Whose Data is it Anyway?

by | Nov 18, 2013

A common and somewhat unique aspect of EHR vendor contracts is that the EHR vendor lays claim to the data entered into their system. Rob and I, who co-authored this post, have worked in many industries as analysts. Nowhere in our collective experience have we seen such a thing. Manufacturers, retailers, financial institutions, etc. would never think of relinquishing their data to their enterprise software vendor of choice.

It confounds us why healthcare organizations let their vendors of choice get away with this. And frankly, in this day of increasing concerns about patient privacy, why is this practice allowed in the first place?

The Office of the National Coordinator for Health Information Technology (ONC) released a report this summer defining EHR contract terms and lending some advice on what should and should not be in your EHR vendor’s contract.

The ONC recommendations are good but incomplete and come from a legal perspective.

As we approach the 3-5 year anniversary of the beginning of the upsurge in EHR purchasing via the HITECH Act, cracks are beginning to show. Roughly a third of healthcare organizations are now looking to replace their EHR. To assist HCO clients, we wrote an article, published in our recent October Monthly Update for CAS clients, expanding on some of the points made by the ONC and adding a few more critical considerations for HCOs trying to lower EHR costs and reduce risk.

The one item in many EHR contracts that is most troubling is the notion that the patient data HCOs enter into their EHR becomes the property, in whole or in part, of the EHR vendor.

It’s Your Data, Act Like It
Prior to the internet age, the concept that any data input into software, whether on the desktop, on-premise or in the cloud (AKA hosted or time sharing), was not owned entirely by the users was unheard of. But with the emergence of search engines and social media, the rights to data have slowly eroded away from the user in favor of the software/service provider. Facebook is notorious for making subtle changes to its data privacy agreements that raise the ire of privacy rights advocates.

Of course, this is not a good situation when we are talking about healthcare, a sector that collects the most personal data one may own. EHR purchasers need to take a hard, detailed look at their software agreements to get a clear picture of what rights to data are being transferred to the software vendors and whether or not that is in the best interests of the HCO and the community it serves.

Our recommendation: Do not let the EHR vendor have any rights to the data – Period!

The second data ownership challenge to be very careful of is the increasing incorporation of patient generated health data into the healthcare delivery system. We project an explosion in the use of biometric devices, be it consumer purchased or HCO supplied, to monitor the health of patients outside of the exam room. Much of this data will find its way into the EHR. Exactly who owns this data and what rights each party has is still debatable. It is critical that before HCOs accept user data they work out user data ownership processes, procedures, and rights.

If the EHR vendor has retained some rights to data, the patients need to be informed and to have consented to this sharing agreement. In our experience this is rarely, if ever, explicitly stated. HCOs need to be careful here, as this could become a public relations disaster.

We are not lawyers; we are offering our advice and experience to HCO CEOs, CFOs and CIOs from the perspective of business risk and economics. At Chilmark we have deep experience in best practices used in other industries with regard to data use and sharing agreements. We have also spent significant time reviewing the entire software purchasing lifecycle and culture, and are here to help HCOs in reviewing these contracts.

Addendum: Rob and I worked together on this post but our WordPress backend doesn’t like to do co-authored posts.


  1. Bill Archer

    Great article. This is extremely important for physicians to understand their data ownership. Also physicians need to their data as an asset of the practice just like other tangible assets.

  2. e-Patient Dave

    So, John (and Rob) – I’m late in commenting, as I said in email.

    Am I correct in understanding what my eyes can’t believe? Are you saying that big-iron EMR vendors, e.g. Epic and Cerner, force providers to sign something saying that the VENDOR (e.g. Epic/Cerner) *owns* what my doctor writes about me?

    Owns in what sense? Like, the vendor can do anything with it that they want? And the provider can’t? And I can’t?? How is that legal?

    Under HIPAA rules I’m entitled to a copy, but as I recall, I still don’t own it – right?

    • John

      Hi Dave,
      Embedded in the contracts we have seen is language whereby the healthcare institution relinquishes ownership of patient data to the EHR vendor. Surprisingly, it is quite the common practice. For example, ambulatory vendor Practice Fusion makes it quite clear that to access their “free EHR” the physician gives up the data.

      Sure, these vendors sign all the appropriate BA agreements and comply with HIPAA but at the end of the day it is the vendor that owns the data, which they then oft-times sell as de-identified data to third parties (pharma, etc.).

      Yes, you are correct – under HIPAA you have access rights to your health data but you do not actually own it.

    • John

      Here is one example from Practice Fusion wherein they clearly state that you own the content but they have free access to it to do as they please.

      4.1 Ownership
      You retain ownership of the intellectual property rights you hold in Content you submit on our Services. When you submit Content on our Services, you grant us and those we work with a worldwide, royalty-free right to store, host, reproduce, create derivative works of (such as translations, adaptations, reformatted versions and anonymized or de-identified versions), publish, publicly perform, display, use and distribute such Content as further described in our Privacy Policy and, if applicable, in your User Agreement. For some of our Services, your User Agreement or settings may narrow the scope of our use of Content you submit. You can find more information about how we use and store Content in our Privacy Policy or, if applicable, your User Agreement.

      • e-Patient Dave

        This has fresh relevance in light of Susannah Fox’s post Recognizing the value of data (which cites you several times, as you probably know).

        In the comments, ownership comes up again, which reminded me of this discussion. So:

        > they clearly state that you [the doc] own the content
        > but they have free access to it to do as they please.

        So, in this PracticeFusion example, the vendor can use the data, but the HCP still owns it. (I the patient don’t, but in this case I’m talking about whether the vendor owns and can limit its use.)

        In this post you said

        …the notion that the patient data HCOs enter into their EHR becomes the property in whole, or in part, of the EHR vendor.

        Has this situation evolved at all? Did any regulations come down that decided this one way or another?

        • John

          Dave, it all depends on the contract between vendor and buyer. In most cases, the buyer owns the data but the vendor has access to the “de-identified data” that they then often sell to others, e.g. pharma, clinical research orgs, etc.

  3. Walter Oles

    Great article and comments. I did not realize HIPAA took away my right to own my personal information. Just like credit scores. Others profit from my information while I pay to create it.

  4. Peg Graham

    I am amazed by the thought that anyone but the patient “owns” the data. Everyone else is a steward of that data, right?
