Who Owns Patient Data in Electronic Health Records?

by Doug Pollack

I recently began exploring the question of who, or what entity, owns the data that is incorporated in our patient electronic health records (EHRs). I originally began thinking about this because I was imagining that the “owner” would be responsible under circumstances where there was an unauthorized disclosure of such protected health information (PHI), in other words a data breach. It seemed like such a simple question, I had assumed I would find the answer to be just as straightforward. As it turns out, many have pondered this question and suggest that the question of “ownership” of medical data may be a misplaced one, an unanswerable question, and that the more relevant question is what control the patient, and other members of the health ecosystem, have relative to accessing, modifying, appending and transmission of this data. In other words, how is patient privacy provided for within the new EHR universe?

The dimensions of legal ownership were investigated by Hall and Shulman in their article “Ownership of Medical Information” published in 2009 in the Journal of the American Medical Association.  They explored how property law would be only one of several “legal regimes that control the rights and responsibilities over economic goods” and that contract, tort and regulatory law would also come into play.

They discuss the overlapping rights that exist to patient health records, and note the economic obstacles that inhibit those with some possession of health records, as a result of their IT systems, from having financial motivation to share this information. They also discuss the question of whether the patient has any rights relative to the monetization of their health data. Specifically the ask “should patients be allowed to commercialize access to their medical information?” But they did little to answer my simple question of “who owns patient data”.

In an article aptly titled “Who owns patient data?” by Trotter published in O’Reilly Radar posits that the “notion of ownership is inadequate for health information.” While it seems like it should be an answerable question, he argues that it is inherently unanswerable. That “ownership is a poor starting point for health data because the concept itself doesn’t map well to the people and organizations that have relationships with that data.” It is with this insight that I began to realize that ownership may be the wrong question, and that the better question is who has what rights to access, modify, append, and share our health records.

In exploring the question (as it turns out it really is a debate) of patient privacy control of their electronic health records, a paper by Rothstein titled “Debate over patient privacy control in electronic health records” was published in 2011 in the Bioethics Forum. In reviewing Dr. Rothstein’s learned analysis, I realize that while there has been an exponential increase in the number of physicians using EHRs and patient records housed in EHRs, that the thorny question as to exactly what rights patients have to control the sharing of their health records, along with the mechanisms for sequestering highly sensitive information such as psychotherapy notes, reproductive issues, sexually transmitted disease information, and drug use history, and how any rights would be operationalized, are severely lacking.

In his overview of public hearings for two advisory committees of the Department of Health and Human Services (HHS) regarding privacy concerns raised as a result of EHRs in Washington, D.C. in February, 2011, he highlights three dimensions of the patient privacy concerns.While HIPAA privacy laws are extensive, they don't appear to address any of these three issues and concerns.

1. That healthcare providers will have access to information that they do not need to know. For example, your dentist probably doesn’t need access to your reproductive health history.

2. That individuals applying for jobs and insurance typically are required to authorize disclosure of their entire health record. Given that there are around 25MM such disclosures per year, the concern is broad and the potential for embarrassment, stigma and discrimination is high.

3. That many patients engage in defensive practices with their physicians to limit the sensitive information in their health records. So they either lie, or lie by omission, and may even risk sub-optimal medical care in order to protect the privacy of what they may view as sensitive or embarrassing information.

Rothstein goes on to describe three potential approaches to providing for patient privacy in this new era of networked EHRs. What is very scary to me, however, is that this conversation as to how to implement privacy controls is being carried on just as massive numbers of hospitals and physicians are implementing EHRs and testing their interoperability with Health Information Exchanges (HIEs) in order to capture billions of dollars in funding from the federal government via Meaningful Use grants.

He notes that “many physicians assert that patients should not be able to control the content of their health records because doing so would fundamentally change medical practice.” This position and perspective is one that is fundamentally at odds with that of patient privacy advocates.

The recent second annual Health Privacy Summit, organized by Patient Privacy Rights and its founder, Dr. Deborah Peel, recently took place in Washington, D.C. It brought together a who’s who of experts from every area of the patient privacy ecosystem, including Joy Pritts, Chief Privacy Officer, and Farzad Mostashari, National Coordinator, from the Office of the National Coordinator (ONC) at HHS, and these exact issues were discussed. In an article published in O’Reilly Radar titled “Health care privacy discussed as an aspect of patient control” by Oram just after the conference, he noted the “tension between privacy and the kind of data sharing needed to improve patient care” that existed among and between the speakers.

So the good news is that the question as to how patients will be able to control the accuracy of information in their health record, and the sharing of highly sensitive information that could lead to negative outcomes if shared, and potentially misused, is being discussed and debated. The “other news” is that this debate is taking place while our health information is being amassed into EHRs that are popping up at virtually every location where we are receiving medical services. It really would have been nice if such issues had been discussed and resolved PRIOR to a massive incentive plan and rollout of EHRs. But better late than never.

And of course, the question of “ownership” of our health records is one that is likely to go down as unanswerable or ultimately irrelevant. I’ll try to ask a more intelligent question next time.

