Getting Information Rights Right: Identifying the Rights-related Issues in Health Information Exchange

by Adele A. Waller, JD

To protect the information rights of both individuals and organizations, RHIOs must identify and address the issues from the outset.

The exchange of health information among disparate organizations raises significant issues concerning the rights and responsibilities of all participants with respect to the information being exchanged. For health information exchange initiatives, or regional health information organizations (RHIOs), to get information rights right, they must identify and address the issues in policies and contracts from the outset. This will help ensure that data exchange takes place within the bounds of the law and that the rights of individuals and participating organizations in the information provided to or through the RHIO are protected.

The Legal Framework for Information Rights

Several bodies of law provide the primary legal framework for determining rights in the information stored in or transmitted through a RHIO.

One very important body of law determining rights in health information is comprised of HIPAA and other state and federal privacy laws. Some state statutes and regulations contain provisions specifying ownership and other rights in medical records or medical information. State and federal laws governing intellectual property rights also bear on data rights in health information exchange. Privacy considerations applicable to RHIO participation agreements are addressed primarily in the discussion of rights in protected health information (PHI) below.

A plethora of state statutes, regulations, and cases govern the ownership of health information and the information contained in medical records. The classic statement of the rule concerning ownership of medical records is that the provider owns the medical records maintained by the provider, subject to the patient's rights in the information contained in the record.1 This rule was developed in the era of paper records, when rights in the physical medical record and rights in the information contained in the record were more easily separated than they are today in the information age.

It is important to understand the laws of each state covered by a RHIO concerning the ownership of medical records and the information contained in the records so that the appropriate parties can grant licenses in patient data to other providers participating in a RHIO. For example, under Florida law, a health practitioner creating patient records is the owner of the records, unless the practitioner is employed by a group practice or staff-model health maintenance organization and the practitioner's employment agreement designates the employer as the owner of the records.2

State laws generally grant patients rights to their information but do not provide that the patient owns the information.3 There are, however, exceptions. A New Hampshire statute states that medical records shall be deemed the property of the patient and that the patient is entitled to copy his or her medical record for a reasonable cost.4

At the federal level, the HIPAA privacy and security rules protect patient privacy rights.5 The HIPAA privacy rule also grants individuals several specific rights to their PHI, including the right to inspect and copy their information, the right to request an amendment of their information, the right to request restrictions on use and disclosure of their information, and a right to an accounting of disclosures of their information made for purposes other than treatment, payment, and healthcare operations.6

Intellectual property laws also have important implications for data rights in health information exchange. Copyright and trade secret laws are especially important in determining the data rights of the RHIO, participating provider organizations, and vendors providing software or services to the RHIO.

The federal Copyright Act of 1976 protects "original works of authorship fixed in any tangible medium of expression."7 Such original works of authorship can include databases and compilations of health information. Copyright law protects only the form of expression of a database and does not extend to the data in the database or compilation or to any idea apart from a particular expression of the idea.

State trade secret laws, on the other hand, may offer protection for information rather than the expression of the information. Definitions of the term "trade secret" vary among states, but to qualify as a trade secret, generally information must be kept confidential by an enterprise and must give the enterprise a competitive advantage over others who do not have the information.8

Rights and RHIO Structure

The structure a RHIO chooses affects the measures it will need to protect information rights appropriately. Models in which data are held collectively raise greater challenges.

There are two key distinctions among possible structures that affect the measures necessary. The first is between a structure in which each participant holds its own data (with the RHIO locating a patient's data and making them available to authorized users) and one in which participants' data are held by the RHIO itself. In the former structure, ownership issues are much simpler, since each participant retains its own information.

The second distinction is one between a structure in which the RHIO holds participants' data in separate silos within a data warehouse (pulling patient data from applicable silos when particular patient information is requested) and one in which participants' data are combined in a centralized repository to create a community health record.1 Issues related to ownership and other rights in information are more complex for RHIOs following the community health record model.

