American Journal of Law & Medicine

Patient data: property, privacy & the public interest.


Changes in technology sometimes raise important public policy choices and require that we clarify key values and reexamine legal concepts. Such is the case with the development of electronic medical records (EMRs), which facilitate obtaining patient data from provider and insurer records. EMRs expand our ability to tap patient data and thereby create great potential benefits as well as risks. This new technology requires that we clarify the ambiguous property interests in patient data. How the law defines ownership of patient data will shape whether its benefits can be developed and also affects patient confidentiality.

EMRs make it feasible to collect aggregate patient data that can be used to vastly improve medical knowledge, patient safety and public health. Researchers have long used patient data from clinical trials to evaluate the benefits and risks of drugs and medical therapy, compare their relative effectiveness, and analyze health care cost and quality. (1) Tapping data from patient records would make possible similar evaluations at much lower costs, yield continually updated information, and facilitate rapid learning. It would provide information on populations and variables not included in clinical trials. (2)

National, longitudinal patient data could be used to monitor and respond to public health problems in ways that are not possible today. (3) We could track adverse effects from drug use. (4) The FDA could use data on physician prescribing to contact physicians who are prime users of a drug that receive a black box warning. The data could help identify the extent of the prescribing of drugs for unapproved uses that lack scientific support. (5) Moreover, the data could help identify a wide range of other public health and safety problems and track differences in various organized health care systems. (6) And it could help manage health care fraud and facilitate oversight of medical institutions. (7) At the same time, the use of patient data also creates risks to confidentiality. Today, although privacy laws restrict providers, hospitals, and insurers from disclosing confidential information, electronic technology and changes in ownership of patient data might compromise confidentiality. (8)

Whoever owns patient data will determine whether its benefits can be tapped. Currently, the law does not clearly define property interests in patient data. In most states, the law treats patient medical records as physical property that physicians and hospitals own, and it allows patients and insurers access to records. (9) But the law does not grant providers exclusive ownership of the record's data, which can be readily transferred. (10) Just as an individual can own a book, but not the intellectual content printed in it, providers own records but not the patient data itself.

Nevertheless, today, organizations with medical, prescription and billing records treat patient data as if it were their private property, and they often sell it. (11) Typically, they sell patient data stripped of personal identifiers, which they refer to as anonymized or de-identified data. Data sellers sometimes use technology that restricts use of data to those whom they have granted permission. Data sellers frequently employ contracts that limit purchasers from disseminating the data to third parties without the original seller's authorization. If legislation does not create an alternative framework, courts might enforce these contracts and all the privatization of patient data, and thereby limit beneficial public uses.

Do entities that compile patient data from multiple records own the data set? American intellectual property law generally protects only creations or inventions. Patent law protects non-obvious inventions, and copyright law protects intellectual creations, such as writing, music and arty This policy developed over time. The 1790 United States Copyright Act granted copyrights for compilations of information, known as "sweat of the brow" protection. However, the 1976 Copyright Act only granted copyright for original selection of data.

In the 1990s, there were legislative proposals in Europe and the U.S. to give compilers of databases protection from others making use of the data. (13) These proposals would have supplemented protection in trade secrecy law, which protected the work of compilers, but would not have precluded others from compiling the same database. (14) The strong versions of these proposals were not adopted. (15) Furthermore, in 1991, the Supreme Court held that only compilations of information involving creativity can be copyrighted. (16) Aggregate patient data is information that courts are unlikely to deem as involving creativity. (17) Although current law recognizes that private ownership of information often inappropriately restricts public use, today commercial interests are trying to turn patient data into private property. Moreover, even if the law does not allow copyright of patient databases, significant obstacles impede access to data for both public and private uses.

In this article, I argue that treating patient data as private property precludes forming comprehensive databases required for many of its most important public health and safety uses. Private ownership will also allow data monopolies that will increase the price of data and limit competition in the market for derived services. I propose that federal law require providers, medical facilities and insurers to report key patient data in anonymized and de-identified form to public authorities, which will create aggregate databases to promote public health, patient safety, and research. Public authorities should also make this data available for private entities to develop data-derived services, subject to public oversight. As we shall see, there is precedent for federal and state governments requiring reporting of data.

