Oregon wants to pass a law to prohibit the sale of de-identified data without the data subject's consent. That is dumb -- de-identified data does not have a data subject. And if it's truly de-identified, there is no downside to its being shared, at least no downside to the data subject (because, again, there is no data subject if it's de-identified).
I understand the "property rights" concept, but it really doesn't work with data. Data isn't a thing like that; data is a fact, and you can't own a fact. The exact same data can be possessed by multiple people at the same time, without diminution of the value to any other holder. Plus the data may only connect to a particular subject in a particular situation.
For example, let's say my birthday is January 1, 1960. 1/1/60 is in my medical record at my doctor's office, which means that data ("1/1/60") is PHI. Let's also say I went to my doctor today, January 23, 2019 (1/23/19), for my annual physical. That data ("1/23/19") is also PHI. Do I own 1/1/60 or 1/23/19? If those data are my property, can I keep other people from using them? How about other people who were born on the first day of 1960? Do they own the data and I don't? Tenants in common?
Now, I do have some interest in the connection between those two dates, me, and my doctor's office, but do I own all that data as long as it's connected?
More importantly, what if you de-identified it by HIPAA standards? All you'd know is that some 59-year-old person went to that doctor's office in 2019. In Oregon, I would still own that data, even though you don't know it's me. There will be other people aged 59 who come to that doctor's office in 2019, and that data will belong to them; how can you tell which data is theirs and which is mine once it's de-identified?
Even if it's not de-identified, the doctor's office should have some right to the data in its own records. It should not have unfettered rights to do with it whatever it wants (and it doesn't, because of HIPAA and other privacy laws), but it surely has the right to use the data to run its business.
I shouldn't complain -- like the Illinois Biometric Privacy Law, this is good for lawyers. But it's unnecessary and dumb.