Who Owns The Data In Your EHR?
We’ve probably all done it. Signed a contract or checked an “I agree to the terms and conditions” box on a web site without a thorough reading of the terms. I’ll readily admit that I’ve done it dozens of times. There are certain instances, however, when it’s imperative that we read through such agreements. Signing up for an EMR/EHR/Practice Management System is one of those times. There are several reasons for this, including (but definitely not limited to) noting the responsibilities of each party, whether the vendor includes a Business Associate Agreement, and what happens to the data if the relationship is terminated.
Another “must examine” topic in this context is the ownership and use of the data. As healthcare providers, we have ethical and legal obligations to protect our clients’ confidentiality as well as inform them of how their Protected Health Information (PHI) is used, stored, and secured. To do this, we must first gather that information ourselves.
Two things you’ll want to look for are:
- A clear statement about ownership of the data
- Clear statements about how the data can be used, both by you and the vendor
In the terms and conditions for most of these systems, you will find it clearly stated that the clinician/user is the owner of the data. Some systems, however, also grant the vendor license to do things with the data you might not expect.
I originally discussed this topic in relation to Practice Fusion, a free EHR that has made it clear that they sell de-identified PHI placed in their system by the users. That article discusses the potential pitfalls of such a practice. It was in reviewing a new system on the market that this topic was brought to light again.
TherapyMate is a newcomer to the scene, having launched in December of 2013. At the time, they required that you input credit card information in order to gain access to a free trial period. That is concerning to me, but I was willing to proceed. That is, until I read through their agreement. Following are excerpts from their agreement as of the date of this article. Examples of the verbiage to be on the lookout for:
4.1.4 We may De-Identify Your Health Information and Your Information, and use and disclose De-Identified Information as provided by Section 5 and Section 7.2.
4.1.5 We may create limited data sets from Your Health Information, and disclose them for any purpose for which you may disclose a limited data set; and you hereby authorize us to enter into data use agreements on your behalf for the use of limited data sets, in accordance with applicable law and regulation.
5. Providing Physician Data to Payers
Without limiting the provisions of Section 7.2, you agree that we may provide De-Identified Health Information and other information (including Your Personal Information and information concerning your practice) to any medical group, independent practice association of physicians, health plan or other organization with which you have a contract to provide medical services, or to whose members or enrollees you provide medical services. Such information may identify you, but will not identify any individual to whom you provide services. Such information may include aggregated data concerning your patients, diagnoses, procedures, orders and the like.
7.2 De-Identified Information.
In consideration of our provision of the Services, you hereby transfer and assign to us all right, title and interest in and to all De-Identified Information that we make from Your Health Information or Your Personal Information pursuant to Section 4.1.5. You agree that we may use, disclose, market, license and sell such De-Identified Information for any purpose without restriction, and that you have no interest in such information, or in the proceeds of any sale, license, or other commercialization thereof. You acknowledge that the rights conferred by this Section are the principal consideration for the provision of the Services, without which we would not enter into this Agreement.
In short, users grant TherapyMate the right to de-identify the PHI they enter into the system and grant them:
- Complete ownership of the de-identified data
- Permission to provide that information (including your personal practice information) to anyone you have a contract with to provide services (i.e. insurance companies)
- Full license to use that data however they wish, “without restriction”, including selling it to third parties.
So, in addition to the monthly fee you pay TherapyMate, they would also be able to de-identify the PHI of your clients and make money off of it by selling it to whomever they choose. And, no, you don’t get any part of that compensation.
It’s important to note that all of this is legal. HIPAA/HITECH, for all of its emphasis on privacy and security, allows for the practice of selling de-identified data. The concerns, covered in my previous article, are whether data can ever truly be fully de-identified and whether we think such a practice is ethically sound to begin with. If you decide you’re ok with such a practice and use such a system, be sure to make your clients aware of how their data might be used. In my opinion, to cover yourself, this should be covered in both your HIPAA Privacy Notice and your Informed Consent documentation. I encourage you to consult your attorney and peers regarding your specific situation.
UPDATE 7/8/2014 I brought my concerns to the attention of the owner of TherapyMate who stated that they weren’t “planning to use, disclose, market, license, or sell de-identified information”, that they’d remove this from their terms, and possibly re-visit it later. This brings up the question of why this was in the terms if there was no plan, but it is good to know that the company was responsive to concerns. I encourage those evaluating TherapyMate (and any other application) to thoroughly review the terms and conditions.
About the Author
Rob has been covering technology and business news for mental health professionals since 2011. His extensive experience in IT, business, and private practice allows him to synthesize information in a friendly, digestible manner. He also enjoys time with his family, ultimate frisbee, and board gaming.