"Control Over Outcome": A Strategic Framework for Data Sovereignty in Orthopedics, Based on Knee Arthroplasty Experience

Nanne P. Kort, MD, PhD, NETHERLANDS Fabrizio Billi, PhD, UNITED STATES Hiroshi Watanabe, MD, PhD, JAPAN Nicolaas C. Budhiparama, MD, PhD (LUMC, NL), PhD (UGM, ID), FICS, Prof., INDONESIA Rèmigio Kort, MSc Epidemiology, MSc science, NETHERLANDS

ISAKOS eNewsletters   Current Perspective 2026   rating

Introduction: The Digital Walls of Healthcare

Let’s be honest: as orthopedic surgeons, we now spend almost as much time feeding computer systems as we do treating patients. We live in a paradox. On the one hand, we have access to advanced robotics, smart implants, and AI-assisted diagnostics. On the other hand, the data documenting our patients’ recovery remains locked in silos, inaccessible across the very care pathway we are trying to optimize.

This problem is not unique to any single healthcare system. Whether in a high-volume arthroplasty center in the Netherlands, a university hospital in the United States, or a private clinic in Japan, the architectural failure is consistent: data were designed to be captured, not to move. The EHR (electronic health record) does not communicate with the physiotherapist’s platform. Rehabilitation data from wearable devices goes unread. AI-based outcome prediction stalls in a swamp of legal uncertainty and “vendor lock-ins.” The result is well-documented globally: clinical burnout (driven in significant part by administrative redundancy) and a fragmented patient experience that forces individuals to retell their story at every point of contact.

In orthopedics, this failure is outcome-critical. The arthroplasty pathway is inherently longitudinal: the preoperative state, intraoperative decision-making, rehabilitation, and months of recovery together constitute a single clinical narrative. When those phases are digitally disconnected, we lose not just efficiency—we lose the systematic ability to detect early deviations from expected recovery trajectories and to intervene before complications compound.

This article presents a practical perspective grounded in our experience at Cortoclinics, a private orthopedic clinic in the Netherlands. We present it not as a Dutch solution, but as a proof of concept for a universally applicable approach. The regulatory specifics will vary by context; the underlying principles do not.

The Pain: Why the Current Route Fails

The problem is not a lack of data, but a lack of flow. And the failure modes are remarkably consistent across healthcare systems, geographies, and practice models.

For the surgeon, data are captured multiple times because each system wants to be the “source of truth.” Export is technically possible but clinically unusable: PDFs, screenshots, proprietary formats, or “API access” requiring expensive middleware. The data generated in a surgeon’s operating room is often more accessible to a vendor’s analytics team than to the surgeon themselves.

For the patient: having to retell their medical history at every point of contact reflects a structural failure to treat the patient’s trajectory as a single, continuous clinical entity. Each handoff is a potential data-loss event.

For researchers, data-sharing agreements, anonymization requirements, and legal uncertainty under frameworks such as the GDPR—or its equivalents in other jurisdictions—can delay AI-driven outcome-prediction projects for months or years.

The arthroplasty pathway makes these failures particularly consequential. A deviation in week 3 of rehabilitation may be traced directly to an intraoperative alignment decision—but only if those data points are connected. Not occasionally. Systematically.

The Solution: The Four-Corner Model and FAIR Data

The architectural response to fragmented data flow is not a new platform. It is a new principle: stop moving raw data around as the default. Instead, keep data at or near the point of creation and make data retrievable through controlled, standardized interfaces when the clinical pathway, or approved analytics process, requires it.

This principle is operationalized through two complementary frameworks: the four-corner model and FAIR data stations.

Four-Corner Model

The Four-Corner Model separates four distinct roles in any data exchange: the Data Owner (the patient or institution holding legal or custodial rights over the data), the Data Provider (the system or party making the data technically accessible), the Data Consumer (the system or party requesting access to the data), and the Data User (the system, party, or process ultimately applying the data). When no single party controls both the data asset and its governance, misuse becomes structurally harder, and auditability becomes structurally easier. A rehabilitation platform can consume intraoperative alignment data without ever owning it; a researcher can model outcomes data without ever seeing the raw records. Originally developed within European data infrastructure initiatives and embedded in the EHDS (European Health Dataspace), the Four-Corner Model reflects an emerging international consensus. Analogous principles are reflected in United States frameworks governing Substitutable Medical Applications and Reusable Technologies on Fast Healthcare Interoperability Resources (SMART on FHIR) application authorization, as well as in emerging data trust models in the United Kingdom and Australia.