My proposal faces two important challenges. First, prevailing American thought favors private ownership and markets and a minimum role for the federal and state governments. I argue, however, that the economic, legal, and moral reasons typically invoked to justify treating a resource as private property do not support doing so here. There is no need to create private property rights to encourage production of patient data because it already exists. Providers and medical organizations will continue to collect this data in order to perform their work, whether or not they must disclose it, and even if they cannot sell it. Furthermore, public ownership would ensure the aggregation of patient data and promote its beneficial public and private uses. In contrast, private ownership would preclude most public uses and restrict many private uses. Other economic, ethical and legal considerations also favor treating patient data as a public good.

Second, some people believe that public ownership of patient data creates risks for patient privacy. I contend, however, that the risks to privacy are no greater than when the data is private property owned by patients or firms and organizations. Whether publicly or privately owned, we need protective measures to ensure confidentiality. Public ownership, however, allows greater public oversight that can protect patient confidentiality.

To illuminate these issues, this article will describe how the market for patient data emerged and show that commercial interests and public policy have in the past, and continue today, to promote the data's privatization. It then makes the case for public ownership of patient data and responds to objections raised against public ownership of patient data. Next, it assesses the arguments for making patient data private as a means to protect patient confidentiality and finds these are not convincing. The article then suggests what data should be made public and how it should be done. It concludes by asking if the concept of the public interest can illuminate these choices.


Organized medicine took the lead in developing a market for medical data. In the 1950s, the American Medical Association (AMA) commissioned Ben Gaffin and Associates to conduct the Fond du Lac marketing study to determine the influence of advertising, pharmaceutical detailing, peer opinion and other factors on physician drug prescribing. (18) It distributed this study to the Pharmaceutical Manufacturers' Association and leading drug firms to encourage them to advertise in AMA journals and to form a partnership with the AMA on areas of mutual benefit. Then the AMA began to sell to pharmaceutical firms data that identified physicians by their license numbers, practice locations, and practice specialty. Pharmaceutical firms combined physician identifiers with prescription data from pharmacies that included the prescribing physician's license number. They then tracked individual physician prescribing, patient drug use, and pharmaceutical sales for their marketing and promotion. (19)

Later, specialized firms--now referred to as medical information organizations (MIOs)--emerged to broker the purchasing and selling of medical data. (20) They purchased data from the AMA to identify physicians by their license number and other information. They purchased data from pharmacies to identify drugs sold. MIOs combined this information to reveal prescribing patterns and market trends. (21) Pharmaceutical firms purchased the data from MIOs to track sales by individual physicians and medical detailers who visited them. They rewarded their medical detailers who were the best at promoting sales. They also used the data to target physicians for changing their prescribing practices and to evaluate the effect of their advertising and marketing--as well as that of their competitors. Such information also revealed the potential market for each class of drugs, current sales of their own products, the products of competitors and their respective market share. (22) Medical device manufacturers and other medical suppliers also purchased data for similar purposes.

Later, MIOs began to purchase patient data from hospital records stripped of patient identifiers. When combined with other data, these records reveal the diagnosis and profile of patients for which physicians prescribe various drugs and use various therapies. Pharmaceutical firms can thus promote drugs differently for each use and design different strategies to influence different physicians based on the way they use drugs and the patients they serve. The marketing literature explains in detail the uses of such data. (23)

Managed care organizations (MCOs), hospitals, and regulatory authorities can use this information to identify inappropriate drug uses by physicians; to learn whether pharmaceutical firms market drugs for unapproved uses; and to assess the effect of different medical treatments on patient care. Other users of patient data include health service researchers, health economists, the Food and Drug Administration (FDA), and public health departments.

Firms also started to purchase patient data as a tool for their policy advocacy. Regulatory agencies evaluate the safety and effectiveness of drugs and medical devices before approving their sale. Third-party payers, MCOs, and hospitals evaluate drugs before placing them on their formulary. Insurers often evaluate medical devices before covering them or encouraging their use. These entities consider the cost-effectiveness and value of medical drugs and devices compared to alternatives. Organizations that develop clinical practice guidelines also use patient data in forming their recommendations. Knowing this, firms that manufacture and sell medical products now purchase patient data for studies to make their case for their products.

