Who profits from medical records?

Medical records, which most patients think are private and protected, are in reality lucrative commodities in a multibillion-dollar industry. As hospitals and health networks assemble these records, they routinely strip away names and other identifiers and sell millions of HIPAA-compliant files to massive aggregator corporations. Aggregators in turn profit from integrating, analyzing and selling access to data on a massive scale. For example, Truven Health Analytics, part of IBM Watson Health, brought 215 million patient records to IBM when it was purchased in 2016, raising IBM’s total to about 300 million records. Access to these records is sold to pharmaceutical companies, insurers, health systems and government entities for research purposes.

Medical data reside with other owners, as well. Since the development of modern pharma, it has been axiomatic that clinical trial data belong to the companies that gather that data. When participants join a clinical trial, they typically agree that, aside from test entries into their medical records, the data they generate become the property of the sponsor. It makes sense: A typical phase 3 clinical trial costs about $40 million, and pharma companies want the sole right to profit from the data they’ve spent millions to collect.

Other collectors of medical data have taken a more consumer-facing route. 23andMe and Ancestry.com have built massive genetic testing databases. They acquire data by selling DNA test kits for genealogy purposes and using that money to cover testing costs. Consumers get a genealogy report, and 23andMe and Ancestry.com then sell access to the identity-stripped analyses of genetic data on millions of people similar to the way large aggregators such as Truven share medical records. An investigator can pay 23andMe to identify 250,000 people distributed across multiple genetic groups, launch an Institutional Review Board-approved voluntary email survey to those people and deliver the research results. This business model is by no means clear to consumers who want to trace their family trees, but it is legal and thriving.More concerning still is that analysts have found ways to break anonymity, marry records from multiple sources (including search engines and social media) and sell these amalgamated records to a variety of for-profit enterprises.

These data owners also sell access to medical and genetic data for many beneficial uses. For example, if investigators want to know the long-term adverse effects of a drug, they can access 10 years of data for 20 million people and check how often adverse effects or dangerous drug interactions occurred.

It’s critical to understand that patients generally do not have exclusive rights to their data. Once a patient shares their data, they have little or no say in how it is used. Most do not even know their data are being sold and never see any direct profit from the sale. But that could change. In an age where consumers know that Facebook, Google, Amazon and others are exploiting their electronic data for profit, the models for medical data ownership soon may be ripe for overhaul. Governments in Europe and elsewhere already are legislating limits on these data uses.

Fueled in part by European Union’s General Data Protection Regulation, which reflects a growing societal consensus that each of us should own the biomedical data we generate, new ideas are taking shape. These new European rules are leading many to ask: Is it possible to create a transparent model where patients own their medical data and share in any profits derived from it? Will the future of data ownership remain exclusively with large corporations who aggregate that data, or will a more patient-centered approach emerge?

One area where one might imagine change in the near term is pharma. Big Pharma has, in recent years, been making its approach to study participants increasingly patient-centric. More broadly, the health care industry has been developing new ways to regulate and share data in interoperable formats. With emerging standards such as the Fast Healthcare Interoperability Resources, a format that makes patient records compatible across platforms, transactions in which data are sold or loaned at the level of individual patients are becoming feasible. Clinical trial data gathered in a drug study could even be transferred back into patients’ medical records.

HIPAA presents another opportunity for change. When Congress passed the Health Insurance Portability and Accountability Act of 1996, medical records were still kept on paper in file rooms. The law has been amended in the past, but it is becoming increasingly clear that, in our fully digital medical landscape, it will need to be revised again. When patients sign a HIPAA form in a hospital waiting room, they authorize providers to strip away 18 pieces of potentially identifying information and then empower their health care provider to sell their data without compensating them. A new HIPAA could not only retain a patient’s right to access their data, it could also give them ownership and even some measure of control.

When patients own their medical data in a more exclusive way, the data’s intrinsic value remains with them. They could opt to keep the data completely private and not sell it to any corporation. But with companies willing to pay for access, the potential for profit exists.

How can patients share their medical data and reap the profits? One possibility is a medical data “bank.” Patients could elect to store and pool their medical records at the bank in exchange for a slice of the profits. Instead of data ownership residing with private companies, medical data would be aggregated in a patient-centered model where drug companies and others gain access for a fee, and patients receive a share of the profits. It would work much like a savings account, where thousands of account holders deposit their money, the bank makes loans at 7% interest and the bank returns 3% interest to the savings accounts. Patients who participate in clinical trials would be making their medical records more valuable and thus earn a larger return. This may sound far-fetched, but many people are advocating for a model such as this on an ethical level, and it is now being explored commercially by several startups.

Led by regulators in the European Union and California, parts of the U.S. government are actively exploring changes to data ownership that could significantly alter the contemporary landscape. As our society develops new positions with regard to data privacy, ownership and profit, patients and consumer organizations are likely to join insightful health care leaders in building a new medical data system with transparency, privacy and patient control.

Paul W. Glimcher, Ph.D., is a neuroscientist, psychologist, economist and entrepreneur who holds the Julius Silver Professorship at New York University. At NYU, he is also a professor of neuroscience and physiology, NYU Grossman School of Medicine professor of psychology and economics, and codirector of the Institute for the Study of Decision Making. In addition, Glimcher is chairman and chief science officer of Datacubed Health, developer of new platform-as-a-service (PaaS) technologies for health care and biomedical/behavioral research.