FAIR Data Stations

FAIR Data Stations define how that data is structured and surfaced. FAIR—Findable, Accessible, Interoperable, Reusable—is a set of principles originally articulated for scientific data management, but with direct and consequential implications for clinical practice¹.

Findable means locating the correct PROM, radiograph, or intraoperative record without detective work. Accessible means access-controlled: not “open,” but achievable with appropriate permissions and fully logged. The distinction between “accessible” and “open” is critical: FAIR is not a privacy risk; it is a governed access model. Interoperable means that the variable that you call “ROM” and your rehabilitation partner calls “range of motion” resolves to the same defined concept, expressed using the same clinical standard—whether Fast Healthcare Interoperability Resources (FHIR), Systematized Nomenclature of Medicine Clinical Terms (SNOMED CT), or internationally recognized Zorginformatiebouwstenen (ZIB) equivalents. Without interoperability, comparison is not analysis; it is guesswork. Reusable means that your outcomes pipeline does not collapse when you change vendors, update your EHR, or onboard a new rehabilitation partner.

Together, these frameworks produce a dynamic Digital Twin of the patient's clinical trajectory^2,3—not a static export, but a continuously enriched, longitudinal representation from preoperative baseline through rehabilitation, designed to be simultaneously accessible to the surgeon, the physiotherapist, the patient, and, under appropriate governance, the researcher. Standardization is not a compliance cost. It is the foundation on which outcome learning becomes possible (Fig. 1).

Figure 1. From Data Source to Clinical Insight—Without Losing Control. The Cortoclinics Federated Data Hub receives data from all clinical systems, applies FAIR principles and four governance gates (Purpose Check, Consent and Legal Basis, Data Minimization, Audit Logging), and routes governed queries to authorized consumers without transferring raw data.

Secure Data Environment: Trust-by-Design

Our governance concept is “trust-by-design”: rather than demand blind trust from partners or patients, we engineer constraints that make misuse harder and auditing easier⁴. Before data can move or be used, it must pass an explicit ruleset that addresses the following questions:

• Is the purpose legitimate (care delivery vs. quality improvement vs. research)?
• Is there an appropriate legal basis and/or consent where required?
• Is data minimization applied (only what is needed)?
• Is access logged and reviewable?

In this framework, governance and accountability become operational conditions built into every data exchange, rather than documentation added after the fact.

Data Sovereignty: The Patient as CEO

In the dominant model of healthcare data management, the patient is a passive subject. Consent is typically a checkbox at the bottom of an admission form. The EHDS, now in implementation across EU member states, places patient data rights at the center of health data governance⁵. But the underlying principle—that individuals should be active administrators of their own health data—reflects a global shift, not a European regulatory artifact.

At Cortoclinics, patients determine who can access their data, for what purposes, and under which conditions through a consent-based sovereignty model. In the Dutch context, this is implemented via a Personal Health Environment (PGO) using the MedMij exchange framework. For international readers, functional equivalents exist across jurisdictions, including SMART on FHIR patient applications in the United States, the NHS App in the United Kingdom, and emerging HL7 FHIR personal health record frameworks across the Asia-Pacific region. Despite jurisdictional differences, the underlying governance logic remains consistent: the patient holds the key, and the institution provides the lock.

Our experience confirms a consistent finding in health data research: patients are significantly more willing to contribute data—including sensitive movement and rehabilitation metrics—when they understand that they retain meaningful control over how those data are used. Voluntary, informed contribution also yields higher-quality data. A patient who understands that their step-count data contributes to a recovery model from which they directly benefit is a patient who charges their wearable device. When sovereignty is engineered into the workflow from the outset rather than retrofitted as a compliance measure, the administrative overhead is minimal—and the governance record is automatic. The result is less time reconciling data and more time interpreting data.

