Skip to main content
Best Practices

The Fight for Patient Data Ownership

By November 26, 2019No Comments
The Fight for Patient Data Ownership

In the argument over who owns patient data, there are two active combatants and one largely silent party. The two parties who regularly spar over this debate are the medical practice and the EHR company. The silent party is the patient, pretty much oblivious to the scuttle over their own data. The ownership debate comes down to one question:

Is the patient a consumer?

If the answer is ‘yes’, then the debate about patient data ownership is over. In the business world, customer information is the intellectual property of the business. Privacy and consumer protection laws provide an orderly marketplace, but the data belongs to the business. Therefore, every healthcare practice, under the assumption that a patient is a consumer, would own patient information and the EHR companies would be third parties; ownership would be stipulated by contract between the EHR and the practice.

But, the patient is NOT a consumer.

By definition, patients may be consumers of healthcare, but only because they must pay for the service (at least in the United States). In other countries, wherein healthcare is provided by the government and paid by tax revenues, the government compensates the doctor for their service, not the patient.

But, given a choice, patients would rather skip out on a trip to the doctor’s office. Seeking healthcare is not necessarily a choice when the implied definition of a consumer is one who is voluntarily and or actively willing to exchange dollars for a product or service. Breaking your leg or contracting an illness is not a voluntary act.

Granted, the argument is a bit messy. What about utilities? What about accidents or natural disasters that destroy property? Those seeking oil to heat their home or a carpenter to repair their home are not necessarily volunteering to exchange dollars for a product or service; they do so out of necessity.

In this instance, on its face value, regardless of the murky eddies, the patient is not a consumer. By drawing a line in the sand with that declaration, the rightful owner of patient medical information is the patient.

The Practice is Generating Information

Most information one finds in the typical patient record is generated and recorded by a healthcare professional or administrator. Most of the information, as much as pertains to the patient’s medical condition, assists the provider in caring for the patient and is a byproduct of providing care.

Over a lifetime, the typical US citizen will jump from one doctor to another. According to a survey conducted by GfK Roper for Practice Fusion, the average US citizen will see 18.7 different doctors during their lifetime. Obviously, when one doctor is picking up what another doctor put down, the quality of care is threatened. Access to data becomes paramount.

If patient data ownership is claimed by the practice, the sharing of patient information becomes troublesome. Healthcare in the US is a highly competitive, $3.5 trillion business. Why would a practice want to share patient information to a competing entity? Of course, the answer to that question is the patient’s well-being trumps any other claim. For that reason alone, the patient is the owner of their own patient data, not the practice.

The EHR is a Steward of Information

The EHR has no claim to patient information. The EHR brings value to the practice through its input, organization, security, and delivery of patient information. The EHR is not creating data.

As a steward, the EHR is beholden to the desires of the practice. If it’s in the best interest of the practice for the data to be shared with another software application, as a steward, the EHR’s responsibility is to facilitate the transfer of information safely and securely. As a steward, the EHR counsels the practice on best practices and makes recommendations.

An EHR that usurps the position of ultimate gatekeeper to the data is in the wrong.


Because the data is not theirs. Protecting the data is the EHR’s responsibility and it is expected to keep at bay all unauthorized access. However, if the practice wishes for another software application to access the data, the EHR is subject to that wish.

Unfortunately, EHRs typically seize the position as overlord of the patient data. Too often access is subject to terms set by the EHR, rather than the practice.

What Medical Practices Can Do

When choosing an EHR partner, the end-user license agreement or terms of service (or both) should clearly define patient data ownership. The practice should also clearly understand how available the data is to them or a favored third-party. At the very least, the practice must be able to easily export any desired data from the EHR to a csv file. The optimum situation is for the EHR to provide an API to which other applications can access.

The practice is generating data that belongs to the patient and the EHR is but a steward of the data. The practice should make sure the contract with their EHR reflects that declaration, that they have unfettered access to the data.

Andy Jensen

Andy Jensen is an accomplished columnist, writer, and hands-on marketing soldier with more than 25 years of in-the-trenches marketing experience in healthcare technology. Andy can be reached via email at

Leave a Reply