation. They may also contain minimum standards for equipment and
    personnel. A few states tie licensure to professional standards and quality of care, but not all. In
    their licensure regulations, states generally set minimum standards for the content, retention,
    and authentication of patient medical records. Exhibit 10.1 is an excerpt from the South
    Carolina licensure regulations for hospitals. This excerpt governs patient medical record content
    (with the exception of newborn patient records, which are addressed in a separate section of
    the regulations). Although each state has its own set of medical record content standards,
    these are fairly typical in scope and content.
    Exhibit 10.1 Medical Record Content: Excerpt from South Carolina Standards for Licensing
    Hospitals and Institutional General Infirmaries
    601.5 Contents:
    A. Adequate and complete medical records shall be written for all patients admitted to the
    hospital and newborns delivered in the hospital. All notes shall be legibly written or typed and
    signed. Although use of initials in lieu of licensed nurses’ signatures is not encouraged, initials
    will be accepted provided such initials can be readily identified within the medical record. A
    minimum medical record shall include the following information:
    Admission Record: An admission record must be prepared for each patient and must contain
    the following information, when obtainable: Name; address, including county; occupation; age;
    date of birth; sex; marital status; religion; county of birth; father’s name; mother’s maiden
    name; husband’s or wife’s name; dates of military service; health insurance number; provisional
    diagnosis; case number; days of care; social security number; the name of the person providing
    information; name, address and telephone number of person or persons to be notified in the
    event of emergency; name and address of referring physician; name, address and telephone
    number of attending physician; date and hour of admission;
    History and physical within 48 hours after admission;
    Provisional or working diagnosis;
    Pre-operative diagnosis;
    Medical treatment;
    Complete surgical record, if any, including technique of operation and findings, statement of
    tissue and organs removed and post-operative diagnosis;
    Report of anesthesia;
    Nurses’ notes;
    Progress notes;
    Gross pathological findings and microscopic;
    Temperature chart, including pulse and respiration;
    Medication Administration Record or similar document for recording of medications,
    treatments and other pertinent data. Nurses shall sign this record after each medication
    administered or treatment rendered;
    Final diagnosis and discharge summary;
    Date and hour of discharge summary;
    In case of death, cause and autopsy findings, if autopsy is performed;
    Special examinations, if any, e.g., consultations, clinical laboratory, x-ray and other
    examinations.
    Source: South Carolina Department of Health and Environmental Control, Standards for
    Licensing Hospitals and Institutional General Infirmaries, Regulation 61–16 § 601.5 (2010).
    An initial license is required before a facility opens its doors, and this license to operate must
    generally be renewed annually. Some states allow organizations with the Joint Commission or
    other accreditation to forgo a formal licensure survey conducted by the state; others require
    the state survey regardless of accreditation status. As we will see in the section on
    accreditation, the accrediting bodies’ standards are more detailed and more stringent than the
    typical state licensure regulations. Also, most accreditation standards are updated annually;
    most licensure standards are not.
    Certification
    Certification gives a health care organization the authority to participate in the federal
    Medicare and Medicaid programs. Legislation passed in
    Health Insurance Portability and Accountability Act (HIPAA) Violations
    MHA 616 Health Care Management Information Systems
    Natesha Finch
    Instructor: Rafael Caycho
    November 28th, 2002
    The HIPAA is one of the regulations that the government has implemented to protect
    patient data against intrusions and unauthorized access from third parties (Schumaker, 2021).
    The goal of the implementation of these regulations was informed by the desire to eliminate
    some of the core challenges affecting patient safety in data sharing. The adoption of electronic
    health records and medical technologies has enabled healthcare facilities to boost collaboration.
    Improved collaboration has been achieved through enhanced data sharing. However, violations
    have been reported affecting patient data sharing and quality of care delivery. Overcoming these
    violations is essential since it increases the effectiveness of the adopted medical technologies by
    promoting collaboration and real-time patient service delivery.
    This report has selected the violation involving Cottage Health. In 2018, this health
    facility was fined $3 million by the OCR based on violations that were reported in its electronic
    health systems. It was reported that Cottage Health's data was exposed to third parties through
    breaches. Two breaches were reported at the facility, which affected the capacity to maintain the
    intended privacy of the patient data. In these breaches, the facility reported that data belonging to
    62500 individuals were exposed to third parties. This data comprised, but was not limited to,
    patient names, emails, contacts, social security numbers, diagnoses, and lab results. These breaches
    undermined the integrity of the organizational systems and patient data.
    Cottage Health was required to pay $3 million to OCR based on the outcomes of the
    preliminary research. This research offered a foundation for examining the potential weaknesses
    that led to the data breaches. On the same note, the facility was fined because of the failure to
    perform a comprehensive assessment of its information systems. Such a failure created
    weaknesses that enabled third parties to access the internal resources and data.
    One of the approaches that have been used in promoting information security is creating a
    reliable improvement framework. The government, through the HIPAA, has offered guidelines
    for protecting patient records against unauthorized access. The facility will benefit from creating
    a comprehensive information system management framework that will involve policies,
    procedures, and guidelines for ensuring data security. The goal of this framework is to create
    sufficient policies, procedures, and guidelines that would enable the facility to eliminate the risks
    of intrusions. The core policies that the facility must create relate to password and user account
    management and network administration (Stine, Quinn, Witte & Gardner, 2020). These policies
    will enable the facility to reduce the risks of intrusions. On the same note, the facility will benefit
    from using guidelines and regulations that will align with HIPAA recommendations for ensuring
    data security. These guidelines will ensure strategic awareness about data security promotion.
    The success of the organization in promoting information security will depend on the
    ability to leverage the available technologies and guidelines to ensure sufficient awareness about
    information security. The facility will benefit from using an enterprise risk management
    framework. This framework will enable the facility to implement a penetration testing and
    vulnerability assessment framework to determine the weaknesses that its systems exhibit.
    This incident has offered strategic lessons about information security planning. The
    proposed project will benefit from an enterprise risk management framework. This framework
    will create a reliable foundation for progressively assessing the risks that may occur in the
    internal infrastructures. The proposed infrastructure will be protected through progressive risk
    assessment. Such an intervention will ensure that the organization reduces the risks of
    unauthorized access that may be witnessed within the operational settings (Zhang, 2022).
    Secondly, it is essential to invest in a dynamic risk management platform. This platform will
    ensure that new risks are identified and handled according to their implications on the
    organizational systems.
    References
    Schumaker, E. (2021). What is a HIPAA violation? ABC News.
    Stine, K., Quinn, S., Witte, G., & Gardner, R. (2020). Integrating cybersecurity and enterprise
    risk management (ERM). National Institute of Standards and Technology, NIST Internal
    or Interagency Report (NISTIR), 8286.
    Zhang, Y. (2022). Economic Globalization and Corporate Accounting Risks: An Analysis of
    Enterprise Risk Management Based on Big Data. Security and Communication
    Networks, 2022.
    Chapter 11
    Health Care Information System Standards
    Learning Objectives
    • To be able to give examples of the methods by which standards are developed: ad hoc, de
      facto, government mandate, and consensus.
    • To be able to identify and discuss the role of organizations that currently have a significant
      impact on the adoption of health care information standards in the United States.
    • To be able to identify and discuss the role of federal initiatives and legislation that have a
      significant impact on the adoption of health care information standards in the United States.
    • To be able to identify examples within the major types of health care information standards
      and the organizations that develop or approve them.
    • To understand the importance of health care IT standards to the future of the US health care
      delivery system.
    Throughout this text we have examined a variety of different types of standards that affect,
    directly or indirectly, the management of health information systems. In Chapter Ten we
    examined health care performance standards; Chapter Two looked at data quality standards,
    Chapter Nine at security standards, and so on. In this chapter we will examine yet another
    category of standards that affect health care data and information systems: health care
    information system (HCIS) standards. In all cases the standards examined represent the
    measuring stick or set of rules against which an entity, such as an organization or system, will
    compare its structures, processes, or functions to determine compliance. In the case of the
    HCIS standards discussed in this chapter the aim is to provide a common set of rules by which
    health care information systems can communicate. Systems that conform to different
    standards cannot possibly communicate with one another. Portability, data exchange, and
    interoperability among different health information systems can be achieved only if they can
    “communicate.” For a simple analogy, think about traveling to a country where you do not
    speak the language. You would not be able to communicate with that country’s citizens without
    a common language or translator. Think of the common language you adopt as the standard set
    of rules to which all parties agree to adhere. Once you and others agree on a common
    language, you and they can communicate. You may still have some problems, but generally
    these can be overcome.
    By nature HCIS standards include technical specifications, which make it less easy for the typical
    health care administrator to fully understand them. In addition, a complex web of public and
    private organizations create, manage, and implement HCIS standards, resulting in standards
    that are not always aligned, making the standards even more difficult to fully grasp. In fact,
    some may actually compete with one another. In addition to the complex web of standards
    specifically designed for HCIS, there are many general IT standards that affect health care
    information systems. Networking standards, such as Ethernet and Wi-Fi, employed by health
    care organizations are not specific to health care. Extensible markup language (XML) is widely
    accepted as a standard for sharing data using web-based technologies in health care and other
    industries. There are many other examples that are beyond the scope of this text. Our focus will
    be on the standards that are specific to HCIS.
    With HIPAA came the push for adoption of administrative transaction and data exchange
    standards. This effort has been largely successful; claims are routinely submitted via standard
    electronic transaction protocols. However, although real progress has been made in recent
    years, complete interoperability among health care information systems remains elusive.