Because arthroplasty data generated within vendor platforms have clear economic value, it is unrealistic to assume that all manufacturers will freely open their ecosystems by default. In practice, patient-authorized delegation to the treating surgeon or clinic as data steward may provide the most workable mechanism to ensure that clinically relevant data remain accessible to the care team without creating uncontrolled copies.

Innovation: The Digital Twin in Knee Arthroplasty

A Digital Twin, as used here, is a longitudinal, structured representation of a patient’s knee arthroplasty trajectory, continuously enriched with clinically relevant data points across the full arc of care. It is not a predictive model or a dashboard. It is the data substrate that makes those tools meaningful or, in its absence, impossible^2,3.

What follows is an honest account of this framework, organized by clinical phase.

• Phase 1: Preoperative: Clinical data and PROMs are collected via secure online tools and structured within our FAIR data layer. Intended extension: wearable-derived functional baselines—gait, activity, balance—to complement self-reported measures.
• Phase 2: Intraoperative: A minimal dataset, including planned versus achieved alignment parameters and implant metadata, is exported to a clinic-controlled FAIR station following each procedure and is embedded into the standard workflow without manual action. Intended extension: contractual mandates requiring all robotic and implant system vendors to support open, standards-based data export as a condition of procurement. This is not a technical challenge—the capability exists. Rather, it is a challenge of institutional will, and one that the broader field must collectively address.
• Phase 3: Postoperative: Registry reporting is automated to the Dutch Arthroplasty Registry (LROI). A PGO-enabled clinic-patient view allows patients to contribute self-measured data and manage sharing preferences directly. Intended extension: wearable and rehabilitation platform data feeds (currently being implemented), with feasibility confirmed through preliminary testing.

The Digital Twin, as described here, is a data infrastructure, not a decision-support system. It does not yet generate automated clinical alerts or outcome predictions across the entire perioperative process. Those capabilities are a natural next step, and the infrastructure described here is precisely what will make them trustworthy when they arrive. Building the data layer first, before the algorithmic layer, is a deliberate choice. Outcome prediction built on fragmented, ungoverned data is not innovation; it is noise presented with confidence (Figure 2). The objective is continuity of care: clinically relevant data generated across the arthroplasty pathway should remain accessible—through governed data-sharing frameworks—to the institutions responsible for that patient’s treatment and to the patient themselves.

Figure 2. The Digital Twin in Knee Arthroplasty: From First Visit to Full Recovery. Each phase of the arthroplasty pathway generates governed clinical data, building a longitudinal patient record that enables earlier intervention, clinic-owned surgical records, and continuous recovery monitoring.

Pitfalls and Lessons

• Premature Scale: The instinct to connect everything at once is reliably counterproductive. Start with one use case and one chain partner. Map before automating. Do not automate a broken process—standardize it first.
• The Culture Gap: Technology is the easier half of this problem. Clinicians must develop trust in data originating outside their own EHRs through transparent audit trails and demonstrated reliability. Critically, governance is not an IT function. Legal, compliance, and administrative teams must be active participants in governance design, not downstream recipients of a technical architecture they are asked to ratify.
• The Interoperability Illusion: Adopting FHIR does not automatically produce interoperability. Local implementations diverge in ways that only become apparent at the point of actual data exchange. True interoperability requires shared semantics—agreed meaning, not just agreed syntax. Include clinical staff, not only informaticists, in this process.
• Vendor Dependency: Proprietary data formats, restrictive API contracts, and opaque export mechanisms are business model features, not accidents. Enforce open API requirements and FAIR data export obligations in procurement contracts. A single clinic carries limited leverage. Professional societies, hospital networks, and regulatory bodies that establish open data export as a field-wide standard fundamentally change the negotiating landscape. The orthopedic community’s willingness to make this a shared demand will determine how quickly the vendor ecosystem responds (Figure 3).

