What Oregon’s Move to Redefine Data Privacy Means for PHI

Change is coming to the way government and healthcare providers treat personal medical data. In early January 2019, legislators in Oregon introduced Senate Bill 703 — the Oregon Health Information Property Act — which would effectively change how personal health information is treated under the law by labeling it as the patient’s property. The change would pave the way for individuals to authorize and be compensated for third-party access to PHI. 

The Oregon bill is part of a growing trend of government initiatives that address data privacy issues. The European Union’s General Data Protection Regulation and the California Consumer Privacy Act are the two most notable pieces of legislation that seek to provide consumers with more control over the data that companies collect. This reverses the common practice of how personal data is treated by businesses, where the user checks an online terms-of-service box to hand over access to personal data, which companies then sell for a profit to third parties.

MORE FROM HEALTHTECH: What it takes to tackle data privacy in the Big Data era.

The Business of Consumer Data in Healthcare

Currently, under the Health Insurance Portability and Accountability Act of 1996, healthcare providers, such as insurers, hospitals and physicians, are bound by the Privacy Rule, which protects PHI. But if a patient’s data is “de-identified” — meaning the individual patient’s identity cannot be construed from it — healthcare providers are free to use that data for any purpose. This includes research, marketing or selling to data aggregators.

When HIPAA was passed, it was primarily concerned with maintaining patient privacy; there was no understanding of how PHI might turn into a valuable commodity. But, in fact, data has become a very valuable asset: In 2017, the market for buying, selling and trading medical data was $14 billion, a number that is projected to skyrocket to over $68 billion in 2025.

MORE FROM HEALTHTECH: Here’s our checklist for staying HIPAA-compliant in the cloud.

The Value of PHI Beyond Providers

One of the sponsors of the Oregon Health Information Property Act, Rep. David Gomberg, recently said in an interview that the aftermarket for the sale of patient data among data aggregators is huge, and that patients should be appropriately compensated for the use of their data. Gomberg also believes that by treating data as personal property, individuals will be more empowered to better control their PHI and how it is used by others.

The bill would require companies that are subject to HIPAA regulations to obtain signed authorization from individual consumers before de-identifying their data for sale to a third party. Moreover, it would allow individuals to receive payment in exchange for authorizing the de-identification of their PHI by a company looking to sell the data. Companies will not be allowed to discriminate against consumers who choose not to authorize the use of their data.

Ultimately, such regulation may be good news for third-party data aggregators that rely on the medical data industry. Currently, regulations guiding this lucrative business are scarce, which can lead to questionable data sourcing and open up third parties to lawsuits. More clarity could change that.

Many aggregators see compensation as the next step in the growth of this business. Clearly defined rules will put the practice on firm legal ground and also provide new business opportunities to companies like Hu-manity.co, which recently rolled out an app that allows users to specify how their data can be used, who can use it and if they wish to be compensated.