Whose data is it anyway?

By John Moore
10:10 AM

Rob Tholemeier, Director, Chilmark Research, co-authored this post.

A common and somewhat unique aspect to EHR vendor contracts is that the EHR vendor lays claim to the data entered into their system. Rob and I have worked in many industries as analysts. Nowhere, in our collective experience, have we seen such a thing. Manufacturers, retailers, financial institutions, etc. would never think of relinquishing their data to their enterprise software vendor of choice.

It confounds us as to why healthcare organizations let their vendors of choice get away with this and frankly, in this day of increasing concerns about patient privacy, why is this practice allowed in the first place?

The Office of the National Coordinator for Health Information Technology (ONC) released a report this summer defining EHR contract terms and lending some advice on what should and should not be in your EHR vendor’s contract.

The ONC recommendations are good but incomplete and come from a legal perspective.

As we approach the 3-5 year anniversary of the beginning of the upsurge in EHR purchasing via the HITECH Act, cracks are beginning to show. Roughly a third of healthcare organizations are now looking to replace their EHR. To assist HCO clients we wrote an article published in our recent October Monthly Update for CAS clients expanding on some of the points made by the ONC, and adding a few more critical considerations for HCOs trying to lower EHR costs and reduce risk.

The one item in many EHR contracts that is most troubling is the notion the patient data HCOs enter into their EHR is becomes the property in whole, or in-part, of the EHR vendor.

It’s Your Data -- Act Like it
Prior to the internet-age the concept that any data input into software either on the desktop, on-premise or in the cloud (AKA hosted or time sharing) was not owned entirely by the users was unheard of. But with the emergence of search engines and social media, the rights to data have slowly eroded away from the user in favor of the software/service provider. Facebook is notorious for making subtle changes to its data privacy agreements that raise the ire of privacy rights advocates.

Of course this is not a good situation when we are talking about healthcare, a sector that collects the most personal data one may own. EHR purchasers need to take a hard detailed look at their software agreements to get a clear picture of what rights to data are being transferred to the software vendors and whether or not that is in the best interests of the HCO and the community it serves..

Our recommendation: Do not let EHR vendor have any rights to the data – Period!

The second data ownership challenge to be very careful of is the increasing incorporation of patient generated health data into the healthcare delivery system. We project an explosion in the use of biometric devices, be it consumer purchased or HCO supplied, to monitor the health of patients outside of the exam room. Much of this data will find its way into the EHR. Exactly who owns this data and what rights each party has is still debatable. It is critical that before HCOs accept user data they work out user data ownership processes, procedures, and rights.

If the EHR vendor has retained some rights to data the patients need to be informed and have consented to this sharing agreement. In our experience this is rarely if ever explicitly stated. HCOs need to be careful here as this could become a public relations disaster.

We are not lawyers, we are offering our advice and experience to HCO CEOs, CFOs and CIOs, from the perspective of business risk and economics. At Chilmark we have deep experience in best practices used in other industries with regards to data use and sharing agreements. We have also spent significant time reviewing the entire software purchasing lifecycle and culture, and are here to help HCOs in reviewing these contracts.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.