Who owns patient data in an electronic health record? The traditional concept of ownership is unraveling as patient data migrates from paper charts to the cloud.
Who owns patient data in an electronic health record (EHR)? It’s a simple question with a complex answer. No longer confined to the shelves of a physician’s office, patient data is now shared and used by a myriad of organizations across healthcare: Other physicians and health systems, the EHR vendor, payers, and researchers, not to mention patients themselves. While primary care physicians often originate the medical record, the resulting data are not theirs alone.
The implication? The traditional concept of ownership is unraveling as patient data migrates away from paper charts and takes up residence in the cloud. Experts now counsel physicians against the concept of data ownership entirely. Instead, they encourage physicians to consider themselves “stewards” of the data within their possession and administrative control.
This grey area has serious consequences for physicians, particularly concerning their relationship with their EHR vendors, the third party who has most access-and control-over patient data. Too often, physicians give vendors the upper hand on data rights by not addressing them when drawing up the contract, says Adam Greene, JD, a partner with the law firm Davis Wright Tremaine and an expert on healthcare technology and privacy. “To be perfectly blunt, more often than not these details are not addressed up front,” Greene says. “You have pretty generic language, and oftentimes that can come back to haunt the physician.
Questions of data rights should be “top of mind when they’re contracting,” Greene adds. “And if they feel like the contract with the EHR vendor does not provide enough details on this front, they should ask the questions, and if they feel like they need to get the answers in writing, they should push for that.”
It can prevent trouble down the road. Full Circle Health Care, a physician’s practice in Presque Isle, Maine, had its access to data for 4,000 patients blocked by its EHR vendor after a dispute over billing practices, according to a report in the Boston Globe.
“I’m incredulous they think it is OK to hold us hostage like that,” E. Victoria Grover, the practice owner, told the newspaper.
Medical practices shouldn’t let a vendor hold them hostage over data rights. The key: protect your practice with a contract that clearly spells outs how and when an EHR vendor can use patient data.
Next: Leveraging your position
One point is clear: EHR vendors do not have outright ownership of patient data, even if it lives within their system.
Under the Health Insurance Portability and Accountability Act (HIPAA), business associates, including EHR vendors, must return or destroy patient health information upon termination of the agreement, Greene says.
“That really kind of undercuts any claim that they have ownership,” Greene says. “While HIPAA doesn’t use the word ownership in any place, it undermines any argument that the vendor owns the data.”
The agreement with the vendor, then, must be about more than wrangling an affordable price, says Deven McGraw, JD, a healthcare attorney with the firm Manatt, Phelps & Phillips.
In practice, the EHR vendor may be the more powerful party, particularly in negotiations with small practices, McGraw says. Not reading or understanding contract terms can lead physicians to sign away “pretty significant rights to that data” to the vendor. During negotiations, physicians should clearly spell out EHR data rights in the business associates agreement and contract with the vendor. But many don’t take advantage of this opportunity for leverage.
The consequences of overlooking data rights can be severe for physicians, McGraw says. The EHR vendor gains the upper hand and increases the likelihood that physicians won’t have the contract language needed to control the relationship as a customer. Furthermore, it can limit their ability to migrate the data easily and inexpensively to a new EHR vendor in the event of a future decision to part ways.
It’s never too late to revisit the contract in an attempt to address these issues, even if the contract has already been signed, and a practice realizes it didn’t pay enough attention to data rights, Greene says. But success “frequently comes down to a matter of leverage.” Unfortunately, the only option a physician would have is to say they don’t like the terms and to go elsewhere. Physicians have limited leverage to negotiate these contracts with big EHR vendors, even at the beginning, but “there’s nothing barring a physician from trying to do so.”
Every physician negotiating a contract with a vendor should have the right to unfettered data access for patient care and follow-up, quality improvement, patient management, reporting and overall population health, says Mary Griskewicz, MS, FHIMSS, senior director of healthcare information systems for the Healthcare Information and Management Systems Society.
That’s not to say EHR vendors have no claim to the use of data residing in their products. The terms of the associate agreement and the purchase contract can grant vendors an array of permitted uses that are within HIPAA parameters, McGraw says. “I’ve seen arrangements as basic as, ‘We’ll store your records and provide you with access to a much more advanced set of services,’ where they’re doing quality reporting for the physician, they’re creating limited data sets out of the data and making them available for research purposes.”
To sweeten the deal, a vendor may reduce the price of services such as record management “in exchange for the ability to mine data out of the record,” McGraw says. HIPAA limits don’t apply to data that are de-identified, e.g. stripped of elements that could trace the identity of patients. “So that business associate agreement may say: ‘You give us permission to de-identify the data.’ That’s all that is needed.”
