Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and EHR for FREE!

Does Your EHR Sell Your EHR Data?

Posted on May 12, 2017 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I recently saw a tongue-in-cheek tweet from Howard Green, MD about how healthcare shares data:

There has always been a disconnect between providers and EHR vendors saying they can’t share data and then EHR vendors can easily sell and share EHR data to the healthcare industry. If you don’t think this happens at large scales in healthcare, then you need to look no further than IMS which last I checked was a multi billion dollar public company on the back of our health data.

The “sharing” or should we say selling of EHR data is big business and happening a lot more than we realize. I know the Patient Privacy Rights organization was trying to make a map of all the ways your health data was being shared. However, you can imagine that’s an almost impossible task to accomplish. I think most of us would be shocked to see how far and wide are health data is shared.

I wonder how many doctors know the answer to this question, “Does your EHR sell your EHR data?”

My guess is that most doctors assume that their EHR data is not being sold. For a number of EHR vendors, that’s probably true. However, my guess is that most doctors don’t know their EHR vendor’s policy on selling EHR data. If you don’t know, you should ask your EHR vendor and find out.

For those EHR vendors that are selling EHR data, you can be sure that they will happily reply that any EHR data they sell is de-identified. They’ll argue that it’s not a violation of HIPAA because it doesn’t have any PHI because they’ve de-identified the data and only sell the data in aggregate. No doubt there are many that would argue that there’s no perfect way to totally de-identify your EHR data and that when combined with other sources, they can often identify your patients.

This is big business and so it’s easy to see why an EHR vendor would give the go ahead to de-identify and sell the data stored in their EHR. Although, it is disappointing when they’re doing this and their users don’t know that’s the case.

If you’ve asked your vendor if they sell your EHR data, we’d love to hear what they say. How did they respond? Are you ok with your EHR selling your de-identified EHR data?

Privacy Group Seeks Rules For Healthcare Clouds

Posted on January 4, 2013 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

It’s time for HHS’ Office for Civil Rights to release “strong guidance” on cloud computing in healthcare, according to a letter sent by advocacy group Patient Privacy Rights. The letter, sent by PPR president Deborah Peel, argues that the transition to EMRs will be hampered if patients aren’t confident that their medical information is protected wherever it goes, including the cloud.

“More specific guidance in the health care ecosystem would help ensure that cloud providers, health care professionals and patients alike are aware of how the privacy and security rules apply to clouds,” Peel writes.

Peel suggests that HHS rely on lessons learned from the recently-settled Phoenix Cardiac Surgery case, in which a medical group was fined $100,000 for HIPAA violations including exposing clinical and surgical appointments on a publicly-available Internet calendar.

Specifically, Peel recommends the following standards be established:

Security Standards: Security standards must be implemented that are consistent and
compatible with standards required of federal agencies including the HIPAA Security
Rule and the HITECH breach notification requirements.

Privacy of Protected Health Information: Standards must be included that establish the
appropriate use, disclosure, and safeguarding of individually identifiable information,
which take into account stronger state and federal requirements, Constitutional rights to
health information privacy, and the fact that HIPAA is the “floor” for privacy protections
and was never intended to replace stronger ethical, or professional standards or “best

BAA Requirement and Standardization: Consistent with prior OCR guidance, any
software company given access to protected health information by a HIPAA-covered
entity to perform a service for the covered entity is a business associate. Thus, as OCR
representatives have publicly stated on several occasions, a Business Associate
Agreement (BAA) is required between a cloud computing provider and any customer
entity that uses or discloses protected health information or de-identified health
information. It is imperative that these BAA standards promote the protection of privacy
and security of health information to ensure public trust in health IT systems and promote
quality health care, health care innovation and health provider collaboration.

I was particularly interested to note her suggestion that software companies given access to ePHI sign Business Associate Agreements.  My guess is that some cloud providers would fail miserably if asked to uphold HIPAA standards, simply because they aren’t prepared.  If Peel’s recommendations were enacted, in other words, it could shake up the cloud services industry.  Maybe that’s a good thing, but it won’t be a pleasant one for some.