    Chapter Three examined the need for interoperability among health care information systems
    to promote better health of our citizens; Chapter Two discussed the lack of standardization in
    EHRs as an issue with using EHR data in research; and Chapter Nine outlined problems
    associated with misalignment of quality and performance measures, in part because of a lack of
    interoperability and standardization in EHRs and other health care information systems.
    Interoperability, as defined by the ONC (2015) in its publication Connecting Health Care for the
    Nation: A Shared Nationwide Interoperability Roadmap, results from multiple initiatives,
    including payment, regulatory, and other policy changes to support a collaborative and
    connected health care system. The best political and social infrastructures, however, will not
    succeed in achieving interoperability without supportive technologies.
    This chapter is divided into three main sections. The first section is an overview of HCIS
    standards, providing general information about the types of standards and their purposes. The
    second section examines a few of the major initiatives, public and private, responsible for
    creating, requiring, or implementing HCIS standards. Finally, the last section of the chapter
    examines some of the most commonly adopted HCIS standards, including examples of the
    standards when possible.
    HCIS Standards Overview
    Keith Boone, a prolific blogger and writer on all topics related to HIT standards, once wrote,
    “Standards are like potato chips. You always need more than one to get the job done” (Boone,
    2012b). In general, the health care IT community discusses HCIS standards in terms of their
    specific function, such as privacy and security, EHRs, electronic prescribing (e-prescribing), lab
    reporting, and so on, but the reality is that achieving one of these or other functions requires
    multiple standards directed at different levels within the HCIS. For example, there is a need for
    standards at the level of basic communication across the Internet or other network
    (Transporting), standards for structuring the content of messages communicated across the
    network (Data Interchange and Messaging), standards that describe required data elements for
    a particular function, such as the EHR or clinical summary (Content), and standards for naming
    or classifying the actual data, such as units of measure, lab tests, diagnoses, and so on
    (Vocabulary/Terminology). Unfortunately, there is no universal model for categorizing the
    plethora of HCIS standards. In this chapter we will look at standards described as Data
    Interchange and Messaging, Content, and Vocabulary/Terminology standards.
    Standards, as we have seen, are the sets of rules for what should be included for the needed
    function and system level. This is only a portion of the challenge in implementing standards.
    The other challenge is how are the standards used for a particular function or use case? Much
    of the work.
    Chapter 12
    IT Alignment and Strategic Planning
    Learning Objectives
    • To be able to understand the importance of an IT strategic plan.
    • To review the components of the IT strategic plan.
    • To be able to understand the processes for developing an IT strategy.
    • To be able to discuss the challenges of developing an IT strategy.
    • To describe the Gartner Hype Cycle recognizing the wide range of emerging technologies at
      various stages of maturity.
    Information technology (IT) investments serve to advance organizational performance. These
    investments should enable the organization to reduce costs, improve service, enhance the
    quality of care, and, in general, achieve its strategic objectives. The goal of IT alignment and
    strategic planning is to ensure a strong and clear relationship between IT investment decisions
    and the health care organization’s overall strategies, goals, and objectives. For example, an
    organization’s decision to invest in a new claims adjudication system should be the clear result
    of a goal of improving the effectiveness of its claims processing process. An organization’s
    decision to implement a care coordination application should be a consequence of its
    population health management strategy.
    Developing a sound alignment can be very important for one simple reason—if you define the
    IT agenda incorrectly or even partially correctly, you run the risk that significant organizational
    resources will be misdirected; the resources will not be put to furthering strategically important
    areas. This risk has nothing to do with how well you execute the IT direction you choose. Being
    on time, on budget, and on specification is of little value to the organization if it is doing the
    wrong thing!
    IT Planning Objectives
    The IT strategic planning process has several objectives:
    • To ensure that information technology plans and activities align with the plans and activities
      of the organization; in other words, the IT needs of each aspect of organizational strategy are
      clear, and the portfolio of IT plans and activities can be mapped to organizational strategies and
      operational needs
    • To ensure that the alignment is comprehensive; in other words, each aspect of strategy has
      been addressed from an IT perspective that recognizes not all aspects of strategy have an IT
      component, and not all components will be funded
    • To identify non-IT organizational initiatives needed to ensure maximum leverage of the IT
      initiative (for example, process reengineering)
    • To ensure that the organization has not missed a strategic IT opportunity, such as those that
      might result from new technologies
    • To develop a tactical plan that details approved project descriptions, timetables, budgets,
      staffing plans, and plan risk factors
    • To create a communication tool that can inform the organization of the IT initiatives that will
      and will not be undertaken
    • To establish a political process that helps ensure the plan results have sufficient
      organizational support
    At the end of the alignment and strategic-planning process, an organization should have an
    outline that at a high level resembles Table 12.1. With this outline, leadership can see the IT
    investments needed to advance each of the organization’s strategies. For example, the goal of
    improving the quality of patient care may lead the organization to invest in databases to
    measure and report quality, predictive algorithms to identify patients at risk of readmission,
    and the EHR.
    Table 12.1 IT initiatives linked to organizational goals
    Goal | IT Initiatives
    Research and education | Research patient data registry; Genetics and genomics platform; Grants management
    Patient care: quality improvement | Quality measurement databases; Order entry; Electronic health record
    Patient care: sharing data across the system | Enterprise master person index; Clinical data repository; Common infrastructure
    Patient care: non-acute services | Nursing documentation; Transition of care
    Financial stability | Revenue system enhancements; Payroll-personnel system; Cost accounting
    Article 1
    Abstract
    Health information exchanges (HIEs) are healthcare information technology efforts designed to
    foster coordination of patient care across the fragmented U.S. healthcare system. Their purpose is
    to improve efficiency and quality of care through enhanced sharing of patient data. Across the
    United States, numerous states have enacted laws that provide various forms of incentives for
    HIEs and address growing privacy concerns associated with the sharing of patient data. We
    investigate the impact on the emergence of HIEs of state laws that incentivize HIE efforts and
    state laws that include different types of privacy requirements for sharing healthcare data,
    focusing on the impact of laws that include requirements for patient consent. Although we
    observe that privacy regulation alone can result in a decrease in planning and operational HIEs,
    we also find that, when coupled with incentives, privacy regulation with requirements for patient
    consent can actually positively impact the development of HIE efforts. Among all states with
    laws creating HIE incentives, only states that combined incentives with consent requirements
    saw a net increase in operational HIEs; HIEs in those states also reported decreased levels of
    privacy concern relative to HIEs in states with other legislative approaches. Our results
    contribute to the burgeoning literature on health information technology and the debate on the
    impact of privacy regulation on technology innovation. In particular, they show that the impact
    of privacy regulation on the success of information technology efforts is heterogeneous: both
    positive and negative effects can arise from regulation, depending on the specific attributes of
    privacy laws.
    Health Information Ownership: Legal
    Theories and Policy Implications
    Lara Cartwright-Smith, Elizabeth Gray, and Jane Hyatt Thorpe*
    ABSTRACT
    This Article explores the nature and characteristics of health
    information that make it subject to federal and state laws and the existing
    legal framework that confers rights and responsibilities with respect to
    health information. There are numerous legal and policy considerations
    surrounding the question of who owns health information, including
    whether and how to confer specific ownership rights to health
    information. Ultimately, a legal framework is needed that reflects the
    rights of a broad group of stakeholders in the health information
    marketplace, from patients to providers to payers, as well as the public’s
    interest in appropriate sharing of health information.
    TABLE OF CONTENTS
    I. INTRODUCTION
    II. THE UNIQUE NATURE OF HEALTH INFORMATION
        A. Definitions of Health Information
            1. Health Information Characteristics
            2. Health Information Types
    III. THE LEGAL AND POLICY LANDSCAPE FOR HEALTH INFORMATION
    IV. LEGAL THEORIES OF INFORMATION OWNERSHIP
        A. Property law
        B. Intellectual Property Law
        C. Federal Privacy Law
            1. Constitutional Law
            2. HIPAA
            3. Other Federal and State Statutes and Regulations Protecting Health Information Privacy
                a. The Genetic Information Non-Disclosure Act of 2008 (GINA)
                b. Privacy Act and FOIA
                c. 42 C.F.R. Part 2
        D. Contract Law
        E. State Law
    V. POLICY CONSIDERATIONS
    VI. CONCLUSION
    * The authors thank Jennifer Ansberry, JD, MPH, Maanasa Kona, JD, LLM, and
    Resa Cascio, JD, LLM, for their valuable research contributions to this paper.
    VAND. J. ENT. & TECH. L. [Vol. XIX:2:207
    I. INTRODUCTION
    The concept of owning information invokes thoughts of
    property and profit. Property ownership means that the owner may
    use the property as he or she wishes. The owner may modify it,
    destroy it, transfer it by sale or donation, and permit others to use it
    according to his or her terms, among other things.
    However,
    ownership of health information is less clear. In some cases, the law
    ascribes clear ownership rights over part or all of a health record, but
    in other cases, information may be used by a number of parties
    without clear ownership rights, even for the person who is the subject
    of the information. Stakeholders at the state and federal levels
    struggle with these issues as more uses for health information are
    developed, technological advancements enable greater mobility, and
    accessibility and ownership of health information becomes more
    significant, yet the answer to the ownership question remains unclear.
    Numerous potential solutions to the health information ownership
    question exist. One option would be to allow each person to own the
    information held in her personal medical records, even if another
    person created the record. Another might be to give ownership of the
    patient’s information to the healthcare provider who recorded that
    information.
    Or perhaps the many rights surrounding health
    information amount to ownership or make ownership irrelevant in a
    highly regulated environment.
