February 15, 2019
The Oregon Health Information Property Act suggests that healthcare patients must be allowed to legally allow their healthcare providers to sell their health data and for them to pay if their health information is sold to a third party.
Presently, the Health Insurance Portability and Accountability Act (HIPAA) Secrecy Rule limits the permissible uses and disclosures of ‘Protected Health Information.’ HIPAA-protected bodies are only permitted to use or disclose PHI for purposes linked to the provision of cure, payment for healthcare, or healthcare operations. Though there are some exclusions, other uses and disclosures are not permitted unless approval is first received from patients.
The HIPAA Privacy Rule includes PHI, which is recognizable patient information. If PHI is stripped of information that allows an individual to be identified, it is no longer supposed of as PHI and is no longer subject to Privacy Rule limitations. That means that if a HIPAA-protected body de-identifies PHI, they are then permitted to sell that information for profit. That information can be valuable to research groups and other organizations.
Senate Bill 703, labeled the Oregon Health Information Property Act, is sponsored by Senator Floyd Prozanski (D-Eugene) and has the support of more than 40 co-sponsors. At its core, the bill would see users health information treated in a similar way to property and would allow them to profit from selling it.
The Oregon Health Information Property Act
The Oregon Health Information Property Act has three key elements:
- It would require HIPAA-covered organizations and their business partners and subcontractors to complete a signed approval from users before they de-identify PHI to sell on to third parties.
- Consumers could opt to get payment in exchange for giving approval to allow their health data to be sold.
- The bill also prevents consumers from being victimized against for not signing an approval or deciding to get paid.
HIPAA-covered bodies are able to gain from selling de-identified data, therefore, it is claimed that patients should get a cut of the payment; however, in spite of having garnered substantial support, concern has been voiced about the effect of these approvals.
The bill, in its current form, does not place any limitations on the uses of health data once approval has been given. Information could, therefore, be used for a wide variety of reasons once authorization has been given – Causes that may not necessarily be included on the approval form.
The bill also does not state the difference between a person’s protected health information, health information or de-identified data. By completing a form to get a small payment, consumers would be giving up their secrecy and important safeguards afforded by HIPAA, which could have different unintended consequences.