The most valuable thing inside a hospital's walls may not be its care services or expensive equipment; it might be the troves of patient data stored on EHRs, according to a June 5 article published in the New England Journal of Medicine.
Hospitals are increasingly selling troves of deidentified medical data. Rochester, Minn.-based Mayo Clinic is using its patient data to create an artificial intelligence factory with Google. Nashville, Tenn.-based HCA Healthcare and Google inked a multiyear collaboration to build a health data analytics platform to support its operational workflows. Fourteen health systems partnered to create a firm that aggregates and sells deidentified data and gives more insight on medical conditions such as rare diseases and COVID-19.
The article's authors are researchers from Boston Children's Hospital, Boston-based Harvard Medical School and Durham, N.C.-based Duke University Medical Center.
Five things to know:
- HIPAA allows covered healthcare providers, payers and clearinghouses to use patient data freely once it has been deidentified. These policies enable a multibillion-dollar industry of companies who aggregate patient data for profit. Even as patients and physicians navigate difficulties obtaining medical record details in a timely fashion, hoards of unregulated patient data are passing through hospital networks and into the hands of tech companies, the article noted.
- Open data can help drive better treatment decisions, yet where the data goes after this might not serve the public. In one example, a data aggregation firm may use the data to target patients for pharmaceutical detailing and encourage physicians to push their products, which can increase drug costs and the overprescription of medicine.
- Patients are at risk for being reidentified. Since the U.S. doesn't have a comprehensive data privacy law, there are no regulations to protect patients from the harm that could come from being reidentified. There are also no regulations requiring hospitals to notify the patients if they have been reidentified, the authors said.
- Some health systems may view data sharing as a way to short-term financial gains. Health systems enter agreements with data-sharing companies that might offload the data to marketing teams. If a health system's goal is to make money, there are financial gains in selling patient data. If its goal is to provide high-quality patient care or commit to being transparent with patients, then there are better strategies, the report said.
- To mitigate patient risks, health systems should treat deidentified data the same as protected health information, and ask patients for their permission to use their data. Health systems and data-aggregation firms need to have contracts so the data doesn't go toward unintended uses. Another approach would be to allow data-aggregation companies to look at records, but not allowing the files to leave the health system.