New a Senate bill has proposed that individuals should be allowed to permit their healthcare providers to sell their health data and receive financial compensation if their health information is sold to a third party.
Senate Bill 703, more commonly known as the Oregon Health Information Property Act, is sponsored by Senator Floyd Prozanski (D-Eugene) and has more than 40 co-sponsors. Should it be passed, the bill would see consumers health information treated in a similar way to an individual’s property. Patients would allow them to profit from its sale, much as they would their regular physical possessions.
This bill is a stark change to current legislation. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule limits the allowable uses and disclosures of ‘Protected Health Information.’ HIPAA-covered entities are only permitted to use or disclose PHI for purposes related to the provision of treatment, payment for healthcare, or healthcare operations. While there are some exceptions, other uses and disclosures are prohibited unless patients give their explicit consent.
The HIPAA Privacy Rule covers PHI, which is identifiable patient information. If PHI is stripped of information that allows an individual to be identified, it is no longer considered PHI and is no longer subject to Privacy Rule controls. That means that if a HIPAA-covered entity de-identifies PHI, they can then sell that information on for profit. A vast number of organisations would be interested in purchasing the data of healthcare patients, such as research organisations.
The Oregon Health Information Property Act
The Oregon Health Information Property Act has three main components:
1) It would require HIPAA-covered entities and their business associates and subcontractors to obtain a signed authorisation from consumers before they de-identify PHI to sell on to third parties.
2) Consumers could choose if they want to receive payment in exchange for giving the authorisation to allow their health data to be sold.
3) The bill also prevents consumers from being discriminated against for refusing to sign an authorisation or choosing to receive payment.
HIPAA-covered entities can profit from selling de-identified data, so many argue that patients should also be able financially compensated from the sale. However, despite having attracted considerable support, concern has been voiced about the impact of these authorisations.
The bill, in its current form, does not place any limitations on the uses of health data once a patient authorises its sale. Information could, therefore, be used for a wide range of purposes once the patient approves. The organisation purchasing the data may not need to list all of the ways they intend to use the data on the authorisation form.
The bill also makes no distinction between an individual’s protected health information, health information or de-identified data. By signing a form to receive a small payment, consumers would be relinquishing their privacy and essential protections afforded by HIPAA, which could have various unintended repercussions.