
Medical Software and Apps are Harvesting Patient Data

Patient portals, medical office check-ins, telehealth apps, virtual visit platforms and more, are collecting, using and selling protected patient health information.

Pharmaceutical companies are buying it, as are medical device companies, and any business that considers the data profile to be that of a potential customer. 

For a software developer, collected patient data may be the largest stream of revenue. Physicians may not know that their patients' data is so easily being harvested. But they should be concerned about anti-kickback statutes if they receive a discount or anything of value in exchange for allowing a tech company to ask for their patients' permission. And as always, patients, beware. 

When HIPAA was written in the 1990s, privacy meant paper charts. Today, very little of a clinical chart exists on paper anymore. Every software program that contributes to a chart, houses it, transmits it, or bills for it has access to its contents as needed for business purposes.

HIPAA and many state privacy laws require tech product companies to ask the permission of the physician's practice and of each patient, and to get an affirmative opt-in consent in advance, before harvesting patient data.

If you are the developer of software for use in a clinical setting, the opt-in choice should be clear and explain plainly that it can be declined. In many cases, you cannot make the choice automatic and require patients to opt out.

Like privacy policies and opt-in agreements on apps, the opt-in consents for medical program releases of PHI (Protected Health Information) can be difficult to distinguish from required releases for other purposes such as billing. The opt-in language may be buried in thousands of words and may not make it clear that patients can decline.

What happens to patient data that has been harvested? Sometimes it stays with the software company to target patients with ads from drug companies, health product companies, or service providers that may consider a patient a potential target customer. Every ad they place in front of a patient represents money paid by the marketer to the software vendor. Alternately, a software vendor may sell a patient's data outright to others that deal in the wholesale transaction of consumer data for sale to a wide variety of for-profit businesses that use it themselves, or re-sell it to others for a variety of purposes.

Physicians are covered entities under HIPAA who owe a duty to safeguard their patients' data. Software companies are not covered entities under HIPAA; they are business associates that may owe no further duty to the patients or to the physician practice from whom they collected patient data, once they have proof of an electronic opt-in. Patients and physicians can, however, opt out at any time. Those who have software, a telehealth portal, an app, or a sign-in program at a medical office that is targeting patients, and believe it may have harvested data without their understanding, can contact the software company directly and instruct that the consent is revoked.

"Everybody who is trying to get to a secondary use of your data should be required to have clear understandable consent," said Caplan, medical ethicist.