Search the KHIT Blog

Monday, December 12, 2011

Facts © ™ ®

...So on the one hand, we have the push from the government and insurers to have electronic medical records and health outcomes research (HITECH Act), the Sentinel Initiative for postmarketing surveillance of electronic medical records for adverse events, and Medicare reimbursements linked to “meaningful use” (i.e., providing data) of the EMR. On the other hand, we have the specter of HIPAA and more draconian penalties for breaches of personal privacy...

- Judy Stone, MD, Molecules to Medicine: Pharma Trumps HIPAA?

Which "facts" about you can be "owned" by you or others (or no one at all)? i.e., what data/information can be legitimately considered "property," the "title" to and controlling use of which will be defended and enforced by the society at large?
According to traditional copyright principles, the only copyrightable elements of a factual work are the author’s presentation, selection, and arrangement of facts. The underlying facts themselves cannot be copyrighted. In the past, this approach was sufficient to protect factual works against the most opportunistic forms of copying by competitors. Because facts were usually displayed narratively or in tables, authors generally made enough decisions concerning presentation, selection, and arrangement to protect their factual works against wholesale appropriation.

But the rise of electronic and on-line databases has cast doubt upon the validity of the traditional approach. These databases collect and display facts in a pure form, allowing the user to extract them as she sees fit. By dispensing with conventional modes of presentation, selection, and arrangement, they can easily fail to satisfy traditional standards for copyrightability, leaving them with virtually no legal protection against copying. [Michael Steven Green, PhD, Copyrighting Facts (pdf), Indiana Law Journal Vol 78]

Well, more broadly, it goes to the "value" of the facts to various parties. I have blue eyes. Who cares? I am 5'10" and weigh 173 lbs. With those two metrics you can quickly calculate my BMI (Body Mass Index -- mine is 24.8), which is of some economic interest to health insurors and others. I am typing this post in my study located at geocoordinates N36º 2.4018' W115º 8.5265'. Who might want to know that?

What about my blood pressure, my lipids panel results, my PSA? My DNA?
Data ownership refers to both the possession of and responsibility for information. Ownership implies power as well as control. The control of information includes not just the ability to access, create, modify, package, derive benefit from, sell or remove data, but also the right to assign these access privileges to others (Loshin, 2002).

...Scofield (1998) suggest replacing the term ‘ownership’ with ‘stewardship’, “because it implies a broader responsibility where the user must consider the consequences of making changes over ‘his’ data”.

According to Garner (1999), individuals having intellectual property have rights to control intangible objects that are products of human intellect. The range of these products encompasses the fields of art, industry, and science. Research data is recognized as a form of intellectual property and subject to protection by U.S. law.

Importance of data ownership:

According to Loshin (2002), data has [sic] intrinsic value as well as having added value as a byproduct of information processing, “at the core, the degree of ownership (and by corollary, the degree of responsibility) is driven by the value that each interested party derives from the use of that information”...

Considerations/issues in data ownership

Researchers should have a full understanding of various issues related to data ownership to be able to make better decisions regarding data ownership. These issues include paradigm of ownership, data hoarding, data ownership policies, balance of obligations, and technology. Each of these issues gives rise to a number of considerations that impact decisions concerning data ownership

Paradigm of Ownership – Loshin (2002) alludes to the complexity of ownership issues by identifying the range of possible paradigms used to claim data ownership. These claims are based on the type and degree of contribution involved in the research endeavor. Loshin (2002) identifies a list of parties laying a potential claim to data:
  • Creator – The party that creates or generate data
  • Consumer – The party that uses the data owns the data
  • Compiler - This is the entity that selects and compiles information from different information sources
  • Enterprise - All data that enters the enterprise or is created within the enterprise is completely owned by the enterprise
  • Funder - the user that commissions the data creation claims ownership
  • Decoder - In environments where information is “locked” inside particular encoded formats, the party that can unlock the information becomes an owner of that information
  • Packager - the party that collects information for a particular use and adds value through formatting the information for a particular market or set of consumers
  • Reader as owner - the value of any data that can be read is subsumed by the reader and, therefore, the reader gains value through adding that information to an information repository
  • Subject as owner - the subject of the data claims ownership of that data, mostly in reaction to another party claiming ownership of the same data
  • Purchaser/Licenser as Owner – the individual or organization that buys or licenses data may stake a claim to ownership [Data Ownership, Responsible Conduct in Data Management]

It all gets rather complex rather quickly. And, nowhere as complex as with respect to personal health information.

Some recent thoughts on this:
...While banks tend to keep information internally, health care data is handled by many more organizations, said Tom Srail, Cleveland-based senior vp with Willis North America Inc. “The nature of the health care business requires the sharing of that same information,” he said.

