Why do EHR Firms Own Patient Data When Other Software Vendors Don't?

There's a healthy debate going on about healthcare data interoperability and I think the more we discuss it, the better off we'll be. It's absolutely crucial that all healthcare information systems be able to talk to each other in a way that is useful to both physicians/clinicians and patients. The only way to have truly interoperable systems is to have free (but safe and secure) data interchange, and exchange requires access rights and an understanding of ownership rules.

One part of the discussion that many vendors of electronic health records (EHRs), a large portion of the health IT ecosystem, don't want to have is about the ownership of patient data stored in "their" EHR systems. It still amazes me that physicians as well as hospitals and health systems have ended up signing deals where the software vendor, not the institution hiring the vendor and certainly not the patient, has either primary or secondary rights to the data. Most small practices, many large practices, and even hospitals have accidentally signed away, to their EHR or other digital health vendor, broad rights to use, reuse, and share patient data. If that weren't bad enough, the institution may not have kept even the primary use rights for itself if it decides to switch vendors or change software.

As a CTO who spends time in multiple environments outside of healthcare, what leaves me scratching my head is that there aren't many other industries that inflict this kind of data lock-in on their customers. For example, when you buy an Oracle database they don’t claim to own all the data in those databases. When you use Quicken or QuickBooks, Intuit doesn’t say they own your financial data. Microsoft doesn’t own all the data in your spreadsheets or PPT decks because you use MS Office.

Imagine if cloud-based file systems like OneDrive, Box, or Dropbox said "sure, you can pay us to use our cloud but we own all those files and if you'd like to do anything with them you need to get our permission to do so."

For some reason physicians are happy to let an EHR vendor make the same claim and let them get away with it. It would be like saying that the power company that feeds you power in your practice would now own all the devices you connect to the outlet. That sounds insane but it's exactly what some EHR vendors -- both cloud-based and on-premises ones -- say to their customers.

It's time for physicians, CIOs, CMIOs, and other health tech leads to review the contracts they've signed and see who really owns their data. Is it the institution providing the care or the software vendor? And since you're diving deeper, find out who owns the data in these specific situations:

  • Data created personally by the patient and not used at all by the doctor (something in the tethered PHR)
  • Data created personally by the patient but used by the doctor for care of the patient
  • Data mutually created and managed by the patient and doctor (transactional data like claims codes, messages between employees of the physician practice, etc.)
  • Data institutionally created by the doctor but available to the patient (e.g. the doctor’s private “transactional” notes)
  • Data mutually created by the patient, doctor, and insurance company (mostly transactional)
  • Data mutually created by others that the patient didn’t directly interact with (covered by HIPAA BA)

When you look at the complexity of data ownership, you'll see why the goals of system and data interoperability may be greatly hampered by existing signed agreements.