Michael Gill: Patient data for sale

The recent merger of Patients Like Me (PLM) with the research arm of United Health Group raises questions about patient data and exposes some of the vulnerabilities for patients who share their data. Patients Like Me is the world’s largest personalised health network with an estimated 650,000+ members. They are living with 2,900 conditions and have generated more than 43 million data points. The design of the website and its approach to collecting patient data are excellent with good summaries provided to members. 

Under this merger with United Health Group, exactly what now happens to members’ datahow it is stored, and how it is sharedis so far unclear. 

Patients Like Me is a pioneering concept, but patients are active online in relation to their health across a large number of different platforms. They are creating data both actively and passively about their health and conditions. The benefits of big data have been well versed, but when the data are so personal and so commercially valuable, there is much to debate around the principles of ownership and controland this applies across all platforms.

The commercial value of this information makes situations like this all the more common. Access to these data which have been shared with one purpose or remit is transferred to a new third party. This creates some key questions for all data controllers (managers and owners) to think about. If I provide my data, say about daily pain levels, to one group knowingly and then an external third party acquires these data, packages it and links it to medication effectiveness who misses out? I don’t get anything for two years of pain observations whereas a third party accessing the data may benefit. This seems rather unfair. Furthermore, patient online services and products routinely “force” agreement with their terms and conditions. An option would be to separate data use, reuse, and sale provisions from the general contract and give patients the option to restrict or sell their data as appropriate.

Virtually all health jurisdictions in the private and public sectors claim de facto ownership of the data provided through informal and formal processes via hospital admission, GP records, or patient service associations. Why have patients been excluded from discussions about their data, bar complex “small print” that is rarely explicit? With digital advances in big data, personalised care and risk-based insurance policy, de facto ownership means something very different now than it may have a few years ago. Should patients be better informed about how their data are genuinely used beyond generic statements about “anonymity, service improvement, and third parties” that wouldn’t reach the bar of informed decision making for medical issues?

The routine practice among all organisations and academic researchers is that patient data which are collected and then formatted into an unidentifiable aggregated data set is ethically open to use, resell or use in other ways (many of which are yet to be defined in this evolving field). While every individual patient might not be consulted, what patient partnership dialogue exists to involve and engage patients in these decisions about their data? Financial pressures aside, researchers, and data owners have an opportunity to decide if and how to share data when approached, so why are patient representatives not part of that shared decision? 

In order to take part in shared decision making, one needs to understand the options. This requires greater transparency than the description of third parties which is the norm at the moment. 

There is a tension between accessing and using data for the “common good”, a high ground commonly occupied by third party researchers without patients having the right to delete their data at sale or merger, if they wish. While some may consider this sort of approach impractical due to its administrative burden, as seen in the UK recently with Care.Data, the implications of making “good intention” assumptions can be enormously disruptive. None of these aspirations are impossible. New Hampshire for example in the USA, explicitly grants ownership of data to patients. A subtle shift, however, from data ownership to data stewardship suddenly opens the door to considering models of patient compensation.

While data protection and confidentiality are often used as smoke and mirrors and easy excuses not to do things in healthcare, the specifics of this are rarely openly discussed with patients. It is improving, but even amending incorrect records is a feat in itself for many. We often talk about patients’ health literacy and digital literacy, but information literacy is fast becoming an essential tool for patients to navigate their care. I was denied the ability to correct a record of my hospital consultation even when I pointed out a substantial error.

According to the Brookings Institute (2018) “A multibillion dollar industry operates by collecting, merging, analysing and packaging patient data and selling it to the highest bidder.” Even the NHS is under pressure to sell patient data. In Australia there is a push by government to have a national health record for every patient thereby providing the potential to make revenue for the government.

Data sitting stagnant in a bucket helps no-one. Many patient communities are buckets of information which provide enormous value to people with that condition. Those buckets have an enormous dollar sign in front of them, and this makes them liable to “change hands” with potential for exploitation. None of these data and the associated commercial value exists without patients, so they should be central to any decision about its evolving use, not by proxy, but as active partners around the table, to champion genuine ethical “common good” and safeguard and protect any misuse.

Michael Gill is a BMJ patient reviewer and founder of the Charity dragonclaw.net

Competing interests: None declared