Whose data is it anyway?

Legally Speaking

Daniel F. Shay
Alice G. Gosfield

Daniel F. Shay, Esq. and Alice G. Gosfield, Esq., are health care attorneys at Alice G. Gosfield and Associates, P.C.


Physician usage of electronic health records (EHRs) is growing increasingly common. To some extent, the Meaningful Use program, alongside other federal programs such as the Electronic Prescribing Incentive Program (E-Rx) and the Physician Quality Reporting System (PQRS), has helped to drive EHR adoption with a combination of carrots and sticks: $44,000 in recent years for those who demonstrated meaningful use, alongside a 2 percent reduction in all of the physician’s Medicare payments for those who don’t, starting this year. (For details on all of Medicare’s penalties, see last month’s Answers in Practice column.)

While some physicians may adopt enthusiastically, and others only grudgingly, key questions are sure to arise regarding the data that physicians enter into their EHR software. Can the physician claim ownership of the data? What are the implications of how such data is stored? What are the benefits and downsides of allowing the EHR vendor to own or otherwise utilize data from your records? This article addresses these issues, and provides guidance for physicians concerned about data usage and ownership.

Whose data is it, anyway?

Under HIPAA, individually identifiable protected health information (which may be found in individual medical records and claims for payment) is the property of the patient, but the physician acts as custodian of these records. Physicians have certain legal obligations with regard to this information under HIPAA, as well as state confidentiality laws. For example, most states require a physician to retain copies of medical records for several years after treating a patient. Because of these laws, physicians must legally maintain control of and access to this information.

However, the question of ownership may be less clear with respect to de-identified (within the meaning of HIPAA privacy regulations), aggregated data, such as utilization data, prescribing trends, or quality metrics. Absent any reference in the software license agreement itself or its exhibits or other incorporated documents, such data is generally owned by the physician. It is ultimately the physician (or the physician’s staff or agents) who enters such data into the EHR in the first place. Even if the EHR manipulates raw, individually identifiable PHI to create de-identified, aggregate data, unless the license agreement says otherwise, the physician owns the data.

Not surprisingly, most vendors include clauses in their EHR software license agreements that either assert ownership of the aggregate data, or which at least give them permission to use and disclose such data; such clauses often also appear in the business associate agreements, as required under HIPAA.

The data itself has independent commercial value. For a larger EHR vendor, there is real value in being able to track and monitor such information, both with respect to individual physician practices, and as a large package of information provided to other interested third parties. These third parties may include pharmaceutical companies, device manufacturers, or marketing companies. The larger the bundle of information the vendor can present, the more value it holds. As a result, smaller physician practices should not expect to wield much leverage with respect to their practice’s data when attempting to negotiate software license agreement terms.

That said, the practice should still carefully read the provisions of the license agreement, and — if curious — ask how the data will be used by the vendor. Physicians should also make certain that the license does not assign or otherwise transfer ownership of the data to the vendor; just because the vendor is allowed to use the data doesn’t mean the physician cannot also commercialize this de-identified, aggregate data and sell it to a third party itself.

The upsides of losing control...

Many physicians these days use Web-based EHR software, which stores medical records, claims data, and other information off-site on a server owned or leased by the vendor at a server farm who-knows-where. This approach is replacing the older model of software installed on the physician’s office computers, with both the software and records stored locally. In addition, as discussed above, most EHR software license agreements require the physician to allow the vendor to use and disclose de-identified aggregate data about the physician. However, this permission does offer certain advantages.

For example, many software packages include the ability to track and manipulate data, to provide the physician with useful information such as internal quality metrics and comparisons to other physicians in the same specialty. Such information can help a physician improve practice performance with respect to quality and efficiency. What is measured is what improves.

This value of data-tracking for practice improvement should not be taken lightly. We have entered an era where quality — and the ability to demonstrate it — is becoming ever more important to the practice of medicine. Federal health care programs like Medicare continue to impose quality reporting requirements on physicians, and such scrutiny will be increasingly tied to payments in the years to come. Likewise, private insurance plans are becoming more attuned to tracking quality, and may gradually impose quality-related requirements on participating physicians.

Yet many physicians have no personal experience in tracking, aggregating, and deciphering the data they generate to distill it into quality metrics. An EHR software package that includes modules and/or services that can do this on the physician’s behalf can help eliminate what could otherwise be an administrative burden. All that is required is that the physician continue paying license fees and grant the EHR vendor access to certain data for the vendor’s own use.

The use of Web-based software can also help improve productivity and offer greater flexibility and convenience to the physician. In exchange for giving up direct control of the data, the physician can access patient information anywhere he or she can find a Web browser. This, in turn, can make it easier for physicians to, for example, perform administrative work from home or while traveling.

...But at what cost?

Unfortunately, there is no such thing as a free lunch, and whatever advantages and conveniences come from storing data off-site to be accessed through Web portals, and/or from quality tracking tools, they come with costs.

The most obvious cost is the loss of direct control over the data itself. To some extent, this is unavoidable when implementing an EHR. There is no single standard form in which EHR files are stored, and thus there is no single file format that can be read by every EHR. As a result, data conversion can be tricky and costly. Accordingly, if and when the software license agreement terminates for any reason, physicians will have to convert data to some other format to use it in other software, or simply re-enter the information. In many cases, the best a physician will have is a PDF file and/or a hard-copy printout. This is an unfortunate effect of a fragmented EHR industry that lacks unifying data standards.

However, when data is stored off-site, providers give up an additional measure of control, unless they regularly make local backups of the stored data. While it may seem incredible, we have represented clients who have had their data “held hostage” by their EHR companies. Typically, this occurs in the context of a payment dispute, where the physician fails or refuses to pay license fees, and the vendor cuts off access to the software and/or refuses to return data. In some cases, this even happens in spite of contractual language requiring the contrary — even in the event of a payment default. Unfortunately, contract language alone may not force another party to act, absent the will to enforce such language through time-consuming, costly, and aggravating litigation.

Another downside to granting vendors access to data comes from how the vendors may use the data. Vendors who commercialize aggregate physician data may sell such information (as discussed above, usually packaged with other physicians’ data) to third parties such as pharmaceutical companies, device manufacturers, etc. These companies, in turn, use this data to market their products to the very physicians who created the data. This can be an annoyance for physician practices who are already satisfied with their drug and/or device suppliers.

Lastly, depending on how the software license agreement is worded, physicians could give up all rights to commercialize their own de-identified, aggregated data. If, for example, the license agreement asserts that the vendor owns all such data, or that the physician grants the vendor an exclusive license to use such data, the physician could be prohibited from allowing any other party to use such data. While this might not be a serious concern for some physicians, it is still worth bearing in mind when reviewing a software license agreement.

Final thoughts

Ultimately, if a physician is considering adopting an EHR, he or she will have to make some sacrifices with respect to control of data. Even an older-style EHR that is installed on the physician’s computers may risk creating data that cannot easily be converted to another format if the physician decides to change EHRs. With the industry-wide drive towards EHR adoption and quality reporting and measurement, however, many physicians will find themselves more drawn (or in some cases, more pressured) to finally “go electronic” (if not necessarily truly paperless).

Physicians in the process of purchasing an EHR should find out how their data will be treated, including how it will be stored, how and whether it will be converted following termination for any reason, the EHR vendor’s history with returning or improperly retaining physician data, and how the EHR vendor will use aggregate data. When presented with a software license agreement, physicians should carefully review the agreement for language relating to data use and ownership. An attorney experienced in reviewing and negotiating EHR software licenses can help in these efforts.