Tech

Whose Data Is It Anyway?

A common and somewhat unique aspect to EHR vendor contracts is that the EHR vendor lays claim to the data entered into their system. Rob and I, who co-authored this post, have worked in many industries as analysts. Nowhere, in our collective experience, have we seen such a thing. Manufacturers, retailers, financial institutions, etc. would never think of relinquishing their data to their enterprise software vendor of choice.

It confounds us as to why healthcare organizations let their vendors of choice get away with this and frankly, in this day of increasing concerns about patient privacy, why is this practice allowed in the first place?

The Office of the National Coordinator for Health Information Technology (ONC) released a report this summer defining EHR contract terms and lending some advice on what should and should not be in your EHR vendor’s contract.

The ONC recommendations are good but incomplete and come from a legal perspective.

As we approach the 3-5 year anniversary of the beginning of the upsurge in EHR purchasing via the HITECH Act, cracks are beginning to show. Roughly a third of healthcare organizations are now looking to replace their EHR. To assist HCO clients we wrote an article published in our recent October Monthly Update for CAS clients expanding on some of the points made by the ONC, and adding a few more critical considerations for HCOs trying to lower EHR costs and reduce risk.

The one item in many EHR contracts that is most troubling is the notion the patient data HCOs enter into their EHR is becomes the property in whole, or in-part, of the EHR vendor.

It’s Your Data. Act Like it.

Prior to the internet-age the concept that any data input into software either on the desktop, on-premise or in the cloud (AKA hosted or time sharing) was not owned entirely by the users was unheard of. But with the emergence of search engines and social media, the rights to data have slowly eroded away from the user in favor of the software/service provider.

Facebook is notorious for making subtle changes to its data privacy agreements that raise the ire of privacy rights advocates.


Of course this is not a good situation when we are talking about healthcare, a sector that collects the most personal data one may own. EHR purchasers need to take a hard detailed look at their software agreements to get a clear picture of what rights to data are being transferred to the software vendors and whether or not that is in the best interests of the HCO and the community it serves..

Our recommendation: Do not let EHR vendor have any rights to the data – Period!

The second data ownership challenge to be very careful of is the increasing incorporation of patient generated health data into the healthcare delivery system. We project an explosion in the use of biometric devices, be it consumer purchased or HCO supplied, to monitor the health of patients outside of the exam room. Much of this data will find its way into the EHR. Exactly who owns this data and what rights each party has is still debatable. It is critical that before HCOs accept user data they work out user data ownership processes, procedures, and rights.

If the EHR vendor has retained some rights to data the patients need to be informed and have consented to this sharing agreement. In our experience this is rarely if ever explicitly stated. HCOs need to be careful here as this could become a public relations disaster.

Note: We are not lawyers. We are offering our advice and experience to HCO CEOs, CFOs and CIOs, from the perspective of business risk and economics.

We have deep experience in best practices used in other industries with regards to data use and sharing agreements. We have also spent significant time reviewing the entire software purchasing lifecycle and culture, and are here to help HCOs in reviewing these contracts.

This post originally appeared at Chilmark Research, where Moore is founder and managing partner and Tholomeier is director with a research focus on EHR 2.0, analysis infrastructure, and new costing models for HCOs.

Livongo’s Post Ad Banner 728*90

30
Leave a Reply

21 Comment threads
9 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
19 Comment authors
FranklinDataLadderAshank HarlalkaErnestoRobert Pollack, MD Recent comment authors
newest oldest most voted
Franklin
Member

The unwillingness of competing HCOs to share clinical data is a very valid point that definitely needs to be considered when implementing Health Information Exchange Systems. In order to avoid this potential conflict, EHR purchasers need to understand what rights to data are being transferred to the software vendors and whether or not that is in the best interests of the HCO and the community. Ensuring that EHR vendors do not have the rights to health data is essential for transmission of data between all servers. This minimizes the idea of competition among different HCOs, creating a level playing field… Read more »

DataLadder
Member

Good read. Data-driven decision making will be one of the key factors in changing the future of business. There is so much great work being done with data analysis and data linkage tools in various industries such as healthcare. We know in our business good record linkage happens behind the scenes. No personal information is ever shared, even the smallest of data sets aren’t shared. Several departments have to approve each and every data request individually.

Linda Boudreau
http://DataLadder.com

Ashank Harlalka
Member

Greetings,

We have developed a platform to secure your health records safely. No one can access your data as long as you allow them to access your records in our platform. All your health records will be by default locked and until and unless you unlock it no one gets to see your record.
We have also added an additional SSL to it.

For more information please visit, https://www.medicalui.com

Ernesto
Guest
Ernesto
Ross Koppel, Ph.D., FACMI
Guest
Ross Koppel, Ph.D., FACMI

Dr. Pollack, Sounds great. I urge you to get someone who understands sampling methods, survey methods and statistics if you are going to use the data in any way for advice, comparisons, thought or discussion. In other words, if you want to use the data, you must understand their limitations.
Best wishes for your good works.

Robert Pollack, MD
Guest

Ross, please call me Robert.
Thanks for your suggestion. We are definitely planning on doing that. However just to be clear, what we are NOT going to do is provide analysis of the information we collate. For example we will not make a determination that any course of action or therapy is the preferred one. We will not be in the business of establishing or enforcing standards of care. We will provide the raw data of how the doctor compares to his peers but the doctor is the one who will determine what significance the information has.