    This Article will explore the existing laws that confer rights
    and responsibilities with respect to health information, discuss
    various legal theories of ownership that could apply to health
    information, and consider the implications of applying them in the
    current health information policy landscape. In Part I, the Article will
    explore the nature of health information and the various
    2016]
    HEALTH INFORMATION OWNERSHIP
    209
    characteristics that may make it subject to federal and state
    regulation. In Part II, the Article will explore the legal and policy
    landscape surrounding health information regulation, considering why
    ownership of health information is of particular relevance now. In
    Part III, the Article will discuss the various laws and legal theories
    that apply to health information, giving full ownership rights or rights
    to access, use, and control it. Finally, in Part IV, the Article will
    discuss policy considerations surrounding the question of health
    information ownership, including the implications of conferring
    specific ownership rights over health information. While there is no
    one solution to the question of health information ownership, given
    the complex bundle of overlapping rights under state and federal laws
    that apply, the Article highlights the policy considerations that weigh
    against treating health information exclusively as property.
    Ultimately, a legal framework is needed that reflects the rights of the
    many stakeholders in the health information marketplace, from
    patients to providers to payers, as well as the public’s interest in the
    appropriate sharing of health information.
    II. THE UNIQUE NATURE OF HEALTH INFORMATION
    In some ways, health information is similar to other types of
    personal information: it contains unique details about a particular
    individual. Like financial information, it can be used improperly to
    discriminate against an individual and, like private photos or personal
    thoughts, it can be embarrassing if disclosed publicly. In other ways,
    health information is unique.
    For example, disclosing health
    information to others is necessary both for proper medical treatment
    of the person who is the subject of the information and also for the
    business purposes of potentially many different people or entities,
    such as doctors for treatment and billing purposes and health
    insurance companies for payment purposes. Health information may
    be relevant to third parties, as in the case of communicable diseases or
    inheritable genetic conditions. Before considering how laws apply to
    health information, it is important to define what health information
    is and explain what makes it subject to regulation.
    A. Definitions of Health Information
    The most basic definition of health information is any
    information concerning the health of at least one person.1 When
    considering law and policy, however, the regulated information must
    be specifically defined. For example, the physical medical record, the
    content of the record, biological samples taken from a person, and data
    aggregated from many different people can all be considered “health
    information,” but they may be treated differently under the law. Not
    all health information is subject to regulation, and information that is
    regulated may be subject to laws that overlap or directly contradict
    each other.2
    1. Health Information Characteristics
    There is no single legal framework governing “health
    information;” rather, information may be subject to one or more laws
    and/or regulations depending on the information’s specific
    characteristics.
    For purposes of applying legal protections and
    restrictions, health information can be defined based on a variety of
    characteristics, such as its content, its source, and its form. These
    characteristics are not mutually exclusive, so that multiple
    overlapping rights and obligations may apply to a particular record or
    piece of information, complicating the question of ownership.
    Content focuses on the substance of the information. The
    American Health Information Management Association (AHIMA)
    defines health information as “the data related to a person’s medical
    history, including symptoms, diagnoses, procedures, and outcomes.”3
    This content-based definition is perhaps the broadest possible way to
    describe health information, as there are no limitations related to its
    source, form, or subject. The Office for the National Coordinator for
    Health Information Technology (ONC) uses a slightly narrower
    definition, recognizing health information as information about an
    individual’s medical condition or history where the information can be
    used to identify an individual.4 Indeed, identifiability is a critical
    component underlying most federal and state laws and regulations
    governing health information.5
    Health information can also be categorized by its source, which
    refers to the person or the entity that initially collected the information,
    as well as the setting in which the information was generated or
    collected. Sometimes, the individual subject of the information or the
    individual’s family members may be the information collector. Health
    information may also be collected by entities providing care, paying for
    care,6 performing public health functions, conducting research, or
    delivering other services that may incidentally involve healthcare
    information, such as those provided by prisons, schools, or
    universities. Laws focusing on the source alone may protect
    information only in its collected form, meaning the information itself
    is not protected but the list, database, or other collected information
    format is protected, as in the case of a business record, such as a
    patient list. Moreover, these laws may only protect information held
    by a certain party, such as a substance abuse treatment facility.
    Lastly, the form of medical information indicates the method
    by which information is collected and stored. Health information may
    be tangible, such as a tissue sample, or intangible, such as an
    individual’s memory about his or her health or an individual’s genetic
    information. Intangible health information becomes tangible once it is
    recorded or extracted from the individual. Tangible health
    information is stored digitally or on paper, or as preserved physical
    samples, such as those kept in biobanks. Some legal protections and
    restrictions apply to health information by virtue of its form or
    medium, such as laws granting ownership of a medical record to the
    healthcare provider that holds it.7 In that case, the information is
    protected health information because it is contained in a medical
    record, but the protection may not follow the information once it
    leaves the medical record.
    1. What Is Health Information?, AM. HEALTH INFO. MGMT. ASS’N, http://www.ahima.org/careers/healthinfo [https://perma.cc/8NV9-5VL4] (last visited Oct. 27, 2016).
    2. See, e.g., Beverly Cohen, Reconciling the HIPAA Privacy Rule with State Laws Regulating Ex Parte Interviews of Plaintiffs’ Treating Physicians: A Guide to Performing HIPAA Preemption Analysis, 43 HOUS. L. REV. 1091, 1105–07 (2006).
    3. What Is Health Information?, supra note 1.
    4. What Is “Health Information” for Purposes of the Mobile Device Privacy and Security Subsection of HealthIT.gov?, HEALTHIT.GOV, https://www.healthit.gov/providers-professionals/faqs/what-health-information-purposes-mobile-device-privacy-and-security-sub [https://perma.cc/72JC-NQT2] (last visited Oct. 27, 2016).
    5. See, e.g., Health Insurance Portability and Accountability Act (HIPAA) of 1996 § 1177, 42 U.S.C. § 1320d(6) (2012) (defining an “offense” by referring four times to “identifiable health information” or “health identifier”).
    6. Health insurers, for example, are entities that pay for care, though other entities may be involved in payment. This would include the federal government when it directly pays providers to deliver care to a specific population for which it has responsibility, such as veterans.
    7. E.g., S.C. CODE ANN. § 44-115-20 (West 2016) (a physician is the owner of medical records that were made in treating a patient and are in his or her possession, as well as the owner of records transferred to him or her concerning prior treatment of the patient); V.A. CODE ANN. § 54.1-2403.3 (West 2016) (medical records maintained by any healthcare provider are the property of the healthcare provider or the provider’s employer).
    2. Health Information Types
    When considering ownership and regulation of health
    information, it is important to understand what may be owned or
    regulated.
    Laws may regulate only a certain type of health
    information, as in the case of state laws granting ownership of genetic
    information to the subject of the information,8 which can complicate
    matters if a certain record contains multiple types of information. It
    is important to understand the terms used by policymakers and
    stakeholders to delineate different types of information because these
    definitions may determine what rights and responsibilities apply to
    that information.
    The medical and health policy communities have adopted
    several commonly used terms to define certain types of health
    information. The term “clinical data,” for example, refers to health
    information collected in a clinical setting by a provider from a patient.9
    Clinical data may include patient histories, lab results, x-rays, or
    provider notes.10 Clinical data is stored in electronic health records
    (EHRs) and electronic medical records (EMRs), paper-based medical
    records, and clinical trial records.11
    “Administrative data” is information collected from patients by
    healthcare stakeholders, such as providers and payers, in connection
    with the patient’s care or payment for care.12 Administrative data is
    used primarily for business purposes like record keeping or billing and
    may include patient demographic and insurance information.13
    8. E.g., ALASKA STAT. ANN. § 18.13.010 (West 2016) (“DNA sample and the results of a DNA analysis are the exclusive property of the person sampled or analyzed.”); COLO. REV. STAT. ANN. §§ 10-3-1104.6, -1104.7 (West 2016) (indicating genetic information is the property of the individual); FLA. STAT. § 760.40 (2016) (“[R]esults of . . . DNA analysis, whether held by a public or private entity, are the exclusive property of the person tested.”); GA. CODE ANN. § 33-54-1 (West 2016) (“Genetic information is the unique property of the individual tested . . . .”); LA. STAT. ANN. §§ 22:1023, 40:2210 (2016) (“[I]nsured’s or enrollee’s genetic information is the property of the insured or enrollee . . . .”).
    9. Data Resources in the Health Sciences, U. WASH., http://guides.lib.uw.edu/hsl/data/findclin [https://perma.cc/3TXB-EQT5] (last visited Nov. 2, 2016).
    10. THE OFFICE OF THE NAT’L COORDINATOR FOR HEALTH INFO. TECH., COMMON CLINICAL DATA SET 2 (2015), https://www.healthit.gov/sites/default/files/commonclinicaldataset_ml_11-4-15.pdf [https://perma.cc/G37Q-LPP2]; see also What Is Health Information?, supra note 1.
    11. See, e.g., INST. OF MED., CLINICAL DATA AS THE BASIC STAPLE OF HEALTH LEARNING: CREATING AND PROTECTING A PUBLIC GOOD: WORKSHOP SUMMARY 45 (National Academies Press 2010), http://www.ncbi.nlm.nih.gov/books/NBK54296/ [https://perma.cc/9VDT-SPY9].
    12. Id. at 100.
    13. Id. at 126.
    Administrative data may be found in EHRs and EMRs, paper-based
    medical records, and practice management systems.14
    Finally, “patient-generated health data” (PGHD) is “health-related data created, recorded, or gathered by or from patients” or
    patients’ family members or other caregivers in non-clinical settings.15
    PGHD may be generated or collected by mobile apps, personal health
    records (PHRs), and home health equipment that does not
    automatically transmit to a provider, such as a blood glucose
    monitor.16
    Other common terms refer to the content of the information.
