Would you sell your own healthcare data to a private company? What if it could help them discover a new treatment? What if you were poor and desperate for income?
Those are the questions patients are faced with in the new world of protected health information (PHI) marketplaces. Data brokers have long bought deidentified data from healthcare organizations, but recently, firms have begun going outside the traditional healthcare system and offering to pay patients directly for their data.
These offers put patients in a tough position. On the one hand, people are almost never offered money for their own data—usually data are sold by a third party, like Facebook or a hospital. And the prospect of getting cash in exchange for something intangible like data could be very attractive to someone who's very sick and/or under tight budget constraints.
On the other hand, it's not out of convenience that firms are going directly to patients. If a patient obtains and sells their own health data, it is no longer considered part of the patient-provider relationship—and therefore is not covered by HIPAA. That's what makes these data so valuable to prospective buyers: unlike data sets acquired from a provider, these do not need to be deidentified.
Such identified data are in high demand, according to Raj Sharma, CEO of Health Wizz, one of the first startups in this area. When pharmaceutical companies want to create specialized designer drugs, for instance, they will often need genomic data or other data sources that providers can't sell them.
Sharma says analyzing genetic data "has become a fundamental principle" for drug developers, particularly in specialties like cancer, heart disease and cardiovascular disease.
"When they talk about AI and machine learning, they need genetic data as an input," Sharma told FierceHealthcare. "We think that's where these identified data will be really, really crucial. Because I'm going to give the pharmaceutical company my genetic data, my clinical data, my wearables data, my environmental data—my social determinants as well—and I'm going to supply all this data to the pharmaceutical company so they can come up with a highly effective drug that works on me and people exactly like me."
A new model for centralizing healthcare data
Health Wizz encourages patients to obtain their healthcare data from providers (a request HIPAA allows) and store it in a personal "filing cabinet" set up by the firm: a central, virtual depository for any type of health data. This is the basic level of service the firm provides, and if patients want, they can move forward to bundling certain types of data together and selling them to interested buyers like pharmaceutical companies.
If patients decide to make a sale, a blockchain system tracks what data has been sold to whom and dispenses payment accordingly (currently only in the form of Amazon gift cards). This works as a security measure by keeping the publicly facing sales data separate from the heavily private health data itself.
Sharma said that Health Wizz vets PHI buyers in its platform, so as long as patients only sell their data through that platform, they should have confidence that buyers are legitimate research entities like established drug developers. But patients will have to be very careful about selling anything off-platform. Once they take ownership of these data, they are free to distribute them as they wish. And if someone makes the mistake of selling their PHI to a malevolent broker, those data could come back to haunt them.
For example, a prospective employer could pay an untoward data broker for PHI and discover a candidate has Type 2 diabetes. That's not disqualifying for the job, but it will cost the employer's health plan. Or a bank considering a home loan finds out from a data broker that the applicant has a renal disease and may not live long enough to pay off a 25-year mortgage. Life insurance companies could also use the data to deny an application.
Privacy protections beyond HIPAA
HIPAA isn't the only privacy law out there, and some of those nightmare scenarios may prompt an investigation by the Securities and Exchange Commission. But some privacy advocates don't think that's sufficient and suggest Congress pass new privacy laws to account for the emerging businesses.
"I have had a growing concern about the fact that we have protections for health data only when it's held by certain kinds of entities—by our doctors, by our hospitals, by our health plans, etc.—but not when it's held by other types of entities," Jodi Daniel, a partner in Crowell and Moring's Health Care Group and a former official at the Office of the National Coordinator for Health IT, told FierceHealthcare. "It's very difficult for an individual to understand how their information might be used."
"There are very complex privacy policies, people don't read them, people don't understand them, and it's hard to really have informed consent about what you're agreeing to when how someone might use your data in the future is difficult to predict today," she added.
New privacy laws could provide protections on certain types of data regardless of where they originate. Or they could make it illegal for employers and banks to consider certain types of information when making decisions about people's futures.
Admittedly, these aren't airtight solutions, and a black market for data could certainly crop up. But most privacy advocates prefer one of these approaches to simply banning PHI marketplaces altogether.
"I think it would be helpful to have some kind of baseline protection for health data wherever it resides, but not so much that it interferes with innovation or people's own choices about what they want to do with that data," Daniel explained.
For one thing, some advocates believe the marketplaces will give patients more agency. Consumers are well-accustomed to private companies making money off their data, but this would mark the first time that patients themselves can make money from these sales.
Despite concerns about this business model, it will undeniably produce one valuable output: more data. As Jenn Geetter, a partner at McDermott, Will and Emery, noted, the limited quantities and varieties of data currently available are holding back research. Ultimately, she said researchers need patient-reported data beyond what traditional HIPAA-covered entities like plans and providers can offer—what she calls "walkaround data."
"We need all of that data. And that's not necessarily data that's captured in traditional data stores, but often is captured in a lot of the digital apps that people use," Geetter said. "There's so much data out there, if we can find a way to incentivize people to want to pull that together, and get it curated and packaged in a way that makes sense for them, and for customers, that's wonderful."
So, while PHI marketplaces may still justifiably give privacy advocates reason for concern, they do bring a certain kind of value to the healthcare system. Any kind of policy aimed at these businesses should do everything possible to maintain that value, Geetter and Daniel agreed.