The deep integration of digital technology and healthcare services has generated vast amounts of medical data, whose scenario-based applications have become the core driving force behind healthcare innovation. However, no consensus has yet been reached on the regulatory framework for allocating medical data rights. Patients, healthcare institutions, and regulatory authorities form the core three-dimensional framework, where significant tensions exist between patients’ assertions of control over their medical data, healthcare institutions’ demands for data utilization rights, and the public governance responsibilities of regulatory bodies. Value conflicts among these diverse stakeholders are increasingly coming to the fore. Compared to other data types, healthcare data possesses distinctive characteristics in terms of its personal nature, public attributes, and sensitivity. The interplay of these three attributes not only exacerbates the ambiguity in defining rights holders and the boundaries of rights but also imposes higher academic and practical demands on the refined and differentiated construction of rights allocation rules. The existing legal framework lacks clear definitions for the nature of rights in medical data and provides insufficient guidance on ownership allocation, further exacerbating the imbalance between data utilization and rights protection in practice. Data rights theory, interest balancing theory, and the principle of consistency between rights and responsibilities provide core legal foundations for allocating rights over medical data. Through introspective examination of the inherent conflicts in data, combined with the varying control capacities of multiple stakeholders and the logic of corresponding rights and responsibilities, there is an urgent need to establish a tiered and categorized rights allocation mechanism. Based on their formation patterns, healthcare data can be categorized into primary and derived types. The personal rights embedded in source medical data should be vested in patients to safeguard their health interests. The limited property rights inherent in derived medical data should belong to healthcare institutions, providing material support for their data utilization. The responsibility for full-cycle oversight of medical data should be entrusted to a designated regulatory authority. By clearly defining regulatory boundaries and establishing detailed standards for end-to-end supervision, this approach ensures the compliant and orderly utilization of medical data, achieving the organic synergy between its public value and market value.