    “Biospecimens” are physical materials taken from an individual,
    including tissue, blood, urine, or other human-derived material,17 as
    well as the information derived from the material, such as extracted
    DNA.18 A biospecimen can comprise subcellular structures, cells,
    tissue, organs, blood, gametes (sperm and ova), buccal swabs,
    embryos, fetal tissue, exhaled breath condensate, and waste (urine,
    feces, sweat, hair and nail clippings, shed epithelial cells, and
    placenta).19 “Genetic information” refers to information about an
    individual’s genetic makeup and the genetic makeup of an individual’s
    family members, as well as information about the manifestation of a
    disease or disorder in an individual’s family members, such as a
    family medical history.20 Both biospecimens and genetic information
    may be defined and regulated according to their form as well as
    content, as in the case of a rule applying only to the physical sample
    taken from a body.
    14. Id. at 69.
    15. Patient-Generated Health Data, HEALTHIT.GOV, https://www.healthit.gov/policyresearchers-implementers/patient-generated-health-data [https://perma.cc/6QHJ-T7MT] (last visited Oct. 27, 2016).
    16. Id.
    17. OFFICE OF BIOREPOSITORIES AND BIOSPECIMEN RESEARCH ET AL., NCI BEST PRACTICES FOR BIOSPECIMEN RESOURCES 59 (2011), http://biospecimens.cancer.gov/bestpractices/2011-NCIBestPractices.pdf [https://perma.cc/WAH23WQS] (last visited Oct. 27, 2016).
    18. NAT’L INST. OF HEALTH, GUIDELINES FOR HUMAN BIOSPECIMEN STORAGE AND TRACKING WITHIN THE NIH INTRAMURAL RESEARCH PROGRAM 3 (2013), https://oir.nih.gov/sites/default/files/uploads/sourcebook/documents/ethical_conduct/guidelinesbiospecimen.pdf [https://perma.cc/QU9E-CDR4] (last visited June 28, 2016).
    19. OFFICE OF BIOREPOSITORIES AND BIOSPECIMEN RESEARCH ET AL., supra note 17, at 59; Jonathan S. Miller, Can I Call You Back? A Sustained Interaction with Biospecimen Donors to Facilitate Advances in Research, 22 RICH. J.L. & TECH. 1 (2015).
    20. Adapted from the definition of “genetic information” set forth in GINA Title I. See Genetic Information Nondiscrimination Act of 2008 § 201, 42 U.S.C. § 2000ff (2012).
    III. THE LEGAL AND POLICY LANDSCAPE FOR HEALTH INFORMATION
    In recent years, evolving technology has made health
    information more accessible and more meaningful to individual
    consumers, providers, payers, and researchers.
    Value-based
    purchasing policies have created incentives for providers to collect,
    analyze, and report more data about individual patients.21 Wearable
    devices collect and record health information such as activity, heart
    rate, and blood sugar level, enabling individuals to monitor, and thus
    better manage their own health.22 These and other self-management
    tools, such as Consumer Health Informatics (CHI) applications, are
    particularly useful for patients with chronic conditions. For example,
    researchers have found that the use of such tools can positively affect
    health outcomes in the cases of breast cancer, alcohol abuse, smoking
    cessation, obesity, diabetes, mental health, and asthma.23
    CHI
    applications also include electronic PHRs and patient portals, some of
    which function as peer interaction systems by which users can
    communicate with others who have similar conditions.24 Individuals
    may also choose to share personal health information freely online
    through websites specifically designed to aggregate information from
    patients, such as PatientsLikeMe,25 as well as on social media.26
    Providers even share patient information on social media (with
    privacy protections in place), essentially crowdsourcing medical
    diagnosis and treatment.27
    21. See, e.g., Linking Quality to Payment, MEDICARE.GOV, https://www.medicare.gov/hospitalcompare/linking-quality-to-payment.html [https://perma.cc/D5FK-XVJQ] (last visited Oct. 27, 2016).
    22. See John Comstock, CES 2016: Running List of Health and Wellness Devices, MOBIHEALTH NEWS (Jan. 6, 2016), http://mobihealthnews.com/content/ces-2016-running-listhealth-and-wellness-devices [https://perma.cc/U4B3-WSJ2].
    23. JOHNS HOPKINS UNIV. EVIDENCE-BASED PRACTICE CTR., IMPACT OF CONSUMER HEALTH INFORMATICS APPLICATIONS, at v (2009), http://www.ahrq.gov/downloads/pub/evidence/pdf/chiapp/impactchia.pdf [https://perma.cc/8H5QL9KR].
    24. Bisk, Defining the Concept of CHI, and Exploring How It Is Democratizing Healthcare for Patients, USF HEALTH, http://www.usfhealthonline.com/resources/keyconcepts/consumer-health-informatics/#.V2xi0jkrK2x [https://perma.cc/5TET-T7GU] (last visited Nov. 2, 2016).
    25. Live Better, Together!, PATIENTSLIKEME, https://www.patientslikeme.com [https://perma.cc/R66M-K49F] (last visited Nov. 2, 2016).
    26. See Patricia Sanchez Abril & Anita Cava, Health Privacy in a Techno-Social World: A Cyber-Patient’s Bill of Rights, 6 NW. J. TECH. & INTELL. PROP. 244, 247–48 (2008).
    27. See, e.g., Alex Mohensi, Doc APProvED: ‘Instagram for Doctors,’ 36 EMERGENCY MED. NEWS 22 (2014), http://journals.lww.com/emnews/Fulltext/2014/04000/Doc_APProvED___Instagram_for_Doctors_.15.aspx [https://perma.cc/2B9P-GKDX]; see also Esther K. Choo et al., Twitter as a Tool for Communication and Knowledge Exchange in Academic Medicine: A Guide for Skeptics and Novices, 37 MED. TCHR. 411, 413 (2014).
    28. Bernard Marr, Big Data a Game Changer for Healthcare, FORBES (May 24, 2016, 1:55 AM), http://www.forbes.com/sites/bernardmarr/2016/05/24/big-data-a-game-changer-inhealthcare/#28efa52f3c75 [https://perma.cc/UYA3-MJKC].
    29. Id.
    30. Caroline Humer & Jim Finkle, Your Medical Record Is Worth More to Hackers Than Your Credit Card, REUTERS (Sep. 24, 2014, 2:24 PM), http://www.reuters.com/article/uscybersecurity-hospitals-idUSKCN0HJ21I20140924 [https://perma.cc/X7QQ-4SVD].
    31. U.S. GOV’T ACCOUNTABILITY OFFICE, INFORMATION RESELLERS: CONSUMER PRIVACY FRAMEWORK NEEDS TO REFLECT CHANGES IN TECHNOLOGY AND THE MARKETPLACE 52–53 (2013), http://www.gao.gov/assets/660/658151.pdf [https://perma.cc/U8JQ-SZZZ].
    32. Id. at 53.
    33. IMS HEALTH HOLDINGS, INC., 2015 ANNUAL REPORT 38 (2015), http://s2.q4cdn.com/521378675/files/doc_downloads/2016/IMS_2015_AnnualReport_Final_Final.pdf [https://perma.cc/V35F-JGCT]. $1.5 billion per year is a lot of money to make just from aggregating and selling health data.
    Technology is also enabling the use of “big data” drawn from
    health records, which promises to improve the quality of healthcare,
    allow a greater understanding of patient and provider behaviors, and
    even find new treatments for conditions like cancer. “Big data” refers
    to very large datasets containing vast quantities of a variety of
    information types that arrive and must be processed quickly.28 It also
    invites concern about commercial uses by information resellers and
    marketers, as well as nefarious uses like identity theft and
    discrimination.29 Cybersecurity experts estimate that a stolen medical
    record is worth ten times more than stolen credit card information
    because of medical information’s greater profit potential.30 In the
    legal data market, health information is collected and sold to
    companies such as credit bureaus, advertisers, and investigators. An
    appendix to a 2013 Government Accountability Office (GAO) report on
    information resellers listed characteristics that the credit reporting
    company Experian used to identify individuals to include in marketing
    lists it created and provided to its clients.31 The characteristics
    included an extensive list of health conditions, including potentially
    sensitive conditions like Alzheimer’s disease, cancer, clinical
    depression, diabetes, erectile dysfunction, epilepsy, irritable bowel
    syndrome, menopause, Parkinson’s disease, and prostate problems.32
    The business of gathering health data for commercial purposes can be
    significant; for example, IMS Health, one of the leading providers of
    such intelligence, reported approximately $1.5 billion in annual
    revenue for its information segment in each of the last five years.33
    IMS Health draws information from a variety of sources, including
    over 500 million patient medical records and over fourteen million
    healthcare providers and organizations (Figure 1). These millions of
    records and pieces of patient information are combined into a dataset
    that is sold as a product to a variety of users.34 These practices
    illustrate how one’s health information may be commodified—that is,
    turned into a product for someone else’s profit. In this landscape,
    legal ownership of information becomes a critical question.
