In the wake of the shocking news that the now-defunct firm Cambridge Analytica acquired a stunning amount of Facebook profile data, public concern has intensified over how much we can trust the entities that hold our patient data.

For hospitals that handle some of the most sensitive data of all, personal health information, it would be wise to prepare now to answer tough questions – including from patients, the media and regulators – that are surely coming. 

1. Who actually owns the patient’s medical records? Is it the provider who collects them? The EHR vendor that stores them? The answer should be: the patient. Moreover, the patient should have a clear sense of all of the data the provider holds about them. There is another parallel here with Facebook, which offers a way for users to download and view the data that Facebook has stored about them to date. Patients should have a similar capability for their healthcare data, whether it is stored in an EHR or HIS, or in a patient-centered data home (such as those that health information exchanges and hospital information networks are aiming to create).

2. What if the patient wants his or her data deleted? Put plainly, the law is not on the patient’s side on this issue. That goes for both federal and state law. For example, CMS requires Medicare providers to retain patient records for a certain number of years, while various states have patient record retention laws in place. Sharing de-identified data is regulated but allowed in many instances. And while the selling of patient data is mostly forbidden, there are some exceptions.

Still, it is the patient’s data, and such requests should be handled respectfully. And to the fullest extent possible, patients should have the ability to decline to have their identified data shared with third parties beyond providers and payers.
