Who Owns Your Medical Data?

Patient information is no longer stored in filing cabinets. As digitisation becomes central to all-things health and life sciences, Elizabeth Plumptre explores the bold question of who actually owns the medical data that now sits in the cloud.

November 18, 2025

Only a few decades ago, the answer to this question seemed simple. Medical records lived in a doctor’s office—paper files stacked neatly in cabinets, accessed only with a patient’s permission. Back then, ownership was generally understood to rest with the doctor or hospital that created and safeguarded them.

Today, those cabinets have gone digital. Every doctor’s visit, blood test, and fitness tracker now adds to a growing trail of personal health data. Electronic medical records (EMRs) make this information easier than ever to store and share, a transformation that’s reshaped how we think about ownership and privacy. According to the American Hospital Association, 96% of physicians now use EMRs, signaling a near-universal shift to digital care.

But with that convenience comes confusion around who truly owns health data. As Jessica Plonchak, Licensed Clinical Social Worker and Executive Clinical Director at ChoicePoint, explains: “From an ethical viewpoint…patients should be the moral owners of their health data. But in most scenarios, healthcare providers hold the ownership of the data because they generate and store it in regulated systems.”

When a person’s health history, diagnoses, and treatment plans can be shared across systems with a few clicks, the lines of ownership blur even further. This question of whether health records belong to patients or providers remains one of the most complex and consequential debates in modern medicine.

Providers vs Patients: Who Owns Medical Data?

Health data encompasses information that captures an individual’s health status, including doctor prescriptions, clinical observations, lab results, self-reported symptoms, and metrics from wearable devices. This information is produced jointly: healthcare providers supply the expertise and infrastructure, while patients contribute the real-world data. That shared origin is what sparks the debate over who truly owns health data.

Since hospitals function as guardians and custodians of electronic health records (EHRs), claims of ownership often tilt towards these institutions. Data privacy expert Gerry Miller, founder and CEO of Cloudticity, captures the tension: “Patients may want to own data they can't interpret, a blood test result means nothing if you don't know normal ranges, drug interactions, or patient history.”

Still, both HIPAA and the American Health Information Management Association (AHIMA) draw a careful line between record ownership and data stewardship. Under HIPAA, healthcare providers are designated as “covered entities”, emphasizing their duty to protect and preserve patient information. Providers also bear the liability when something goes wrong.

Yet, as Miller points out, those same providers often want to use patient data for “quality improvement” or “research.” “In many cases,” he explains, “that means monetizing the data without sharing any of the revenue.” This rift between ethical stewardship and financial incentive continues to blur the boundaries of trust in digital healthcare.

While providers act as custodians of health records, patients retain specific rights of access, use, and control over the information those records contain. In previous years, AHIMA has maintained: “The physician, practice, or organization is the owner of the physical medical record because it is its business record and property, and the patient owns the information in the record,” a stance reinforced by many state laws.

Advocates for patient data ownership argue that medical information should be under the control of the person whose identity it represents. In the United Kingdom, this principle is enshrined in the NHS Act 2006, the UK GDPR, and the Data Protection Act 2018, which grant patients the right to access, correct, and delete their data, to limit how it is used, and to have it transferred to another provider.

Despite these frameworks, however, ownership remains a gray area shaded by ethical and legal considerations, plus the evolving role of patients as active participants in their care.

Concerns Over Patient Privacy

According to SNS Insider, the global big data in healthcare market was valued at $68.56 billion in 2023 and is projected to soar to $283.43 billion by 2032. This explosive growth underscores the immense value and vulnerability of health information. As medical databases now store everything from Social Security numbers to financial details, cyberattacks on healthcare systems have become increasingly lucrative. In 2024, U.S. healthcare breaches exposed 275 million records, with the average cost of a breach reaching $7.42 million in 2025. “The digitalization of health records and the rise of AI-based tools increase the risk of breaches, data misuse, and secondary data sales without informed consent,” notes Jessica Plonchak.

For patients, whose most intimate details are stored in these records, the risks go beyond privacy breaches. Many fear their data, freely shared in the course of receiving care, may be repurposed for commercial gain without their knowledge or consent. One notable example came when London’s Royal Free Hospital granted Google’s AI subsidiary, DeepMind, access to 1.6 million patient health records to develop an app for detecting early signs of acute kidney injury, raising public concern about consent and transparency. The NHS alone holds over 55 million patient records, collectively valued at an estimated £5 billion, underscoring the massive financial potential of personal health data.

Adding to widespread mistrust is the ongoing uncertainty about how health organisations manage and share patient information. As Miller explains: “When a patient signs a consent form, they give their data to the hospital's EHR vendor, the hospital's cloud provider, analytics partners, AI training contractors, etc. In general, patients have no visibility into who actually has their information.”

Over the years, repeated incidents have revealed not only vulnerabilities in data protection, but also what could be a disregard for the ethical management of medical records. Other high-profile UK health data controversies include vulnerabilities in GP IT systems that risked exposing 26 million patient records, and an NHS sexual health clinic that mistakenly revealed the HIV status of almost 800 patients.

Balancing Data Access With Individual Privacy

With data at the heart of modern healthcare, the challenge of the decade lies in balancing seamless access to information with the protection of individual privacy.

Data interoperability has transformed personalized medicine, preventing redundant testing, and accelerating research and public health initiatives through insights derived from large datasets.

Yet, this same data-driven progress comes with growing concerns around privacy and control. According to Health Gorilla’s Patient Privacy Report, 71% of patients are comfortable with sharing their data for treatment, but that trust falls sharply to 39% for payment-related use, and drops further to just 23% for public health purposes. This trust gap highlights the urgent need for greater transparency and accountability in how health data is collected, shared, and used.

To close that gap, healthcare organizations must adopt visible, patient-centered data practices. Individuals should be able to see, manage, and decide who accesses their records, and why they do so. As Gerry Miller notes, “Patients should be able to delete sensitive records after some time period. Mental health, substance abuse, reproductive care—these are deeply personal topics that shouldn’t necessarily follow someone throughout their entire life.”

Stronger safeguards are also needed. Access should be limited to a need-to-know basis, supported by rigorous oversight of third-party vendors through regular audits and clearly defined accountability frameworks. Miller continues: “Penalties need to be existential. HIPAA fines are trivial compared to the value of medical data. Breaches should risk putting companies out of business. Executives should face criminal charges for knowing violations. Otherwise, it's just the cost of doing business.”

Organisations should also establish clear internal policies that delineate who is responsible for data use, disclosures, and external partnerships, creating the transparency and structure necessary to strengthen patient trust at its core.

The Future of Trust for Digital Healthcare

The question of who owns medical data may never have a definitive answer, perhaps rightfully so, since information isn’t property in the traditional sense. What is clear, however, is that the next era of digital care will hinge less on technological innovation and more on trust: the confidence patients have that their most private details will be handled with integrity.

Real progress will come not from how much data we can collect, but from how responsibly we use it. Health information should never be treated as a commodity, but as a shared responsibility built on transparency, consent, and respect for the people whose stories those records tell.