Empower patients to own their healthcare data
In recent years, patient empowerment has emerged as a groundbreaking trend. It prioritises patients' decision-making power over any providers', heralding a new era for modern healthcare.
But the concept of patient empowerment presents numerous ambiguities. The persistent question is: how do we empower patients? At its core, experts agree on three fundamental factors that need to be ensured: patient data privacy, their rights to manage consent on who can access their data, and patients' unrestricted access to their health information.
Health data privacy is the most traditionally recognised challenge that must be overcome to allow patients to own their healthcare. Data breaches happen more often than even knowledge workers assume. Cybercriminals and bad actors have increasingly focused on healthcare data as a soft target, switching gears from the more traditional victims, such as banking and financial sectors, who continue to fortify their systems against unauthorised intrusions. Given the recent rise of phishing and malware attacks against health information systems, we must safeguard sensitive data. When patient data is compromised, it can risk the victim's privacy and finances, and even their life in the worst-case scenario.
Health data is everywhere around us: on personal computers, government registries, hospital computers, by printers and fax machines, and in the cabinets and paper files at doctors' offices, on sticky notes. Hence, traditional go-to controls such as role-based access, encryption, unique identifiers, multi-factor authentications, security audits, and employee training and drills must be implemented more realistically to safeguard data.
Of course, robust regulations and privacy laws can enhance traditional impediments to illegal data access. The United States enacted the Health Insurance Portability and Accountability Act, also known as the Privacy Law, in 1996 to provide technical, physical, and administrative safeguards to patient data. It addresses protecting data in all healthcare delivery systems. Many countries adopted their own health data privacy measures. Unfortunately, Bangladesh has not yet passed a strong health data protection law, but we must establish a comprehensive legal data privacy infrastructure.
In the age of digital health, we need to recognise that patients must have the autonomy to grant consent to share their data. In the ever-expanding world of digital health, managing consent to electronically transmit data in a safe, secure, and timely manner is easier said than done.
One widely used control is the utilisation of certified technology. The question arises, who will certify and accredit that a system, software, or platform is privacy-protected? This requires ultimate integrity and a vendor-agnostic approach. The US has established processes and mechanisms to authenticate technical products and systems as secure before funding a programme.
With electronic health records systems emerging in Bangladesh, we must take proactive measures to shield these infrastructures. We must develop proper guidelines to protect all health and personal information. Passing a strong data privacy law is not enough; the government also must ensure that it provides a proper certification system of health information technology.
The two most utilised tools are "opt-in" and "opt-out" services, which make it seamless for patients to manage their consent around data sharing. The opt-in system requires patients to give explicit written or documented verbal consent to share their data with whomever they wish. Without consent, data remains siloed at the source. Other than certain emergencies, such as saving a patient from an active crime, fire, etc, their records cannot be shared without their agreement. The opt-out system presumes allowing data transactions for authorised and legal purposes unless the patient explicitly withdraws consent.
Patients should even be able to decide what specific health data sets they want to share. For example, they may choose to share only their medical data but not their behavioural and mental health records, given that they carry social stigma and even cause legal dilemmas for patients. They may be fearful that their drug abuse records can be used against them in criminal court. Based on these concerns, US laws provide patients with the assurance that their health information will not be used against them in legal proceedings, encouraging them to seek care without fear.
Lastly, we must ensure that patients have unlimited access to their data through electronic health record systems, patient portals, electronic devices, and all other digital and non-digital means. This is paramount in that patients can review their medical records, diagnosis, lab tests, encounters, and so on, and decide on their medical care. Access to their prescriptions on a mobile device saves them from missing doses or taking the wrong medication. They can see the prognosis of their conditions over time, enhancing their ability to schedule doctor's visits in a timelier manner. All of these can dramatically improve patients' health outcomes.
The concept of empowering patients entails striking a balance between privacy protection and providing improved health outcomes. It is the patient who owns their data, not their healthcare providers, and they should be able to decide whom they are comfortable sharing their health information with. There is no better way to empower patients than to allow them to manage and understand their data when it comes to making their own healthcare choices.
ABM Uddin is a healthcare consultant for the Florida Agency for Health Care Administration. Views expressed in this article are the author's own.