Hospitals and health plans are increasingly using the huge amount of medical data they collect for research. It's a business worth billions of dollars, and sometimes those discoveries can be the foundation of new profit-making products and companies.
When a company profits from your data, should you get a cut?
This isn't just a hypothetical question. When Steven Petrow was 26 years old, back in 1984, he was treated for testicular cancer at Memorial Sloan Kettering Cancer Center in New York City.
"At that time I know a lot of lymph nodes and other bodily parts were removed from me, and I didn't really pay attention to where they went," he says.
So he read with alarm a recent article in The New York Times that the cancer center had decided to grant exclusive access to scans of its vast pathology collection to a private for-profit company, presumably including his tissue samples. According to the cancer center, the samples were to be linked to medical records with personal details removed.
"It really made me wonder, first of all, where are [the tissue samples]? Do they belong to me? Do they belong to the hospital? Do I have any rights over them? Should I have been notified?" he says. "And the fact that it might have been commercialized — monetized — that's deeply upsetting."
Companies are exploiting medical data to develop new drugs, devices and algorithms to help diagnose disease and to help future patients. Had they asked his permission, he says he would have granted it, provided he was assured of his privacy.
"The answer is absolutely yes," he says, "I want my body parts to be used to help others."
Would he also have expected a financial cut if this material gets developed by a profit-making company? He laughs. "Yes, I've always wondered how much that testicle was really worth."
Right now that is a laughable question, because patients don't see a share of the billions of dollars made off information like this. But does it have to be that way?
State law across the country is clear that "the health care provider owns the data" in medical records, says Jodi Daniel, an attorney at Crowell & Moring in Washington, D.C. Only New Hampshire says patients have some ownership rights as well.
Federal law, which Daniel helped write back in 1996, says that the health care providers can't out-and-out sell the data. But from there, the rules get blurry. For example, under federal HIPAA privacy rules, a doctor can use patient data for research or to improve "health care operations," Daniel says.
"If he's trying to use your information in order to develop a product that he can then sell and make millions of dollars off of, that might not be a 'health care operation,' " she says. "But there isn't a clear interpretation at this point."
And there's growing public concern about issues of privacy and ownership.
Milind Kamkolkar, chief data officer at the drug company Sanofi, says it's already difficult to track the many murky transactions having to do with people's personal medical data.
"Sometimes it just feels like it's 'blood diamonds' in the world of data sharing," he says. "We can't really track how that data came through, but someone's making money off this, and making an incredible amount of money off this. Personally, I think there are going to be regulations as we start waking up to this phenomenon."
He says companies like his, seeing big changes ahead, would be willing to pay individuals something for their data, if that gave them clear rules about how they could use it. And there are now companies springing up to explore this idea. Kamkolkar serves as an adviser for one such firm — Hu-manity.co.
Richie Etwaru, CEO of Hu-manity.co, says his long-term goal is to make personal medical data a person's legal property — to get away from the current system.
"The data's being used without being classified as property and without explicit consent and authorization," he says. "And as a result there's really this whole gray area about, 'Can you really make billions of dollars off of a discovery that came from me?' "
Etwaru's company has just rolled out an app that would let people specify how their medical data can and cannot be used. Individuals' preferences would be added to their electronic medical records and similar data from pharmacies, Etwaru says. Those data sets are major starting points for the use of "big data" to prospect for new ideas that could lead to novel drugs.
Individuals still wouldn't own their data under this arrangement, but they could agree to do business with companies that want a more explicit agreement about how it can be used. (They also could explicitly donate their data to nonprofits.)
Pharmaceutical companies could potentially pay each user $10 a month for access to their data, Etwaru says. The drug companies would also pay Hu-manity.co for access to these preferences.
Hu-manity.co is framing its for-profit business as a fight for a new human right.
"The data absolutely has a fair value," says Michael DePalma, the company's founder and president. "It's a $60 billion business right now, just in medical data, right? So why should we not have some component of that?"
DePalma and Etwaru say they're taking a key step in that direction: building a technical framework to make these transactions possible.
Changing data ownership laws, state by state, seems like a distant prospect. But that may not be necessary to start changing the relationship between the companies making use of medical records and the people documented in those records.
You can reach Richard Harris at email@example.com.