Who Really Owns Your Health Data? It’s Time to Reclaim Control.

The Trusted Exchange Framework and Common Agreement (TEFCA) has been heralded as a major step forward in healthcare interoperability, promising seamless data exchange between networks. While it tackles the technical barriers to data-sharing, it leaves a critical issue unresolved: who owns the data? In this article, we’ll explore why patient data ownership remains the missing piece in the healthcare puzzle, how we got here, and how disruptive solutions like Data Ownership as a Service (DOaaS) can finally put patients in control of their most valuable asset: their health information.

TL;DR

Why it matters: The Trusted Exchange Framework and Common Agreement (TEFCA) aims to improve interoperability, but it sidesteps a critical issue: patient data ownership. Despite progress in how data flows between healthcare entities, the question remains: why don’t patients own their data?

The problem: Patients generate the most valuable resource in healthcare, data, but they lack control, transparency, and the ability to benefit from it. Meanwhile, healthcare institutions, payors, and tech companies profit. TEFCA offers a framework for trust and security, but it doesn’t address the systemic imbalance of ownership.

The opportunity: It’s time to disrupt the system with Data Ownership as a Service (DOaaS): a model where patients control their health data, decide who accesses it, and even monetize it securely. Think of it as a “digital wallet” for healthcare data, powered by decentralized technologies like blockchain.

Call to action: The future of patient empowerment starts with data ownership. If we don’t push for systemic change now, TEFCA and similar initiatives risk reinforcing the status quo. Let’s put patients in the driver’s seat and redesign healthcare’s data economy.

Introduction: TEFCA is Here, But What About Data Ownership?

I’ve been eagerly awaiting TEFCA’s (Trusted Exchange Framework and Common Agreement) final rule. As someone deeply invested in patient data rights, this document feels like a step forward in interoperability. It addresses the “how” of data exchange between networks, laying down the groundwork for standardization, privacy, and trust between Qualified Health Information Networks (QHINs).

Yet, as I went through the 156 pages, one question keeps nagging me: where is the explicit acknowledgment that patients own their data? TEFCA offers valuable infrastructure for interoperability, but doesn't address the fundamental problem of ownership. Without tackling this, the system risks reinforcing the status quo where everyone but the patient controls their data.

In this article, I’ll connect the dots between TEFCA's provisions and the larger issue of data ownership. I'll argue why this matters and propose a disruptive solution: Data Ownership as a Service (DOaaS).

TEFCA’s Promises and Limitations

TEFCA’s core goal is to ensure seamless, network-to-network exchange of electronic health information (EHI). By establishing QHINs as intermediaries and creating trust policies, the framework aims to simplify data-sharing while ensuring security and privacy.

Additionally, the HTI-2 rule, finalized by the U.S. Department of Health and Human Services (HHS) and the Office of the National Coordinator for Health Information Technology (ONC), complements TEFCA by introducing provisions to enhance interoperability and public health data exchange. These provisions include:

• New Certification Criteria: Enabling health IT systems for public health and payers to meet ONC Health IT Certification Program standards, focusing on APIs that streamline data exchange.

• Adoption of USCDI Version 4: Mandating standardized data elements for better interoperability by January 1, 2028.

• Information Blocking Exceptions: Adding exceptions like the “Protecting Care Access” exception, which allows limits on sharing a patient’s reproductive health information to reduce legal exposure.

While these efforts aim to improve data-sharing across providers, payers, and public health authorities, they still fail to address the most critical piece of the puzzle: ownership. Even with better standards and governance rules, TEFCA and HTI-2 both assume that institutions, not patients, retain control over the data.

For instance, TEFCA's “Manner Exception” sets conditions for how actors can limit access to data via TEFCA pathways, yet it provides no provision to ensure patients themselves have the final say in how their data is shared or monetized. While interoperability ensures data flows efficiently, ownership remains outside patients’ hands. This isn’t just a technical oversight, it’s a systemic flaw.

Patients Have Access, But Who Owns the Data?

When it comes to health data, access is often confused with ownership. Under HIPAA, patients have the right to view and receive copies of their records, but that’s where their power ends. The real owners? Hospitals, providers, and EHR systems like Epic. These entities store, manage, and control data, often monetizing it without patient involvement. It’s as if your health history is on permanent loan from a library you didn’t sign up for.

Why This Matters:

• Patients lose control over how their data is shared or sold.

• Researchers and healthcare systems profit from data that patients cannot monetize themselves.

• Patients are sidelined in decisions about their own health, perpetuating a system where they’re treated as subjects, not stakeholders.

Ownership isn't just about fairness, it's about creating a healthcare system that works with patients, not around them.

Why Patient Data Ownership Should Be the New Standard

Patient data ownership has the potential to transform healthcare by:

• Enabling choice: Patients decide who can access their data and for what purposes.

• Improving trust: Transparent ownership builds confidence in the system.

• Monetizing participation: Patients could opt to share their data for research or innovation and be compensated.

An Ethical Imperative: Right now, patients generate the most valuable resource in healthcare, their own personal health data, but have little say in how it’s used. It’s time to flip the script and align the healthcare economy with ethical, patient-first principles.

