The Oregon Health Information Property Act proposes that individuals may give permission to their healthcare providers to sell their health data and receive financial compensation from the transaction.
Democrat Senator Floyd Prozanski proposed Senate Bill 703, more commonly known as the Oregon Health Information Property Act. The bill has more than 40 co-sponsors. If Bill 703 passes, health information would, patients would profit from its sale, much as they would their regular physical possessions.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule limits the allowable uses and disclosures of ‘Protected Health Information.’ HIPAA rules dictate that covered entities may only use or disclose PHI for purposes related to the provision of treatment, payment for healthcare, or healthcare operations. While there are some exceptions, other uses and disclosures are prohibited unless patients give their explicit consent. HIPAA prohibits the sale of PHI as described by the Oregon Health Information Property Act.
The HIPAA Privacy Rule covers PHI, which is identifiable patient information. If PHI is stripped of information that allows an individual to be identified, it is no longer considered PHI and is no longer subject to Privacy Rule controls. That means that if a HIPAA-covered entity de-identifies PHI, they can then sell that information on for profit. This data is sought after by many different industries. It is arguably more valuable to them with the identifying information still in place. Here, the Oregon Health Information Property Act would introduce a significant change from HIPAA; patients could sell their data with the identifiers still attached.
If passed, the Oregon Health Information Property Act would require HIPAA-covered entities and their business associates and subcontractors to obtain a signed authorisation from consumers before they de-identify PHI to sell on to third parties. Consumers would have the power to choose if they want to receive payment in exchange for giving the authorisation to allow their health data to be sold. The bill also prevents healthcare providers from discriminating against consumers who either refuse to sell their data or choose to receive payment for the transaction.
Some detractors have raised concerns that the bill does not place any limitations on the uses of health data once a patient authorises its sale. Information could, therefore, be used for a wide range of purposes once the patient approves. The organisation purchasing the data may not need to inform the patient of all the intended uses when they conduct the initial transaction.
The bill also fails to distinguish between protected health information, health information or de-identified data. By signing a form to receive a small payment, consumers would be relinquishing their privacy and essential protections afforded by HIPAA, which could have unforeseen consequences.
In spite of these concerns, the bill has attracted a great deal of praise. Many argue that if health organisations can profit from the sale of de-identified data, patients should also be able to receive financial compensation from the sale. The move to viewing data as another of an individual’s assets is indicative of the changing attitude that consumers have to their information.