
Data Ownership and Privacy 

Written by David

Your healthcare data might be about you, but it’s not yours – not really. Current regulations seem to protect your data. Despite the appearance of strong privacy regulations, there’s a lot of grey area and rampant misuse. Yes, let’s fix the laws, but we need higher ethical standards and principles for data capture and use. 


A key question in our data-rich and data-enrichening world is: who owns the data? 

In healthcare and healthcare-related activities, the answer should be a no-brainer: you, the patient-client-participant, own the data.

It. Is. Your. Data. 

Providers, payers, technology, and analytics companies (see Commonly Well) … we’re just stewards of your data. 

In recent months, dozens of telehealth startups were alleged to have shared or sold sensitive mental health and substance use data to Facebook and other big tech companies.  

Where the laws and regulations are squishy, lawyers for those companies have gotten comfortable in the grey area and have taken up residence.

This essay is not about navigating the nuanced legal landscape. Instead, we explore the ethical foundations that can and should supersede whatever laws are on the books. There absolutely must be strong regulation. But underneath that regulation must sit the highest ethics and principles for data capture and use. 



Healthcare captures a lot of data. According to Statista: 2,314 exabytes of new data was generated in 2020. What’s an exabyte? 1 billion gigabytes. It’s estimated that if there was a record of every word spoken by humans, it would equal 5 exabytes. Healthcare is expected to have an annual 36% growth rate of data by 2025, greater and faster than other large industries like media, manufacturing, and financial services.  

But to what end is it all used? Some data has greater value than other data. A radiology image likely outweighs a person’s hair color – but that might depend on context. So, for the sake of this discussion, let’s treat all healthcare data equally. 

The United States is not the healthiest of nations. We spend more money per capita on healthcare and have far worse health outcomes than most industrial nations. Check out these highlights, nay, lowlights from the Commonwealth Fund’s U.S. Health Care from a Global Perspective (2022):

  • Health care spending, both per person and as a share of GDP, continues to be far higher in the United States than in other high-income countries. Yet the U.S. is the only country that doesn’t have universal health coverage. 

  • The U.S. has the lowest life expectancy at birth, the highest death rates for avoidable or treatable conditions, the highest maternal and infant mortality, and among the highest suicide rates. 

  • The U.S. has the highest rate of people with multiple chronic conditions and an obesity rate nearly twice the OECD average. 

  • Americans see physicians less often than people in most other countries and have among the lowest rate of practicing physicians and hospital beds per 1,000 population. 

  • Screening rates for breast and colorectal cancer and vaccination for flu in the U.S. are among the highest, but COVID-19 vaccination trails many nations. 

The Commonwealth report does not consider overdose deaths, nor the increased rates of substance use disorder. It does note the “increased burden” of mental health issues and that we have the third highest suicide rate.   

So, with thousands of exabytes of data, we should be smarter, right? Shouldn’t we be healthier? 

We’re not.  

Why not? 

My guess is the data is captured in segregated black boxes. Healthcare data is not shared between systems or within communities. As noted above, the U.S. is the only OECD nation without a national health system. Unless you’ve received care from one clinic or hospital in your lifetime, your care providers almost never have your full medical record. Additionally, patients have a difficult time getting their data. Some even have to pay for it. But, even if patients can access their data, it’s difficult to understand, even for the most data-literate of us.



Given our global standing in terms of expenditures versus outcomes, we need to come at our healthcare data in a completely different way.  

For all the right reasons, privacy and security drive our concerns for how our sensitive healthcare data is used. The heart of the issue is trust. The COVID-19 pandemic was not helpful. A recent poll found that 30% of physicians do not trust their healthcare organization’s leadership, with even lower trust for general industry executives. And 32% of patients said their trust in the healthcare system declined during the pandemic, while indicating higher trust in doctors and nurses over systems. 

All this decline sets up an opportunity: to look at our healthcare data as a public asset and benefit. That is a difficult leap given the numbers around trust. This is why we must start with an ethical framework built around trust, transparency, and ownership.

Before founding Commonly Well, I worked for a nonprofit that provided peer coaching to those overcoming addiction. My job was to digitize the organization and make our services data-driven. This was a decade ago when becoming “data-driven” was the trend. Of course, we had to mind the various national, state, and local laws and regulations even though many of those very laws didn’t technically apply to us. The technicality did not matter to me. We were entering into a relationship with someone who was trusting us with very sensitive data about their mental health. Trust was paramount. 

