Back to Blog

Who Owns the Data in Your EHR?

Who Owns the Data in Your EHR?
21 May 2016

What if your healthcare information was widely and easily available to everyone? What if a prospective employee, your partner, or even your friends and family were able to see your private data? That is a terrifying concept. And it has happened, thanks to unprofessional and criminal actions by certain EHRs and by hackers.

The concept of healthcare and EHR data ownership carries many implications for patients, providers and medical practices. While it is widely agreed that EHR vendors do not own the medical data, that has not prevented unscrupulous vendors from winning court disputes that resulted in serious financial losses and massive PR hits for medical providers.

Because of this, practices can often feel as though they are in a dangerous relationship with vendors, who are holding their data hostage for ransom. These considerations make the discussion of data ownership critical for any physician or medical practice that utilizes Electronic Health Records.

Design and Build you own SOAP notes and WIN $1000. Join the blueEHR Form Builder Challenge! Register Now. (Aug 22 – Aug 26)

Defining Data and Data Ownership

Healthcare data comes from a variety of sources. The main source is the patient themselves. They are the ones who provide data to providers(who input it into their EHR system) and to platforms such as patient portals. Another source of data is from the physician or healthcare team, in the form of clinical findings and observations. Results from laboratory studies or radiology, along with data from other external healthcare providers or practices, also contribute to EHRs.

There are a number of parties who can lay claim to healthcare data. This makes grappling with who has more of a claim over EHR data ownership, even more complicated. Patients, providers, vendors, and the medical practice itself all have an investment in healthcare data and there is often uncertainty over who has the most right to EHR data ownership.

According to the Journal of Medical Internet Research, over 53% of patients believe that they own their healthcare data. There is a valid argument here, since the data is the patients. But then why do 43% of providers believe they own the healthcare data? Well, without them, the data would not be in the system. Same goes for any additional findings that came to light after the patient was admitted.

Feeling confused on which side seems more right? You’re not alone. Amazingly, both of these groups report that 20% simply don’t know who owns the data.

Establishing Data Ownership

The best method of minimizing disputes over EHR data ownership is prevention. Measures such as establishing data ownership early, defining terms and enforcing guidelines are critical to minimizing trouble down the road. With EHR vendors, defining conditions of data exportation, in the event the practice wishes to end a business relationship, is critical.

For all parties, the concept of access must also be clearly defined. Terms include practice or provider access to data from the vendor’s servers, as well as patient access to healthcare data via portals or other mechanisms. The most common source of disputes is when a party wishes to leave the relationship; either the practice decides to select a different EHR vendor, or a patient wishes to port their data to a new provider.

Vendor Red Flags

For a medical practice, establishing terms of EHR data ownership must begin at the time of vendor selection. Identifying warning signs during this process can help providers avoid much larger issues in the future.

When choosing an EHR, keep an eye out for red flags such as unstructured data formatting (i.e. PDF instead of CCDA), an inability to meet the National Coordinator for Health Information Technology’s certification requirements, or restrictive contracts that demand exorbitant financial charges to port data in the event of a vendor switch.

Establishing productive EHR data ownership for a healthcare organization, takes careful planning.

While it might be more expensive upfront, every practice would benefit from finding an EHR that is designed with your needs in mind, meaning, among other things, that you own your data and have complete administrative control.

HIPAA violations are not only a source of bad PR and an expensive lawsuit, it is also news that will lead to decreased trust from patients, which would lead to them leaving. This means that: 1. There will be decreased revenue. 2. The practice taking a hit overall. 3. Most importantly, lots of people missing out on getting care.