Figure 3. Vendor lock-in risk across the orthopedic data ecosystem. The matrix shows where clinical data are most vulnerable to platform dependency and identifies the contractual or technical mitigation needed to preserve clinic control, patient access, and governed reuse.

Global Implementation: Start with Governance, Not Technology

A federated data-sovereignty model should be interpreted as a practical registry principle, not as requiring every clinic, region, or country to begin with a fully digital infrastructure. In many healthcare systems, the first step will not be a Digital Twin, a wearable-data pipeline, or a patient-facing application. The first step is more basic: define the minimum clinically meaningful dataset, determine who is allowed to access it, specify for what purpose, and ensure that each access event is documented.

For lower-resource or partially digitized settings, implementation can begin with a staged model. At the most basic level, clinics can standardize arthroplasty datasets and convert them into structured digital records at defined clinical transition points: preoperative assessment, surgery, discharge, rehabilitation follow-up, and complication review. Where patient devices are unavailable, recovery data can still be captured through PROMs, structured telephone follow-up, community physiotherapy reports, or clinic-based functional assessments. Wearables and connected platforms should be viewed as accelerators of data continuity, not prerequisites for participation.

Legal and regulatory heterogeneity also argues for a modular approach. In countries such as the United States, where electronic medical record sharing, software-based access agreements, and health information exchanges already exist, the proposed model should be understood not as a replacement for current infrastructure but as a governance layer that clarifies stewardship, purpose limitation, auditability, and patient-authorized secondary use. Each jurisdiction will need to define its own consent language, stewardship roles, data-retention rules, and permissible uses for quality improvement or research. However, the underlying governance logic remains transferable: minimize unnecessary data movement, preserve local control, document access, and separate the right to use data from the act of owning or copying it. In this sense, data sovereignty is not a European luxury or a high-resource technical architecture. It is a practical implementation principle that can scale from a single clinic registry to a national arthroplasty dataspace as digital maturity increases.

Conclusion: A New Standard

Data sovereignty is the operational capacity to reliably answer outcome questions without drowning in administration, without ceding clinical data to vendor ecosystems, and without turning patient information into uncontrolled copies that serve neither the surgeon nor the patient.

As described in this article, Cortoclinics represents a proof of concept that the pieces fit together, and that, when they do, data can strengthen the clinical relationship rather than complicating it. But the failure modes described in this article—duplicate data capture, vendor lock-in, ungoverned secondary use, fragmented patient trajectories—are field-wide problems requiring field-wide responses. Professional societies such as ISAKOS are uniquely positioned to accelerate this transition by establishing minimum FAIR-compliant data standards for arthroplasty outcome reporting, defining open data export requirements as a procurement standard, and developing shared governance frameworks for multicenter research.

The call to action is practical: build governance as an operational system, not as documentation after the fact. Start with one use case. Enforce open standards in procurement. Give patients the key to their own data.

References

1. Wilkinson MD, Dumontier M, Aalbersberg IjJ, et al. The FAIR Guiding Principles for scientific data management and stewardship. Scientific Data 2016 3:1. 2016;3(1):160018-. doi:10.1038/sdata.2016.18
2. Singh M, Fuenmayor E, Hinchy EP, Qiao Y, Murray N, Devine D. Digital Twin: Origin to Future. Applied System Innovation 2021, Vol 4,. 2021;4(2). doi:10.3390/asi4020036
3. Bruynseels K, de Sio FS, van den Hoven J. Digital Twins in Health Care: Ethical Implications of an Emerging Engineering Paradigm. Front Genet. 2018;9(FEB). doi:10.3389/fgene.2018.00031
4. Zhang P, Kamel Boulos MN. Privacy-by-Design Environments for Large-Scale Health Research and Federated Learning from Data. Int J Environ Res Public Health. 2022;19(19). doi:10.3390/ijerph191911876
5. European Health Data Space (EHDS) | Data voor gezondheid. Accessed March 7, 2026. https://www.datavoorgezondheid.nl/onderwerpen/e/european-health-data-space

Please note: ISAKOS Newsletter Current Perspectives are not peer-reviewed articles. For peer-reviewed articles, please visit the Journal of ISAKOS at jisakos.com.