Health IT advances make it increasingly easier to share de-identified patient data—but even though HIPAA allows for such information sharing, some experts warn the practice carries privacy and security concerns, Rachel Arndt reports for Modern Healthcare.

Access our health care cheat sheets on top-of-mind legal landmarks

Why data is so valuable in the health care industry

Privacy and security experts have been closely watching companies' user data sharing practices, and warning against instances in which user data are shared without explicit consent. In the health care sector, entities covered under HIPAA are permitted to share patient data as long as the data are de-identified. As a result, third parties can legally purchase de-identified data from "a vast array of sources," including health systems, pharmacies, and in some cases EHR vendors, Arndt reports, and then re-sell the de-identified information on the secondary market.

According to Arndt, buyers on the secondary market, including pharmaceutical companies, might use the data to:

How to be a cybersecurity sentinel

• Determine investments;
• Decide how to target clinical trials; and
• Refine marketing strategies.

John Gardner, a partner with NGP Capital, said, "Even small pools of data about patients that have the exact disease a company is trying to sell into are very valuable." For instance, Adam Tanner in his book, "Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records," detailed how a big drugmaker might pay $10 million and $40 million annually for data, consulting, and services from Iqvia, a third-party purchaser of health information.

Kim Gray, the chief privacy officer at Iqvia, said "a wide variety of arrangements" exist between Iqvia and sources that provide patient data. According to Modern Healthcare, Iqvia has data sharing agreements with more than 120,000 sources, which Gray said include payers, pharmacies, providers, and in rare cases, EHR vendors. Gray would not confirm whether Iqvia pays hospital systems for access to patient data, Arndt reports.

The sometimes-murky sources of patient data

According to Modern Healthcare, it can be difficult to determine which stakeholders in the health care industry sell de-identified patient data.

For instance, Nilesh Chandra, senior leader at PA Consulting, pointed out that even in instances when data might appear to come directly from a hospital, the information may actually arrive to third parties through their EHR. Chandra explained that EHR vendors have a significant amount of legal and technological control of patient data, even if health systems own the patient data.

For instance, Tanner in his book pointed out that one EHR vendor, Practice Fusion, has charged firms between $50,000 to $2 million for access to longitudinal datasets of personal health information. But not all EHR vendors engage in such contracts or sale practices, Modern Healthcare reports—a spokesperson for Epic, for instance, said the organization doesn't participate in such practices.

Data-sharing risks

According to Modern Healthcare, while sharing anonymized health data may support innovation, it may also place patients at risk of privacy breaches.

Sam Hanna, director of George Washington University's online master's degree in health informatics program, said, "Just because something is anonymized, it is still possible to identify who that is when you merge that record with other records that are available." Hanna added, "Harnessing [de-identified patient] data for research purposes and targeted therapies is all great unless it falls into the wrong hands."

Separately, Eric Gascho, vice president of government affairs and policy at the National Health Council, said health care organizations should be examining how to make it more difficult to re-identify patient data, calling it an "utmost concern" (Arndt, Modern Healthcare, 4/7).

Just updated: Your cheat sheet for understanding health care's legal landscape

With the new tax law, antitrust laws, HIPAA, and countless others, the health care landscape has become an alphabet soup of legislation. To help you keep up, we've created a series of cheat sheets for some of the most important—and complicated—legal landmarks.

Check them out now for everything you need to know about the Affordable Care Act, antitrust laws, fraud and abuse prevention measures, HIPAA, MACRA, and the two-midnight rule.

Get the Cheat Sheets