
Time Capsule: EMR Vendor Starts Secretive, Lucrative Business: Pimping the Patient Data of its Provider Customers

January 4, 2013 Time Capsule 3 Comments

I wrote weekly editorials for a boutique industry newsletter for several years, anxious for both audience and income. I learned a lot about coming up with ideas for the weekly grind, trying to be simultaneously opinionated and entertaining in a few hundred words, and not sleeping much because I was working all the time. They’re fun to read as a look back at what was important then (and often still important now).

I wrote this piece in March 2008.

EMR Vendor Starts Secretive, Lucrative Business: Pimping the Patient Data of its Provider Customers
By Mr. HIStalk


Genetic medicine company Perlegen Sciences probably never saw the controversy coming. Its March 18 press release innocently and proudly announced an exclusive collaboration agreement with an unnamed EMR vendor to mine that vendor’s database, which is said to hold medical information on four million patients. To egghead scientists who don’t get out much, that sounds like a victorious achievement for medical research.

Perlegen will sift through mountains of data to select patients who meet its research criteria. The company will then contact the providers of those patients, asking them to contact the patient on the company’s behalf and offering them cash for providing a DNA sample. (Everybody’s watched enough CSI to know about the Q-Tip cheek swab thing, of course.)

Perlegen’s intentions sound noble, at least when they’re the ones reciting them. The company is hoping to find genetic markers that can predict the individual response of patients to specific drugs. That correlation could improve patient safety and drug efficacy. And boost drug company profits, of course, which is the real point (some of its investors are drug companies).

The fastidiously unnamed EMR vendor is being paid to provide massive amounts of supposedly de-identified patient data (that methodology wasn’t specified). They get a cut of the take. Perlegen gets an ownership stake in the EMR vendor. Everybody’s happy.

Except perhaps those patients whose information is being probed by a company they’ve never heard of. Generously provided by another company they’ve also never heard of. Do they really want a genetic research firm peeking into their medical records, obtained in an open-air bazaar?

You’ll be hearing more about this story. It opens up a number of legal and ethical questions that are sure to tickle the fancy of journalists, privacy advocates, and software vendors.

The document trail will be interesting. Did the providers’ Notice of Privacy Practices indicate to patients that their data would be marketed since this goes well beyond the usual treatment, payment, and operations? Did the EMR vendor’s contracts with its customers reserve the right to not just store their data, but to sell it?

Perlegen drops the words “HIPAA” and “IRB” to make everything sound on the up-and-up. They’re HIPAA-immune, however (they’re not providers) and it’s not clear whose IRB will oversee the project. In other words, it’s not illegal, but it sounds a bit loophole-ish. So much for HIPAA offering broad privacy protection.

The biggest villain here appears to be the EMR vendor. It has no contractual agreement with patients as far as we know, so what is it doing selling their information?

Don’t blame Perlegen – they should have been told ‘no’. Blame lax privacy protections, the unnamed EMR vendor, and poor IT market conditions for leading to such a desperate cash grab. When that vendor is named – and it will be – we’ll know how it worked out such a sneaky deal, how it’s de-identifying the data of its customers, and how it justifies being partially owned by drug company interests.

Currently there are "3 comments" on this Article:

  1. So how is healthcare supposed to benefit from big data if nobody is allowed to look at it? A company is paid to help identify patients, and then the patients themselves are paid to participate. Sounds like those devious contract research organizations out there paying doctors to review charts and then paying patients to participate in studies. Patients need to be educated about devious companies like Quintiles and Covance paying to access their charts and recruit them for managed studies. Imagine the chaos if academic hospitals were to have clinical research units where patient charts are reviewed without their knowledge so they can be paid to participate in research studies sponsored through grants at the hospital. I shudder at all those nameless, faceless researchers and CROs taking advantage of all that innocent data just so patients can be paid for research participation.

  2. Disgusting is all I can say. I don’t want my medical history shared with anyone, de-identified or not. Certainly I would like the right to provide my consent. There is a world of difference being asked vs having it taken.

    These companies do this stuff because they can get away with it….just like the banks. Publish the names of these data thieves and this practice will stop. E.g., Humedica.

  3. It’s important to understand that what is described relates to looking at de-identified data. Not arguing whether the manner of de-identification is strong enough, the practice of looking through aggregated, deidentified data to support research feasibility is pretty much common practice and is allowed by both HIPAA and under IRB guidelines. It happens in every academic hospital today. This is not the same as sniffing through individual charts to recruit patients. Even if that were practical, it is not allowed under HIPAA. It’s also important to understand that a trial that has received IRB approval is no longer subject to HIPAA. It has its own human subjects protection standards that it must follow (in many cases, more stringent than HIPAA). In addition, IRBs are not organizationally based. This means any legitimate IRB can provide approval for a specific study that may be across numerous organizations.

    I fully agree that privacy is something we need to devote more attention to but we can’t knee jerk react to it. We all benefit from research focused on curing us of our most threatening ills and we have to accept that research is costly; therefore, it requires business models to support it. Making it harder for the research community to access trial candidates isn’t the answer. It will only hurt society in more fundamental ways than privacy.