About the Author

Doug Pollack's avatar
Doug Pollack

CIPP, MBA. With over 25 years experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.


David Brooks 06/19/12


Excellent article.  Not sure that this contributes anything to your discussion, but I have always considered electronic health records to be very similar to personal credit reports.  For starters, while everyone’s true medical information exists in a Platonic sense, health care providers only ever have a small glimpse of that information.  They take what they know - from forms filled out by patients, objective and subjective information garnered during patient encounters - and create their own version of a medical record. 

About 10 years ago or so SNOMED released some research showing that the average American had something like 12.2 medical records.  Oddly enough, this makes total sense.  Every provider a person sees essentially creates there own version.  This has always been problematic as each “record” really only ever represented a sliver of the true total picture.

In theory, with the push towards electronic medical record systems, combined with the development of health information exchange infrastructure, we will eventually evolve to a point where patients only have one record.  Not sure if this will ever really happen.  After all, we have 3 national credit bureaus to keep things more or less in balance.

Furthermore, when you factor into the equation that healthcare providers and provider organizations trust patients with their own information about as much as credit agencies are inclined to take the word of a consumer, you can quickly see that it is not so much about ownership as it is checks and balances…

BobbyG 06/19/12

Very nice post. I’m glad I ran across this. I will add you to my blogroll.

Thu Pham 06/21/12

How do patients control the accuracy of their information in their health records now? Health information exchange isn’t inherently dangerous unless we design it as such. Security should be designed into the EHR software itself, and employees trained on how to handle ePHI.

I agree with you about ownership - it is more like access and authorization to do a number of things with the health data that is disconcerting. Again, these are principles mandated by HIPAA and need to be addressed accordingly by IT business associates.

Chuck Johnson 06/27/12

I have poendered this question before as it relates to “paper” records and concluded that the provider owns the paper but the patient owns the data or content.  This almost sounds like distinct tenancies in the same real property—by analogy of course.  I wonder if this anology will help in addressing EHR issues.

Christopher Leonard, DO 07/1/12

Great article. This is a fascinating topic as it involves knowledge of health care, IT, law, philosophy, politics and maybe some common sense. I am working through these questions right now and am interested in leveraging some very useful data. I would love to speak with you about this and glean from your insight. I would rather develop this program correctly from the ground up but keep delving deeper and deeper the more I look into it.
The link between EMR interfaces, human behavior in terms of data entry and accurate outcomes data is particularly interesting to me. There seems to be a potential misalignment of outcomes-based medicine (which obviously requires good data and data transfer and accessibility) and patient privacy issues, which I fully value. HITCH has put this issue on steroids by incentivising EHR while trying to regulate ePHI, which will be a natural byproduct of this explosion.
I’d love to hear your thoughts on this balance. Thanks for the good read and the references and I would love to network. Respectfully, CJL

Spydyee 07/16/12

David Brooks stated: “In theory, with the push towards electronic medical record systems, combined with the development of health information exchange infrastructure, we will eventually evolve to a point where patients only have one record.  Not sure if this will ever really happen. “

David, the only thing that stands between now and the single permanent patient record is a universal identification system not relying on social security numbers and a single repository for that data. Of course when it was proposed back when Hillary was the President’s Wife and that little lady that he turned loose onto the Washington insiders the screams of socialism were just as loud as they are right now over the individual mandate in the current healthcare law.

With regard to this article and who owns what if we had a single repository and implemented the PPR that almost every Medical Information System has or can interface with then ownership would remain with that single repository and the patient.

Of course you will need several large containers of socks and some duct tape if you want this to actually happen because you will have to stuff a sock into the mouth of every person that screams socialism and use the duct tape to hold it in place along with keeping their hands from removing it. (OF COURSE I AM BEING FACETIOUS) If we do not stop seeing Communist spies lurking around every corner attempting to infiltrate our government with their evil ideals then we will never have anything worthwhile.

My mother worked for a medical information systems corporation. She was on the R&D team that helped develop her company’s PPR. They were the first to develop one but eventually this became a industry standard. The idea was that he hospital would have this record and all the doctors that practiced at that hospital would purchase the medical office interface and this would allow them to access the records of their patients from the PPR at the hospital. It would also allow them to create a PPR at the hospital that showed all the patient data. This meant that any doctor connected to the system would know the entire patient history. Several large hospitals that operate numerous outpatient clinics and had multiple independent physicians could then effectively stop a patient from using multiple doctors to get addicting drugs. The goal when these records were built was not about ease for doctors or nurses. For that matter the doctors and nurses back then fought tooth and nail in most hospitals to avoid going to these automated systems. The goal back then was to prevent the elderly and those dealing with addiction issues from harming themselves and to stem the flow of prescription drugs that were making it onto the black market.

The ability to use a PPR has been available since my 30+ year old children were in high school. The first clinical system with a PPR was the Eclipsys 7000 system and they stopped selling it because it was outdated at the end of the 1990s. We have had the ability to do this for a long, long time. What we have not had is a congress with the intestinal fortitude to do the right thing!

Add a Comment

Your comment may need to be approved before it will appear on the site. Thanks for waiting.




Submit the word you see below *