Who Owns Patient Data?

Who Owns Patient Data?

  • Category All Articles
  • Date Published Nov 13, 2019
  • Written by Fred M Behlen, PhD
  • Share This Article

And Why Does it Matter?

Who owns patient data?

The answer you get depends on whom you ask, and even on the context in which you ask it.

The reason is that “ownership” is not an elemental right, but a bundle of rights. This is illustrated in the legal field of financial trusts, which separate (and usually assign to different parties) the aspects of ownership: Control, Income, initial value, increase in value over some time period, sale, pledges as collateral, disposal and other rights. One can easily go down a rabbit hole here, and if you are so inclined, you can start here: https://en.wikipedia.org/wiki/Ownership

The point here is that the specific rights of ownership may depend on the type of property. And, the rights may be constrained by contract or by public policy.

Historically, patient records were regarded as business records, owned by the provider. But over the decades, patient records have become subject to more and more constraints of public policy. If you are the provider, you have requirements to keep records, retain them, with certain responsibilities and constraints, subject to the rights of others. Recordkeeping and maintenance requirements vary by jurisdiction, and may be defined by statute, regulation, or standards of practice (violation of which may expose the provider to tort liability).

By these measures, we can say that patient’s rights to their own records do not constitute literal ownership.

Patients have rights to:

  • Get a copy of their records (but most states allow providers to curtail or redact psychiatric records if in the opinion of the provider, disclosure to the patient could endanger the patient or others).
  • Offer amendments to the provider’s records where they believe they see errors, but not necessarily change what is there. However, the right to edit the record remains with the provider. (Incidentally, I was told by one patient records administrator that most of the patient-requested changes are ones of lay opinion, like “Well, I like my liquor, but I wouldn’t say I’m an alcoholic.”)
  • Once they have a copy, they are pretty much free to disclose it to others or use it as they wish.

Returning to the Title Question: Given the rights and responsibilities in current practice and public policy, the closest to an “owner” of patient records remains the provider, once one understands that owning patient records data is not like owning a toaster or a dog.

The general concept of ownership is that the owner of any property will also own the economic benefits of that property. One benefit of high interest today is the use of data to train machine learning applications. Providers have fairly broad discretion to use patient data for the improvement of the provider’s operations (“analytics”), but creation of generalizable knowledge (“research”) is highly constrained by public policy on human subjects. In my next post, I will go into research policy in some detail.

So what does LAITEK mean when we say “Own Your Data”?

As a healthcare provider organization, while you have to respect the rights of other stakeholders, the primary responsibilities of patient records are yours. You have to maintain it, retain it, protect it and make it available for use in patient care, even in disasters natural and man-made.

Human use of any electronic data requires software tools. You need an app. The app provides useful services from and for the data. To read a Web page, you need a browser. To read or modify a .docx file, you need a word processor supporting the Microsoft file format. To read a medical image, you need a PACS or similar viewer. The more specialized the app, the more dependent your operations become on the app vendor. You protect yourself with contractual support from the vendor.

But over the years, things change, people change, vendors change, and contracts have limits to what they can achieve. You will eventually need to change vendors, and to do that you will need a way to get your patient data to new application software. This is the messy field of data migration in which LAITEK toils. You need a way to get the data out, and into a form usable to other vendors, and imported into the new system.

This is what standards are for. Standards define the data at the interface between systems, and those systems that are internally based on standards have the least semantic gap to be bridged in system conversions. Communication standards like DICOM and HL7 handle data transfers over the wire for daily practice, but for bulk transfers of data spanning many years, media transfer of files is the most robust method. DICOM Media File-Sets and HL7 CDA are also defined in these standards, and greater use of media standards will facilitate system transitions and minimize dependence on any particular vendor.

You need control of your data and you need options to change the tools you use with your data. Vendor transitions should be “connecting a new system to your data”, rather than “sending your data to a new system”. Then you will truly Own Your Data.


Fred Behlen, PhD is the President and Found of Laitek, a former faculty member of the University of Chicago, and past co-chair (1999-2010) of the DICOM-HL7 joint working groups (DICOM Working Group 20 / HL7 Imaging Integration SIG). He is also past co-chair of the HL7 Structured Documents Technical Committee and a Co-Editor of the HL7 Clinical Document Architecture Release 2 (CDA).