Does Your EHR Vendor Sell Your Patients’ Data?
Many of us are concerned, even wary, about what health insurance companies do with the medical data they collect about us and our clients. What’s perhaps even more concerning is the prevalence of such data being used, traded, and sold by other entities, including some EHR (Electronic Health Record) vendors.
Practice Fusion, for example, clearly states in its User Agreement for patients:
“Practice Fusion maintains the right to de-identify personal information placed on its Internet site, and to use, disclose, sell and otherwise commercialize de-identified information without restriction.”
There are certainly some positive uses for this kind of information and Practice Fusion readily points them out. Two of the primary benefits are the potential for improvement of care and the study of the pattern of viral outbreaks. To be clear, there is also great potential for monetary gain in the sale of this kind of data.
This practice of de-identifying and then using or selling medical information is all perfectly acceptable under HIPAA. In fact, HIPAA guidance covers two acceptable methods and states that,
“De-identified health information created following these methods is no longer protected by the Privacy Rule because it does not fall within the definition of PHI.”
The “Safe Harbor” method requires that 18 different identifiers be removed, while the “Expert Determination” method simply requires that a qualified person verify that there’s a “very small risk” that the data might be re-identified (i.e., associated with the actual patient). In typical HIPAA fashion, the guidelines for Expert Determination are somewhat open to interpretation.
Can Data Truly be De-Identified?
In 2010 the Federal Trade Commission (FTC) hosted public roundtables focused on various aspects of consumer privacy. Many serious concerns were raised regarding the practice of using, selling, and trading de-identified medical data. Primary among those concerns was the relative ease with which some data can be re-identified and attached to things like a person’s credit record and easily found by potential employers. In most cases, with just a Date Of Birth, Gender, and Zip Code, a patient can be re-identified.
Mental health professionals are increasingly using cloud-based services and have an obligation to inform our clients of our privacy policies and what happens to their personal information once they provide it to us. As such, it is important to ask your EMR/EHR/Practice Management System Vendor the following questions:
- Who owns the data once it is entered into the system?
- If the Vendor claims ownership, do they use, trade, or sell de-identified information to others?
- If they do, what method of de-identification do they use?
From there, it’s up to each mental health professional to decide whether they want to utilize the services of a vendor that engages in this practice.
June 04, 2013: Practice Fusion announces new product called “Insight”, a sale of de-identified data providing demographic trends and more. There is no longer any question as to whether Practice Fusion sells de-identified data.
Feb 11, 2014: In October of 2013, an article was published noting another questionable business decision by Practice Fusion. They invited patients to publish interviews of their doctors online. It would seem possible that these patients may not have known these would be publicly available reviews that include their name as well as sensitive information.
About the Author
Rob has been covering technology and business news for mental health professionals since 2011. His extensive experience in IT, business, and private practice allows him to synthesize information in a friendly, digestible manner. He also enjoys time with his family, ultimate frisbee, and board gaming.