A closely related question is who will serve as the RHIO. A RHIO may not be a separate entity at all. It may simply be a web of contractual arrangements among the participants. The RHIO may be an entity specifically created to serve as a RHIO, or one of the participants, such as a hospital, may serve as a RHIO. When the RHIO is a legal entity, it will generally be a business associate of the participants and will need to enter into a business associate agreement with them. The business associate agreement can be incorporated into the participation agreement.

Special Issues for Centralized Repositories

When information provided by multiple participants in a RHIO is comingled in a central repository, additional important issues concerning information rights arise. It is important that these issues be addressed in participation agreements.

Ownership of Information. It is advisable for the participation agreement to state that, as among the parties, each party shall be deemed to own the data it originates. In some instances, it may be advisable to tag certain data, such as laboratory results, to multiple "owners" to mirror what would be included in the medical records maintained by participating providers in a paper record environment. The perpetual nature of the license given other participants in the RHIO is important in the event that a participant relied on data provided by other participants to provide care to a patient who suffers a medical misadventure and later sues the participant providing the care for malpractice.

Disclosure Compelled by Legal Process. The participation agreement should also specify the procedures to be followed when the RHIO or a RHIO participant receives a subpoena, court order, or other demand for a compulsory disclosure of data originating with another participant. For example, consideration should be given to include in the participation agreement a provision that a party receiving a demand for compulsory disclosure of data originating elsewhere must promptly notify the party originating the data of the demand and must cooperate with the originating party in contesting disclosure if requested to do so.


  1. American Health Lawyers Association. "The Quest for Interoperable Electronic Health Records: A Guide to Legal Issues in Establishing Health Information Networks." Member briefing. July 2005.

Participation Agreements

It is important for RHIO members to enter into participation agreements that address data rights and responsibilities both among participants and between the RHIO and each participant. These agreements should specify the rights and duties of each participant with respect to the data it originates. Participation agreements should also contain provisions to protect the rights of individuals in their health information and make certain that the exchange of health information complies with HIPAA and state health information privacy laws.9

Prior to the drafting of the participation agreement, all potential types of health data exchange should be identified so that participants' respective rights and duties can be appropriately addressed in the agreement. It is important to consider the types of participants who will be involved in the exchange of health information and the types of individual users who will be authorized by participants to initiate health information exchange. The role of the RHIO or other organization and any vendors that may be involved in the exchange is another important consideration for the participation agreement.

To avoid a participation agreement that is unduly long and complex, it may be advisable to include the more general provisions in the participation agreement and leave more detailed provisions for the RHIO's policies and procedures. If this approach is adopted, the participation agreement should require each participant to comply with the RHIO's policies and procedures as in effect from time to time, unless such compliance would violate applicable law.

Grant of Rights to RHIO and Participants

Rights to use the RHIO and the information available through the RHIO should be granted to participants and their authorized users in the form of a license. A license does not confer ownership. It is simply a right to use. A participant providing PHI should grant a limited license to the RHIO to use the data provided by the participant and to sublicense the data to participants in the RHIO, all in accordance with the participation agreement and the RHIO's policies and procedures. Key limitations on the license granted to the RHIO and each participant in data provided by other participants are discussed below.

To address the problems that could arise when one provider relies on data originating with another provider to provide care to a patient who suffers a therapeutic misadventure, it is also wise for the participation agreement to grant the RHIO a perpetual license to access or maintain the data made available or provided to the RHIO by participants. This license should be subject to the RHIO's continuing obligation to comply with its privacy and security obligations.10

Protected Health Information

It is crucial that the participation agreement limit the rights of each party to PHI not provided by the party. Such provisions enable HIPAA compliance by covered entities providing data through the RHIO and provide important protections to the rights of individuals whose PHI is exchanged via the RHIO.

Access. The participation agreement should provide that only authorized RHIO users will be permitted to request or access PHI through the RHIO. The agreement should further provide that a participant and its authorized users shall not access or request PHI except in full compliance with all applicable federal, state, and local laws and regulations and with the policies and procedures of the RHIO. Because the HIPAA provisions applicable to the participant disclosing PHI are somewhat more restrictive than those applicable to the participant receiving PHI, the participation agreement should also provide that the participant requesting or accessing PHI from another participant through the RHIO will not do so for any purpose for which the disclosing participant would not be permitted to disclose PHI under applicable law.

