Which should be required before health IT vendors sell the de-identified data of patients treated by their provider clients? (multiple answers OK) (Poll Closed)

  • The provider's explicit, case-by-case permission.
    25 votes

  • Compensation to the provider from the vendor and/or data buyer.
    33 votes

  • Compensation to the patient from the vendor, client, or data buyer .
    74 votes

  • The patient's explicit, case-by-case permission.
    118 votes

  • Nothing -- the data should never be sold.
    104 votes



  • Cosmos - 5 months ago


  • Jess - 5 months ago

    I think orgs that sell patient data should be required to reveal who they're selling that data to. I think there are great use cases in research but there's always a dark side, too. Patients should be able to opt out. Did anyone watch The Great Hack??

  • Bill - 5 months ago

    If you are going to sell my data cut me in.

  • Chris - 5 months ago

    I'm unable to participate as you overlooked the option that no permission is required. I believe vendors have the right to sell properly identified data for whatever purpose they so choose, hopefully in the interest of improving patient care.

  • Deidentified - 5 months ago

    Truly deindentified data should be freely shared with legitimate research organizations. With no identification attached the data no longer 'belongs to' the patient. The data should not be sold for personal or corporate gain, but used to advance our knowledge and care of everyone.

  • Anonymous - 6 months ago

    De identified data should only be allowed for sharing for legitimate research purposes with appropriate protections in place. Selling data without patient/provider knowledge and with no patient/provider recourse is especially egregious given how easy it is to re identify such data. Cerner should focus its business model on improving its product.

  • IAmNotALawyer - 6 months ago

    I think controls are more important. Most patient data can be easily re-identified. If you are implementing adequate logging and review of data access, have tight control over where the data gets stored, etc. you will be doing 10 times better than how most providers currently treat PHI.

  • what about the status quo? - 6 months ago

    Why didn't you include the status quo as an option? Nothing -- HIPAA-covered entities can sell or do whatever they want with the data (except re-identify it) as long as the data's been de-identified as defined by HIPAA.

    That gets my vote.

  • Carl S - 6 months ago

    Epic is now allowing sites to opt into Cosmos at no cost where they collect a HIPAA defined limited data set and then anyone who opts in can have access to the data set for research. This seems like the a reasonable use of sharing limited patient data. It needs good governance, and Epic indirectly profits from this as a software feature, but it's in the right spirit.

Leave a Comment

0/4000 chars

Submit Comment