When patients visit a physician or hospital, they know that anyone involved in providing their health care can lawfully see their medical records.

But unknown to patients, an increasing number of outside vendors that manage electronic health records also have access to that data, and are reselling the information as a commodity.

The revelation comes in a recent New York Times article about how so-called “scrubbed” patient data isn’t as anonymous as people think. The piece focuses primarily on how anonymized data can be cross-referenced with other publicly available databases, such as voting records, which subverts the anonymity. Buried near the end of the article is the news that medical data is collected, anonymized and sold, not by insurance agencies and health care providers, but by third-party vendors who provide medical-record storage in the cloud.

Electronic health record (EHR) services have been a growing industry in the last few years, according to Sue Reber, marketing director of the Certification Commission for Health Information Technology. Reber says most vendors used to simply sell software packages; once the product was sold, the vendor had no connection to the data stored in it. But an increasing number of companies have begun to offer web-based software-management applications that include database storage controlled and managed by the vendor.





Reber told Threat Level that such products generally come with security and privacy provisions that prevent the software provider from having access to the data, even though they’re managing it. But others say this isn’t always the case.

As part of their contracts with the vendors, doctors are agreeing to let some vendors access and collect the patient data, scrub it of personally identifying information, and sell it in bulk to pharmaceutical companies and other buyers, the Times reports.



George Hill, an analyst at Leerink Swann, a health care investment bank, told the Times that the market for health record systems is $8 billion to $10 billion annually. About 5 percent of this income comes not from the sale of information systems but from the sale of data and analysis. As more physicians and hospitals — spurred by federal incentives — switch to electronic recordkeeping, revenue from the sale of health data could grow to $5 billion, Hill said.

In some cases, the vendor contract specifies that the vendor has exclusive access to the health records in its database, according to Dr. Paul Tang, vice president and chief medical information officer of the Palo Alto Medical Foundation, and member of a federal privacy advisory panel.

Tang told ModernHealthCare in 2007 that he’d seen such contracts from large and small vendors. “Some [vendors] say they have ownership to data. There are contracts that say they will have real-time access to the database, that they will have exclusive access to the data, that they can resell the data. I think it would be unlawful that covered entities abide by that.”

Giving vendors access to such data would apparently violate the Health Insurance Portability and Accountability Act (HIPAA), which prohibits doctors from providing medical records to anyone not involved in providing health care or payment for health care or involved in health care research. Although the law does provide a loophole for “business associates” hired by health care providers, privacy rights lawyer Robert Gellman told ModernHealthCare that this likely wouldn’t protect health care providers in these cases.

“Any contract that deals with ownership of medical data is pretty meaningless, because laws and medical ethics control the rights and responsibilities of medical records,” Gellman said. “Whoever holds the records as a covered entity has certain obligations and limits under law, regardless of how the contracts are written. As long as a doctor is covered by HIPAA, those rules for disclosure hold. If a doctor signs an agreement like that, the doctor has certainly violated HIPAA, and may be pursued by OCR and may be sued by the patient for all kinds of things.”

Vendors say they re-sell the data for research purposes and scrub it of identifying information first to protect patient privacy. But in 1997, Latanya Sweeney, director of the Data Privacy Lab at Carnegie Mellon University, showed how she was able to pick out the medical records of William Weld (then the governor of Massachusetts) from scrubbed medical information published by the state’s insurance commission by simply correlating the anonymized data with birthdays, ZIP codes and gender information published in the state’s voter-registration rolls.

According to Sweeney, 87 percent of the U.S. population can be uniquely identified simply from their birthdate, gender and ZIP code.
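Birth date, gender and ZIP code work as a near-unique key, which is why removing names alone does not anonymize a record. The following Python check is an added example, not part of the original article: it measures how many records in a scrubbed release are unique on those three fields and how coarsening them changes that. The records, field names and generalization levels are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample of a "scrubbed" release: names are gone, but the three
# quasi-identifiers from the article (birth date, gender, ZIP code) remain.
RELEASE = [
    {"birthdate": date(1950, 3, 14), "sex": "F", "zip": "12345", "dx": "asthma"},
    {"birthdate": date(1950, 3, 14), "sex": "F", "zip": "12345", "dx": "fracture"},
    {"birthdate": date(1950, 9, 2), "sex": "F", "zip": "12345", "dx": "diabetes"},
    {"birthdate": date(1951, 1, 20), "sex": "M", "zip": "12345", "dx": "migraine"},
    {"birthdate": date(1951, 6, 11), "sex": "M", "zip": "12347", "dx": "asthma"},
    {"birthdate": date(1951, 11, 30), "sex": "M", "zip": "12399", "dx": "fracture"},
    {"birthdate": date(1950, 12, 25), "sex": "F", "zip": "12388", "dx": "diabetes"},
    {"birthdate": date(1951, 4, 4), "sex": "M", "zip": "12311", "dx": "migraine"},
]

def quasi_id(rec, level):
    """Return the quasi-identifier tuple at a generalization level.

    0: exact birth date + 5-digit ZIP
    1: birth year + 5-digit ZIP
    2: birth year + 3-digit ZIP prefix
    """
    born = rec["birthdate"] if level == 0 else rec["birthdate"].year
    zip_code = rec["zip"] if level < 2 else rec["zip"][:3]
    return (born, rec["sex"], zip_code)

def class_sizes(records, level):
    """Count how many records share each quasi-identifier tuple."""
    return Counter(quasi_id(r, level) for r in records)

def k_anonymity(records, level):
    """Smallest group size; k == 1 means at least one record is unique."""
    return min(class_sizes(records, level).values())

def unique_fraction(records, level):
    """Share of records that are alone in their quasi-identifier group."""
    sizes = class_sizes(records, level)
    alone = sum(1 for r in records if sizes[quasi_id(r, level)] == 1)
    return alone / len(records)

if __name__ == "__main__":
    for level in (0, 1, 2):
        print(level, k_anonymity(RELEASE, level), unique_fraction(RELEASE, level))
```

A data publisher would run a check like this before release and coarsen the fields until k reaches the threshold it has chosen.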

Patient advocate groups have called for greater oversight and regulation of the electronic health-record industry to control what software vendors can access and what they can do with the data.

Image showing who has legal access to medical records courtesy of PatientPrivacyRights.org.