Hospitals Selling Patient Records To Data Brokers: A Violation of Patient Trust and Autonomy

by Craig Klugman, Ph.D.

I recently received an email from a community organization which asked the following question: “Are there any ethical issues with our community health plan selling its medical records to a private company?” This is not an example of a new occurrence. A spate of news in recent months suggests efforts by various private companies to get a hold of private medical records with the goal of finding a way to profit off this information (the commodification of our information). Consider Sloan Kettering’s deal to sell its pathography samples and records to Paige.AI to develop artificial intelligence to help in treating cancer (and with lots of conflicts of interests for the administrators who put together the deal).

These efforts have some big names and some big money behind them. Consider the “CARIN alliance” which has a goal of “enabling consumers and their authorized caregivers to access their digital information with less friction.” Reading deeper though, they seem to be about encouraging patients to give their data to apps, devices, and services that would be owned by tech companies (who could then use the data in any way they want since they are not necessarily entities covered under HIPAA). The alliance states that their efforts will help patients have more control over the data. If the goal of such efforts is really to increase autonomy by permitting patients to have greater access and control over their own medical data, then this would be a good thing. But I suspect that such sentiments fall alongside (or secondarily to) the goal of pursuing profit in terms of charging people for apps with which to access their data, for storage, or by selling the records to other researchers and companies. After all, these data brokers are not purchasing the records to give money to hospitals out of the goodness of their hearts. Most hospitals and doctors’ offices already have patient portals that give patients access to their data. I will grant that these portals are often awful: The one used by my PCP is a Byzantine exercise in exquisite torture to navigate. If simplification is the goal, then perhaps companies should be selling better portals to hospitals rather than trying to control patient data.

One of the major concerns about these deals is that they violate patient autonomy. The biggest risk to self governance is the loss of privacy and violation of confidentiality (A Bloomberg article in 2013 described the danger to privacy by these transactions). Even if the records are distributed anonymously, scientists have shown that it is fairly easy to re-identify these patient records and a study this year in New York City relied on the ability to construct family trees from deidentified records. In addition, a state exemption under federal privacy rules allows for certain hospital information to be sold to data brokers and specialty consumer reporting agencies.

Using patient’s medical data for anything other than their care or quality improvement is unethical as it violates trust. Patients share their private information (i.e. secrets) because their doctors have a duty to maintain confidentiality and to only use the data to treat, diagnose, and improve care. In other words, patients share their secrets with the expectation that this knowledge will be used only to help them. They trust that their secrets will remain confidential because physicians and health care entities have a fiduciary responsibility to do so. However, these private companies and data brokers do not have fiduciary responsibilities toward patients, especially if there is some effort at anonymizing the records. In the case of the email I was sent, the organization maintained records and supported health care for a disadvantaged population (that does not have regular access to the same doctors or even hospital systems). For this group, the betray of trust is even worse since poor and minority populations have faced a history of abuse at the hands of medicine. Plus, these patients trusted this organization when they had nowhere to turn. The fact that they do not have any alternatives means that the group is saying to them—give us your data or you can’t get medical care. This is the equivalent of saying pay us or walk away. In this case, instead of insurance or cash, the payment is privacy.

For any hospital, office, or health system considering entering a contract about data brokering I suggest that there are certain concepts to consider to make such efforts more ethical.

1. The reason for the data transfer must be first and last for the benefit of the patient. This is not finding a silver lining for the patient when the real goal is to monetize data—this means that your organization sees value in doing this even if no money were involved. In fact, the amount of money involved should not be enough to be coercive in decision-making for the institution.
2. Have a separate agreement form independent than the consent forms patients complete for getting care. This separate document would have them opt in to having their records sold. Telling patients they cannot receive care if they do not agree is abandonment of patients. These are patientsnot customers, not revenue sources, and not a commodity.
3. In the case studies that have come to light, there has been no transparency. Patients and often medical staff have not been informed of what is happening to the records. Have a community information campaign through media outlets and physician offices where patients are informed of the sale. This should begin months before the sale actually goes through and continue as long as records are being delivered to the company. The community should be told that their data is being sold, who will own it, and in what ways it will be used. Communication should offer information on how the patient can have their data exempted from the sale. Ideally, such notices would be sent to every patient whose record is involved.
4. The default option should be that patients are not included in having their data sold (opt in; not opt out)
5. Ideally, you would have a contract with the company that allows patients to withdraw participation at any time and to require the company to delete all of their information at that point, even data from before they notified a desire to withdraw consent. Violations would have severe fiscal consequences.
6. To further ensure that there is no coercion whatsoever, permission for the selling of their information should not be done by the health care system or a representative nor by the company trying to purchase the records, but by a third party who does not directly deliver care or benefit from the transaction. Otherwise, patients may feel that signing is a requirement of receiving care.
7. For patients to be able to access their data from an app or a portal might require them to sign a user agreement, which are often written in complicated legal language and is geared to let people know that the company owns the data and can do anything it wants with the information. Patients need to have easy access to their records even if they refuse to sign such an agreement. The hospital will still have to maintain a portal or other system for patient access to their records.
8. Any patient agreement document to a sale of records will have to be written at a 5th grade level—meaning very simply worded, perhaps animated videos or even comics explaining them. It is important to understand that patients understand the risks and alternatives. Also, if this is not meant to benefit the patient, they should be made aware of that.
9. If there is a financial gain for the institution from selling records, how much of that money will go back to the patients? Since they are the source of the data, it is only just that they benefit from the sale. Perhaps the hospital should cover copays and deductibles for those patients (of course this could be coercive for patients to sign an agreement to sell, so they should not be told about any benefits ahead of time). If the institution is not willing to share the bounty with patients, then see number 1 above.

This is a partial list to help guide how these transactions could happen. More broadly though, selling patient records without gaining the agreement of each and every patient is unethical. Personally, knowing these shenanigans are going on, I may refuse to allow my physicians from maintaining medical records in their hospital databases. I will keep the records and will bring them with me when I need medical care. This is what happens when trust is lost.

Using patient information in a way that does not directly benefit patients (really benefit them, not just in marketing blurbs or justifying what you want to do anyway) and are for a use that they were not informed of when they gave general consent to the hospital is a violation of trust and diminishes patient autonomy. No amount of money can repair such moral harms.