Waiving Your Privacy Goodbye: Privacy Waivers and the HITECH Act’s Regulated Price for Sale of Health Data to Researchers
Univ. of Houston Public Law and Legal Theory Working Paper No. 2010-A-22
46 Pages
Posted: 24 Aug 2010
Date Written: August 23, 2010
How much should an insurer or healthcare provider be able to charge when selling people’s personal health data without their permission to a researcher? This question is being addressed now in proceedings to amend the HIPAA Privacy Rule. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 allows such sales but limits pricing to a cost-based fee for data preparation and transmission. The requirement that individuals authorize the release of their data can be waived under existing provisions of the HIPAA Privacy Rule. This article explains why supplying data to researchers is set to become a profitable line of business for entities that hold large stores of health data in electronic form. Health information systems are a form of infrastructure, and Congress’s cost-based fee for data preparation and transmission echoes pricing schemes traditionally used in other infrastructure industries such as railroads, electric power transmission, and telecommunications. Cost-based fees for infrastructure services, of constitutional necessity, must allow recovery of operating and capital costs including a return on invested capital - in other words, a profit margin.
This fee structure is being launched in an emerging 21st-century research landscape where biomedical discovery will depend more than it has in the past on studies that harness existing stores of data - such as insurance claims and healthcare data - that were created for purposes other than the research itself. This article explores why, in this environment, the new fee structure has the potential to destabilize already-fragile public trust and invite state-law responses that could override key provisions of federal privacy regulations, with devastating consequences for researchers’ future access to data. To avoid this outcome, the cost-based fee must be thoughtfully implemented and accompanied by reform of the HIPAA waiver provision now used to approve nonconsensual use of people’s health data in research. This article identifies specific defects of the existing framework for approving nonconsensual uses of data with the aim of eliciting a wider debate about what the reforms ought to be.
Keywords: HITECH Act, HIPAA Privacy Rule, consent waiver, privacy waiver, health IT, informational privacy
JEL Classification: I1, I18, K23