A vendor’s view on selling of data

As long as there have been EMRs, there have been vendors selling aggregated, de-identified data. And there have been people worried about privacy.

That issue came up last week AHIMA Legal EHR Summit right here in Chicago, during a session exploring issues related to data ownership and stewardship in the era of cloud computing. (I’ll have a more complete rundown of the session Monday in InformationWeek Healthcare.)

Near the start of the panel, Daniel Orenstein, senior VP and general counsel of Athenahealth tried to put any lingering questions to rest right away. “I think data monetization is kind of a red herring,” Nussbaum said of people who criticize vendors for selling sensitive patient information. According to Nussbaum, de-identified data no longer includes any protected health information as defined by HIPAA, and only has value in the aggregate.

What he didn’t mention—and what nobody on the panel or in the audience brought up— is the possibility that data that supposedly were de-identified could be re-identified to a reasonable degree of precision. I’ve heard this for years, but I don’t know if anyone’s actually re-identified patient data outside of academia. Is this a real threat, or is Nussbaum right about it being a red herring?

UPDATE, August 22, 4:25 pm CDT: Here’s the InformationWeek story I referenced.