    Figure 1: Data combined by IMS Health for its “Market Insights”
    health information business sector35
    Courts are confronting these new data uses and considering
    where they fit in existing legal structures, such as intellectual
    property law. Two cases decided by the US Supreme Court in recent
    years illustrate the challenge of sorting out legal rights where
    corporate interests in personal information are concerned.36 In 2013,
    in Ass’n for Molecular Pathology v. Myriad Genetics, Inc., (Myriad),
    the Court considered a challenge to a patent held by Myriad Genetics
    on genetic tests for certain genes that increase the risk of breast and
    ovarian cancer.37 The tests involved isolating natural DNA strands
    and creating synthetic complementary DNA that mirrored the original
    isolated strands with slight alterations.38 The Court ruled that
    synthetically created complementary DNA is patentable, while
    isolated natural DNA is not.39 Although the case appeared to be a
    relatively straightforward application of intellectual property law,
    granting corporations a protectable property interest in material
    derived from an individual’s DNA could have far-reaching
    implications.40 If a corporation can create a commodity from DNA,
    selling it and preventing others from making competing products,
    other activities that amount to ownership of a person’s biological
    material are not far off.
    34. Id.
    35. Global, National and Subnational Insights, QUINTILESIMS, http://www.imshealth.com/en/solution-areas/market-insights [https://perma.cc/NG8J-YY56] (last visited Nov. 12, 2016).
    36. See generally Ass’n for Molecular Pathology v. Myriad Genetics, Inc., 133 S. Ct. 2107 (2013); Sorrell v. IMS Health Inc., 564 U.S. 552 (2011).
    37. Myriad, 133 S. Ct. at 2110–11.
    38. Id. at 2111.
    39. Id.
    40. Id. at 2113, 2120.
    In 2011, the Court considered the constitutionality of legal
    restrictions on the use of collected personal information in Sorrell v.
    IMS Health Inc.41 Sorrell dealt with a common marketing practice,
    wherein pharmacies collect prescriber-identifying information when
    processing prescriptions and sell this information to “data miners.”42
    Data miners use this information to produce reports on prescriber
    behaviors, de-identified with respect to patients but identifying the
    prescribing physician, which they lease to pharmaceutical
    manufacturers.43 Manufacturers then employ “detailers,” commonly
    known as pharmaceutical sales representatives or “drug reps,” who
    use the reports to strategically market and promote their drugs to
    physicians.44
    The Vermont law in question prohibited pharmacies from
    selling or disclosing prescriber-identifying information for marketing
    purposes without the prescriber’s consent and further prohibited
    pharmaceutical manufacturers and marketers from using prescriber-identifiable information for sales marketing and promotion practices.45
    The majority used a First Amendment free speech analysis to strike
    down the statute because it imposed a burden on the protected speech
    of the regulated pharmacies, manufacturers, and marketers, including
    plaintiff IMS Health, thereby restricting communication.46
    The dissent, however, argued that Vermont’s law regulated
    commercial activity rather than speech and thus imposed no
    significant burden on free speech.47 Because the majority interpreted
    restrictions on the use of health information as a free speech violation
    rather than regulation of health information use and exchange for
    commercial purposes, the Court may have made it very difficult for
    legislators to regulate the activity of collecting and disseminating
    personal information, including health information, for profit. With
    respect to ownership of health information, it may not be possible
    after Sorrell to give ownership rights over health information to a
    particular individual or entity through statute, regulation, or common
    41. Sorrell, 564 U.S. at 557.
    42. Id. at 558.
    43. Id.
    44. Id.
    45. VT. STAT. ANN. tit. 18, § 4631(d) (West 2010), invalidated by Sorrell v. IMS Health, Inc., 564 U.S. 552 (2011).
    46. Sorrell, 564 U.S. at 563–65.
    47. Id. at 591–92.
    218
    VAND. J. ENT. & TECH. L.
    [Vol. XIX:2:207
    law because another party may be able to claim a constitutional right
    to use the information for their own purposes.
    The legal status of health information is the subject of robust
    debate and the legal landscape is in flux. Scholars debate what legal
    framework—whether property law, tort law, or constitutional
    protections of free speech—should apply to health information.48
    Members of the public debate the ethics of using personal health
    information without consent, as in the case of Henrietta Lacks, whose
    cancer cells were taken, replicated, and later commodified for valuable
    research for decades without her consent and without her family’s
    knowledge.49 Policymakers debate the proper balance between the
    potential benefits of data derived from personal information and the
    need to protect privacy and other rights.50
    At the federal level, ONC is leading efforts to define the rules
    of the road for the use and exchange of health information. For
    example, ONC released a set of guiding principles related to health
    information exchange governance in 2013, which were designed to
    serve as a common framework for organizations engaging in the data
    exchange for healthcare purposes.51 In 2015, ONC released the
    Federal Health IT [Information Technology] Strategic Plan 2015–2020,52
    which highlights the importance of protecting health
    information privacy and security in order to support and advance
    “widespread use of all forms of health IT.”53 According to the Plan,
    clarifying federal and state laws governing the privacy and security of
    health information is a key component of promoting greater adoption
    of health information technology.54
    48. See, e.g., Barbara J. Evans, Much Ado About Data Ownership, 25 HARV. J.L. & TECH. 70, 74 (2011) (arguing against propertization of health data); Bonnie Kaplan, Selling Health Data: De-Identification, Privacy, and Speech, 24 CAMBRIDGE Q. HEALTHCARE ETHICS 256 (2015) (comparing property and free speech framework and suggesting tort law as alternative); Paul M. Schwartz, Property, Privacy, and Personal Data, 117 HARV. L. REV. 2055, 2056 (2004) (criticizing tort law as comprehensive framework and suggesting property law as proper framework).
    49. See generally REBECCA SKLOOT, THE IMMORTAL LIFE OF HENRIETTA LACKS (Random House 2010).
    50. See, e.g., Marc A. Rodwin, Patient Data: Property, Privacy & the Public Interest, 36 AM. J.L. & MED. 586, 617 (2010).
    51. THE OFFICE OF THE NAT’L COORDINATOR FOR HEALTH INFO. TECH., GOVERNANCE FRAMEWORK FOR TRUSTED ELECTRONIC HEALTH INFORMATION EXCHANGE 1 (2013), https://www.healthit.gov/sites/default/files/GovernanceFrameworkTrustedEHIE_Final.pdf [https://perma.cc/8WX9-DBFT].
    52. THE OFFICE OF THE NAT’L COORDINATOR FOR HEALTH INFO. TECH., FEDERAL HEALTH IT STRATEGIC PLAN 2015–2020, at 4 (2015), https://www.healthit.gov/sites/default/files/9-5federalhealthitstratplanfinal_0.pdf [https://perma.cc/BSG4-943T].
    53. Id.
    54. Id. at 43.
    IV. LEGAL THEORIES OF INFORMATION OWNERSHIP
    In law, ownership generally means legal title to something
    combined with the exclusive right to possess it.55 Legal title gives the
    owner a variety of rights, including rights to control, use, profit from,
    dispose of, and prevent others from using the thing that is owned.56
    This concept is straightforward in the case of an object or piece of real
    estate. In the case of health information, ownership is usually less
    clear. A patchwork of laws grants various rights and obligations with
    respect to health information and medical records, including privacy,
    confidentiality, and the rights to access, amend, and direct the
    transfer of one’s health information.57 Some rights come from specific
    laws and regulations, while others are derived from broader principles
    of law, like privacy and property.58
    Some states have laws granting specific ownership over
    medical records or health information either to the healthcare
    provider or, in New Hampshire, to the individual who is the subject of
    the information.59 Some of these state laws use the term “own” or
    “owner,” while others use the term “property.”60 In Wyoming, the law
    refers to the physical conveyance for the information, giving the
    provider ownership of “the paper, microfilm, or data storage unit upon
    which the patient’s information is maintained [and stating that
    patients] do not have a right to possess the physical means by which
    the information is stored,” although they must be given access to
    “pertinent information.”61 In New Hampshire, the state’s Patients’
    Bill of Rights law states: “[m]edical information contained in the
    medical records at any facility licensed under this chapter shall be
    deemed to be the property of the patient.”62 This law is unique among
    states and, since providers retain a property interest in their business
    records, it is not clear how the conflicting property rights of patients
    and providers would be resolved in case of a dispute. There are also
    cases finding that medical records are the property of the healthcare
    55. Ownership, BLACK’S LAW DICTIONARY (10th ed. 2014).
    56. E.g., Jane B. Baron, Property as Control: Case of Information, 18 MICH. TELECOMM. & TECH. L. REV. 367, 384 (2012).
    57. E.g., Mark A. Hall, Property, Privacy, and the Pursuit of Interconnected Electronic Medical Records, 95 IOWA L. REV. 631, 649–50 (2010).
    58. See id.
    59. Who Owns Medical Records: 50 State Comparison, HEALTH INFO. & L., http://www.healthinfolaw.org/comparative-analysis/who-owns-medical-records-50-statecomparison [https://perma.cc/3H2N-XNF5] (last visited Nov. 12, 2016).
    60. See id.
    61. 024-052 WYO. CODE R. § 003 (LexisNexis 2016).
    62. N.H. REV. STAT. ANN. § 151:21 (2016).
    provider who created them, even where there is no statute or
    regulation to that effect.63
    While ownership is significant, it may not determine who can
    do what with health information. Patients may have rights with
    respect to their medical records under some federal privacy laws and
    regulations.64
    Many states have specific laws addressing how
    providers must maintain, protect, and dispose of records, as well as
    laws giving patients, providers, and others access to medical records,
    regardless of ownership status.65 The following discussion addresses
    the legal theories that could potentially serve as the basis for
    ownership of health information, including property law, intellectual
    property law, and privacy law.
