When talking about healthcare data, we usually describe them as the currency of the future; what we ignore is that they are already a currency today. Israel and the United States provide compelling examples of potential future directions. Israel, for instance, reached an agreement under which data were exchanged for vaccines to address the challenges posed by the Covid-19 pandemic. The United States, on the other hand, represents a deregulated market where the advantages of greater accessibility to medical information, facilitated by government open data policies and private sector initiatives, clash with privacy concerns due to insufficient legal protection of anonymized data that remain susceptible to re-identification at a later stage.
The data-for-vaccines agreement between Israel and Pfizer.
The clearest example of how healthcare data could be one of the most valuable assets to the general public was given by Israel and Pfizer during the pandemic. On January 6, 2021, the Israeli government signed an agreement with Pfizer, under which the Ministry of Health agreed to purchase the Covid-19 vaccine, while Pfizer agreed to manufacture and supply the product. The novelty of this agreement lies in the fact that both parties agreed that their aim was to generate and analyze epidemiological and population-level vaccine data. Depending on the product delivery rate by Pfizer, the Ministry of Health committed to maintaining a vaccination rate sufficient on the one hand to achieve herd immunity and on the other hand to generate enough data.
Certainly, the exchange of vaccines for data ignited a heated discussion in Israel among experts in data privacy, biotech researchers, and the nation’s medical ethics board, in which the risks of potential misuse or infringement upon the privacy of millions of personal medical records were weighed. Nevertheless, as of June 26, 2021, about 64% of eligible Israelis had received at least one dose, and, based on a study published in The Lancet in September 2021, COVID-19 vaccination in Israel effectively averted an extra 158,665 infections, 24,597 hospitalizations, 17,432 instances of severe or critical hospitalizations, and 5,532 deaths between December 20, 2020, and April 10, 2021. This could be read as a transaction in which prompt vaccines, in a time of emergency, were exchanged for data.
However, Israel was not the only one thinking in that direction. The healthcare data market is rapidly growing and expanding, with many different stakeholders evaluating how they can tap into it and benefit from it.
The US healthcare data market: a bridge between the healthcare and the tech industries that raises privacy issues.
Indeed, it is estimated that an average comprehensive electronic health record could hold an approximate value of $250. However, when integrated with genetic data, its value would further increase to over $6,500. Nevertheless, this assessment merely touches upon the potential worth of your health data, which has predominantly been confined to momentary clinical information gathered in hospitals and medical practices.
To understand the extent of this phenomenon we should look at what is happening on the other side of the Atlantic Ocean. In the US, due to specific provisions within the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations can leverage the wealth of data at their disposal. After a de-identification process, which involves removing patient names, locations, phone numbers, and other identifying information from the records, these organizations have the freedom to share or sell entire datasets to research partners. A key element lies in the fact that they are not required to obtain patient consent or inform patients about the data sharing process. This enables healthcare organizations to utilize the data effectively while upholding the privacy regulations outlined by HIPAA.
In 2020, fourteen healthcare systems in the United States joined forces to establish a company dedicated to aggregating and selling de-identified data, Truveta. Today, Truveta is backed by more than 30 health systems that provide more than 17% of the daily clinical care across all 50 US states from 800 hospitals and 20,000 clinics. The growth of this market has caught the eye of the major tech companies, ready to tap into the exponential revenue generation stream of the data currency market. Microsoft was a first mover among the big tech companies, with an undisclosed amount invested in the startup. Furthermore, in May 2021, healthcare company HCA (6 hospitals and 2,000 medical clinics nationwide) announced a new data agreement with Google in order to develop new analytics capabilities around patient care and administrative workflows. These examples demonstrate the growing trend of healthcare organizations forming strategic alliances to leverage data for various purposes. They also show how this new market bridges capabilities, business generation and revenue across sectors such as the healthcare and the tech industries, resulting in the establishment of new forms of companies and organizations. Healthcare companies are now data companies, with all the implications that arise from this: for example, on July 5, 2023, HCA suffered a major hack that risked the data of at least 11 million patients, while the suspected HCA hacker tried to sell the data and apparently extort HCA.
Thus, privacy issues arise strongly, especially in the US, resulting in a legal blind spot that needs to be addressed by scholars, practitioners and judges. When de-identified data is merged with other datasets, there is a significant risk of re-identification and, currently, the sole safeguard against this is the agreement of the data recipient not to engage in re-identification. Additionally, the existing regulations have given rise to a cumbersome and unmanaged free market for de-identified data, resulting in a costly and excessively intricate system that poses obstacles to research aiming to leverage electronic healthcare record (EHR) data for enhancing care.
Lastly, the potential escalation of an unmanaged system generates a reselling market that poses potential threats to privacy and risks of secondary identification: according to a lawsuit filed on February 3, 2023 against Cedars-Sinai Health System and Cedars-Sinai Medical Center in Los Angeles, the hospital shared patient data with third parties. Allegedly, when a patient entered any of the following information, it was shared simultaneously with Meta: types of medical treatment sought; name, sex, language and specialty of a physician; searches related to COVID-19 information and treatment; locations where treatment was sought; or that a telephone call was made to schedule an appointment. This would not be an isolated case: when The Markup looked at the top 100 hospitals in 2022, it found that 33 of their websites told Meta every time a patient tried to book an appointment.
A reflection is needed on who the real owner of healthcare data is, and how research and the public interest can benefit from trustworthy and privacy-secure sharing of data. Indeed, the current scenario inhibits the potential for valuable research that could otherwise contribute to advancements in healthcare. When HIPAA was adopted, in 1996, no one had in mind what would happen in the following years. Now that we are witnessing it, it is time to decide who the real owner of the data is, how they can dispose of their data, and who should profit from them. To give just one example of the possible implications, if people were able to sell their individual data, those data could also become a new currency for patients to pay for medical cures. In this landscape there is only one thing that is certain: HIPAA is not a law about medical data, and US regulation, like that of the rest of the world, needs to be prepared to face this new challenge and the new data market.
E. J. Haas, J. M. McLaughlin, F. Khan, F. J. Angulo, E. Anis, M. Lipsitch, S. R. Singer, G. Mircus, N. Brooks, M. Smaja, K. Pan, Infections, hospitalisations, and deaths averted via a nationwide vaccination campaign using the Pfizer–BioNTech BNT162b2 mRNA COVID-19 vaccine in Israel: a retrospective surveillance study, 2021.
C. Porter, Constitutional and Regulatory: De-Identified Data and Third Party Data Mining: The Risk of Re-Identification of Personal Information, in Shidler Journal of Law, Commerce & Technology, 2008.
P. Hunt, Facebook Is Receiving Sensitive Medical Information from Hospital Websites, in The Markup, 2022.
C. Millet, De-Identifying Medical Patient Data Doesn’t Protect Our Privacy, in Stanford HAI, 2021.