In addition, the participation agreement should provide that applicable law requires certain documentation exist or that other conditions be met prior to using or disclosing health information for a particular purpose. Further, the requesting participant shall be responsible for obtaining the required documentation or otherwise meeting the requisite conditions and shall provide evidence of such upon the request of the disclosing participant.11 RHIO policies and procedures that spell out permissible and impermissible types of access to other participants' PHI in some detail may be helpful to participants and their authorized users.

Use. Participants should agree to use PHI accessed through the RHIO in a manner that is consistent with all applicable federal, state, and local laws and regulations and with the policies and procedures of the RHIO. The participation agreement should also provide that the participants will not use PHI obtained through the RHIO for any discriminatory or otherwise unlawful purpose and should specifically prohibit use for marketing or related purposes.

Disclosure. The participation agreement should require that participants not redisclose PHI accessed through the RHIO except for the purposes for which the information was accessed, as required by applicable law, or as otherwise expressly permitted by the participation agreement.

Individual Rights. The participation agreement should include provisions obligating parties to the agreement to comply with RHIO policies and procedures or to take other steps specified in the agreement to enable RHIO participants providing PHI through the network to comply with their HIPAA obligations regarding the right of individuals to access and copy their PHI, to request amendment of their information, to receive an accounting of disclosures, and to request that additional restrictions be placed on the use and disclosure of their PHI.

De-identified Health Information

When personal health information is de-identified in a manner that satisfies HIPAA standards, the law generally places few restrictions on the use of this information and generally terminates patient rights to the information.12 HIPAA and most statutes and regulations protecting the privacy of PHI apply only if the information is, or can be, linked to the identity of the patient.

This rule is implied by definitions of the medical information protected by many health information privacy statutes and rules. For example, the California Confidentiality of Medical Information Act defines protected "medical information" as "any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, or contractor regarding a patient's medical history, mental or physical condition, or treatment."13

If the identity of individuals cannot be determined from data, whether alone or combined or crossmatched with other data or databases, the general rule is that anyone who has acquired a legitimate right in the data can own them. In instances where information has been de-identified pursuant to the HIPAA standard for de-identification, contractual provisions, possession of data, or copyright laws will generally determine rights to the data.

Thus it is important that the participation agreement spell out the rights of participants and the RHIO to de-identified health information. Otherwise participants will not retain control of data that can reveal important things about them (e.g., a surgeon's track record relative to those of other surgeons on a hospital's medical staff). Such provisions are especially important for RHIOs structured with central repositories of patient data.

Participant and User Profiles and Comparative Studies

For a variety of reasons, practitioners and organizations participating in health information exchange may wish to have the right to aggregate and mine the data of one or more of the other participants for purposes such as physician or provider profiling, benchmarking, or obtaining competitive intelligence. The participation agreement should clearly state whether any such data aggregation and mining is permitted and, if so, under what circumstances, for what purposes, and subject to what restrictions on use and dissemination of the results.

Because of competitive and other concerns of participants, most RHIOs have participation agreements that prohibit such data aggregation and mining, subject to limited exceptions for public health authorities. Others often exempted include those who may have legal mandates or a compelling need to obtain population information, to produce profiles of some classes of RHIO participants, or otherwise to mine data available through the RHIO. A clause in the Model Contract for Information Exchange developed by Connecting for Health prohibits participants from aggregating data to compare the performance of other participants and authorized users, except with the express written consent of the RHIO and of each participant and authorized user being compared.14

Proprietary Information

The aggregation of health data into databases or other compilations of data may result in the creation of a database protected under copyright law. In order for copyright protection to attach to a database, therefore, the underlying facts and data must be selected and arranged in an original format.15

Once an original selection or arrangement of data has been created, however, the author or owner of the database obtains several valuable and exclusive ownership rights. These rights include the right to control the creation of copies of the database, the distribution of such copies, and the alteration or modification of the database into a new "derivative" work.16

Given the value of these potential ownership rights, it is of utmost importance that RHIOs specify in the participation agreement what databases may be created under the agreement and who will own the copyrights attached to any health information database created pursuant to the agreement. There should be appropriate agreements with vendors, consultants, and employees of the RHIO and participants so that rights in any databases or other copyrighted material created by a vendor, consultant, or employee are protected appropriately.