    A. Property law
    In the United States, there is no recognized property interest in
    one’s own personal information.66 There may be property interests in
    specific types of information, as in the case of medical information
    under the New Hampshire law67 referenced above, or in the physical
    container that houses the information, such as a computer or diary.68
    When information about individuals is compiled from public data or by
    an entity with legal access to the information, such as a credit card
    company, it can be sold without the permission of the subjects of the
    information, who are not entitled to any compensation.69 Information
    about customers, such as mailing lists, can be distributed alongside
    real property when a business is transferred.70
    Property can be defined broadly as “any interest in an object,
    whether tangible or intangible, that is enforceable against the
    63. See, e.g., Holtkamp Trucking Co. v. David J. Fletcher, M.D., L.L.C., 932 N.E.2d 34, 43 (Ill. 2010) (holding that medical records were physician’s property); McGarry v. J.A. Mercier Co., 262 N.W. 296, 297–98 (Mich. 1935) (holding that x-ray negatives were the property of the physician who made them, not the patient).
    64. Hall, supra note 57, at 649–50.
    65. See States, HEALTH INFO. & L., http://www.healthinfolaw.org/state [https://perma.cc/6DWF-FVSR] (last visited Nov. 13, 2016).
    66. Vera Bergelson, It’s Personal but Is It Mine? Toward Property Rights in Personal Information, 37 U.C. DAVIS L. REV. 379, 403 (2003).
    67. N.H. REV. STAT. ANN. § 151:21 (2016).
    68. Hall, supra note 57, at 646–47.
    69. Dwyer v. Am. Express Co., 652 N.E.2d 1351, 1352–53 (Ill. App. Ct. 1995).
    70. E-7.04 Sale of a Medical Practice, AM. MED. ASS’N, https://www.denbar.org/docs/AMA%20(Professionalism)%20E-7.pdf?ID=2373 [https://perma.cc/5P5Y-WBAT] (last updated Sept. 26, 2005).
    world.”71 As explained by the California Supreme Court, applying a
    broad definition, “[t]he term ‘property’ is sufficiently comprehensive to
    include every species of estate, real and personal, and everything
    which one person can own and transfer to another. It extends to every
    species of right and interest capable of being enjoyed as such upon
    which it is practicable to place a money value.”72 Others have limited
    the definition of property to the specific set of “legally sanctioned
    property forms” defined by legislatures.73 This Article uses a broad
    definition, modified to apply to health information. Thus, a property
    interest in health information may be defined as any interest in the
    health information that is enforceable against the world. Property
    rights under this definition are distinguished from the more limited
    rights that apply under the terms of a contract, where rights are
    enforceable only against a party to the contract, or rights that only
    apply in certain settings or for certain users, such as health
    information privacy and security regulations. When considering
    property rights in personal information, courts have historically held
    that such information belongs to no one until it is collected, at which
    point it belongs to the collector.74 Thus, when a company collects the
    names, addresses, phone numbers, and shopping histories of its
    customers, that information may become a protected piece of property
    that can be transferred along with other corporate property when the
    business is sold or sold outright as a product itself.75
    In the healthcare context, medical records typically belong to
    the physician, hospital, or another provider that created them.76
    Thinking of healthcare like any other service industry, the medical
    record is a record of the service provided to the customer. For the
    healthcare provider, the information in a medical record is necessary
    for a number of purposes other than patient care. These include
    receiving payment for the service from an insurance company,
    complying with state and federal reporting requirements, supporting
    business functions such as profit-sharing among partners and paying
    taxes, and defending the provider in case of any claim of malpractice.77
    71. Schwartz, supra note 48, at 2058.
    72. Yuba River Power Co. v. Nevada Irrigation Dist., 207 Cal. 521, 524 (1929).
    73. Thomas W. Merrill & Henry E. Smith, Optimal Standardization in the Law of Property: The Numerus Clausus Principle, 110 YALE L.J. 1, 10 (2000).
    74. Bergelson, supra note 66, at 403.
    75. E.g., Julia N. Mehlman, If You Give a Mouse a Cookie, It’s Going to Ask for Your Personally Identifiable Information: A Look at the Data-Collection Industry and a Proposal for Recognizing the Value of Consumer Information, 81 BROOK. L. REV. 329, 331 (2015).
    76. E.g., Hall, supra note 57, at 646–47.
    77. Stanley J. Reiser, The Clinical Record in Medicine Part 2: Reforming Content and Purpose, 114 ANNALS INTERNAL MED. 980, 984 (1991).
    As business records, medical records and the information they contain
    can be transferred when, for example, a partner leaves a medical
    practice or a practice merges with another institution.78 Custody of
    medical records may be made part of an employment contract between
    a practice and an individual physician or part of a contract for the sale
    of a practice.79 Patients cannot take the original medical record away
    from the provider who created it, as it remains a vital business record
    of the service provided.
    On the other hand, the property interest in medical records is
    not exclusive to the individual or entity that created them.80 Because
    of the many rights held by individual patients with respect to their
    medical records, records may not be disposed of in the same manner
    as other property.81 Medical records cannot be destroyed or given to
    others without following the procedures prescribed by federal and
    state laws.82 Providers cannot prevent individuals from taking the
    information in their records and giving it to a competing provider.83
    The property interest a physician has in medical records is
    fundamentally different than the property interest he or she has in an
    x-ray machine or stethoscope.84 Thus, while medical records are
    certainly property, they are a unique type of property.
    Turning to the information contained in the medical record, it
    may be the property of the person or entity that collected it. In
    general, the collected form of the information may be “property,”
    which courts have recognized,85 rather than the individual pieces of
    the information itself. In the case of a customer list, for example, the
    list may be considered property in its collected form. However, when
    the names of some of the individuals from that customer list are
    available elsewhere, such as in a phone book, it cannot be said that
    the phone book contains the property of the company that collected the
    customer list. In other words, the fact that health information may be
    78. WILLIAM H. ROACH JR. ET AL., MEDICAL RECORDS AND THE LAW 333 (Jones and Bartlett Publishers 4th ed. 2006).
    79. Id. at 339.
    80. Mark A. Hall & Kevin A. Schulman, Ownership of Medical Information, 301 J. AM. MED. ASS’N. 1282, 1282–84 (2009).
    81. See generally id.
    82. E.g., Christine L. Glover, To Retain or Destroy? That Is the Health Care Records Question, 103 W. VA. L. REV. 619, 625–26 (2001).
    83. See Hall & Schulman, supra note 80, at 1282–84.
    84. Id.
    85. E.g., In re Nw. Airlines Privacy Litig., No. CIV.04-126(PAM/JSM), 2004 WL 1278459, at *4 (D. Minn. June 6, 2004) (where airline passengers’ personal information was compiled and combined with other information to form a record, and the record itself became the airline’s property).
    the property of one party in its collected form does not mean that the
    information itself is the property of the collector wherever it exists.
    Whether or not the collected health information, like that in a
    medical record, could be the property of the person who is the subject
    of the information remains in question. In general, courts have
    refused to recognize property rights in information about oneself, even
    as they recognize causes of action where personal information is
    misused, as in the case of identity theft or misappropriation of an
    individual’s name or likeness for profit.86 Individuals have been
    unable to prevent the distribution of information about them by
    investigators, credit companies, and magazine publishers.87
    Certainly, health information cannot be the exclusive property of the
    subject, since the information itself is contained in business records of
    the health providers who recorded the information and must be
    exchanged with others, such as regulators, insurance companies, and
    other providers, in order to do business.
    What about genetic information, which is even more closely
    tied to an individual than a name or photograph? Does genetic
    information, such as a DNA sequence, have a special status as
    property even where other health information does not? In the
    famous Moore v. Regents of the University of California,88 a physician
    at UCLA Medical Center isolated a cell line from the patient Moore’s
    T-lymphocytes, extracted from biological samples taken during his
    treatment.89
    The physician made agreements to profit from
    commercial development of the cell line and resulting products. Moore
    sued, claiming, among other causes of action, that the biological
    samples that yielded the cell line were his property that was illegally
    converted by the physician.90 To prove the tort of conversion, the
    “plaintiff must establish an actual interference with his ownership or
    right of possession . . . [w]here plaintiff neither has title to the
    property alleged to have been converted, nor possession thereof, he
    cannot maintain an action for conversion.”91 In Moore, the California
    Supreme Court held that Moore did not have an enforceable property
    interest in his cells under existing law, partly because he did not
    86. I.J. Schiffres, Annotation, Invasion of Privacy by Use of Plaintiff’s Name or Likeness in Advertising, 23 A.L.R.3d 865 § 4 (1969).
    87. E.g., Dwyer v. Am. Express Co., 652 N.E.2d 1351, 1351 (Ill. App. Ct. 1995); Shibley v. Time, Inc., 341 N.E.2d 337, 340 (Ohio Ct. App. 1975); U.S. News & World Report, Inc. v. Avrahami, No. 95-1318, 1996 WL 1065557, at *6 (Va. Cir. Ct. June 13, 1996).
    88. Moore v. Regents of Univ. of Cal., 793 P.2d 479, 487 (Cal. 1990) (rejecting individual’s claim of property right in his genetic information).
    89. Id. at 481.
    90. Id. at 482.
    91. Id. at 488.
    expect to retain possession of them after they were taken from his
    body.92 The court declined to extend conversion to the facts in Moore,
    noting the chilling effect on medical research and development of
    treatments that would result from giving every patient a property
    interest in their biological samples taken in the course of treatment
    and any resulting research or innovation.93 Interestingly, genetic
    information is one type of health information where states have given
    individuals a property interest under the law. In Alaska,94 Colorado,95
    Florida,96 Georgia,97 and Louisiana,98 state statutes declare genetic
    information, DNA samples, or the results of DNA analysis to be the
    property of the individuals who are the subject of the information.
