The data come from such third parties as Iqvia, which had $8 billion in revenue in 2017 and has agreements with more than 120,000 sources around the world to get anonymous patient data. It collects the data from providers, payers, and pharmacies, according to Kim Gray, Iqvia's chief privacy officer. Rarely, she said, do they get data from EHR vendors.
Gray would not say definitively whether Iqvia pays hospital systems for patient data. "There are a wide variety of arrangements that exist among our data sources that compensate them," she said.
Even when data appear to come from a hospital, they are technically arriving via a technology partner. Vendor contracts with health systems sometimes include clauses that authorize the vendor to facilitate the data transfer, said Nilesh Chandra, senior leader in PA Consulting's healthcare business.
While health systems themselves own their patient data, EHR vendors still have a great deal of control over it, both legally and technologically. It can be tough, however, to nail down which vendors are actually selling patient data to third parties.
"It's the EHR vendor who's aggregating provider data, then de-identifying them, and then, at their discretion, monetizing or commercializing them," said Scott Kolesar, Ernst & Young's U.S. health tech innovation leader. "The owners of the information in terms of being in a position to take it into the secondary market are the EHR vendors themselves. In many of their contracts, they seek the use of de-identified data to do research or to provide broad-based analytics to a larger community."
For instance, Practice Fusion's provider user agreement includes provisions that allow it to sell de-identified information "for any purpose without restriction." The company has charged $50,000 to $2 million for longitudinal data sets, according to Tanner.
Not all vendors conduct such practices or include such clauses. Epic Systems Corp., for one, doesn't, according to a company spokesperson.
But just because a company isn't selling patient data now doesn't mean it won't in the future. "They're thinking about doing it as a way of extending their business model and to take advantage of the value in the data," Kolesar said. That's a strategic decision, he added, because these vendors understand that their enterprise applications are becoming less and less necessary as smaller apps gain ground.
As more players get into the data-sharing game, more patients' data are at risk of breaches that affect security and privacy alike. "Just because something is anonymized, it is still possible to identify who that is when you merge that record with other records that are available," said Sam Hanna, director of George Washington University's online master's degree in health informatics program.
Hanna compared what's possible with patient data to what happened with Cambridge Analytica, the firm that combined data from personality tests and Facebook profiles with voter records and other information. "That could happen in the healthcare field," he said. "Detailed consent is key for the patient to understand that their data could be used for something like this."
Healthcare organizations should also be looking at how to make the data even harder to re-identify, said Eric Gascho, vice president of government affairs and policy for the National Health Council. "It's of utmost concern," he said.
Even when the data are used for good—for research and precision medicine, for example—there are still risks.
"Harnessing that data for research purposes and targeted therapies is all great unless it falls into the wrong hands," Hanna said. It's crucial, therefore, that the organizations holding the data protect it, he said. "It's a balance between data privacy and data utility."