Who actually has control of your EMR data? It might not be who you think it is…
It wasn’t that long ago that people discussed who owned the data stored in Electronic Medical Record systems in Canada. Even though there were laws defining this – they were not commonly understood (or perhaps possibly willfully misunderstood?). In 2006 I actually had a conversation with a vendor in Western Canada who stated quite clearly that they ‘owned’ the data and that they had every right to restrict the clinic’s access to it. This incorrect understanding of who owned the data led to a few vendors encrypting fields in a database or entire databases in order to restrict the clinic’s ability to access their data. Or using database licensing or contract clauses to ensure that the clinic had no right to interact with their EMR data without using the EMR. Now, there are a few very valid reasons for doing this, such as a desire to not allow a clinic to accidentally alter the live EMR data – which could cause problems with the use of the EMR. However, this could be accomplished without removing control from the physician/custodian.
Since 2006 the EMR world has changed quite a bit. No longer is there any doubt that the patient owns their data and that the doctor is the legally responsible custodian of that data. However, now the issue is about Control. Who actually has control of that data? It is not the patient, as they do not have access to it other than when they visit their physician. Yes, they can request a copy, etc. – but that is not real control. The physician while legally responsible for the data (custodian) does not, in many cases, have control of the data either. Especially those who are using an ASP style EMR (see our article on the Unintended Consequences of ASP EMRs). In many cases it is the EMR Vendor who has the control of the data. They host it on their ASP systems, they have encrypted fields or licensing contracts that prevent queries from being run by tools other than the EMR itself, and charge large fees to provide the clinic with a ‘copy’ of their ‘own’ data.
This has become a huge issue for some clinics in Canada as they try to better understand their data, provide better patient care, generate reports, and do research.
For full disclosure, TimeAcct is a company that specializes in accessing EMR data, data conversions and helping clinics move from one EMR to another. As such we have an interest in making sure that clinics have full access to their data. We also get to see how all parties (government, vendors and clinics) treat, deal with, and utilize the data in the EMR.
There is an old saying “Those who do not control their own data, will be controlled by those that do!” What this means is that if you do not have control over the data you use to run your business, you will be controlled by whomever has control over that data. In 2017 data is usually the most important business asset of any company. You do not see companies like the Royal Bank saying, you know we should give control of all of our financial data over to some hosting company – where we have to pay to access it and have to beg them to get access to it. No, they see their data as their most important asset and they take steps to not only safeguard it, but make sure they have full control over that very important asset.
In years gone by the vendors used to be able to charge physicians a lot more for their EMRs, as the government paid up to 70% of the monthly costs. However, as the various funding programs have ended, the vendors had no choice but to lower the monthly fees. This has resulted in many changes in the industry, including the vendors (and many others) realizing how valuable the data stored in the EMRs actually was. This value can take many forms and is potentially different depending on whether you are the clinic, a research company, ‘big pharma’, or the EMR vendors themselves. For the EMR vendors, with the drop in what they could charge for the ‘base’ EMR, they have had to look at other ways of generating revenue from their clinics – and many times this involves the clinic’s data. Now – I am not talking about the vendors secretly selling off patient data – there are none doing it, that I am aware of. What I am referring to is selling the clinics additional services based on their data. Things like selling portals, data extraction tools, backups, and specialized reporting, etc. In many cases the clinic has no choice but to take the services from the vendor – as the clinic does not control access to its own data!! And in many cases the vendor will charge very high fees for you to be able to get even something as simple as a database backup for you to then access an off-line copy of your data.
So, if you as a physician want to access and report on your data in specialized ways (most vendors provide the standard reports), or do research, etc. and you are using an EMR from a vendor that does not provide easy access to your own data – then you are in effect being controlled by the organization that controls your data.
Another interesting time when this lack of control over your own data may come into play is when you are leaving your current vendor for a new EMR company. Now, many of the contracts that the EMR vendors put forth may comment on that they will provide an extract of the data in your EMR when you leave. In the past you could be certain that in Western Canada they would provide the data in the POSP defined COPD/TOPD format – or in Ontario in the OntarioMD CDS format. However, recently some vendors have softened their support for those formats – as they allow the easy exchange of data and allow clinics to change vendors relatively easily. This is not in the interest of the vendor you are leaving. So – some vendors have taken it upon themselves to create their own data export formats (and thus basically abandon the government formats) – which means it makes it harder for a clinic to move to other vendors. What boggles my mind about this is none of the medical associations or government agencies are standing up to the vendors and protecting the physicians and their data. This begs the question as to why?
In my opinion, this move away from a standard data format is not being done because the vendor formats are so much better than the government formats (which admittedly have their own issues) – but because it creates an additional barrier to a clinic looking to move to a new vendor. The new vendor now must write an import program for that new format – thus increasing the costs of the data conversion – and the time it will take to move them to the new EMR. In fact we have recently seen one vendor in particular start to take extraordinary steps to restrict data movement from their EMR, like trying to force Non-Disclosure agreements on other organizations (and clinics) looking to use their data export format when doing a data conversion. This has nothing to do with protecting their data structures – after all it is an export format – not the database structure of their application. Once again – this is an issue of CONTROL over the EMR data – being exercised by a vendor – not the custodian of that data (the physician) who has all the legal liability regarding that data.
The only way to avoid this is to have special clauses in your EMR contract – allowing you access to all of your own data when you want it and when you are leaving a vendor. The only time a clinic has any ability to negotiate these clauses is when they are first agreeing to move to that vendor’s EMR. And if you do not have those types of clauses in your contract, you are at the mercy of the EMR vendor… and will be controlled by the entity that controls your data!