Question

  • Creator
    Topic
  • #2210967

    who legally owns the data in a database?

    Locked

    by dkforbus ·

    I have a client that has an EMR (electronic medical records) system. The client is trying to port over the data from her existing system to a new system. The vendor for the old system refuses to give us the user ID and password to the server because they say it will give us access to their proprietary information. I say the data and server belong to the Dr since she had to buy the hardware and software. But the vendor insists that they will not give us the user ID and password to the server and if we want the data, we have to pay $1 per patient to give us a PDF report of the data.

    Question – does anybody know of any legal cases that we can use to reference that gives us the legal right to the data?

    Or, does anybody know how to hack into a SCO Unix box so we can access the database.

All Answers

  • Author
    Replies
    • #2843362

      Clarifications

      by dkforbus ·

      In reply to who legally owns the data in a database?

      Clarifications

      • #2843334

        Request for Clarification

        by charles bundy ·

        In reply to Clarifications

        I need a little clarification here.

        Are you saying they have locked her out of the old system with respect to logon, or do you want an administrative account (e.g. ‘root’)

        Do you have receipts for the server and software? A contract for services? Terms?

        The reason I ask is that I’m not certain your question accurately reflects what they consider proprietary. It may be something above and beyond the EMR database if you are asking for admin access to either the system or the database. Regardless I would assume ultimately EMR data belongs to patients and if they have cut off access completely I would gently remind them that they may not like litigation from any number of directions other than the doctor…

        BTW why hack the DB/SCO? Do you not have access to recent system backup media?

    • #2843359

      proof of purchase

      by purpleskys ·

      In reply to who legally owns the data in a database?

      I’m of the thought that if the Doctor has proof of purchase and a signed contract with said people, she has grounds to charge them if they are in breach of contract.

    • #2843358

      I agree

      by markp24 ·

      In reply to who legally owns the data in a database?

      If you have the signed contract showing that you purchased the hardware and software, and the data was entered by you. i dont see how the vendoer can hold the data. Does you client have a legal dept to discuss this with? the Laws also depend on what country your in.

    • #2843345

      Here it depends on the License of the Software in use

      by oh smeg ·

      In reply to who legally owns the data in a database?

      And what is actually happening.

      Of course if there is a Contract involved that will clearly spell out what is owned by who and so on but to be perfectly honest here it sounds like a system remotely hosted by another company where the Doctor has no expenses in Maintaining, Updating or running the system.

      In effect what is now called a Cloud Solution and if that’s the case I’m willing to bet that the Jury is still out on who owns what and what the person/Company who physically holds the Data can do with it. Things like On-Sell it to Authorities, competition and so on have yet to be determined particularly if there are Receivers Involved.

      A couple of other things that you should be aware of as well is that the possibility of the Data being Portable to another application may be simply impossible and it all needs to be reentered to the new application and that if this is one of those Options that was built to make the Doctors Life easier and allow them to be a Doctor not an IT Specialist the entire idea was to lock the medical partitioner into using their product for all the time so what you are being told may be perfectly correct.

      Like any Long Term Contract there are Penalties to get out and what is quite common with Medical Programs is that you???ll need to reenter all of the records to the new app as you are unable to transfer it from the old application. This is very common with all Specialist Programs no matter the field. 😉

      Col

    • #2843343

      Well at worst the original vendor

      by tony hopkinson ·

      In reply to who legally owns the data in a database?

      has no option but to extract the ‘user’ data for the client in a usable format and supply that to you for the migration.
      Otherwise they are denying the client their data, someone is being a twit, not a chance of winning this, could quite easily end up losing badly.

    • #2843341

      Data owned by the Dr but extract owned by the vendor

      by niall baird ·

      In reply to who legally owns the data in a database?

      I believe there is case law here in Australia that the patient information is owned by the Doctor, however when you need to move from one doctor to another, and request your patient information be sent to your new doctor, they are allowed to charge for the effort in retrieving the data & sending it to the new doctor. (most don’t charge though)

      Using this as a corollory, the vendor is quite within their right to charge for extracting the data, regardless of whether your client has purchased the system or not. I would actually be asking for the cost for extracting the data in CSV format, rather than PDF, because (a) its much more useful to you in CSV, and (b) you could extract it yourself into PDF without using the server. Alternatively, you could research the contract and licensing terms to see if it is possible that you can ask for an extract of the data with no charge.

      I certainly don’t think the issue is the data, its only how you can access it that is the issue.
      You might also want to ask them if they can provide your client with a username & password that is restricted to getting information from the relevant tables – that should allay any of their fears that you would be able to see proprietary information.
      If all else fails, your client might have to front up with the cash.

      As an aside, if you safe the resultant PDF’s as an image (assuming that they will not fold and give you a csv extract), you can use MS One Note 2010 to extract the text from the pdf image.

      Hope you didn’t sign onto this as a fixed price contract….

    • #2843338

      Use a linux boot disc

      by andrew ·

      In reply to who legally owns the data in a database?

      I’d be surprised if linux couldn’t read the SCO partition, in which case a linux boot disc would get you in. Boot up using, say, an ubuntu desktop disc in ‘live’ mode. That’ll get the computer running, yet it’s guaranteed not to modify any data on the SCO machine’s hard disc. Then mount the partition and that’ll give you access to the database files.

      Then it’s just a case of what database they’re using. If it’s one of the standard ones you’ll be able to copy them off to another machine and access them there. If it’s proprietary then things could be trickier!

      Because the above doesn’t involve modifying the SCO hard drive then it should be pretty safe – if it doesn’t work you just remove the linux boot CD and reboot into SCO as usual.