Creation and operation of the RHIO may require that participants disclose trade secrets or other proprietary information to the RHIO or vendors. Similarly, vendors and RHIOs may need to share proprietary information with each other. It is also possible that some proprietary information of participants may be disclosed to other participants as a result of the operation of the RHIO.

It is important that the participation agreement and agreements with vendors provide that a party receiving the confidential or proprietary information of another shall maintain that information in confidence and not disclose or use such information except as expressly permitted in the agreement. The remedies provisions in these agreements should be crafted so that an injured party can obtain appropriate legal and equitable relief for breaches of these provisions.

Agreements with Vendors

Health IT vendors often provide key technology and services necessary to the operation of RHIOs. These vendors often have an interest in owning or licensing data from the RHIO, which they may use for purposes such as product development, testing, marketing, and creating proprietary information products for distribution to third parties.

Contracts between the RHIO and vendors should address the RHIO participants' exclusive ownership of all data maintained by or transmitted through the RHIO and should place strict limits on the vendor's ability to use the data for other than provision of services to the RHIO and its participants. Assuming that many vendors will be business associates pursuant to the HIPAA privacy rule, the business associate agreement entered into by the vendor would typically contain these provisions.

Rights That Should Survive Termination of Agreements

To protect rights in information appropriately, some provisions should survive the termination of the participation and vendor agreements. These include provisions concerning ownership of information, licenses to data and confidentiality obligations (including applicable provisions of any business associate agreements), and provisions regarding indemnification and other remedies for breaches of such provisions.

Rights in information are an important consideration in the formation and operation of RHIOs. Advance planning, guidance from attorneys knowledgeable about health law and intellectual property law, and appropriately crafted agreements can protect rights in information and prevent unhappy surprises and unnecessary legal liability.


  1. See Roach, W.H., et al. Medical Records and the Law, 4th ed. Boston, MA: Jones and Bartlett, 2006.
  2. Fl. Stat. 456.057(1) (2006).
  3. Waller, Adele A., and Oscar L. Alcantara. "Ownership of Health Information in the Information Age." Journal of AHIMA 69, no. 3 (March 1998): 28–38.
  4. N.H. Rev. Stat. Ann. § 151:21 (2006).
  5. 45 C.F.R. Parts 160, 162 and 164 (2005).
  6. 45 C.F.R. §§ 164.522, 164.524, 164.526 and 164.528 (2005).
  7. 17 USC § 102(a) (2006).
  8. Rosati, Kristen, and Marilyn Lamar, editors. The Quest for Interoperable Electronic Health Records. Washington, D.C.: American Health Lawyers Association, 2005.
  9. See Connecting for Health Common Framework, "A Model Contract for Health Information Exchange," for an example of an agreement among a RHIO and participants and the topics customarily addressed therein. Available online at
  10. The Connecting for Health Common Framework "Model Contract for Health Information Exchange" calls for each participant providing data to the RHIO to grant a "perpetual, fully paid, worldwide, non-exclusive, royalty-free right and license" to the patient data provided by the participant.
  11. Connecting for Health. "Model Privacy Policies and Procedures for Health Information Exchange." The Common Framework. 2005. Available online at
  12. 45 C.F.R. § 164.512.
  13. Cal. Civil Code § 56.05(g) (2006).
  14. Connecting for Health. "Model Contract for Health Information Exchange."
  15. Feist Publications, Inc. v Rural Telephone Service Co., 499 US 340 (1991).
  16. 17 USC § 106.

Adele A. Waller practices healthcare and health information technology law in the Chicago office of Barnes & Thornburg LLP.

Article citation:
Waller, Adele A. "Getting Information Rights Right: Identifying the Rights-related Issues in Health Information Exchange." Journal of AHIMA 77, no. 10 (November-December 2006): 28-34.