Your continuous glucose monitor is generating data right now. Who owns it?
Published 4/20/2026
Not you, legally. Not your clinician, exactly. Possibly the device manufacturer who wrote the terms of service you accepted during setup. Possibly a data broker who acquired it downstream. The answer depends on jurisdiction, contract law, and how the data moved - and in most jurisdictions, there is no clear answer at all.
That is the central argument of a new letter published in the Journal of Translational Medicine by Klonoff, Scheideman, Heinemann, and colleagues from the Diabetes Technology Society and Mills-Peninsula Medical Center. The piece is concise and deliberately practical, grounded in the specific context of wearable diabetes devices and patient-generated data, but the regulatory problem it describes applies across the full landscape of digital health and connected medical devices.
The core finding is deceptively simple: no specific legislation in the United States or in EU member states explicitly establishes ownership rights over medical data. HIPAA guarantees patients the right to access and copy their records, and limits how covered entities can use protected health information - but it does not confer ownership. The EU's GDPR establishes data privacy as a fundamental right and requires explicit consent for processing health data, but it also does not address ownership. The most recent major framework initiatives - TEFCA in the US and the European Health Data Space Regulation approved by the European Parliament in 2024 - both strengthen patient access and control, but neither creates ownership rights. There is an elaborate architecture of privacy law in both jurisdictions. There is essentially no ownership law.
This gap matters for a reason that goes beyond individual patient rights. The paper's primary concern is translational research. An estimated $61 billion global market in healthcare big data is built substantially on patient-generated information, most of it flowing from devices, EHRs, and wearables under legal arrangements that were not designed with this secondary use in mind. When ownership is ambiguous, data stays siloed. Researchers cannot access what they need. Manufacturers claim usage rights through terms of service that patients accepted without reading and often without understanding. IRB review may or may not apply depending on whether the data was de-identified before sharing - and de-identification is increasingly imperfect as linkage risk grows. The result is a situation where, as the authors put it, "if one side advances, then the other side may regress": more ownership authority for patients means less data available for research, and weaker patient rights means more data available but ethically compromised.
The paper maps five stakeholder categories who can plausibly claim some form of ownership or control over patient-generated health data: patients, clinicians, researchers, public health professionals, and medical device companies. Their claims are not equally grounded. Patients argue that health data is constitutively personal - inseparable from the individual in a way that implies ownership. Clinicians argue that they own the physical medical record and have invested resources in compiling and organizing it, entitling them to some consideration for secondary use. Researchers argue they have invested in collecting and analyzing large datasets and have intellectual property interests in their derivations. Public health professionals assert not ownership but a legitimate public interest right to use anonymized population data. Device companies assert ownership through contractual terms of service and the legal ambiguity that, in the absence of contrary law, tends to favor whichever party holds the data.
The legal cases the authors cite give texture to the consequences of this ambiguity. In Dinerstein v. Google (2020), the plaintiff challenged the University of Chicago's sharing of de-identified patient data with Google for machine-learning purposes, on the grounds that metadata in the records made re-identification possible and patients had not meaningfully consented to that use. In Particle Health v. Epic Systems (still ongoing), a data interoperability company alleged that Epic was blocking access to patient records in ways that harmed patients and competitors alike. Both cases turn on disputes about who controls patient data and under what terms - disputes that clear ownership law would have reduced, if not eliminated.
The paper's treatment of emerging controversies is worth particular attention for anyone working on AI in healthcare. Three issues are identified as increasingly contested: the shift from study-specific to broad consent, which reduces participants' ability to understand what specific uses they are authorizing; the question of who controls and who benefits from de-identified data used to train AI algorithms, where individual contributions are indistinguishable in the aggregate but cumulatively valuable; and the question of liability and remuneration when AI trained on patient data produces adverse outcomes. None of these questions has a settled legal answer. The proposed Collaborative Healthcare Data Ownership framework, which would establish shared ownership between patients, providers, researchers, and AI developers with defined governance rules, has not been adopted anywhere.
The paper's conclusion is measured: "It will fall to attorneys and regulators to address this tradeoff." That is accurate, but the tradeoff it describes is genuinely structural. More patient ownership rights = less available data for research and product development. Less patient ownership = more available data but weaker ethical foundations for its use. The existing compromise - strong privacy, no ownership - satisfies neither side fully and leaves the most contested questions legally unresolved.
What the healthcare AI field needs to reckon with is that every AI system trained on patient data exists within this unresolved ownership landscape. The training data for an FDA-cleared diagnostic algorithm may have been acquired under terms of service that patients accepted without understanding, organized by a healthcare institution with its own competing interests, and used by a manufacturer under contractual arrangements that do not clearly establish patient rights to the value generated. That is not a scandal - it is the current legal normal. Whether it is sustainable as the scale and commercial value of patient-generated data continue to grow is a different question, and one that regulators on both sides of the Atlantic have not yet squarely answered.
Full paper: https://pmc.ncbi.nlm.nih.gov/articles/PMC12763853/