Robert Pollack, MD
Guest

As a practicing plastic surgeon and co-founder of an EHR for surgeons that is under development I can tell you we realized early on this was an issue. One of the features we decided on was to have all the practice data freely downloadable in common format by our providers at any time. We would never consider our company to own any of the information that either the doctors or the patients provide. However, one of the benefits of a web-based app is we do have a repository of practice data from a multitude of providers. Our plastic surgery society… Read more »

Adrian Gropper, MD
Guest

Rob, look both ways before you cross this street! The chain of custody – and value – of private patient data goes in both directions. Your focus on enterprise software is artificial in the age of smartphones and web services. Apple benevolently manages my apps for a 30% cut and Google has trained us all to barter our data in return for valuable services. The patient data value chain is marked by choices enabled by technology. Patients can choose to be anonymous, at least if they get medical services on-line. Doctors can choose to not use an enterprise EHR by… Read more »

Rob Tholemeier
Guest
Rob Tholemeier

The point we are making is that in no other industry that we know of do users, as part of the basic enterprise software contact, allow the software vendor rights to access the information for any reason. There are times when the user may request that the vendor access the system to fix bugs, and their are times when the user may wish to sell its OWN formation, but I do not recall ever seeing users granting the type of access we see in EHRs. We suspect that in most cases the topic does not come up in the software… Read more »

Ross Koppel, Ph.D., FACMI
Guest
Ross Koppel, Ph.D., FACMI

Matt, The fact that Practice Fusion takes the the patients’ data as payment for the docs’ free use of an EHR does not mean it’s safe, moral or sensible. The patient’s didn’t sign on to having their data mined and there are no protections built into the process. How would a wife/girlfriend/husband like to receive an advt about how to protect him/herself from an HIV-infected lover? Your point about who cares about ownership as long as the data are accessible is indeed interesting. If the data are in fact always available, you make an important point. But if they disappear,… Read more »

Matthew Holt
Guest

Ross–so I think on my major you agree with me. Data access is crucial. I dont care who “owns” the data so long as I can get a copy (or my doctor cna) when I want. To me this is FAR more important than who gets to mine the data for interesting inferences and sell that to pharma–which anyway is a smaller business than most people think it is. On my minor point, we indeed may need a whole new set of regulations and transparency into how data are being used for secondary purposes, but as far as I can… Read more »

Adrian Gropper MD
Guest

Secret source and secret sauce are the same. If your goal is to keep competitors from criticizing, reproducing or improving your medicine, then having a secret recipe or adding a secret ingredient are pretty much equivalent.

Deborah C. Peel, MD
Guest

Actually the concept of health data “ownership” IS very relevant to the public. The leading candidate for Governor of Texas just raised this very question–he thinks Texans deserve property rights in their DNA. He also believes states should not sell any data without residents’ consent, wants to prohibit data resale and anonymous purchasing by third parties, and intends to ban re-identification of data. This is a very significant and POWERFUL set of data privacy protections coming from the likely next Governor of Texas. See: 1) http://townhall254.gregabbott.com/wp-content/uploads/2013/08/GregAbbottsWethePeoplePlanFINAL.pdf 2) http://www.texastribune.org/2013/11/21/abbotts-privacy-rights-proposals-gain-support/ The public hasn’t known about the systemic health data theft industry—BUT the… Read more »

Adrian Gropper MD
Guest

This issue has a larger context of interface costs and the regulation of medicine. Unless we address all aspects of interface costs, the problem of vendor lock-in will continue to limit our control over our clinical tools and regulators will step in to fill the void. Asking for more regulation is ok, but it needs to be matched by professional initiatives directed at self-regulation if we are to retain our role in the evolving health care enterprise. If physicians do not choose our software, others will step in and do it for us. Locked-in EHR vendors need to compete to… Read more »

Matthew Holt
Editor

hmm…this is an old conversation, and we need a new version. Ownership is irrelevant. Most important questions are 1) Can the provider EASILY get all the data out of the system in case they want to change systems in a way that it can be easily stored and later uploaded to another system (think credit cards and .csv files, in Legacy Flyers Russ Koppel’s example of vendor going bust) 2) can the patient EASILY get all the data (Blue Button) 3) can another provider on the patients behalf get the data (Blue Button/Direct) 4) What is the agreement about a… Read more »

Paul
Guest
Paul

EMR is one of those things that sound better than they really are. Different systems can’t “talk” to each other. My health system has one EMR for the hospital and another for over 600 doc offices. The trouble is they can’t communicate with each other. PPP. Also, being basically lazy or cost conscious, or both, they did not isolate each office, so that anyone in one office can access the patient record from any other office. They get a broad patient release which they feel protects them from privacy suits. The problem is that there are aspects of many records… Read more »

Dr. Rick Lippin
Guest
Dr. Rick Lippin

Andrian Gropper is speaking at this event – these are the people who can lead us out of the wilderness

http://www.new-health-project.net/2013/11/19/towards-a-universal-name-space-dec-6-2013-workshop-in-cambridge-ma/

Rick Lippin

John@Chilmark
Guest

We have seen contracts wherein the EHR vendor states that they own the data. More common is that the EHR vendor lays claim to access the data and use as they see fit. The example below comes from the Practice Fusion website: 4.1 Ownership You retain ownership of the intellectual property rights you hold in Content you submit on our Services. When you submit Content on our Services, you grant us and those we work with a worldwide, royalty-free right to store, host, reproduce, create derivative works of (such as translations, adaptations, reformatted versions and anonymized or de-identified versions), publish,… Read more »

Bobby Gladd
Guest

“More common is that the EHR vendor lays claim to access the data and use as they see fit”
__

Yeah. And, that’s a distinction without a difference. The very legal concept of “ownership” means usage control over that which is “owned.”

Bobby Gladd
Guest

“..create derivative works…”
__

That goes to the heart of “Copyright.” They’re claiming to copyright.