An interesting and well-though out post. HIPAA is not the only fruit, however!
In Europe, the approach to Data protection and privacy does actually start with the concept that the individual is “owner” of his/her data, and does have rights for withdrawal, retraction, correction, access etc. throughout the chain. Everything from that point on is more a question of “custodianship” (not this is not a legal term, and I am not a lawyer).
A Dr is the legal custodian of patient clinical data, but still often needs patient permission (“informed consent”) in order to use patient data.
Likewise any company handling data – in addition to having to deal with archiving, auditing, security and other data protection and privacy concerns, is required to have a Data Protection Officer who is responsible for ensuring the data ownership and custodianship path is not breached.
This is enacted in Law (European regulation, and individual country laws, such as the Data Protection Act in the UK), and is enforced, and widely known.
This is not the same, however, as saying that every element is enforced or that there are not significant issues in handling patient data (as this is also considered “sensitive data” on top of already being personal data (and sometimes personally identifiable data).
Anyway, your article has reminded me that I must get around to reading my copy of Meaningful Use!
…Oh, and with regard to John Moerke’s comment – patients are physical things, and health data is nearly always closely related to the physical. Copyright is for works of creation or authorship, so the territory is much less clear than the statement he makes (I believe).