IMS Health, the largest supplier of medical information for market research, now markets patient data for policy advocacy. (24) It promotes data from its General Practice Research Database, for studies of cost, effectiveness, impact on health care spending, and medical outcomes. Its web page says, "[a]chieving a favorable endorsement from healthcare authorities is critical to ensure that new innovations reach the market and patients more quickly and are incorporated into appropriate guidelines of care." (25) It adds that product use is boosted by studies of "efficacy, safety, and cost-effectiveness as presented in peer-reviewed medical and scientific journals or via specialized conference[s]." (26) IMS also markets its consulting services, which write "manuscripts and reviews for submission to peer-reviewed journals, clinical trial reports, expert reports, investigator brochures, abstracts, posters, slide sets." (27) In addition, consulting firms, group purchase organizations, software vendors and other commercial enterprises purchase patient data for various commercial uses. (28)

Already, the market for patient data is worldwide. IMS sells it for marketing in over 100 countries and earned over $2 billion in 2006. (29) It sells data to all major pharmaceutical and biotechnology companies. (30) MIOs anticipate the emergence of a new industry of data warehouses, data exchanges, data-related products and services. In recent years, academic medical centers, such as Boston's Massachusetts General Hospital and Brigham & Women's Hospital, explored how to sell their patient data to biotech companies, insurers, consulting companies, investment analysts, publishers, and government agencies. (31) Also, insurers, group medical practices, and other entities may commercialize patient data.


Today, firms, foundations and government policy all promote private data markets. The conventional wisdom supports private ownership of patient data or maintaining current default rules. For example, a 2006 Heritage Foundation report advocates private ownership and contends that governmental authorities should have to purchase patient data on the same terms as all other parties. (32) In a similar vein, most writers hold that private entities should develop voluntary standards for confidentiality and stewardship of data instead of the government setting legal standards. While George W. Bush was president, the Office of the National Coordinator for Health Information Technology--part of the Department of Health and Human Services (DHHS)--promoted the development of voluntary standards for the sharing, aggregation and use of patient data by private for-profit and not-for-profit entities. Those who advocate for voluntarily sharing data typically ignore the obstacles to this occurring. As the Markle Foundation acknowledges in one report, "providers treat patient information as a highly proprietary asset that serves as a means of differential from the competition." (33) This tendency creates an obstacle to voluntarily sharing data or to individuals purchasing it. In 2006, the American Medical Informatics Association (AMIA)

published a white paper of its expert panel that proposed a policy framework for the secondary use of patient data. (34) The AMIA asked the panel to address several questions, including, "Who owns health data and who has the right to access the data and for what purposes?" (35) The expert panel responded that "the focus needs to be on data access and control, not data ownership." (36) Yet, the property rights in patient data will determine access and control. If legislation does not resolve the ownership of patient data, courts are likely to grant property interests to those who possess that data and preserve the status quo.

In a 2007 report, the AMIA advocated that stakeholders voluntarily adopt guidelines for data stewardship and shared access. The report included the following groups as stakeholders with rights to access data: provider organizations; personal health record service providers; insurance companies; health data exchanges; and health data banks, as well as patients. (37) Notably, governmental health authorities are not included as stakeholders. It assumed that firms that sell and purchase patient data should develop a consensus on their own oversight. The standards that these private entities develop will reflect the interests of those who want to sell data but not the interests of patients or the public. (38)

In June 2007, the Agency for Healthcare Research and Quality (AHRQ) proposed the creation of a National Health Care Data Stewardship Entity to set uniform operating rules for sharing and aggregating public and private sector data on quality and efficiency. (39) It assumed that private parties would hold the data and have no obligations to supply data to the national government or state authorities. Nevertheless, many groups responded to the AHRQ proposal by explicitly opposing the idea of public ownership. The AMIA commented that "there should be no central repository of aggregate data--whether at the national or regional level." (40) The Markle Foundation's Connecting for Health project stated, "A single data repository for aggregating and reporting quality data could fail to meet user needs, increase the risk of large scale privacy violations and undermine public trust." (41)

In response to the AHRQ proposal, three private organizations--the National Commission on Quality Assurance, the National Quality Forum and the Joint Commission--suggested that they operate the national stewardship entity and charge fees for their work. They said they would determine data control and ownership rights. In brief, they would decide what data will be public, and what access would flow to data-contributors. (42) They explained that those "that have the most data ... must be assured that their data will be properly protected," and that those who contribute data "want to maintain a competitive advantage, based on the value of their data." (43)

Writing in 2009, Enrico Coiera described current American health information policy as following a "bottom-up approach." He explained that "service providers have formed regional coalitions to interconnect their existing systems as best they can into health information exchanges (HIE). The expectation is that regional HIEs will eventually aggregate into a nationscale system." (44) This bottom-up approach is notable for its lack of success. Several attempts to create health information exchanges that voluntarily share data have failed. …

Log in to your account to read this article – and millions more.