I recently saw a tongue-in-cheek tweet from Howard Green, MD about how healthcare shares data:
#hdpalooza Here's how we share data. I enter data into my EMR into the late evening hours and my EMR company sells that data to industry.
— Howard Green, MD (@DermHAG) April 27, 2017
There has always been a disconnect between providers and EHR vendors saying they can’t share data and EHR vendors then easily selling and sharing EHR data with the healthcare industry. If you don’t think this happens at large scale in healthcare, then you need to look no further than IMS, which last I checked was a multibillion-dollar public company on the back of our health data.
The “sharing,” or should we say selling, of EHR data is big business and happening a lot more than we realize. I know the Patient Privacy Rights organization was trying to make a map of all the ways your health data was being shared. However, you can imagine that’s an almost impossible task to accomplish. I think most of us would be shocked to see how far and wide our health data is shared.
I wonder how many doctors know the answer to this question, “Does your EHR sell your EHR data?”
My guess is that most doctors assume that their EHR data is not being sold. For a number of EHR vendors, that’s probably true. However, my guess is that most doctors don’t know their EHR vendor’s policy on selling EHR data. If you don’t know, you should ask your EHR vendor and find out.
For those EHR vendors that are selling EHR data, you can be sure that they will happily reply that any EHR data they sell is de-identified. They’ll argue that it’s not a violation of HIPAA because it doesn’t have any PHI because they’ve de-identified the data and only sell the data in aggregate. No doubt there are many that would argue that there’s no perfect way to totally de-identify your EHR data and that when combined with other sources, they can often identify your patients.
This is big business, so it’s easy to see why an EHR vendor would give the go-ahead to de-identify and sell the data stored in their EHR. It is disappointing, though, when they’re doing this and their users don’t know that’s the case.
If you’ve asked your vendor if they sell your EHR data, we’d love to hear what they say. How did they respond? Are you ok with your EHR selling your de-identified EHR data?