    Likewise, reproductive material has been deemed property after it has
    been removed from the body.99 In general, reproductive material itself
    is not sold but “donated,” although the donor may receive substantial
    compensation in exchange for her “donor services.”100 Indeed, egg
    donation is an $80 million market.101 Largely self-regulated, there are
    industry guidelines limiting the amount of compensation an egg donor
    may receive, though no limits apply to sperm donation. These limits
    were challenged in a class action102 brought by egg donors that was
    settled in early 2016.103
    Thus, given this history of treating
    reproductive material as property or allowing the sale of reproductive
    material using contracts in the same way other goods are sold, there is
    potentially a greater degree of ownership that applies to reproductive
    material than to other biological material or, more broadly, to health
    information.
    In contrast, the status of preserved embryos is much less clear.
    Some courts have held that as potential persons, embryos cannot be
    92. Id. at 488–89.
    93. Id. at 494.
    94. ALASKA STAT. ANN. §§ 18.13.010–.030, .100 (West 2016).
    95. COLO. REV. STAT. ANN. §§ 10-3-1104.6, 1104.7 (West 2016).
    96. FLA. STAT. § 760.40 (2016).
    97. GA. CODE ANN. §§ 33-54-1 to -8 (West 2016).
    98. LA. STAT. ANN. § 22:1023 (2016).
    99. E.g., Kurchner v. State Farm Fire & Cas. Co., 858 So. 2d 1220, 1221 (Fla. Dist. Ct. App. 2003) (holding that sperm outside of the body is property for purposes of insurance claim).
    100. Kamakahi v. Am. Soc’y for Reprod. Med., No. C 11-01781 SBA, 2013 WL 1768706, at *3 (N.D. Cal. Mar. 29, 2013).
    101. Id.
    102. Kamakahi v. Am. Soc’y for Reprod. Med., No. 11-CV-01781-JCS, 2015 WL 1926312, at *1 (N.D. Cal. Apr. 27, 2015).
    103. Jacob Gershman, Fertility Industry Group Settles Lawsuit over Egg Donor Price Caps, WALL ST. J. (Feb. 3, 2016, 11:01 AM), http://blogs.wsj.com/law/2016/02/03/fertilityindustry-group-settles-lawsuit-over-egg-donor-price-caps/ [https://perma.cc/989S-CHXF].
    property to be transferred like other marital property,104 while others
    have freely enforced contracts that determine how embryos are to be
    used or disposed of in the case of a separation.105 As the practice of
    assisted reproduction continues to become more common, the legal
    approach to the disposition of embryos may be informative for the
    question of health information ownership. At least two people have
    simultaneous and valid legal interests in a frozen embryo, created
    from their biological material, which is somewhat analogous to
    multiple parties having valid interests in a piece of health
    information.
    As these examples illustrate, the practice of treating health
    information as property under the law has an uneven history. There
    are some forms of health information, such as medical records created
    by a healthcare provider in the course of doing business, that the law
    is comfortable treating as property. Other forms, such as biological
    materials and genetic information, have been treated differently.
    Because an ownership interest may be claimed in intangible
    information rather than the physical form of the record, some have
    proposed that health information be protected under intellectual
    property law.106
    B. Intellectual Property Law
    Intellectual property laws (which include trademark, copyright,
    and patent mechanisms) confer the rights of property on creations of
    the mind, such as scientific discoveries, artwork, designs, and written
    work, in which one could not otherwise have an exclusive interest.107
    The term “[i]ntellectual property relates to items of information or
    knowledge, which can be incorporated in tangible objects at the same
    time in an unlimited number of copies at different locations anywhere
    in the world.”108 In order to be protected by a patent, which is the
    mechanism that would apply to most healthcare-related intellectual
    property, the discovery in question cannot be simply a “consequence of
    the body’s natural processes.”109 Even if the natural phenomenon in
    question is not identical across every person, if “the genetic
    104. Davis v. Davis, 842 S.W.2d 588, 593, 604 (Tenn. 1992).
    105. E.g., Litowitz v. Litowitz, 48 P.3d 261, 274 (Wash. 2002).
    106. See Schwartz, supra note 48, at 2076.
    107. See What Is Intellectual Property?, WORLD INTELL. PROP. ORG., http://www.wipo.int/about-ip/en/ [https://perma.cc/HS98-PTZU] (last visited Nov. 14, 2016).
    108. SRIKANTH VENKATRAMAN, UNDERSTANDING DESIGNS ACT 115 (2010).
    109. Genetic Techs. Ltd. v. Bristol-Myers Squibb Co., 72 F. Supp. 3d 521, 530 (D. Del. 2014).
    correlations . . . exist apart from any human action,” the discovery is
    unpatentable.110 Most of the health information about an individual
    that is collected in medical records and databases is merely reporting
    on the observed biological state and processes of the individual who is
    the subject of the information. As such, it could not be protected by
    intellectual property law, even if a human made the observation.
    Courts in the United States have rejected attempts to patent
    diagnostic procedures and medical treatments.111 However, it is
    possible for a physician to use a very specialized technique for
    evaluating or treating a patient and for that technique to be protected
    by copyright or patent laws.112 The US Patent and Trademark Office
    (USPTO) issued guidance to illustrate what considerations may allow
    a procedure for evaluating or treating a natural process to be
    protectable.113 If such protection is granted, the physician may be able
    to shield the protected part of the evaluation from disclosure. Thus,
    there is some capacity for health information to be protected by
    intellectual property law, but it is limited under current standards.
    C. Federal Privacy Law
    1. Constitutional Law
    The US Constitution does not explicitly enumerate a right to
    privacy.114 However, various amendments to the Constitution grant
    rights that relate to personal autonomy, an aspect of privacy insofar
    as individuals can choose whether or not to participate in certain
    activities or be subject to certain experiences, such as “the right to be
    left alone.”115 The US Supreme Court has also identified a right to
    privacy under the Fourteenth Amendment.116 Under the Fourteenth
    110. Id. (citing Genetic Techs. Ltd. v. Agilent Techs., Inc., 24 F. Supp. 3d 922, 927 (N.D. Cal. 2014) (stating correlations between variation in non-coding and coding regions alone are unpatentable natural laws despite not being “universal” or “immutable scientific truths”)).
    111. E.g., Mayo Collaborative Servs. v. Prometheus Labs., Inc., 132 S. Ct. 1289, 1298 (2012); PerkinElmer, Inc. v. Intema Ltd., 496 Fed. Appx. 65 (Fed. Cir. 2012). In Australia, by contrast, medical treatments are considered patentable. Apotex Pty Ltd v Sanofi-Aventis Australia Pty Ltd [2013] HCA 50.
    112. See Memorandum from Andrew H. Hirshfeld, Deputy Comm’r for Patent Examination Policy, U.S. Patent and Trademark Office, to the Patent Examining Corps (Mar. 4, 2014), http://www.uspto.gov/patents/law/exam/myriad-mayo_guidance.pdf [https://perma.cc/3T4R-Z8C6].
    113. Id.
    114. Julie K. Freeman, Medical Records and the U.S. and Pennsylvania Constitutions’ Right to Privacy, 70 Pa. B.A. Q. 93, 95 (1999).
    115. Robert E. Mensel, The Antiprogressive Origins and Uses of the Right to Privacy in the Federal Courts 1860–1937, 3 FED. CTS. L. REV. 109, 124 (2009).
    116. See, e.g., Roe v. Wade, 410 U.S. 113, 164 (1973).
    Amendment, a law is unconstitutional if it infringes upon the exercise
    of a fundamental right, such as the right to privacy, without a
    “compelling” state interest.117 The right to privacy is defined and
    determined on a case-by-case basis; for example, the Court has
    identified a specific right to privacy with respect to decisions about
    “family, marriage, motherhood, procreation, and child rearing.”118
    One aspect of the privacy concept is the ability to control one’s
    own information.119 However, existing Supreme Court case law does
    not recognize within the right to privacy a right to control information,
    though it has specifically declined to foreclose that possibility for the
    future.120 As it currently stands, the right to control one’s information,
    health-related or otherwise, is not considered a fundamental right,
    and thus any law infringing upon that ability need only be rationally
    related to a legitimate government purpose.121 Ten states explicitly
    recognize an individual’s right to privacy in their constitutions.122
    These states prohibit unreasonable or unwarranted invasions of
    privacy, though none specifically include the right to control one’s
    personal information as an aspect of “privacy.”123 In general, however,
    the right to information privacy has been conferred primarily by
    statute and regulation rather than by courts’ application of a
    constitutional right.124
    There is no comprehensive federal statutory framework
    governing health information privacy and security,125 but rather a
    patchwork of federal laws that often overlap or even contradict each
    other. The primary function of these laws and regulations is to limit
    the ways in which lawful holders of the information may use and
    share it with or without the subject of the information’s consent.126
    Although federal privacy laws and regulations do not explicitly confer
    an ownership interest in health information, they do grant
    information holders some ability to direct and control how the
    117. Id. at 155–56.
    118. Paris Adult Theater v. Slaton, 413 U.S. 49, 65 (1973).
    119. See Hall & Schulman, supra note 80, at 1282–84.
    120. ERWIN CHEMERINSKY, CONSTITUTIONAL LAW: PRINCIPLES AND POLICIES 856 (3d ed. 2006).
    121. See id.
    122. Privacy Protections in State Constitutions, NAT’L CONF. ST. LEGISLATURES (Dec. 3, 2015), http://www.ncsl.org/research/telecommunications-and-information-technology/privacyprotections-in-state-constitutions.aspx [https://perma.cc/VG3R-Q6MY].