Patrick Moylan, New York-based senior associate with Dubraski & Associates Insurance Services L.L.C., said health care institutions are increasing their Internet activity with partners that include physicians, health plans and pharmacies.

Having “more people in the line of that chain that have the potential to handle sensitive data simply increases the risk that data will be accessed by accident, or by a third party,” with the potential that it could be used fraudulently, he said.

The sheer breadth of personal information that health care institutions hold complicates the issue.

“More than any other industry, the health care industry really has all of a complete set of information security and privacy exposures to contend with,” said Mr. Economidis.

Mr. Srail said retailers may have credit card numbers and financial institutions may have Social Security numbers, but health care entities “have all that as well as protected health care information,” so “it really can be problematic for those organizations when that data is lost and troublesome to its customers.”

“There's so many ways that the information gets compromised” and “just when you think you've got it figured out, you've got a twist in it,” said Lynn Sessions, counsel at law firm Baker & Hostetler L.L.P. and a former risk manager at Texas Children's Hospital, both in Houston.

Robert Parisi, senior vp at Marsh Inc.'s FINPRO practice in New York, said, “hospitals tend to be less secure than banks, and you've got a situation that obviously can be fairly risky and financially troubling to any medical center.”

Meanwhile, a black market for stolen medical identities has developed among people who are underinsured or have no insurance, observers say.

By some estimates, medical information is twice as valuable as more traditional identity information, said Mr. Silvestri. “That becomes a motivation for the criminal element to actually target that so they can sell it to the black market,” he said...

"Twice as valuable"? I'd never thought of it that way. Makes sense upon reflection, though. No one can really profit from the fact that I have blue eyes. But, other information about me can indeed have commercial value to others (particularly if they are of the sort not directly observable but instead only explicable via intermediary measurement/assay -- ranging from the simple arithmetic of BMI to the complex methods of DNA analytics).

...Federal law pulls health care institutions in opposite directions, said Mr. Srail. On one hand, it “wants health care to be open and portable and interactive” and to facilitate the process so the patient has choices in his health care with accessible medical information. On the other hand, however, “everything has to be kept secret” with no privacy breaches.

In addition, state laws, while similar, also differ from each other and federal law. HIPAA, for example, requires notification of data breaches within 60 days, while several states have a 45-day notification period, said Ms. Sessions.

Another complication is that hospitals must abide by the laws of the jurisdiction where their patient is a resident, even if it is in another state. Because the patients' resident state is the determining factor, Texas Children's Hospital, for instance, which has patients from all 50 states and foreign countries, must comply with all these jurisdictions' statutes, said Ms. Sessions...

My Nevada HIE Privacy and Security Task Force attorneys are gonna love that last paragraph.

Yeah, they'll probably love this too. On Dec 7th 2011 the California Office of Health Information Integrity (CalOHII) issued a patient consent/privacy report entitled "Research and Background For Patient Consent Policy Recommendation White Paper," (large PDF) wherein across pp 154-157 is a table of various states' PHI/HIE privacy policies to date. On page 156 is the reference to Nevada:

Click to enlarge. In the "Education" cell on the right is a link to my July 12th, 2011 blog post,
in which I voiced concerns regarding some of our facile assumptions made regarding Nevada HIE privacy policy.

Interesting. Nice to know that someone is reading my stuff.


Dec 15th O/T UPDATE

Yet another interesting blog to read.

Dear friends and colleagues,

This is a watershed moment for the U.S. healthcare system. Costs continue to climb, tens of millions of Americans lack insurance, and there is unacceptable variation in quality. Politicians from across the ideological spectrum are proposing potentially far reaching policy changes. Some of the proposals are promising; too many others seem fraught with danger. After 25 years as a researcher, teacher, and policy analyst, I continue to be disappointed by the lack of basic understanding of health economics among those who are most vocal about effecting change. No one has done more to shape my thinking about the links between economics and policy than my friend and colleague, William White, who is the director of the Sloan Program in Health Administration at Cornell University’s School of Human Ecology. Over the past two decades, we have had long conversations about virtually every aspect of our healthcare system, from the rise of HMOs in the 1980s to current trends in consumer driven healthcare.

Will and I have decided to put our conversations into a blog and share them with our friends at Kellogg and Human Ecology. We have even asked some of the nation’s top economists to take a look. We will respond to the best of your comments as time allows. We promise not to grade them!

There is a lot at stake in the upcoming years. We hope that this free exchange of ideas can help bring about positive change in our healthcare system.


David Dranove
Walter McNerney Distinguished Professor of Health Industry Management
Kellogg School of Management

I've read Dr. Dranove's stuff for a while now (mostly at The Health Care Blog), but had never seen this blog. Lots of great new material to read, I would guess.

More to come...

1 comment:

  1. Selection and arrangement of facts helps in future projects. I like health care technology article too.

    Intellectual Property forms