July 23, 2014

Open Source Licenses for Healthcare Information Technology

Noticing that I have not been blogging as much, I want to share some perspectives on open source distribution licenses within the domain of healthcare information technology.

If well-designed, healthcare information technology solutions can improve the patient-clinician relationship, the accuracy of the patient’s health data, the diagnosis and management of the patient’s health, and the efficiency and job satisfaction of clinicians.


Open source software (OSS) can play a foundational role in realizing digital healthcare delivery.  Open source software communities are intrinsically better positioned to support collaborative, community-driven demonstration of novel concepts.

Additionally, open source software lowers the barrier of entry for individuals and organizations to contribute and adopt vendor-neutral solutions in healthcare information technology.

Some of the most popular open source licenses that are used in industry are:
  • Apache License 2.0 - A permissive license that provides an express grant of patent rights from contributors to users.  The Apache Software Foundation (ASF) developed the license prose, and ASF adopted the Apache License version 2.0 in January 2004.  Similar to the MIT license, the Apache 2.0 license is compatible with version 3 of the GNU General Public License (GPL) also detailed in this list.
  • GNU General Public License (GPL) v3 - A “copyleft” license that requires anyone who distributes the software source code or a derivative work to make the source available under the same terms.  The Free Software Foundation (FSF) formally introduced the GPL v3 in 2007 as an upgrade to the GPL v2.  The most important changes introduced were in relation to software patents, free software license compatibility, the definition of "source code", and hardware restrictions on software modification.  Some for-profit organizations consider it “viral” and view it negatively.  I am not a fan of the GPL license because I feel it is too opinionated and tends to scare for-profit organizations away from open source.
  • MIT License - Another permissive license that is similar to the Apache 2.0 license, and very short and loose regarding requirements.  The MIT license allows users to use, copy, and modify the software source code.  As the name would imply... this distribution license originates at the Massachusetts Institute of Technology... duh.  The MIT license is GPL-compatible, meaning that it can be combined with a program under the GPL license without conflict.  The MIT license is very similar to the BSD license.  The primary difference from the BSD license is that the BSD license contains a notice prohibiting the use of the name of the copyright holder in promotion.
  • BSD License 2.0 - A permissive, free software license imposing minimal restrictions on the redistribution of covered software.  The BSD license allows proprietary use and allows the software released under the license to be incorporated into proprietary products.  It is similar to Apache 2.0 but lacks a patent grant, which means that the authors of the code are not granting the rights needed for any of their own patents that might happen to be in the code being used.

My preferred open source license for use in the domain of healthcare information technology is the Apache 2.0 license.

For 7 years, I have successfully used the Apache 2.0 license for numerous healthcare projects that I have led.  The Apache 2.0 license is arguably the most commercial-friendly of all of these options due to wide adoption by industry, its permissive nature, which avoids “viral” requirements upon redistribution of derivative works, and the broad adoption of the associated Apache web server software, which is used by most of commercial industry.

From my experience, one of the most important aspects of the Apache 2.0 license is the Apache brand.

Whenever I am telling a healthcare CIO about one of our open source projects licensed under the Apache 2.0 open source license, if they do not know the details of open source, I can usually talk them away from the ledge with Apache.  When I ask if they have/use an Apache web server, they usually say "yes, I use an Apache web server".  At that point it is easier to explain that other software made available under an Apache 2.0 open source distribution license would represent no greater risk to viral release of an enterprise's intellectual property than using an Apache web server.

With the big disclaimer that I am not a lawyer... 

I also feel that the Apache 2.0 license is the superior distribution license to use in healthcare information technology because it allows for software that is free to download, use, re-purpose, re-distribute, or even sell.  Yes, you are even allowed to sell someone else's software that is distributed via an Apache 2.0 license.  The only really hard requirements are attribution back to the copyright owner, and you cannot sue the original author if something bad happens.  That responsibility is on you, the user of the software.


By only requiring attribution, there is flexibility in the way that anyone would like to use a derivative work.  If a healthcare open source project were to be better positioned as a paid commercial product, the Apache license provides for an immediate technology transfer mechanism to that market with no barriers... none.  Such a decision could even be made with or without agreement from all the open source project community that created the original project.

While I am not endorsing that open source projects be "poached" and turned into commercial for-profit services, I do like that freedom that the Apache 2.0 license provides.

I hope this is helpful.


This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. © Rob McCready, 2014.