I think orgs that sell patient data should be required to reveal who they're selling that data to. I think there are great use cases in research but there's always a dark side, too. Patients should be able to opt out. Did anyone watch The Great Hack??
Bill - 5 years ago
If you are going to sell my data, cut me in.
Chris - 5 years ago
I'm unable to participate as you overlooked the option that no permission is required. I believe vendors have the right to sell properly identified data for whatever purpose they so choose, hopefully in the interest of improving patient care.
Deidentified - 5 years ago
Truly deidentified data should be freely shared with legitimate research organizations. With no identification attached the data no longer 'belongs to' the patient. The data should not be sold for personal or corporate gain, but used to advance our knowledge and care of everyone.
Anonymous - 5 years ago
De-identified data should only be allowed for sharing for legitimate research purposes with appropriate protections in place. Selling data without patient/provider knowledge and with no patient/provider recourse is especially egregious given how easy it is to re-identify such data. Cerner should focus its business model on improving its product.
IAmNotALawyer - 5 years ago
I think controls are more important. Most patient data can be easily re-identified. If you are implementing adequate logging and review of data access, have tight control over where the data gets stored, etc., you will be doing 10 times better than how most providers currently treat PHI.
what about the status quo? - 5 years ago
Why didn't you include the status quo as an option? Nothing -- HIPAA-covered entities can sell or do whatever they want with the data (except re-identify it) as long as the data's been de-identified as defined by HIPAA.
That gets my vote.
Carl S - 5 years ago
Epic is now allowing sites to opt into Cosmos at no cost where they collect a HIPAA-defined limited data set and then anyone who opts in can have access to the data set for research. This seems like a reasonable use of sharing limited patient data. It needs good governance, and Epic indirectly profits from this as a software feature, but it's in the right spirit.
Related:
https://www.npr.org/2018/04/12/601759872/should-social-media-companies-pay-us-for-our-data