The business associates agreement, Greene says, should bind the vendor to use or disclose data only in the same manner as the healthcare provider can under HIPAA, in addition to these two provisions:
Next: Making the switch
While haggling over the initial contract, make sure terms are in place to protect your practice if you decide to terminate the relationship and switch to a different EHR vendor.
Physician dissatisfaction with EHRs is at an all-time high, and many physicians are looking to change systems. Yet questions about migrating data hang over these transactions, often making physicians leery about jumping ship even when it’s the best decision for their practice.
“A pretty significant number of practices either had to dump their own EHR or are planning on doing it,” says Robert Tennant, senior policy adviser at the Medical Group Management Association (MGMA). “So the question becomes, boy, what do you do then? Yes, they own the record, but it’s not in a format that easily translates over to the new one.”
Making matters worse, the situation calls for the loser of a customer to cooperate with the winner. “There’s not much incentive for EHR vendors to make it easy for their customers to take their business elsewhere,” Greene says.
That possible scenario heightens the need to review the contract at the signing, says Pritts. One part of thinking through the agreement is “to identify these issues about what happens if they want to leave a specific vendor; and that should be, as a practical matter, in the contract.” If that day arrives, the responsibilities are already spelled out.
It may not seem like the best environment to bring up the breakup, but think of it like a prenuptial agreement for this business relationship. Remember that it’s much more difficult to accomplish once the ink is dry and, years later, the contract drives the separation, Griskewicz says.
Consider, though, that a vendor may reserve continuous rights to a departing provider’s data, McGraw says. The return-or-destroy requirement applies only to patient health information, and “it doesn’t necessarily cut off the business associate from being able to continue to use the de-identified data that they may have created from the identifiable data when they had it,” she explains.
Beyond data ownership questions, switching vendors requires a challenging feat: migrating data that’s formatted and optimized for one proprietary system into a new system. “A particular vendor has designed software, and the data are created in that software, for that software, not created in a manner that can be used by other vendors’ software,” Greene says.
Next: Surviving the switch
If your practice is contemplating an EHR switch, remember that it will be expensive, disruptive and riddled with technical issues related to data conversion. Yet it could still be the best decision your practice ever makes.
Five years ago, a 10-provider practice based in Independence, Missouri became an early case of converting its data to another EHR, at a cost of $65,000 above the purchase price of software and implementation, says Bryan Wood, practice administrator of Cockerell & McIntosh Pediatrics. Starting over without the data from the old system was never considered.
“So we just did it and we just planned on that extra cost,” Wood says.
The practice received its raw data, written on “one compact disc, it didn’t include much technical detail, or clues as to what the elements represent.” With a background in IT, Wood had to use a computer tool to extract the data into a more beneficial form. Then he worked closely with database experts from the new vendor to convert, test and refine the data’ a process that took four months.
Wood says his experience with the new vendor’s database technicians was positive, but not without hitches. For example, errors sprouted up because the new system was looking for data elements that the old EHR did not collect, such as additional immunization details. “They did as good a job as they could with the data we received, but there were issues that we couldn’t solve,” he says.
There is no recourse for the manner in which data transfer takes place if the original contract did not cover it, Griskewicz says. “Vendors actually make money off providing that as a service of the exit strategy,” she says. “They can say that if it’s not in the contract, ‘Well, we can do this for X amount of dollars.’” The price “depends on the vendor, there’s no standard fee. It depends on the volume of the data that you’re trying to migrate.”
It may also depend on the new vendor, she adds. “You bring them in, have them look at the file formats, the data--how it was stored. Can they take that information and help you with the migration? Because they’re going to be much more motivated to help you down that road.”
Jernigan Surgery Clinic, a small practice in Union City, Tennessee, went live with a new EHR in April. “They do everything they say; it pulls everything exactly how you have it,” says Samantha Jernigan, practice administrator.
A vendor database specialist went through the previous EHR’s data step by step with her, asking whether a certain data set should be pulled in or not. That allowed the practice to cull some information fields with little use, such as a second phone number or the third line of an address, which was rarely needed in the town of 11,000. Her master’s degree in IT helped.
In the search for a replacement vendor, “other vendors would tell me, ‘If anyone’s offering you data migration for free, it’s a trick. No one can do that for free.’ And that’s not true, they can. And you keep waiting for the, ‘Okay, yeah, we can do that, but it’s an extra charge.’ No, it’s really free.”
And that could be the competitive spark for a reasonable solution to what happens to data in EHR vendors that go out of business. “I can’t imagine there would be a system out there that you just couldn’t convert into a format that you needed,” says Jernigan. “They might say, ‘Oh, we can’t do that, it’s not in the right format.’ Well let’s figure out how we can.”
Practice and technical progress are lowering the conversion bar even for small practices, says Justin Barnes, formerly a healthcare IT executive and now a consultant. “Due to unified standards, innovative tools and the need for consolidated data and quality reporting, these migrations have become much less cumbersome than in the past.”