I was fortunate to become acquainted with the people running the Digital Civil Society Lab (DCSL) at Stanford University. The purpose of this lab was to provide an understanding of how digital technologies would shape civil society and democracy. Civil society may be a new term to you. Think of it as the realm of organizations and communities that are non-governmental and non-profit. 

(However, I could argue all day long that many for-profits operate in the realm of civil society too.)  

As of 2016, 51% of U.S. hospitals were not-for-profit. The percentage of addiction treatment facilities operated by government or nonprofit organizations steadily dropped from 2004 to 2016, whereas for-profit entities increased by 21 percent.

No matter the legal formation of hospitals, clinics, and behavioral health centers, I submit that given the dismal and desperate circumstances of our health and healthcare system, we should treat all healthcare data within a civil society framework.  



The Stanford DCSL created a toolkit for how civil society should manage digital data. Within that toolkit are four principles that guide civil society’s use of data: Permission, Privacy, Openness, and Pluralism. Throughout these principles there is an understanding that the participant is engaged in a voluntary relationship with the organization. It is also understood that a civil society organization has been granted the capacity to use private resources for public benefit.

The private resource here is a patient’s sensitive healthcare data. 

Public benefit is the sticky bit. Current healthcare privacy laws treat sensitive healthcare data as individual, secure, and limited between the provider and patient – with certain exceptions. This is why we have so many data black boxes and limited interoperability – a solution for a problem with compounding complexity. 

For seamless data sharing and usage throughout healthcare, we essentially need a shift to a stewardship mindset. Healthcare organizations, whether for-profit or non-profit, must recognize that they don’t own patients’ data. The organization is merely a steward of that data with the limited capacity of providing specific healthcare services. The healthcare privacy laws embody this notion in the spirit of the law, but the technical execution is something else.  

As Micky Tripathi notes, the problem of interoperability isn’t due to technical impossibility, nor is it even due to patient objection; it’s widespread fragmentation of data with no unified system.

“We still have a lot of gaps and part of that is due to the fragmentation of the healthcare delivery system in this country. It’s not really a system. It’s just a bunch of providers — like physician offices and hospitals — doing their best to connect with each other. But it’s a fragmented system both on the supply side and the demand side. That makes it difficult for everyone to come to an agreement on an industry-wide approach for interoperability.”

Tripathi leads the Office of the National Coordinator for Health Information Technology at the U.S. Department of Health and Human Services.

We have a hard time coming to agreement on industry-wide standards because health systems are not paid to play together. Look around the digital healthcare landscape, specifically the population health space. Many population health companies are for-profit spinoffs from large integrated health systems. Why? The enormous value of patient data. Interoperability or democratization of patient data reduces the value of that data staying in a silo.  

But again, missing from this equation is the first principle that should drive all this: the patient owns the data. 

Advances in blockchain and digital identification make full-patient ownership of the data possible. Given the right mechanisms and tools via a smart contract on the blockchain, patients can navigate and control access and use of their data. Want doctor A to see your lab results but not doctor B – you have the control. Want your data off-limits for purposes not directly related to your care? Want your data used for real-time intelligence so the entire healthcare system is smarter and can provide better care for others in your community or around the world? 



This is incredibly important in the addiction and mental health space. Many of the additional protections on substance use and mental health data (see 42 CFR Part 2) were devised because of stigma and discrimination against patients with these conditions. While that stigma and discrimination still exist, the one-size-fits-all approach creates more barriers and harms in the seamless delivery of care. When a general practice or emergency physician cannot see your full record because your addiction treatment record is restricted, lifesaving care could be withheld.

Would interoperability solve this? Not really. Plenty of systems can move and open the data. But the laws are antiquated and not patient-centered.  

But even if the laws don’t change, it doesn’t mean we cannot implement better standards and ethics for use within the current legal framework. We could shift to a patient-ownership and provider-stewardship orientation. We could make consent and requests for access and sharing easier, not harder. Large community systems could view patient data and what they do as a public benefit. We could do all those things right now. Most simply choose not to.

Commonly Well uses a text messaging platform to design custom automated and personalized engagement strategies for data capture, performance monitoring, and outcomes measurement.
