Although the health care and technology industries see big bucks in patient data, that information is not theirs to own.

Health care data belongs to patients, said Dr. B. Vindell Washington, the national coordinator for health information technology at the U.S. Department of Health and Human Services.

Contrary to what some people may believe, patients have the right to ask their health care providers for access to their personal data. Additionally, obtaining that information should be for “little or no cost,” he said Wednesday during Fortune’s Brainstorm Health conference in San Diego.

But even though the Office of Civil Rights may say that health care data belongs to patients, 20 individual states say the data “belongs to the care provider,” he said.

Washington’s comments come amid an increased interest by companies to mine and crunch patient data to help doctors make better diagnoses and to make money.

Dr. Amy Abernethy, the ‎chief medical officer of health care data startup Flatiron Health, agreed that patients own their health care data. Flatiron Health’s business model involves cleaning messy health care data so it can be processed by cutting-edge data analytics technologies.

Get Brainstorm Health Daily, Fortune’s health care newsletter.

Dr. Kyu Rhee, the chief health officer for IBM’s ibm Watson health unit, emphasized that patients must “be aware of how that data is being used.”

For more about health care, watch:

There’s been a cultural shift in the U.S., Washington explained, in which patients believe that their health care data is “a shared record” between themselves and health care providers. And health care providers have “some responsibility to guard that data,” presumably from hackers or misuse, he said.

For more from Brainstorm Health, click here.

Regardless of whether personal health data is both owned by companies or patients, it’s “pretty clear” that it’s the patients who have the rights to their own data sets, Washington said. Still, Washington said that there are challenges “in making sure providers get that message” that they need to hand over patient data when asked, and that “patients know they have that right.”