Privacy office to check on sale of health data
February 27, 2019
TORONTO – The Office of the Information and Privacy Commissioner of Ontario is launching an investigation after the Toronto Star newspaper published a story about the sale of anonymized medical records in the province.
U.S. health data giant IQVIA says it has the potential to access the health records of five million Ontarians. It regularly anonymizes and sells one million of them, mainly to pharmaceutical companies.
This month, the privacy commissioner’s office said it would launch a “review of the circumstances described” in the Star story.
“The article indicates that information from patient records is being provided to private sector organizations,” the IPC wrote in a statement to the Star. “We have reason to believe that these arrangements may be contrary to the law.”
IQVIA obtains the data from one of the companies that sell and support electronic medical record software to physicians in the province. It’s a booming field, as doctors switch en masse from paper records to electronic patient charts.
The company “anonymizes” the data – strips names and other identifying information from the health records – and then sells it to IQVIA, which describes the process but does not name the EMR company selling the data in its promotional documents.
IQVIA’s main customer is the pharmaceutical industry, which uses the EMR data to track use of its drugs, identify untapped markets and plot marketing strategies. The sale of data is in a grey area of privacy law.
Once patient records are anonymized, they are no longer considered personal health information and, in the view of some experts, can be sold without patient consent.
However, the sale of anonymized health data raises important concerns. There is always a small risk of re-identification of an individual from the data set. This risk increases when data sets are linked, as IQVIA states it does in its promotional documents.
Additionally, there is no active monitoring of the physicians and EMR companies that gather, anonymize and sell the data, or of the company that buys and resells the data. By contrast, the Privacy Commissioner conducts regular audits of the non-profit research organizations that collect the data for public health and research purposes.
The privacy commissioner, however, has the mandate to investigate physicians and EMR companies when “there are reasonable grounds to believe that the [privacy] act is being contravened.”