How third parties harvest health data from providers, payers and pharmacies

Modern Healthcare - Insurance - By Rachel Z. Arndt

As the healthcare industry continues to struggle with interoperability, there’s one realm in which patient data move remarkably freely: the secondary market. Indeed, hackers aren’t the only ones making money off of patient health data. Legitimate companies are cashing in too, including health systems, pharmacies and occasionally electronic health record vendors—and the third parties purchasing the data.

These third parties get de-identified health information from a vast array of sources and then sell the information on a secondary market to buyers interested in gleaning strategy insights. Buyers might be pharmaceutical firms intent on refining their marketing strategies, figuring out where to invest next, or how to target clinical trials. A large pharmaceutical company might pay between $10 million and $40 million per year for data, consulting and services from Iqvia (formerly IMS Health), one of the dominant players in the market, according to Adam Tanner in the book Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records.

As long as the data are de-identified, sharing them is fine under the HIPAA privacy and security rules.

“Even small pools of data about patients that have the exact disease a company is trying to sell into are very valuable,” said John Gardner, a partner with NGP Capital.

The data come from such third parties as Iqvia, which had $8 billion in revenue in 2017 and has agreements with more than 120,000 sources around the world to get anonymous patient data. It collects the data from providers, payers, and pharmacies, according to Kim Gray, Iqvia’s chief privacy officer. Rarely, she said, do they get data from EHR vendors.

Gray would not say definitively whether Iqvia pays hospital systems for patient data. “There are a wide variety of arrangements that exist among our data sources that compensate them,” she said.

Even when data appear to come from a hospital, they are technically arriving via a technology partner. Vendor contracts with health systems sometimes include clauses that authorize the vendor to facilitate the data transfer, said Nilesh Chandra, senior leader in PA Consulting’s healthcare business.

While health systems themselves own their patient data, EHR vendors still have a great deal of control over it, both legally and technologically. It can be tough, however, to nail down which vendors are actually selling patient data to third parties.

“It’s the EHR vendor who’s aggregating provider data, then de-identifying them, and then, at their discretion, monetizing or commercializing them,” said Scott Kolesar, Ernst & Young’s U.S. health tech innovation leader. “The owners of the information in terms of being in a position to take it into the secondary market are the EHR vendors themselves. In many of their contracts, they seek the use of de-identified data to do research or to provide broad-based analytics to a larger community.”

For instance, Practice Fusion’s provider user agreement includes provisions that allow it to sell de-identified information “for any purpose without restriction.” The company has charged $50,000 to $2 million for longitudinal data sets, according to Tanner.

Not all vendors conduct such practices or include such clauses. Epic Systems Corp., for one, doesn’t, according to a company spokesperson.

But just because a company isn’t selling patient data now doesn’t mean it won’t in the future. “They’re thinking about doing it as a way of extending their business model and to take advantage of the value in the data,” Kolesar said. That’s a strategic decision, he added, because these vendors understand that their enterprise applications are becoming less and less necessary as smaller apps gain ground.

As more players get into the data-sharing game, more patients’ data are at risk of breaches that affect security and privacy alike. “Just because something is anonymized, it is still possible to identify who that is when you merge that record with other records that are available,” said Sam Hanna, director of George Washington University’s online master’s degree in health informatics program.

Hanna compared what’s possible with patient data to what happened with Cambridge Analytica, the firm that combined data from personality tests and Facebook profiles with voter records and other information. “That could happen in the healthcare field,” he said. “Detailed consent is key for the patient to understand that their data could be used for something like this.”

Healthcare organizations should also be looking at how to make the data even harder to re-identify, said Eric Gascho, vice president of government affairs and policy for the National Health Council. “It’s of utmost concern,” he said.

Even when the data are used for good—for research and precision medicine, for example—there are still risks.

“Harnessing that data for research purposes and targeted therapies is all great unless it falls into the wrong hands,” Hanna said. It’s crucial, therefore, that the organizations holding the data protect it, he said. “It’s a balance between data privacy and data utility.”
