The Oregon Health Information Property Act is a proposal that allows patients to give consent to their healthcare providers to sell their health information and to get payment in return for permitting third parties to use their data.
At present, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule the allowable uses and disclosures of ‘Protected Health Information’ (PHI) is restricted. HIPAA-covered entities can only use or disclose PHI for reasons associated with providing treatment, paying for medical care, or medical operations. Although there are a few exceptions, uses and disclosures of PHI other than the three mentioned are forbidden except if the patient gives his consent first.
The HIPAA Privacy Rule applies to PHI, which is considered as identifiable patient information. When information that permit a person to be identified is removed from PHI, it is not regarded as PHI any longer and does not fall under the control of the Privacy Rule. That suggests that once a HIPAA-covered entity has de-identified PHI, they can in that case sell that data to make money. That data can be useful to research institutions and other entities.
Senator Floyd Prozanski (D-Eugene) and 40 others sponsored Senate Bill 703, referred to as the Oregon Health Information Property Act. Basically, the bill would consider the health information of consumers just like a property and would permit the owners/consumers to profit by selling it.
There are three major components in the Oregon Health Information Property Act:
It would necessitate HIPAA-covered entities and their business associates and subcontractors to get a signed consent from consumers prior to the de-identification of the PHI and then sell the information to third parties. Consumers can decide if they would like to be paid in return for providing consent to let their health information to be sold.
The bill additionally protects consumers from discrimination when declining to sign a consent or choose to get payment.
HIPAA-covered entities can make money from selling de-identified information and so it is contended that patients ought to get a slice of the payment; nonetheless, in spite of substantial support this bill has attracted, there is concern regarding the effect of these authorizations.
The bill, in its present form, doesn’t put any restrictions on the uses of health information when authorization has been given. Information can therefore be employed for an assortment of purposes as soon as the consent has been given, including reasons that may not really be stated on the authorization form.
The bill furthermore makes no differentiation between a person’s PHI, health data or de-identified information. When a patients signs a form obtain a small fee, consumers are giving up their privacy and essential protections provided by HIPAA, which may have a number of unintended consequences.