
Five Red Flags in De-Identification and Monetization of Data for Healthcare Companies | Insights

Healthcare providers operating on razor-thin margins or simply seeking new (and in the case of tax-exempt providers, permissible) revenue streams may jump at the opportunity when third-party vendors offer to help monetize patient data. However, such ventures are fraught with danger for providers without a robust regulatory compliance program that adheres to all applicable laws, rules, and regulations, including those related to privacy and security. Providers entering into such arrangements must exercise extreme caution when investigating and structuring such arrangements, and should consider the following red flags:

1. Ignoring applicable laws, rules and regulations

Any transaction involving individually identifiable personal information will require careful consideration of applicable law. Entities considering a data sale, licensing agreement, or joint venture that contemplates the use of patient data must review applicable federal law, as well as the laws of the states in which the parties are located and the states in which the individuals whose information is being collected reside. Different laws may apply depending on the nature of the information. For example, federal privacy and security regulations implementing parts of the Health Insurance Portability and Accountability Act (HIPAA) impose restrictions on the use and disclosure of protected health information (PHI). With limited exceptions, HIPAA requires written authorization from an individual if PHI will be used or disclosed for any purpose other than treatment, payment, or health care operations.

Other laws may also apply, depending on the nature of the data. Providers offering substance use disorder treatment programs will likely have to comply with the regulations in 42 CFR Part 2. The Federal Trade Commission seeks to protect consumers by requiring companies to follow their own privacy policies when it comes to protecting personal information. If those privacy policies contain broad statements that suggest that information about an individual will only be used for specific, limited purposes, those policies can make it difficult for a company to monetize the data.

In addition, different states have different restrictions based on a variety of factors, including health status and how the data was collected and produced. These restrictions may be more stringent or address issues other than HIPAA.

2. Receiving something of value in exchange for access to PHI

HIPAA violations can result in criminal penalties. Selling, transferring, or using PHI for commercial advantage, personal gain, or malicious harm can result in fines of up to $250,000 and imprisonment for up to 10 years. Sharing PHI in exchange for money or other valuable consideration also falls under this prohibition. Additionally, for tax-exempt entities, selling, transferring, or using PHI for commercial advantage may be inconsistent with the charitable purposes of the entity.

3. Improper de-identification

Once PHI is properly anonymized, HIPAA no longer applies. Sometimes companies buy or sell data sets that they believe are completely anonymized because names, addresses, Social Security numbers, and other direct identifiers have been removed. However, this does not guarantee that the information is sufficiently anonymized. HIPAA has two methods of anonymization: the so-called safe harbor method and the expert determination method. Under the safe harbor method, a number of data points must be removed, including all dates associated with an individual other than the year. So if a company wants to buy a data set that includes the day, week, or month of a lab test or other medical service, the information is not anonymized unless a suitably qualified statistician or other expert properly documents that the information is in fact anonymized and will remain so.
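The safe harbor date rule described above, as an added illustration that is not part of the original article: a transform that strips the direct identifiers the article names and reduces every date to its year, beside a check that reports which fields would still disqualify a record. The record layout, field names and sample values are constructed; the real safe harbor list contains 18 identifier categories, so a production check must cover more than the fields shown here.

```python
import re
from datetime import date

# Direct identifiers the article names; the real Safe Harbor list is longer (18 categories).
DIRECT_IDENTIFIERS = {"name", "address", "ssn"}
# Fields the (constructed) records store as dates; Safe Harbor keeps only the year.
DATE_FIELDS = {"dob", "lab_test_date", "admission_date"}

ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed sample records, not real patient data.
SAMPLE_RECORDS = [
    {"name": "Jane Roe", "ssn": "123-45-6789", "address": "1 Main St",
     "dob": date(1980, 3, 14), "lab_test_date": date(2023, 11, 2), "result": "A1C 6.1"},
    {"name": "John Doe", "ssn": "987-65-4321", "address": "2 Oak Ave",
     "dob": date(1975, 7, 1), "lab_test_date": "2024-01-15", "result": "LDL 140"},
]


def safe_harbor_transform(record):
    """Drop the named direct identifiers and reduce every date field to its year."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # removed entirely
        if key in DATE_FIELDS:
            if isinstance(value, date):
                out[key] = value.year
            elif isinstance(value, str) and ISO_DATE.match(value):
                out[key] = int(value[:4])
            else:
                # Refuse to guess: an unparsed date must not slip through as "de-identified".
                raise ValueError(f"unparseable date in {key}: {value!r}")
        else:
            out[key] = value
    return out


def safe_harbor_violations(record):
    """Return the fields that keep a record from qualifying under the checks modelled here."""
    problems = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            problems.append(key)
        elif key in DATE_FIELDS and not isinstance(value, int):
            problems.append(key)  # day, week or month still present
    return problems
```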

4. Insufficient verification of business partners

Before disclosing PHI to a collaborator, HIPAA requires that a covered entity obtain satisfactory assurances in a written agreement from the collaborator that the collaborator will use and disclose PHI only as permitted in the agreement. Except in very specific circumstances involving its own proper management and administration or fulfilling its legal obligations, a collaborator may not use PHI for its own purposes. If the collaborator will anonymize PHI so that it can be licensed or sold, the collaborator agreement must permit such activity. The collaborator must have in place sufficient HIPAA compliance programs and the ability to anonymize PHI as required by the regulations. Collaborators that wish to retain PHI for purposes other than anonymization raise an immediate red flag.

5. Losing control over data usage downstream

Even if the data is properly anonymized and no longer subject to HIPAA, significant risk can still arise if the entity providing the anonymized information relinquishes all control. A limited license to continue to use and disclose the dataset, as opposed to an outright sale, can help ensure privacy protections in the future. For example, if the information is anonymized pursuant to an expert determination method, the expert may require continued protection of the data. The information may still be subject to a contract that restricts how the recipient may use it and that prevents the recipient from attempting to re-identify it.

Green flag

An overarching guiding principle when evaluating data monetization opportunities can be found by asking the following question: “What would a patient expect?” If a provider can point to disclosures or communications to the patient that adequately explain the anticipated use of the data, or if the proposed arrangements are necessary for the provider’s own treatment, payment and health care operations activities, red flags are unlikely to appear.