Oregon lawmakers roll out bill to let patients get paid for health data

As data becomes more valuable, and privacy seems increasingly elusive, state lawmakers in Oregon are starting a conversation about a new way to empower consumers.
Written by Stephanie Condon, Senior Writer

On a daily basis, consumers readily hand over their data to businesses. They share their location with mobile applications. They let supermarkets track their purchases with club cards. They may even share their DNA with a consumer genetic testing firm.

In some cases, consumers may have a greater expectation that the data they share will be kept private and secure. When it comes to medical data, some of the main players -- such as health insurers, hospitals, academic medical centers and physicians -- are bound by the HIPAA (Health Insurance Portability and Accountability Act of 1996) Privacy Rule

The Privacy Rule, however, is only protects personal data when it has a patient's protected health information (PHI) attached -- that includes information like a patient's name and address. Once your data has been "de-identified," there are basically no limits on how it can be used. The data could be used for medical research, for fundraising efforts or for marketing and ad campaigns. And with new analytics tools that can glean insight from just about any information -- even the bend of one's fingernails, says IBM's Ginni Rommetty --  that medical data is becoming increasingly valuable.

That's why this week, a group of Oregon lawmakers have introduced legislation that would empower Oregon residents to get a cut of the value of their medical data.

Also: Why your smartwatch and wearable devices are the next big privacy nightmare

"If somebody was using my personal data, selling it -- which is a huge, huge industry -- then perhaps I should be compensated for the information I am providing," Oregon Rep. David Gomberg said to ZDNet.

Gomberg is one of the sponsors of the Health Information Property Act, which effectively treats personal health data like property. The bill has three components. It would:

  • Require HIPAA-covered entities -- as well as their business associates or subcontractors -- to get signed authorization from consumers before de-identifying their personal health information (PHI) to sell the data to a third party.
  • Allow consumers to elect to receive payment in exchange for authorizing the de-identification of their PHI for the purpose of sale.
  • Prohibit companies subject to HIPAA from discriminating against a consumer who refuses to sign such an authorization or who wants to get paid for it.

The bill was introduced Tuesday, just a week into the start of the new legislative session, and it already has 40 co-sponsors, including both Democrats and Republicans.

"Historically, what have people sold?" Gomberg asked, explaining his interest in the matter. "When they emerged from slavery and serfdom, they sold their labor. Millennia later, they began to sell their ideas and protected them through patents and trademarks. I think a fascinating new aspect of personal commerce will be the buying and selling of personal data."

It's a novel approach to an issue that's getting more attention everywhere. Companies handling health care data already have to consider the European Union's General Data Protection Regulation policies. In 2020, they'll have to comply with the new California Consumer Privacy Act, which will entitle Californians to what learn companies know about them and stop those companies from selling that information. In Washington, DC, US lawmakers have floated some policy proposals to better protect consumer data. Oregon's own Sen. Ron Wyden, for instance, drafted the Consumer Data Protection Act.

Gomberg heard about the idea to treat personal data as property from Humanity.co, a company that's built a blockchain-based app that lets people sell their personal data. Humanity.co has had similar conversations about introducing this kind of legislation in other states, including New Jersey.

Also: Humanity.co Android app launches: Can blockchain bring property rights to your data?

The Humanity.co platform isn't just for health data, but the company has chosen to focus on that sector first -- specifically, HIPAA-covered entities -- because it's "low-hanging fruit," Michael DePalma, Humanity.co co-founder and president, told ZDNet.

"It's a space we know well, we understand the law well, we understand the industry well," he said. "It's an opportunity for us to get started where we felt we could make the most impact in people's lives."

Humanity.co couches its mission in lofty terms, describing the right to claim your data as property as a "basic human right" and "the first digital human right." Because the UN has enumerated 30 human rights, its app is called #My31.

In addition to working with state lawmakers, DePalma said the company has consulted with legal experts, economists, ethicists and patient advocates to develop its approach to the issue.

Also: Sensor'd enterprise: IoT, ML, and big data (ZDNet special report) 

They've also talked to industry insiders -- "the people who actually buy this data," DePalma said -- and haven't had any pushback. In fact, given the growing public awareness of privacy matters, DePalma said, "a lot of the data aggregators are reaching out to us and saying, 'We recognize this is the natural evolution of our business model.'"

Indeed, Efthimios Parasidis, a professor of law and public health at Ohio State University, expressed concern that the framework of the Oregon law may -- somewhat counter-intuitively -- make it easier for businesses to leverage health data in ways that consumers don't want. Businesses may be slowed down a bit if they're required to receive authorization from a consumer before de-identifying their data. On the other hand, Parasidis said, consumers have become accustomed to simply agreeing to terms of use and signing consent forms without really reading them.

Also: Download the report as a PDF (TechRepublic)  

"While the proposed law may provide people with a small payment, in the long run it may have the perverse impact of sanctioning widespread use of health data for purposes beyond medical care and health research," Parasidis said.

Generally, he said, consumers don't really consider marketing and advertising campaigns as appropriate uses of health data. However, he noted, "the proposed legislation does not provide any limits on how health information is actually used once consent has been obtained." 

Must read

Meanwhile, embracing the concept of data as property means forgoing some sense of privacy. As DePalma said, it would enable businesses purchasing data "to have a relationship with the people [they're] trying to serve."

DePalma argues, though, that in the current era, "data is never truly and totally de-identifiable." While a hospital may remove your personally identifiable information from your health records, that record can be cross-referenced against geolocation data, income information, prescription records, insurance claims and a whole host of other pieces of information.

"Twenty-two, 23 years ago when HIPAA was written, it made perfect sense," DePalma said. "Removing certain fields from a single record... was sufficiently de-identified because I didn't have this constellation of other data sources that I could apply to get a more complete view of a person."

Gomberg acknowledged there are still big questions to work through.

"I wanted to start a conversation about this," he said. "It's very early in the legislative process. Bills that are introduced in January can evolve, they can change, but if we don't have a bill in January, then we don't have a conversation."


Augmented reality in the operating theatre: How surgeons are using Microsoft's HoloLens to make operations better
Surgeons at St Mary's Hospital have been using a HoloLens-based system to pick out blood vessels before surgery.

Smart watches, fitness trackers and the NHS: Are wearables just what the doctor ordered?
While more and more of us are wearing fitness trackers, the real benefits of wearables may come from another quarter.

Why the NHS is killing paper records to save lives
The NHS still relies on paper for many patient records. Getting rid of it could free up time, and money.

Robots and the NHS: How automation will change surgery and patient care
The rise of robots is inevitable in healthcare, but for now, keeping it simple is just what the doctor ordered.

VR, AR and the NHS: How virtual and augmented reality will change healthcare
Against a background of growing enterprise adoption of virtual reality, mixed reality and similar technologies are beginning to gain a foothold in the NHS.

Editorial standards