Oregon bill moves to ban unauthorized sale of deidentified data

Oregon
Lobbyists submitted the bill to the Oregon legislature on Tuesday morning. (Wikipedia/Shaundd)

A new bill under consideration in Oregon would move one step closer to treating personal data as property.

And while the measure would surely pull patients further into the data sharing process, it also has the potential to inhibit the flow of clinical data to researchers. This could stymie precision medicine efforts and other research that relies on large quantities of data.

The Health Information Property Act, to be introduced on Wednesday, would put restrictions on the sale of deidentified health data. When they're being sold to business associates, like data brokers, those entities must first obtain the authorization of the patients in the data sets.

New White Paper

Fuel Top Line Growth Across All Lines of Business

Read the latest white paper on how health plans can empower brokers, sales, and marketing teams to increase acquisition and retention rates to achieve their 2020 revenue goals.

"We're focused on this concept of a property right—the idea that data can be owned as property—which is a fundamental shift in the way we think about data as a strategic model," said Michael DePalma, founder, co-president and COO of Hu-manity.co, a data privacy firm that is advocating for the act, in an interview.

This approach is a major step away from previous data privacy laws like the ones passed in California and Delaware. Those laws focused on giving patients access to their data, which doesn't grant the same protections or control as property rights.

Furthermore, such laws depend on consumers knowing where their health data is—and they usually don't. As a nonrivalrous good, deidentified data can be sold and resold countless times without a patient or even a doctor's knowledge.

"We need to evolve the method by which we create and enforce privacy," DePalma said. "What the whole industry really needs if you think about it is transparency. That's really what it's all about. It's 'How do I know where my data is?' Right now you, I, we have no idea where our data is. We don't know what data is held by whom."

RELATED: The quest for identified data: Why some firms are bypassing hospitals to buy data directly from patient

DePalma said that his organization isn't trying to stanch the flow of healthcare data but rather involve the patient further in the sale process. All things being equal, it wants to accelerate data transfers. Still, the act would likely result in marginally fewer data sales if passed, since prospective data brokers would have to obtain consent each time.

The bill was sponsored by State Assemblymen David Gomberg, D-Central Coast, and Floyd Prozanski, D-South Lane and North Douglas, and would go into effect in 2021.

Property is governed by state law, so this approach only works at the state level. But over a dozen states are considering similar bills, DePalma said, so all eyes will be on Oregon if the law passes.

Editor's Note: This article was updated to reflect the fact that Oregon Democrats did not caucus on Tuesday as originally planned. This moved the bill's release to Wednesday.

Read more on

Suggested Articles

Welcome to this week's Chutes & Ladders, our roundup of hirings, firings and retirings throughout the industry.

Federal lawmakers are taking a hard look at how the VA protects patient data shared with VA-approved health apps.

Health technology company Seqster brings patients' data into one place and secured investment from a major drug company.