When patients visit a physician or hospital, they know that anyone involved in providing their health care can lawfully see their medical records. But unknown to patients, an increasing number of outside vendors that manage electronic health records also have access to that data, and are reselling the information as a commodity.
In some case, the vendor contract specifies that the vendor has exclusive access to the health records in its database, according to Dr. Paul Tang, vice president and chief medical information officer of the Palo Alto Medical Foundation, and member of a federal privacy advisory panel.
Tang told ModernHealthCare in 2007 that he’d seen such contracts from large and small vendors. “Some [vendors] say they have ownership to data. There are contracts that say they will have real-time access to the database, that they will have exclusive access to the data, that they can resell the data. I think it would be unlawful that covered entities abide by that.”
According to Sweeney, 87 percent of the U.S. population can be uniquely identified simply from their birthdate, gender and zip code.
Patient advocate groups have called for greater oversight and regulation of the electronic health-record industry to control what software vendors can access and what they can do with the data.