    123. See id.
    124. See id.
    125. Jane Hyatt Thorpe & Elizabeth A. Gray, Big Data and Public Health: Navigating Privacy Laws to Maximize Potential, PUB. HEALTH REP. 130(2):171–75 (2015).
    126. E.g., Hall, supra note 57, at 657.
    information is used.127 Some laws and regulations give individuals
    explicit rights with respect to their health information when it is in
    the possession of certain lawful holders of that information.128 These
    laws vary considerably in terms of the health information they protect
    and the entities they govern, though all of these laws apply only to
    identifiable information.129
    2. HIPAA
    The most widely referenced federal framework related to
    health information are the Health Insurance Portability and
    Accountability Act of 1996 (HIPAA)’s130 Administrative Simplification
    provisions131 and their enabling regulations—the Privacy, Security,
    Breach Notification, and Enforcement Rules, known collectively as
    “the HIPAA Rules.” Under HIPAA, individually identifiable health
    information is oral or recorded information created or received by a
    healthcare provider, health plan, employer, or healthcare
    clearinghouse that identifies or could be used to identify an individual,
    and relates to the individual’s care or to his past, present, or future
    mental or physical health condition or payment for care.132 The
    HIPAA Rules do not apply to individually identifiable health
    information held in certain types of records, such as education records,
    or about individuals deceased for over fifty years.133 The information
    subject to HIPAA is referred to as “protected health information”
    (PHI). Much health-related information exists outside of HIPAA’s
    protections, including PGHD,134 consumer and sentiment data
    describing patient activities and preferences (i.e., exhaust data),135
    127. See id.
    128. See id. at 646.
    129. Id. at 659.
    130. Health Insurance Portability and Accountability Act (HIPAA) of 1996, Pub. L. No. 104-191, 110 Stat. 139 (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C.).
    131. See, e.g., id. at §§ 261–62.
    132. 45 C.F.R. § 160.103 (2016) (“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual . . . .”).
    133. Id.
    134. Patient-Generated Health Data, supra note 15.
    135. Nicolas P. Terry, Big Data Proxies and Health Privacy Exceptionalism, 24 HEALTH MATRIX 65, 85 (2014), http://scholarlycommons.law.case.edu/cgi/viewcontent.cgi?article=1005&context=healthmatrix [https://perma.cc/RR4R-Z4Y4].
    and de-identified information—though these types of information may
    be subject to other laws and regulations.136
    The HIPAA Rules only regulate the use, disclosure, and
    management of PHI when it is in the possession of certain entities.137
    These are Covered Entities (health plans, healthcare clearinghouses,
    and most healthcare providers)138 and their Business Associates
    (entities that have access to PHI in the course of performing certain
    services for or functions on behalf of a Covered Entity);139 HIPAA does
    not govern individually identifiable health information when it is in
    the possession of non-regulated entities (i.e., neither Covered Entity
    nor Business Associate), even if the information meets the definition
    of PHI.140
    The HIPAA Rules collectively serve as the federal floor for
    identifiable health information privacy and security.141 The HIPAA
    Privacy Rule, as its name suggests, governs the privacy and
    confidentiality of PHI.142 It dictates when and to whom a Regulated
    Entity is permitted to disclose PHI, which can be grouped into three
    broad categories:
    1. Required Disclosures: a Regulated Entity must disclose PHI to
    the individual subject of the information upon request143 and
    136. See generally What Is “Health Information” for Purposes of the Mobile Device Privacy and Security Subsection of HealthIT.gov?, supra note 4.
    137. 45 C.F.R. § 160.102(a), (b) (2016).
    138. 45 C.F.R. § 160.103 (defining “covered entity” to include “[a] health plan,” “[a] health care clearinghouse,” and “[a] health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter”); see also § 160.103 (defining “health care clearinghouses” to include businesses or agencies that process nonstandard health information they receive from other entities into a standard format); § 160.103 (where “health information”—information (identifiable or not) that is created by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse and that relates to an individual’s healthcare or an individual’s past, present, or future physical or mental health or condition or payment for care—has a broader definition than “protected health information”); 45 C.F.R. § 162 (2016) (defining “covered health care provider” as one who electronically transmits health information in connection with “covered” transactions, which include, but are not limited to, benefit eligibility inquiries and claims).
    139. 45 C.F.R. § 160.103 (defining “business associate” to include those who provide “legal, actuarial, accounting, consultation, data aggregation . . ., management, administrative, accreditation, or financial services”).
    140. See, e.g., Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) (codified at C.F.R. pts. 160, 164).
    141. See 45 C.F.R. § 160 (2016); see also 45 C.F.R. § 160.203 (2016); 45 C.F.R. § 164.502 (2016).
    142. See generally 45 C.F.R. §§ 164.500–.534 (2016).
    143. 45 C.F.R. § 164.502(a)(2)(i), (4)(ii) (2016).
    to the Secretary of the US Department of Health and Human
    Services (HHS) for enforcement and compliance purposes;144
    2. Prohibited or Limited Disclosures: a Regulated Entity may not
    disclose PHI for certain purposes145 (e.g., most sales of PHI146)
    and must obtain an individual’s authorization to disclose
    certain types of PHI (e.g., psychotherapy notes147) in almost all
    circumstances;148 and
    3. Permissive Disclosures: a Covered Entity149 may disclose
    [most] PHI without first obtaining the subject’s authorization
    for a variety of purposes (though some of these purposes
    require that, where practicable, the individual be given the
    opportunity to informally object to the disclosure150).151
    Any disclosures not required, permitted, or prohibited by the Privacy
    Rule require written authorization from the individual subject of the
    PHI.152 The “permissive disclosure” exceptions were designed to
    permit Covered Entities to engage in fundamental healthcare
    activities without being burdened by authorization requirements.153
    Permissive exceptions include disclosures for purposes of treatment,
    payment, and healthcare operations,154 as well as a variety of purposes
    that benefit the public good, such as disease surveillance, national
    security, and law enforcement activities.155 These exceptions are so
    broad that Covered Entities essentially retain greater control over
    PHI than the actual subject of the information.156 However, in an
    144. 45 C.F.R. § 164.502(a)(2)(ii), (4)(i).
    145. See 45 C.F.R. § 164.502(a)(5).
    146. 45 C.F.R. § 164.502(a)(5)(ii).
    147. 45 C.F.R. § 164.508(a) (2016).
    148. 45 C.F.R. § 164.508(a)(2).
    149. See 45 C.F.R. § 164.502(a)(1); see also 45 C.F.R. § 164.502(a)(3) (stating that a business associate may only disclose PHI as required by its business associate contract or the law).
    150. 45 C.F.R. § 164.510 (2016).
    151. 45 C.F.R. § 164.512 (2016); see also OFFICE FOR CIVIL RIGHTS, PERMITTED USES AND DISCLOSURES: EXCHANGE FOR TREATMENT 1 (2016), http://www.hhs.gov/sites/default/files/exchange_treatment.pdf [https://perma.cc/8WK6-F6D5]; OFFICE FOR CIVIL RIGHTS, PERMITTED USES AND DISCLOSURES: EXCHANGE FOR HEALTH CARE OPERATIONS 1 (2016), http://www.hhs.gov/sites/default/files/exchange_health_care_ops.pdf [https://perma.cc/22LV-LN9M].
    152. 45 C.F.R. § 164.502(a)(1).
    153. See, e.g., Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 14776 (proposed Mar. 27, 2002) (to be codified at C.F.R. pts. 160, 164).
    154. 45 C.F.R. § 164.506 (2016).
    155. 45 C.F.R. § 164, §§ 510, 512 (2016).
    156. See infra notes 168–73.
    effort to balance an individual’s interest in his or her own information
    with the need to enable proper functioning of the healthcare system,
    the Privacy Rule establishes six rights individuals have with respect
    to their PHI:
    1. To be notified of uses and disclosures a Covered Entity may
    make;157
    2. To request restrictions on some uses and disclosures, though a
    Covered Entity is only required to comply with such a request
    in very limited circumstances;158
    3. To request that a health plan or a covered provider
    communicate PHI confidentially (i.e., by alternative means or
    at alternative locations), though a health plan is only required
    to comply in specific circumstances;159
    4. To inspect and obtain a copy of PHI or have the Covered Entity
    transmit a copy of PHI to a designated third party;160
    5. To amend PHI in certain circumstances;161 and
    6. To receive an accounting of disclosures of PHI made in the
    preceding six years, though many types of disclosures are
    exempt from the accounting requirement.162
    While the HIPAA Privacy Rule grants an individual substantial
    rights, including access to and some measure of control over their
    health information, because of the many exceptions to and limitations
    on these rights, they do not equate to the full control that ownership
    under a property theory would convey.163
    3. Other Federal and State Statutes and Regulations Protecting
    Health Information Privacy
    Some other federal statutes and regulations protect health
    information primarily based on its content. These include: 42 C.F.R.
    Part 2 (Part 2),164 which protects identifying information about
    157. 45 C.F.R. § 164.520(a)(1) (2016).
    158. 45 C.F.R. § 164.522(a) (2016).
    159. 45 C.F.R. § 164.522(b).
    160. 45 C.F.R. § 164.524 (2016).
    161. 45 C.F.R. § 164.526 (2016).
    162. 45 C.F.R. § 164.528 (2016).
    163. Hall, supra note 57, at 649.
    164. 42 C.F.R. § 2 (2016).
    substance abuse treatment patients, the Genetic Information Non-Disclosure Act of 2008 (GINA),165 which protects individuals’ genetic
    information, and the Patient Safety and Qual…