      Failing that you might be able to hack the username/password on the SCO box using linux by mounting the SCO drive and editing the password/shadow/security files, but if you mess that up then you’re in trouble 🙂

      • #2843331

        Reponse To Answer

        by charles bundy ·

        In reply to Use a linux boot disc

        I wouldn’t follow the above unless I knew there were solid backups somewhere. And if you have those, ya don’t need to mess with a physician’s production system.

    • #2843335

      thanks for the feedback

      by dkforbus ·

      In reply to who legally owns the data in a database?

      Thanks for the replies.

      The doctor physically has the server in her office. Like most small (1 to 3) doctor offices, they have purchased a system from a vendor for a set price. The server is purchased by the doctor as well as the software. The doctor then pays a set amount per year for maintenance of the system (i.e. technical support, upgrades, bug fixes, etc). In this case, the doctor has not paid a maintenance fee for about 2 years because she knew she would be changing to a newer system.

      I guess the real answer lies in the contract. Problem is, she does not know where it is. Typical end user, huh.

      • #2843333

        Reponse To Answer

        by charles bundy ·

        In reply to thanks for the feedback

        Ahh that clarifies possession from my earlier request. I’d say a contract is moot at this point if they haven’t been paying for the service for two years. So, as this is onsite and hasn’t had any support for two years, who does the backups? Backup tapes would be your ticket to data extraction. Assuming they exist…

        Gosh I hate to say this but while the contractors sound like extortionists, the provider sounds like a deadbeat as she admits there was a contract, she doesn’t know the terms and just decided to stop paying…

    • #2843329

      That makes things easier

      by oh smeg ·

      In reply to who legally owns the data in a database?

      If the system is still working just do a Backup of the Data File after all that is all that is required.

      I can understand the vendor not wanting to give you unlimited access to this system because they are quite right it would give you access to the IP which could be copied from a past customer.

      But in relation to the Backup of the DBase it may still require the reenter of all of the data into the new system by hand as quite a few of these Propriety D Base Systems do not support Transportable Data and then a cost to extract this as a usable Form is quite acceptable and understandable. 😉

      If there is currently no backup you should do one immediately because Hardware does fail and attempting to recover a dead HDD is very expensive or reentering all of the Data by hand is not only expensive but time consuming.

      Col

    • #2843323

      My two cent

      by rjethro ·

      In reply to who legally owns the data in a database?

      The data ultimately belong to the client/customer. Infact after changing vendor, the customer needs a proof that the previous vendor has no such data. The vendor is however right to charge for the effort of transferring data to the new system. Alternatively, the vendor can give the client the data in a backup media and the client to sort out the migration issues. PS. The vendors usually are just custodian of the data.

    • #2843309

      Maybe

      by oldbaritone ·

      In reply to who legally owns the data in a database?

      The old saying “Possession is 9/10 of the law” might have some truth, but it may not do much good.

      EMR systems (are supposed to) have many layers of control and protection to prevent unauthorized access to patient records. It wouldn’t surprise me to learn there are several different password layers protecting the data, including encrypted drive, encrypted folder on the encrypted drive, and encrypted database in the encrypted folder. All of those passwords would probably be high-security and hard-coded into the MR system, never used by the doctor, and a proprietary “Top-Secret” of the vendor. Most likely even the field support tech doesn’t have those passwords; a software engineer from home office would have to connect in remotely if they were ever needed. If that’s the case, the backup probably won’t be much use to you, nor will the physical access to the machine. You’ll be able to get the database file, but it will be of little use to you – as it should be.

      From the business side, the doctor wouldn’t want a computer-savvy janitor to be able to scrape data out of the MR system with no audit trail, just because they have a key to empty the wastebasket in the server room in the middle of the night.

      It’s also unreasonable for the doctor to expect the vendor to extract the data for free, especially since the doctor hasn’t paid for maintenance in 2 years.

      The doctor doesn’t work for free, and I’ll bet she charges patients for requested copies of medical records at the going rate – especially if they are changing to another doctor and haven’t seen this doctor in 2 years. The new doctor requests copies of the patient records, the new doctor gets the records, and the patient (or insurance company) gets a bill for the records transfer. Can she understand the parallel to her current situation?

      I’d agree with @Niall that CSV would be a better format than PDF if you can get it, but personally I believe that $1.00 per patient for a vendor data extract is very reasonable, especially in this case. When I have requested records, I was charged $1.00 per PAGE, and the record was many pages. I wouldn’t have been surprised if you had said the vendor wanted a (large) flat fee plus 5 or 10 bucks per patient for the first thousand patients, before the per-patient charge went down some.

      Last I knew, there weren’t too many doctors in the welfare lines. The decision to change EMR systems and the decision not to pay the support fees for 2 years were business decisions. Business decisions have consequences and costs. This is a cost that is a consequence of the practice’s business decisions. They saved money “then”, and that is resulting in additional costs “now.” That’s business.

      A “small (1 to 3) doctor office” has how many patients in the EMR system? One thousand? Five thousand? Ten thousand? I cannot imagine it would be much more than that with so few doctors. They spend many thousands to purchase an EKG machine, or a portable Ultrasound machine that will only be used on a select few patients. The EMR system is used for EVERY patient, hundreds of times a day. It can be amortized over a much larger base than any of the diagnostic or treatment devices.

      Sorry, doc, it’s a cost of doing business. Pony up or shut down. Or hire a bunch of temps to type the data from one system to the other, and worry about HIPAA confidentiality. It will end up costing about the same, or maybe more, to do it that way.

      Or affiliate the practice into a large institutional system. They will handle the business details and bring in their EMR, and you won’t have to worry about things like this, but you will lose a lot of your freedom to run the practice the way you and your partners want.

      • #2843179

        Reponse To Answer

        by niall baird ·

        In reply to Maybe

        Great line of thinking there. Totally agree.

Viewing 10 reply threads