Data Use: Who Should Control?

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure #HCdeJure

Questions around the state of privacy for healthcare and other information are being left unanswered in many regards. Many services and tools fall outside the “traditional” healthcare realm, which means HIPAA and state-level legal protections focused on the healthcare industry do not provide coverage. Services that ostensibly protect data are also frequently found either to have not been entirely forthcoming or to have been using data all along, just without readily apparent disclosure.

The summary of privacy woes may seem like a litany applicable only to individual or consumer use. Unfortunately, the same may hold true for healthcare clinicians as well. Digital or cloud-based tools can offer a seemingly great deal, but that great deal may come with a catch: the ability to de-identify data and use it for other purposes. That can be a negotiated point when working with a vendor or consultant, and a knowing negotiation is not problematic. What happens, though, when the ability to use data is inserted after use has already started or is part of the terms of use when signing up for an electronic medical record?

The hypothetical around a cloud-based electronic medical record (EMR) reserving to itself the ability to de-identify patient information is neither a hypothetical nor far-fetched. Instead, it appears frequently in the terms of use of many EMRs. Examples of such terms can be found in the terms of use for systems supporting all types of clinicians from physicians to mental health professionals to dentists and more.

The provisions can be very generous in favor of the EMR vendor, such as this language (which appears identically in at least two products): “In consideration of our provision of the Service, you hereby transfer and assign to us all right, title and interest in and to all De-Identified Information that we make from Your Information pursuant to Section 4.1.5. You agree that we may use, disclose, market, license and sell such De-Identified Information for any purpose without restriction, and that you have no interest in such information, or in the proceeds of any sale, license, or other commercialization thereof. You acknowledge that the rights conferred by this Section are a principal consideration for the provision of the Service, without which we would not enter into these TOS.”

Another version looks like this: “[Vendor] may use protected health information to provide you with data aggregation services (as that term is defined by HIPAA) and to create de-identified data in accordance with 45 CFR 164.514(a)-(c) retaining any and all ownership claims related to the de-identified data it creates from protected health information. [Vendor] may use, during and after this agreement, all aggregate anonymized information and de-identified data for purposes of enhancing the Service, technical support and other business purposes, all in compliance with the HIPAA Privacy Standards, including without limitation the limited data set and de-identification of information regulations.”

An underlying question is why an EMR, which is purpose-built to store patient data for the clinician, wants the ability to go into the data it is holding and de-identify it. One obvious answer is that de-identifying data could enable the EMR to amass a large database of valuable information that can be sold through other avenues to provide a better profit. The aggregated data could also be used to enhance analytics, which could be an add-on feature that can be obtained for a fee. Ultimately, with data becoming the predominant commodity in the market, any ability to get vast quantities for free (or arguably to have someone pay to give it to you) will be pursued.

Leaving aside the reasons for wanting the unbridled ability to de-identify data, the discussion may shift back to whether some services should stay out of that game or at least make it very plain upfront. That discussion seems especially relevant in the EMR field because clinicians may not have a choice of whether to adopt an EMR and may have little to no practical choice as to which one will be chosen. Further, the EMR may be viewed as a secure electronic version of a clinician’s old paper records, which is an area that no one would previously have thought would be freely available to a third party.

Despite all of the questions, the imposition of the ability to de-identify, so long as it is done consistent with HIPAA requirements, likely does not result in conduct contrary to HIPAA requirements. As noted in one of the provisions, HIPAA specifically identifies how data may be de-identified and goes on to state that once data are de-identified, the de-identified data are outside the bounds of HIPAA.

While HIPAA may permit the activity, if the right is imposed through a bait-and-switch method or is hidden, then the Federal Trade Commission may be interested in the issue as an unfair or deceptive business practice. While the argument is possible, it could be an uphill battle to establish or prove.

Regardless of the legality, an EMR vendor reserving to itself the ability to de-identify data in its product may create a practical problem. Distaste for the practice could drive away customers (unless there are no other options) and create public backlash. That is not necessarily far-fetched, as Practice Fusion did receive a fine from the FTC for deceptive practices around patient contacts. The issue was not centered on de-identification, but a case could be brought.

As noted at the start, privacy concerns are coming to the fore and being debated with more nuance and attention. As those discussions continue and delve into new areas, de-identification practices could very well receive some time in the sun.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.