The Oregon Health Information Property Act proposes that healthcare patients should be permitted to legally authorize their healthcare suppliers to sell their health data and for them to paid if their health information is sold to a third party.
At present, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule restricts the allowable uses and disclosures of ‘Protected Health Information.’ HIPAA-covered bodies are only allowed to use or disclose PHI for purposes related to the provision of treatment, payment for healthcare, or healthcare operations. Though there are some exceptions, other uses and disclosures are not allowed unless consent is first received from patients.
The HIPAA Privacy Rule incorporates PHI, which is identifiable patient information. If PHI is stripped of information that permits an individual to be identified, it is no longer thought of as PHI and is no longer subject to Privacy Rule restrictions. That means that if a HIPAA-covered body de-identifies PHI, they are then allowed to sell that information on for profit. That information can be valuable to research groups and other bodies.
Senate Bill 703, labelled the Oregon Health Information Property Act, is sponsored by Senator Floyd Prozanski (D-Eugene) and has the backing of than 40 co-sponsors. At its essence, the bill would see consumers health information treated in a similar manner to property and would permit them to profit from selling it.
The Oregon Health Information Property Act
The Oregon Health Information Property Act has three main elements:
- It would obligate HIPAA-covered bodies and their business associates and subcontractors to complete a signed authorization from consumers before they de-identify PHI to sell on to third parties.
- Consumers could opt to receive payment in exchange for giving authorization to permit their health data to be sold.
- The bill also stops consumers from being discriminated against for not signing an authorization or deciding to receive payment.
HIPAA-covered bodies are able to profit from selling de-identified data so it is claimed that patients should receive a cut of the payment; however, despite having garnered considerable support, concern has been voiced about the affect of these authorizations.
The bill, in its present form, does not place any restrictions on the uses of health data once authorization has been given. Information could therefore be used for a wide range of reasons once authorization has been given – Reasons that may not necessarily be included on the authorization form.
The bill also does not state the difference between an individual’s protected health information, health information or de-identified data. By completing a form to receive a small payment, consumers would be giving up their privacy and important protections afforded by HIPAA, which could have various unintended outcomes.