Where do our medical records live? In the developing age of EHR interoperability, the question will soon be...Where WILL our medical records live? We are entering a critical decision-making time where we must give serious thought to who has ownership, control, and access to patient records.
Pre-EHR, in the era of paper records, it was pretty straightforward that the provider would keep and maintain the records. Information was transferred via fax as needed. Now, with EHR implementation, inhouse storage, and ownership still exist as does the trusty old fax machine for transfers. Next, with interoperability at our doorstep, the fax machine will end up in the trash and information will be more freely shared between providers. But patient data costs money to store and is at the same time worth a lot of money when aggregated and sold to third parties for research. Here lies the problem of who should own it, who will store it, and who can access it.
Currently, in most cases, the provider and their institution have ownership of the record. The reasoning for this is that the provider creates the record, so the institution they are employed at retains ownership. This is defined by law in several states, while some states have no law. New Hampshire is the lone state that gives the patient ownership.
Although this works in the current model where the patient records live on-site at the providers' institution, how will interoperability affect a record that can freely be passed around and edited? Do all of the institutions get a piece of the ownership? That sounds messy. Furthermore, who is responsible responsible for retaining the information for the patient? Now it's messy AND complicated.
Maybe it is time for patients to own their medical records. Most healthcare institutions are destroying records after 7-10 years if they don't see the patient again. They have pulled the data they want out of the record and start the countdown because, by law, that is how long they are required to retain records. Most patients probably don't know about the retention period laws because they are insured and keep going back regularly. But if they move away or receive treatment from a different institution, they must initiate the transfer of their records. Additionally, moving health information can be difficult and time-consuming. Crucial information can be lost between institutions causing records from childhood or earlier periods of life to be lost.
In a way, we are close to being at patient owned records. Patients may authorize 3rd party apps to access and use their patient data. HHS guidance this year made it clear that if patients authorize 3rd party use, it absolves the providers and EHR vendors from HIPAA liability if there is a breach. That makes the health information the patient downloads their own responsibility. (and in a way, the owner)
That leaves the storage problem. If the patient did have ownership, and there was free flowing information between all institutions, where will the record be kept? It is a problem that Google, Apple, Amazon, and Microsoft all want to solve. They each want to be the go-to for PHI storage, for a good reason. Health data is worth a lot of money. This solution lets the patient access their records and even add data collected from wearable devices, like the Apple Watch. Alternatively, if you don't want anybody to have your data, you could ask for your own copy to maintain and ask that the institution's copy be deleted.
Who will have responsibility for patient data? It's a question that will require some consideration as interoperability becomes a reality.