George Hill, an analyst at Leerink Swann, a health care investment bank, told the Times that the market for health record systems is $8 billion to $10 billion annually. About 5 percent of this income comes not from the sale of information systems but from the sale of data and analysis. As more physicians and hospitals — spurred by federal incentives — switch to electronic recordkeeping, revenue from the sale of health data could grow to $5 billion, Hill said. In some case, the vendor contract specifies that the vendor has exclusive access to the health records in its database, according to Dr. Paul Tang, vice president and chief medical information officer of the Palo Alto Medical Foundation, and member of a federal privacy advisory panel. Tang told ModernHealthCare in 2007 that he’d seen such contracts from large and small vendors. “Some [vendors] say they have ownership to data. There are contracts that say they will have real-time access to the database, that they will have exclusive access to the data, that they can resell the data. I think it would be unlawful that covered entities abide by that.” Giving vendors access to such data would apparently violate the Health Insurance Portability and Accountability Act (HIPAA), which prohibits doctors from providing medical records to anyone not involved in providing health care or payment for health care or involved in health care research. Although the law does provide a loophole for “business associates” hired by health care providers, privacy rights lawyer Robert Gellman told ModernHealthCare that this likely wouldn’t protect health care providers in these cases.