An information technology consultant to physician groups has a prescription for doctors confronted by IT system vendors wanting to own, control and sell their patients' data.
Physicians should take control of the contracting process themselves and put limits on how the data can be used to protect both the physician-patient bond of trust and the financial interests of the medical group, said Thomas Roovers, founder and chief executive officer of T.G. Roovers & Associates, Wausau, Wis.
"There are ways to do this to be above-board and honorable," he said. Roovers was a presenter of an educational session Sunday called Negotiating an EMR Agreement at the 24th annual Towards the Electronic Patient Record trade show in Fort Lauderdale, Fla.
Maintaining patient privacy while contracting with IT systems vendors has surfaced as an issue in recent months following a warning by noted physician informaticist Paul Tang about legally troublesome data rights clauses he'd seen in proposed vendor contracts.
Last summer, Tang, vice president and chief medical information officer of the Palo Alto (Calif.) Medical Foundation, a multispecialty group practice, said he'd seen some contracts in which electronic health-record vendors have placed stipulations that would obligate providers to violate privacy rules under the Health Insurance Portability and Accountability Act of 1996. Tang is the past chairman of the board of the American Medical Informatics Association and a member of the National Committee on Vital and Health Statistics and its subcommittee on privacy and confidentiality.
In March, a Silicon Valley genetics research organization, Perlegen Sciences, which has financial ties to the pharmaceutical industry, announced it had entered into a long-term deal with an unnamed EHR vendor that would give its researchers access to the medical records of 4 million patients.
Roovers said he has worked with almost all of the major EHR vendors representing physician groups in negotiations and seen the data use provisions in proposed vendor contracts like those described by Tang. It led him to draft his own contract counterproposal on secondary data use.
First, the IT vendor must tell the group what they are going to do with the data and receive the group's written permission for each separate data use by anyone outside the normal business of the practice of providing patient care. The agreement requires that vendors who want to use or sell patient data from the contracting group must de-identify it "so there is no way to identify the patient or provider."
Finally, if the vendor is going to make money selling the de-identified data, the group should "get a pro rata share of the revenue derived," Roovers said. "To me, it's the way to more honorably deal with the situation."
As Roovers sees it, the vendors have merely a custodial interest in the patient data of a practice to which they have sold an EHR, not an ownership interest in it. Patients own their own data, and the medical group with an EHR on which that data and the data of other patients is stored has an ownership interest in the data in aggregate as well as a say over who has access to it and who can derive use from it.
Roovers said, from his experience, size matters in terms of the ability of a group to effectively press its case with IT vendors over control of patient data.
"It is with a small client that the vendor can take a different attitude, but if the client is large enough, I don't know if there are any vendors out there that won't go along with that leverage," Roovers said.
He agrees with Tang in that, based on his experience, many vendors try to push data control and data-selling provisions into their IT contracts.
"I think it's widespread and I think it's going to be more widespread," Roovers said. "Paid claims data used to be considered to have value on a large, aggregated basis. When you get to true claims data, what's the value of that? It's got to be many times, 10 times more."
Roovers said, so far, he's had one major, well-known IT vendor balk at the privacy language and two others (also large and well-known) that were initially reluctant to agree to his terms. In the end though, Roovers said, the two reluctant major vendors acquiesced. He said he thought the companies concluded that the value of the software business with the large group practices he represented carried more weight than the data business.
The bottom line is not money but ethics, Roovers said.
"I think the provider group has an obligation to protect that data," he added. "The patient has placed their trust in you, the provider. That's a pretty big trust."
Editor's note: Readers who know of IT vendor contracts containing data-ownership provisions such as those described by in this story are encouraged to contact Joseph Conn.
What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.