Why patients and providers need a model patient data use agreement

The health and wellness data group lead at The MITRE Corporation offers a sneak preview of her HIMSS20 session on the topic.
By Bill Siwicki
12:24 PM
Why patients and providers need a model patient data use agreement

Update: HIMSS20 has been canceled due to the coronavirus. Read more here.

Opportunities are growing for individuals to access and aggregate their health data using health apps and patient portals. Most of these services require individuals to enter into agreements with terms that typically do not favor the individual or give the individual agency over their data.

A model patient data use agreement with terms that empower individuals can provide people with the opportunity to truly manage and control their aggregated health data. Personal agency over data may also increase patient engagement and activation, improve self-management and outcomes, and improve the breadth and depth of data available for shared decision-making, care management and research.

“The problem is that people lack access to and agency, or power, over their complete health data for managing their own health and engaging in their care,” said Katherine Mikk, health and wellness data group lead at The MITRE Corporation, who will be presenting on the subject at HIMSS20.

Individuals have the least control

“Right now, personal control over personal health data is governed by a mixture of federal, state and local laws, including privacy law and contract law,” she explained. “Unfortunately, within this framework, out of all the parties with an interest in health data, individuals have the least ability to access, control and direct their own information.”

Laws such as HIPAA enable access to copies of clinical information maintained in medical records, but state licensure laws assign control over the records to providers, and other privacy laws can add confusion as to what can be conveyed to patients and how.

"This lack of access to and leverage over personal data can result in uninformed decision making, worse health outcomes, and a lack of transparency over data use."

Katherine Mikk, The MITRE Corporation

“Other organizations that are not covered by HIPAA but that touch personal health data in some way – for example, as purchasers of deidentified, aggregated data for marketing and analytics purposes, or applications that offer services to individuals, such as personal health records or daily trackers – either do not engage with individuals or offer their services with onerous terms and conditions on a ‘take-it-or-leave-it’ basis,” said Mikk.

Some of those terms allow the organizations to profit from the data gathered on request of the individual, perhaps when the individual also is paying a fee to use the service. These terms and conditions may also be written in a way that are difficult and time-consuming to read and often only are skimmed by the individual purchasing the service.

Uninformed decision-making

“This lack of access to and leverage over personal data can result in uninformed decision-making, worse health outcomes, and a lack of transparency over data use,” Mikk said. “In addition, not being able to collect and use personal health information is frustrating. This problem is growing more acute as increasingly more data about health and wellness is gathered, shared and analyzed, and individuals who are the source of the data are least privy to the information.”

Further, without the ability to aggregate and manage their own data, individuals are unable to use it or apply it in ways that could benefit the greater good, she added. This issue has been drawn into sharp relief by the recent focus of the Department of Health & Human Services on patient access to personal health information and new requirements for sharing information with patients incorporated into CMS and ONC proposed rules, she said.

“Individual access to and engagement with personal health information has been demonstrated in research to result in improved health outcomes, improved medication adherence, and identification of errors in medical records,” she explained. “Access to personal health information enables a thorough understanding of conditions and risks, providing education and context to people so that they can better participate in healthcare decision making.”

With advances in technology and more services offered to people to help them collect their health information in one place, people can combine clinical data with other data, such as data from wearables, to enhance that decision making and assert control over their health. With the current state of law and practice, however, individuals have little ability to fully engage and use their information to the extent they may seek, Mikk said.

A stronger mechanism

Individuals need a mechanism to ensure they have equal or stronger control over their personal information that they rely on third parties to collect, Mikk insisted.

“This is particularly true for personal health record services that collect and display their data, and may reuse or sell that data with only passing disclosure of this in dense, lengthy terms and conditions,” she said. “Currently, existing law as well as common procedures for signing up for data services do not provide individuals with an ability to genuinely engage with and manage their data.”

A model patient data use agreement rewrites terms and conditions to bring the patient into the agreement as an equal party, she explained.

“Privacy policies, terms and conditions, and other documents presented to individuals are presently all given to patients in a one-sided manner,” she stated. “The individual must take or leave the terms. A model agreement instead rewrites many boilerplate terms to equally distribute rights and responsibilities between patient and organization, shifting the typical approach to consumer engagement on large scale that is found with most online or other consumer services.”

Transparency, accountability, readability

A model agreement should focus on transparency, accountability and readability, and ensure clarity about the organization’s other activities with data beyond supporting the service the individual has requested, she added.

“A model patient data use agreement, written in clear and simple language or offered in graphical format, can convey more than just terms and conditions to patients or direct them to privacy policies,” she continued. “It can give options for shaping the terms of the agreement itself. In addition, used as a baseline, the model agreement can also provide a way for individuals to assess the trustworthiness or practices of a third party app.”

In other words, an app that offers terms based on the model agreement can provide evidence to individuals shopping for services that individuals will have visibility into the organization’s relationships with entities purchasing aggregated data or that the individuals can seek redress in the event that their data is misused or breached, she explained.

“An app that does not base terms on a model agreement may be approached with more caution,” she warned. “A model patient data use agreement can serve as a shorthand way for individuals to determine with which service they want to do business.”

Clear, simple language

The model patient data use agreement is a two-page document written in clear, simple language, Mikk explained.

“It is intended to give individuals a way to engage thoughtfully with the organization that will manage or collect their data and to be presented in a way that is least burdensome to people accustomed to click-through agreements and little to no engagement with actual terms,” she said. “It can be downloaded for a reference but when presented as a part of a sign-up to a service can be reviewed section by section without unduly burdening individuals or using too much time.”

The walk-through also provides a way for individuals to identify specific uses or preferences about their data as well as the agreement that can be set at that time or changed in the future, she added.

For example, the model patient data use agreement enables individuals to make enforceable decisions about access to the data, including who has access and how much. Organizations adopting the model agreement should be prepared to disclose the entities to whom they sell or with whom they share some or all data, and should enable individuals to opt in or out of specific such arrangements, she said.

Transition, integrity, security

The model agreement also suggests options for data transition if the agreement is terminated, discusses data integrity to enable the aggregated data to be trusted by providers, and data security, she added.

“Across the healthcare industry, documents are provided to patients that are one-sided, such as privacy policies, click-through agreements, and even informed consent,” she said.

“Individuals typically accept these documents as they are, either because there are no other options – in the case of policies or contracts of adhesion – or because they are not aware that they can agree with amended terms.”

The model patient data use agreement not only seeks to give individuals true agency over their data where able, but also to give them leverage and equal footing with the organizations who engage with their data as well. The model agreement, in its current form, is an initial proposal to the industry and to individuals, and in this environment of recognition of the importance of data control and access MITRE thinks it is time to introduce individuals into the conversation at the contractual level, Mikk said.

“At HIMSS20, I’ll describe why a model patient data use agreement is needed, the development of the model, and highlight important provisions within it,” she noted. “I’ll talk about how the model patient data use agreement is different from the terms and conditions we normally see. As moving our personal health information to third-party entities becomes even easier through APIs, it is even more important to provide a model agreement that works for both individuals and the organizations offering data aggregation and related analytics, and predictive services.”

Mikk will offer more detail during her HIMSS20 session, “Increasing Patient Agency: The Patient Data Use Agreement.” It’s scheduled for Tuesday, March 10, from 4:15-5:15 in room W209C.

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com
Healthcare IT News is a HIMSS Media publication.

Full coverage of HIMSS20

An inside look at the innovation, education, technology, networking and key events at the HIMSS20 global conference in Orlando.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.