When we think about personal data, the two categories of information that are often perceived to be the most personal and private are ﬁnancial data and health data. Although numerous laws have been in effect for many decades regarding the privacy of personal ﬁ nancial data, it is only recently that personal health data has come under the attention of legal regulation.
The US Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996, containing both a Privacy Rule and a Security Rule. The Privacy Rule took effect in 2003, regulating the use and disclosure of “protected health information” (PHI) by “covered entities,” which include doctors and health insurance companies. The Security Rule established measures that covered entities must take to protect PHI. HIPAA speciﬁ cally states that individuals have a right to access and receive a copy of their PHI (www.privacyrights.org/fs/fs8a-hipaa.htm). Covered entities must also protect the PHI and inform patients when PHI is disclosed and to whom. But it does not address data ownership.
- Their own health data
- Know the source of each health data element
- Take possession of a complete copy of their individual health data, without delay, at minimal or no cost; if data exist in computable form, they must be made available in that form
- Share their health data with others as they see ﬁt
Interesting debate and with the potential to decide future technology.