Who profits from our medical records?

May 29, 2020

And who should?

Medical records, which most patients think are private and protected, are in reality lucrative commodities in a multi-billion-dollar industry. As hospitals and health networks assemble these records, they routinely strip away names and other identifiers and sell millions of HIPAA-compliant files to massive aggregator corporations. Aggregators in turn profit from integrating, analyzing and selling access to data on a massive scale. For example, Truven Health Analytics, part of IBM Watson Health, brought 215 million patient records to IBM when it was purchased in 2016, raising IBM’s total to 300 million records. Access to these records is then sold to pharmaceutical companies, insurers, health systems and government entities for research purposes.

Medical data reside with other owners as well. Since the development of modern pharma, it has been axiomatic that clinical trial data belong to the companies that gather that data. When subjects join a clinical trial, they typically agree that, aside from test entries into their medical records, the data they generate become the property of the sponsor. It makes sense: a typical phase III clinical trial costs about $40 million, and pharma companies want the sole right to profit from the data they’ve spent millions to collect.

Other collectors of medical data have taken a more consumer-facing route. 23andMe and Ancestry.com have built massive genetic testing databases. They acquire subjects by selling DNA test kits for genealogy purposes and using that money to cover testing costs. Subjects get a genealogy report, and 23andMe and Ancestry.com then sell access to identity-stripped analyses of genetic data on millions of people in a way related to how large aggregators like Truven share medical records. Someone performing research can pay 23andMe to identify 250,000 people distributed across multiple genetic groups, launch an IRB approved voluntary email survey to those people, and deliver the results. This business model is by no means clear to consumers who want to trace their family trees, but it is legal and thriving.  More concerning still – analysts have found ways to break anonymity, marry records from multiple sources, including search engines and social media, and sell these amalgamated records to a variety of for-profit enterprises.

These data owners also sell access to medical and genetic data for many beneficial uses. For example, if researchers want to know the long-term side effects of a drug, they can access 10-years of data for 20 million people and check for side-effects or dangerous drug interactions occurred.

The critical point here is that, today, patients do not generally own exclusive rights to their own data. Once a patient shares their data, they have little or no say in how it is used. Most of them do not even know their data is being sold, and never see any direct profit from the sale of their data. But that could change. In an age where consumers know that Facebook, Google, Amazon and others are exploiting their electronic data for profit - and governments in Europe and elsewhere are legislating limits on these data uses - the models for medical data ownership may soon be ripe for overhaul.

Fueled in part by the European General Data Protection Regulation, which reflects a growing societal consensus that each of us should own the biomedical data we generate, new ideas are taking shape. These new European rules are leading many to ask: is it possible to create a transparent model where patients own their medical data and share in any profits derived from it? Will the future of data ownership remain exclusively with large corporations who aggregate that data, or will a more patient-centered approach emerge?

One area where one might imagine change in the near-term is pharma. Big Pharma has, in recent years, been focusing on improving the patient-centricity of its approach to study participants. More broadly, the healthcare industry has been developing new ways to regulate and share data in interoperable formats. With emerging standards like the Fast Healthcare Interoperability Resources (FHIR) format making patient records compatible across platforms, transactions in which data are sold or loaned at the level of individual patients are becoming feasible. Clinical trial data gathered in a drug study could even be back-transferred into patients’ own medical records.

HIPAA presents another opportunity for change. When HIPAA was passed by the US congress in 1996, medical records were still kept on paper in file rooms. The law has been amended in the past, but it is becoming increasingly clear that in our fully digital medical landscape, the Act will need to be revised again. When patients sign a HIPAA form in a hospital waiting room, they authorize providers to strip away 18 pieces of potentially identifying information and then empower their healthcare provider to sell their data without compensation. A new HIPAA could not only retain a patient’s right to access their own data, it could also give them ownership and even some measure of control.

When patients own their medical data in a more exclusive way, the data’s intrinsic value remains with them. They could opt to keep the data completely private and not sell it to any corporation. But with companies willing to pay for access, the potential for profit exists. How could a single patient share their own medical data and reap the profits?

One idea is a medical data “bank”. Patients could elect to store and pool their medical records at the bank in exchange for a slice of the profits. Instead of data ownership residing with private companies, medical data would be aggregated in a patient-centered model where drug companies and others gain access for a fee, and patients receive a share of the profits. It would work much like a savings account, where thousands of account holders deposit their money, the bank makes loans at 7% interest, and the bank returns 3% interest to the savings accounts. Patients who participate in clinical trials would be making their medical records more valuable and thus earn a larger return. This may sound far-fetched, but many people are advocating for a model like this on an ethical level, and it is now being explored commercially by several startups.

Led by regulators in the EU, and in California, parts of the US government are actively exploring changes to data ownership that could significantly alter the contemporary landscape. As our society develops new positions with regard to data privacy, ownership and profit, patients and consumer organizations are likely to join insightful healthcare leaders in building a new medical data system with transparency, privacy and patient control.

Paul W. Glimcher, Ph.D., is a neuroscientist, psychologist, economist and entrepreneur who holds the Julius Silver Professorship at New York University (NYU). At NYU, he is also Professor of Neuroscience and Physiology, NYU SoM Professor of Psychology and Economics, and Co-Director of ISDM. In addition, Glimcher is Chairman and Chief Science Officer of Datacubed Health, developer of new platform-as-a-service (PaaS) technologies for healthcare and biomedical/behavioral research.