Published 4/1/2010
Jonathan L. Schaffer, MD, MBA; Jackie Ryan, MPA

Who owns the data?

Electronic medical records are protected health information

One of the most important aspects of an electronic medical record (EMR) is the data it houses. The physical location of that data becomes an important issue for consideration when orthopaedic surgeons contract with a vendor for an EMR system.

Physicians have two basic options when choosing an EMR system, and each offers a different data storage model. But regardless of the model selected, medical groups are asking—and being asked—“Who owns the data?” Over the last several years, the question of data ownership has become a critical component of contract negotiations.

Data storage models for EMR systems may be either computer-based (a value-added reseller, or VAR model) or Internet-based (an application service provider, or ASP model).

In the VAR model, or locally hosted system, the computer hardware and software are physically housed at the practice and patient information is stored in a server at this location.

Under the ASP model, commonly referred to as “cloud computing,” the practice connects to a remote system via the Internet. The computer hardware and software and your patient data are in an off-site server that is out of the physical control of the practice (Figure 1). The practice does not “possess” the data but “outsources” their computer technology services and storage devices.

When buying an EMR system, which is better—VAR or ASP? Unfortunately, there is no one “best” EMR system. Each approach has pros and cons. You have to look at your own practice situation and budget.

Recently, the ASP model has gained momentum in the marketplace, in part due to vendor promises of lower cost of ownership, greater flexibility, and easier implementation and maintenance. But to protect your practice’s long-term interests, the following “must haves” need to be included in the service agreement for an ASP EMR system.

Ownership of the patient data
Your patient data are valuable—to your practice and potentially to vendors. According to Rick Hindmand, JD, from the Chicago-based law firm McDonald Hopkins, “It is generally in the interest of a physician group to include a clear statement in the ASP agreement recognizing that the EMR data are owned by the covered entity or, in the case of an organized healthcare arrangement (eg, hospital and several practices across medical specialties), explaining the ownership structure and rights of the physician group and others to access the data relating to the physician practice’s services.”

Patient data are considered protected health information owned by the physician practice. Mr. Hindmand suggests, however, that “ownership of the data may vary depending on the underlying circumstances and relationships, as well as state law. For example, if the EMR within the ASP system integrates information from the physician practice, the hospital, and other physicians on the hospital’s medical staff through an organized healthcare arrangement, the physician practice may have the right to access the EMR but not necessarily ownership of the information.”

An additional issue is to require that your data be physically separated from the data of other ASP users, on separate drives or computers, and that appropriate firewalls be established to prevent other users from accessing your data. Data stewardship and governance are important issues.

Ownership of your personal templates
If you spend time and resources developing templates for clinical notes, your EMR systems agreement should state that any template you create is your property. A vendor should never own the copyright to your custom templates; they are your intellectual property.

Contractual rights for thevendor to use the data
Never accept a clause that gives the vendor the right to use your data for “research” purposes. Not only is “research” a vague term, it may be subject to Institutional Review Board issues.

Any agreement for vendor use of the data should specifically state how the data will be used and give you the right to review, audit, and approve their use of the data. The agreement must preclude the vendor from realizing any financial gain from the use of the data.

Software or source code escrow
If the vendor sells the company or declares bankruptcy, your patient data may be inaccessible to you. You have the right to request that the vendor put the software and documentation in escrow in case the vendor is not there in the future.

The agreement should also include any fees for converting data so they are accessible for review and use on another EMR system. Also include a clause that allows you to transfer the license to the new practice entity if you sell your practice.

Access to data schema
The data schema is the road map to presenting data on screen and navigating the program. Patient data must be in a format that can be readily converted to a usable form during the agreement or if the agreement terminates for any reason. Ask that the database schema, including all associated documentation, be included as an exhibit to the agreement.

Contract termination
How you disengage from an ASP vendor is a critical question. The vendor agreement should ensure that the practice can retrieve its data upon the termination of services. Because the data do not reside at the practice, the agreement should include the processes and costs involved in retrieving any patient information. The following tips can help:

  • Obtain assurances that your practice will be able to promptly access its information at all times both during and after the term of the ASP agreement.
  • Make sure the vendor agrees to help you transition to another system, if you decide to do so. For example, the agreement should state whether the vendor will convert data into a readable format that can be used with another EMR system, translate the data into the language used by the next EMR system you choose, or sell you the application or “reader” software. You do not want to end up with unreadable data or have to re-enter data into a new system.
  • If the vendor charges a separation fee, the terms of the separation service and the fees must be specified in the agreement.

Practice EMR governance
Designate a physician leader (a larger practice may also have a small support committee) to monitor EMR issues such as implementation, maintenance, compliance, and performance metrics, including up-time reports and confirmation of events such as back-ups.

Selecting an EMR system is no small matter to your practice, and negotiating an EMR agreement may happen only once every 5–7 years. On the other hand, EMR vendors negotiate dozens of agreements every year, giving them an advantage in negotiations.

Make sure you consult with an attorney who has software contract experience. The attorney can review the contract and help identify and reword clauses to protect your interests and those of your patients. Although there is no fail-safe way to negotiate a vendor agreement, having an experienced software attorney review the details of the agreement gives you a good start on the road to a successful relationship.

Jonathan L. Schaffer, MD, MBA, is a member of the AAOS Board of Directors’ Project Team on Electronic Medical Records. He can be reached at schaffj@ccf.org

Jackie Ryan, MPA, a program coordinator in the AAOS practice management group, can be reached at ryan@aaos.org