Who owns personal data?

Illustration by Victor Kerlow

The issue of who actually owns personal financial data began to gnaw at people when personal financial applications began to emerge, along with the fintech industry as a whole. It became clear that bank data could now be useful outside of the bank. In an effort to balance user priorities, security, and, frankly, monetization interests, it was natural to pan back: Who owns the data, anyway? The consumers? The financial institutions that sit at the heart of transactions? Others?

But it’s not really a question of ownership, exactly—and looking at how a similar debate unraveled in the healthcare industry shows why.

After some spats that prevented consumers from being able to easily transfer or access their records, the healthcare industry has been moving toward the idea that no one owns its data: doctors and vendors are stewards of it, and patients have rights to access it.

Data privacy and portability

Where sensitive information is concerned, access to data—or, in contrast, the restriction of access—is a persistent issue in both the financial and healthcare systems. Ownership also implies responsibility—and from responsibility, liability may flow.

To be sure, data privacy is an urgent priority. In healthcare, hackers are increasingly focused on obtaining medical information, which can fetch more than 10 times what credit card information can on the black market. And, as we’ve seen, any breach of the financial system quickly becomes historic.

Yet privacy and portability aren’t mutually exclusive, and neither are security and access.

In fact, they’re married in one of healthcare’s marquee rules. These days, the Health Insurance Portability and Accountability Act, better known as HIPAA, is often associated with security guidelines and its efforts to ensure that a person’s protected health information stays private. But the other big component of HIPAA turns on that third word, portability.

HIPAA gives everyone the right to access—and make use of—his or her medical records. In other words, patients have the right to keep their medical information private, and they also have the right to share it as they wish. This demonstrates that people can—and should—be protected in a way that isn’t paternalistic.

Patients caught in a pitched battle

Patients officially have a right to have their entire medical record transferred to any provider or be granted access or copies. But that doesn’t mean healthcare providers always make it easy: An entire content industry seems dedicated to explaining just how to do it.

When patients want to change providers, or supplement their care with specialists, they generally have to broker an exchange of information between the two offices.

This whole process was supposed to be simplified in 2009, when the healthcare industry began to move toward electronic medical records in earnest—and by law. At the time, just 9 percent of hospitals were using electronic records. 9 percent!

But, true to form, an industry quickly arose around this new need, fueled by $30 billion in federal subsidies. And that industry didn’t exactly play nice.

At its establishment, the electronic medical records industry suffered from a few key problems, stemming from usability issues and the challenges of changing behavior. Seven years later, many medical providers still struggle to use EMRs; many systems are more complex than the most detailed CRM because of increased security measures, and they are not mobile-friendly.

Further, these systems lack interoperability. As a recent NPR story put it, “While those systems are supposed to make health care better and more efficient, most of them can't talk to each other.”

Beyond the interoperability problem—which, it should be noted, legacy bank infrastructure also suffers from—there’s also a misalignment in incentives.

As Morning Edition reported:

There has actually been a financial disincentive for doctors and hospitals to share information. For example, if a doctor doesn't have a patient's record immediately available, the doctor may order a test that has already been done — and can bill for that test. Keeping EMRs from talking to each other also makes it easier to keep patients from taking their medical records—and their business—to a competing doctor.

But it isn’t just doctors who failed patients by failing to cooperate. The introduction of EMRs meant that medical information was no longer in the hands of patients, doctors, and hospitals alone; instead, EMR vendors were digitizing, storing, and helping them use these records.

This should have been a boon for consumers. In practice, however, it simply introduced more parties to feud over access. Full Circle Health Care, a physician’s practice in Presque Isle, Maine, had its access to data for 4,000 patients blocked by its EMR vendor during a billing dispute.

Takeaways

There are opportunities for the financial industry to learn from healthcare’s growing pains.

Over time, healthcare has collectively returned to the central issue: How to provide the best patient care possible. To that end, in February, the Secretary of Health and Human Services announced that the nation’s five biggest healthcare systems had agreed to openly share information so that patients could enjoy greater control over their healthcare—a core premise of moving toward EMR in the first place. This cooperative, collaborative behavior is laudable.

By reevaluating priorities around patient care, privacy, and portability, the healthcare industry is gradually moving beyond the concept of ownership. That debate wasn’t helpful. It didn’t serve the consumer, whose choice should be at the center of all of this. Instead, it left records—and people themselves—stuck in limbo. And that’s a situation that the financial industry should work to avoid, especially as stakeholders navigate thorny questions. To be sure, these aren’t issues to be taken lightly. But they would arguably be better addressed by asking the right questions—and by collaborating across the ecosystem to put consumers’ interests first.