Five Red Flags in De-Identification and Data Monetization for Healthcare Companies
Healthcare providers running on thin margins or just seeking new – and in the case of tax-exempt providers, permissible – revenue sources may jump at the chance when third party vendors offer to help them monetize their patient data. Such ventures, however, are fraught with peril for providers without a solid regulatory compliance program that adheres to all applicable laws, rules and regulations, including those with respect to privacy and security. Providers entertaining such arrangements must use extreme caution as they explore and structure such arrangements, and should consider the following red flags:
1. Ignoring Applicable Laws, Rules and Regulations
Any transaction involving individually identifiable personal data will require careful analysis of applicable law. Entities considering a data sale, licensing agreement or joint venture that contemplates the use of patient data need to review applicable federal law, as well as the laws of the states where the parties are located and the states where the individuals who are the subjects of the information live. Different laws may apply depending on the nature of the data. For example, the federal privacy and security regulations implementing portions of the Health Insurance Portability and Accountability Act (HIPAA) impose restrictions on the use and disclosure of protected health information (PHI). With limited exceptions, HIPAA requires written authorization from an individual if the PHI will be used or disclosed for something other than treatment, payment or healthcare operations.
Other laws may apply as well, depending on the type of data involved. Providers offering substance use disorder treatment programs will likely have to comply with confidentiality and privacy regulations found at 42 C.F.R. Part 2. The Federal Trade Commission strives to protect consumers by requiring companies to abide by their own privacy policies when it comes to protecting an individual's data. If those privacy policies contain broad statements suggesting that an individual's information will only be used for certain limited purposes, those policies could impede the company's ability to monetize data.
In addition, different states have different restrictions depending on various factors, including the health condition involved and how the data was sourced and produced. These restrictions may be more stringent or address different matters than HIPAA.
2. Receiving Something of Value in Exchange for Access to PHI
HIPAA violations can lead to criminal penalties. Selling, transferring or using PHI for commercial advantage, personal gain or malicious harm can result in fines of up to $250,000 and imprisonment for up to 10 years. Providing access to PHI in exchange for money or other valuable consideration could implicate this prohibition. Further, for tax-exempt entities, selling, transferring or using PHI for commercial advantage may be inconsistent with the charitable purposes of the organization.
3. Improper De-Identification
Once PHI is properly de-identified, HIPAA no longer applies. Sometimes companies will buy or sell data sets they believe are completely de-identified because names, addresses, social security numbers and other direct identifiers have been scrubbed. This does not guarantee, however, that the information is sufficiently de-identified. HIPAA has two methods of de-identification: the so-called safe harbor method and the expert determination method. Under the safe harbor, a number of data points must be removed, including all dates related to an individual other than the year. Therefore, if a company wants to purchase a data set that contains the day, week or month of a lab test or some other medical service, the information is not de-identified unless an appropriately qualified statistician or other expert properly documents that the information is, in fact, de-identified and will remain so.
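To make the safe harbor point concrete, here is an added example (written for this article, not code from its author or any vendor) that screens a flat patient record for a subset of the safe harbor elements, generalizes it so that only the year of each date survives, and reports a verdict that changes only when a documented expert determination is on file. The field names, the sample record and the identifier list are constructed for the example; a production check would have to cover every element enumerated in 45 C.F.R. 164.514(b)(2), not just the subset used here.

```python
"""Minimal HIPAA Safe Harbor screen for tabular records (illustrative, added example).

Assumptions (constructed for this example, not from the article):
- records are flat dicts with ISO-8601 style date strings (YYYY-MM-DD or YYYY-MM);
- the field names below are the ones a data set happens to use;
- only a subset of the Safe Harbor identifiers is modelled.
"""
from dataclasses import dataclass
import re

# Subset of the Safe Harbor direct identifiers that must be removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "ssn", "mrn", "phone", "email", "device_serial",
}

# Fields assumed (for this example) to hold dates directly related to an individual.
# Safe Harbor permits only the year of such dates to remain.
DATE_FIELDS = {"dob", "service_date", "lab_date", "admission_date"}

FULL_DATE = re.compile(r"^(\d{4})-(\d{2})(?:-(\d{2}))?$")   # YYYY-MM or YYYY-MM-DD
YEAR_ONLY = re.compile(r"^\d{4}$")


@dataclass(frozen=True)
class Finding:
    field: str
    reason: str


def screen(record: dict) -> list[Finding]:
    """Return every Safe Harbor problem found in a single record."""
    findings = []
    for key, value in record.items():
        if value in (None, ""):
            continue
        text = str(value)
        if key in DIRECT_IDENTIFIER_FIELDS:
            findings.append(Finding(key, "direct identifier must be removed"))
        elif key in DATE_FIELDS:
            if FULL_DATE.match(text):
                findings.append(Finding(key, "date finer than year is not permitted"))
            elif not YEAR_ONLY.match(text):
                findings.append(Finding(key, "unrecognized date format; cannot confirm year-only"))
        elif key == "age" and text.isdigit() and int(text) > 89:
            # Safe Harbor requires ages over 89 to be aggregated into a single 90+ category.
            findings.append(Finding(key, "age over 89 must be aggregated to 90+"))
    return findings


def generalize(record: dict) -> dict:
    """Copy a record in Safe Harbor form: drop direct identifiers, keep only the year
    of each date, and collapse ages over 89 to the string '90+'."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        text = "" if value is None else str(value)
        if key in DATE_FIELDS and text:
            m = FULL_DATE.match(text)
            out[key] = m.group(1) if m else value
        elif key == "age" and text.isdigit() and int(text) > 89:
            out[key] = "90+"
        else:
            out[key] = value
    return out


def verdict(record: dict, expert_determination_on_file: bool = False) -> str:
    """Summarize whether the record may be treated as de-identified.

    Sub-year dates fail Safe Harbor; in this example only a documented expert
    determination (the second HIPAA method) can cover date or age granularity,
    and direct identifiers always keep the record as PHI.
    """
    problems = screen(record)
    if not problems:
        return "de-identified (safe harbor)"
    granularity_only = all(
        f.field in DATE_FIELDS or f.field == "age" for f in problems
    )
    if expert_determination_on_file and granularity_only:
        return "de-identified (expert determination)"
    return "still PHI"


# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Example",
    "mrn": "000123",
    "dob": "1951-04-09",
    "lab_date": "2023-11-02",
    "age": 92,
    "diagnosis_code": "E11.9",
    "state": "OH",
}

if __name__ == "__main__":
    for f in screen(SAMPLE):
        print(f"{f.field}: {f.reason}")
    print(verdict(SAMPLE))                 # still PHI
    print(verdict(generalize(SAMPLE)))     # de-identified (safe harbor)
```

The key behaviour is in the second verdict: stripping the name and MRN alone leaves the record as PHI because the lab date and date of birth still carry month and day, which is exactly the "scrubbed but not de-identified" situation the text describes.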
4. Insufficient Vetting of Business Associates
Before a covered entity discloses PHI to business associates, HIPAA requires the covered entity to obtain satisfactory assurances, in the form of a written business associate agreement, that the business associate will use and disclose the PHI only as permitted by that agreement. Except under very specific circumstances relating to its own proper management and administration or to fulfill its legal responsibilities, business associates cannot use PHI for their own purposes. If a business associate will be de-identifying PHI so it can be licensed or sold, the business associate agreement must permit that activity. The business associate must have sufficient HIPAA compliance programs in place and the ability to de-identify PHI in accordance with the regulations. Business associates that wish to retain PHI for purposes other than de-identification should generate an immediate red flag.
5. Losing Control Over Downstream Data Use
Even if data is properly de-identified and no longer subject to HIPAA, it can still create significant risk if the entity providing the de-identified information relinquishes all control. A limited license to further use and disclose the data set, as opposed to an outright sale, can help ensure that privacy is protected going forward. For example, if information is de-identified in accordance with the expert determination method, the expert may require further protections of the data. The information may still need to be subject to a contract that restricts how the recipient will be allowed to use it, and that prevents the recipient from trying to re-identify it.
A Green Flag
An overarching guiding principle when evaluating data monetization opportunities can be found by asking the following question: "What would the patient expect?" If the provider can point to patient-facing disclosures or communications that adequately explain the anticipated data use, or can show that the proposed arrangement is necessary for the provider's own treatment, payment and healthcare operations efforts, the red flags are likely to stop waving.