From left: Kenneth C. Bartholomew and Judith F. Albright
Health care providers and facilities often use patients’ medical records in their research. The results of this research may be worth money — sometimes, quite a lot of money. Who owns the patient’s medical record/the contents of that record, and the proceeds it generates?
1. HIPAA is not the issue
The Health Insurance Portability and Accountability Act of 1996, (HIPAA) sets federal privacy standards for most health care records. The information in those records may be used, with certain safeguards, for research without patient authorization. Data that has been de-identified, and can no longer be connected to an individual patient, is no longer protected and simply not subject to the privacy rule. The HIPAA privacy rules also do not clearly address the issue of ownership, only of access.
2. State law: The doctor or hospital may well “own” the patient record
In most states, patients have a right to a copy of their health care record. Some state laws also expressly provide that, nonetheless, a health care provider “owns” the physical record (Florida Stat. 456.057); other states have no clear legal standard. New Hampshire law is different. It provides that “medical information” contained in the medical record is the property of the patient. NH RSA 332-I:1; see also NH RSA 151:21. In our present-day world of electronic medical records, what’s in the medical record may be much more important than the record itself: big data.
3. Informed consent: That may be the issue
In the past, there were cases in which the patient’s body held monetizable value leading to litigation: Tissue, organs and cells removed from the body during diagnosis or treatment had value for which researchers were willing to pay. (See Petrow, Steven, The Washington Post Nov. 25, 2018; see also Skloot, Rebecca, “The Immortal Life of Henrietta Lacks,” MacMillan (2010)). Those cases may be instructive now, because, today, ownership of information in the health care record has value that can be monetized.
Henrietta Lacks died of cervical cancer in Maryland in the 1950s. Cells taken from her cervix during treatment were retained and used, without her permission, to create a particularly replicable, and therefore particularly lucrative, cell culture line. She saw none of the millions of dollars in royalties from those cells; her family had no knowledge of what happened to the cell line (called He-La cells, after her name) until long after she died. Eventually, her family and the National Institutes of Health reached an agreement that gave the family some control over access to the cells’ DNA sequence and a promise of acknowledgement in scientific papers.
In Moore v. Regents of the University of California, 51 Cal. 3d. 120 (1990), John Moore argued that he retained ownership of cells removed from his body during leukemia treatment, which were then used, without his permission, for highly profitable medical research. Moore filed suit for lack of informed consent/breach of fiduciary duty and conversion. The trial court ruled against him, and he appealed. Ultimately, the California Supreme Court ruled that Moore did not retain any property right in his cells once they left his body, and that to hold otherwise would frustrate medical research. The tissue was his doctor’s to sell. See Moore, 51 Cal. 3d. at 163-164.
However, important for our purposes, the Moore court stated that “liability based on existing disclosure obligations . . . protects patients’ rights of privacy and autonomy.” Id. at 144 (emphasis added). The court remanded the case back to the trial court for disposition on a theory of lack of informed consent, and the parties eventually settled for what was reported as a “token” amount. Under the logic of Moore, Henrietta Lacks also waived any property rights when the tissue left her body, and the intellectual property that may be derived from it belonged to someone else.
4. Where does that leave us?
Now, flash forward to 2019: Researchers don’t necessarily need access to your body when they have wide-ranging access to your (de-identified, but still all about you) health care record. De-identified health care records can hold value for a number of reasons; the data in those records can be sold or assigned for data mining, for the development of artificial intelligence platforms, or for statistical analysis. Further, most informed consent paperwork, in the fine print, contains a waiver of at least property rights in tissues and cells removed from the patient’s body.
In other words, even if no privacy right exists in de-identified records, and no property right exists in tissues taken from the body for diagnosis and treatment, does Moore suggest that a doctor cannot use a patient’s medical record without meaningful informed consent? Is this a cautionary tale for providers and entities today? Facebook and Amazon have both seen wide-ranging scandals that directly impacted market value and arose from allegedly mishandled data. If medical providers make a profit from the information patients give them without having disclosed how that information will be monetized, is that failure an actionable lack of informed consent?
In Massachusetts, the law of informed consent has focused on disclosure of the risks and benefits of a procedure, and which risks would be “material” to a reasonable patient. However, at bottom, “[a] physician's failure to divulge in a reasonable manner to a competent adult patient sufficient information to enable the patient to make an informed judgment whether to give or withhold consent to a medical or surgical procedure” is a recoverable tort. Mass. Civil Pattern Jury Instr. 4.13.
And what of New Hampshire’s statute: “Medical information” contained in the record is the property of the patient. Does the statutory language mean that doctors in that state cannot use that information unless there is a clear, knowing release, supported by consideration? That statutory language has existed for over a decade, and the issue has never been adjudicated.
says informed consent may extend to the use of excised tissue, who knows how much further the concept may go? If we make the release of data part of the informed-consent form — and nearly every health care facility does — we have made that link. We have made the data the subject of informed consent, and now the question is whether the release is binding. And what if a patient reads that language and strikes it through before signing the consent form? Essentially, the patient has modified a contract and made a counteroffer, which may be deemed accepted if not challenged by the health care provider or facility. However, denying care to a patient solely because they refuse to consent to such an ancillary term — which has a clear, underlying profit motive — might be viewed in a dim light by oversight agencies (including licensing boards). Providers may be well-advised to train staff to stamp such consent forms “Modified Consent — Under Legal Review” (and follow through on that) until the law catches up with big data in health care.Kenneth C. Bartholomew is a shareholder at Rath, Young and Pignatelli PC in Concord, New Hampshire. He is chair of the firm’s Health Care Practice Group and a member of the Litigation and Labor and Employment practice groups. Bartholomew advises health care clients on regulatory, licensing, transactional, insurance, and labor and employment issues, and also defends health care providers in litigation and in front of professional practice boards, such as the New Hampshire Board of Medicine.
Judith F. Albright is a health care attorney at Rath Young and Pignatelli PC in Boston, Massachusetts, and Concord, New Hampshire. She represents health care providers in litigation, including medical malpractice defense, and in administrative law matters before multiple agencies in both states.