Who owns your health data? (And why the answer is broken)

Ask most people who owns their health data and they will say "I do." The legal answer is murkier, and that gap is the whole problem. In most of the United States, you have a right to access your records, but the provider, lab, app, or platform that holds them controls what happens next. You generate the data. Someone else owns the copy that matters. Someone else profits from it.

That deal has been the default for two decades. It is broken, and it keeps hurting the people it is supposed to serve.

The pattern: You are the supply. Someone else holds the data. Someone else profits. And when it breaks, you absorb the harm.

The failures are not hypothetical

This is not a thought experiment. It is the public record:

  • BetterHelp was found by the FTC to have shared consumers' mental-health information with advertisers, despite promising to keep it private (FTC enforcement action, 2023).
  • Cerebral disclosed that it had shared patient data with platforms including TikTok and Facebook (2023).
  • 23andMe lost the genetic data of roughly 6.9 million people in a breach (2023), and its later financial collapse raised the question millions never got to answer: what happens to your DNA when the company holding it is sold?

Different companies, same shape. The person whose data it is had the least control and absorbed the most risk.

Why privacy policies do not fix it

The usual response to each scandal is a longer privacy policy and another consent checkbox. It has not worked, for a simple reason: those documents do not change who holds the data or who profits from it. They ask you to trust a promise, after the fact, with no way to verify it and little recourse when it breaks. Consent you cannot enforce is not control. It is paperwork.

You cannot policy your way out of a structural problem. If the data lives with someone whose incentives point at monetizing it, no amount of disclosure changes where it ends up.

What patient-owned data actually looks like

The fix is to flip the structure: put the data, and the keys, with the person it describes. That is the model we are building at Your Data Health with Xanadu, a patient-owned data trust. The principles are simple:

  • You hold it. Your records live in an encrypted vault you control, not on someone else's balance sheet.
  • You decide. A consent kill-switch means you can grant access, and revoke it, on your terms.
  • You share in the value. If you choose to contribute de-identified data to research, you keep 80% of what it earns. No one should profit more from your data than you do.

None of this requires you to become a security expert. It requires the default to change, from "they hold it and you hope" to "you hold it and you decide." (Xanadu is patent-pending and in private preview.)

FAQ

Do I legally own my health data in the US?

You generally have a right to access and get copies of your records under HIPAA, but "access" is not the same as "ownership" or control. The entity holding the data largely controls how it is used and shared, which is the gap newer laws and patient-owned models aim to close.

Doesn't HIPAA protect me?

HIPAA covers specific "covered entities" and their business associates. A lot of consumer health data (mood trackers, period apps, wellness data) falls outside HIPAA entirely, which is why state laws like Washington's My Health My Data Act now reach further.

What is a patient-owned data trust?

It is a model in which the individual holds their own health data in an encrypted store they control, decides who may access it, and shares in any value created when they choose to contribute it, rather than a company holding and monetizing it on their behalf.