Breaking Down Barriers to Ownership

The HTI-2 rule and TEFCA governance represent strides toward a more connected healthcare ecosystem, but the systemic barriers to ownership remain unchallenged. For example:

• Standardization vs. Ownership: While the adoption of USCDI Version 4 ensures that data elements are standardized across systems, it doesn’t empower patients to dictate how their data is used.

• Institutional Gatekeeping: New certification criteria for public health and payer systems focus on improving interoperability but don’t include mechanisms to give patients decision-making power over data-sharing agreements.

• Exceptions vs. Transparency: The inclusion of information blocking exceptions, such as protecting reproductive health information, addresses immediate concerns but stops short of ensuring transparency or empowering patients to take ownership of their health data.

These initiatives enhance data portability and accessibility, but without a shift in ownership, patients remain passive participants in a system designed to benefit institutions. Data Ownership as a Service (DOaaS) could change that by giving patients the tools to control, share, and even monetize their health information. The current healthcare data ecosystem isn’t just outdated, it’s actively resistant to change:

• Legal Ambiguity: U.S. laws stop short of recognizing patients as outright owners of their data.

• Entrenched EHR Systems: Platforms like Epic or Oracle benefit from controlling data, making interoperability a fight against profit motives.

• Intermediary Interests: Payors, researchers, and tech companies rely on aggregated data, complicating the transition to a patient-owned model.

Disrupting the Status Quo:

This is where we introduce Data Ownership as a Service (DOaaS). I don’t think that it’s too far fetched to introduce a platform where patients control their data like a digital asset, choosing how it’s shared, stored, or monetized. Here’s what it might look like:

• Patients use blockchain-enabled systems to grant or revoke access with a single click.

• Healthcare systems become partners, not gatekeepers, aligning their incentives with patient outcomes.

• Researchers and payors compensate patients directly for using their data, fostering collaboration over exploitation.

The Disruption Blueprint: Data Ownership as a Service (DOaaS)

What is DOaaS?

DOaaS is a transformative model that puts patients at the center of the healthcare data ecosystem, offering them tools to control, share, and monetize their data securely and transparently. It operates on the principle that healthcare data, like financial assets, should be owned, managed, and leveraged by the individual who generates it: the patient.

How DOaaS Works:

1. Decentralized Data Storage
   Patients store their health data in secure, blockchain-enabled environments that ensure tamper-proof and transparent data management.

2. Permissioned Sharing
   Through user-friendly interfaces, patients can grant or revoke access to their data with healthcare providers, researchers and payors.

3. Monetization Opportunities
   Patients can opt into programs where they earn compensation for sharing their anonymized data with research institutions, pharmaceutical companies, or public health initiatives.

4. Integration with Existing Systems
   DOaaS platforms seamlessly integrate with current EHR systems, integrations and APIs, making it easier for healthcare organizations to adopt this model without reinventing the wheel.

Real-World Applications and Disruption Blueprint

• Chronic disease management, precision medicine, public health initiatives, and employer-sponsored wellness programs can all benefit from patient-controlled data ecosystems.

Early Movers Leading the Way

• Nebula Genomics enables patients to sell access to their genomic data for research.

• Embleema uses blockchain for patient-controlled data sharing.

• GoInvo advocates for universal principles of data ownership.

How Did We Get Here? The Origins of Patient Data Control

The History of Healthcare Data Ownership

Medical records originated as tools for providers, not patients. Early EHR systems prioritized institutional needs, and HIPAA laws granted patients access, but stopped short of ownership rights. This entrenched a system where providers, payors, and tech companies retained control.

Who Decided Patients Shouldn’t Own Their Data?

Patients were never at the table. The healthcare industry built data systems based on its own priorities: clinical efficiency, profit motives and proprietary control.

A Vision for Healthcare’s Data Future

Imagine a healthcare system where:

• Patients own their data and earn from its use.

• Providers and payors collaborate with patients, not against them.

• Interoperability becomes seamless, ensuring patients are empowered in a data-driven healthcare economy.

Ownership equals empowerment and that’s how we revolutionize healthcare.

Sources:

1. Trusted Exchange Framework and Common Agreement (TEFCA)
   U.S. Department of Health and Human Services, Office of the National Coordinator for Health Information Technology (ONC). TEFCA Overview and Documentation

2. HIPAA and Patient Data Rights
   U.S. Department of Health and Human Services. Summary of the HIPAA Privacy Rule

3. Nebula Genomics
   Company website and resources on genomic data ownership. Nebula Genomics

4. Embleema
   Blockchain technology for patient data control and sharing. Embleema

5. GoInvo’s Advocacy for Data Ownership
   Whitepapers and principles for universal data ownership. GoInvo

6. Manner Exceptions in TEFCA
   TEFCA Final Rule documentation. TEFCA Documentation

7. Blockchain and Healthcare Data
   Journal of Medical Internet Research. Blockchain Applications in Health Data Management

8. Data Monetization in Healthcare
   Forbes article on the value of health data. Who Really Owns Your Health Data?