Time Capsule: EMR Vendor Starts Secretive, Lucrative Business: Pimping the Patient Data of its Provider Customers

January 4, 2013 Time Capsule 3 Comments

I wrote weekly editorials for a boutique industry newsletter for several years, anxious for both audience and income. I learned a lot about coming up with ideas for the weekly grind, trying to be simultaneously opinionated and entertaining in a few hundred words, and not sleeping much because I was working all the time. They’re fun to read as a look back at what was important then (and often still important now).

I wrote this piece in March 2008.

EMR Vendor Starts Secretive, Lucrative Business: Pimping the Patient Data of its Provider Customers
By Mr. HIStalk


Genetic medicine company Perlegen Sciences probably never saw the controversy coming. Its March 18 press release innocently and proudly announced an exclusive collaboration agreement with an unnamed EMR vendor to mine that vendor’s database, which is said to hold medical information on four million patients. To egghead scientists who don’t get out much, that sounds like a victorious achievement for medical research.

Perlegen will sift through mountains of data to select patients who meet its research criteria. The company will then contact the providers of those patients, asking them to contact the patient on the company’s behalf and offering them cash for providing a DNA sample. (Everybody’s watched enough CSI to know about the Q-Tip cheek swab thing, of course.)

Perlegen’s intentions sound noble, at least when they’re the ones reciting them. The company is hoping to find genetic markers that can predict the individual response of patients to specific drugs. That correlation could improve patient safety and drug efficacy. And boost drug company profits, of course, which is the real point (some of its investors are drug companies).

The fastidiously unnamed EMR vendor is being paid to provide massive amounts of supposedly de-identified patient data (that methodology wasn’t specified). They get a cut of the take. Perlegen gets an ownership stake in the EMR vendor. Everybody’s happy.

Except perhaps those patients whose information is being probed by a company they’ve never heard of. Generously provided by another company they’ve also never heard of. Do they really want a genetic research firm peeking into their medical records, obtained in an open-air bazaar?

You’ll be hearing more about this story. It opens up a number of legal and ethical questions that are sure to tickle the fancy of journalists, privacy advocates, and software vendors.

The document trail will be interesting. Did the providers’ Notice of Privacy Practices indicate to patients that their data would be marketed since this goes well beyond the usual treatment, payment, and operations? Did the EMR vendor’s contracts with its customers reserve the right to not just store their data, but to sell it?

Perlegen drops the words “HIPAA” and “IRB” to make everything sound on the up-and-up. They’re HIPAA-immune, however (they’re not providers) and it’s not clear whose IRB will oversee the project. In other words, it’s not illegal, but it sounds a bit loophole-ish. So much for HIPAA offering broad privacy protection.

The biggest villain here appears to be the EMR vendor. It has no contractual agreement with patients as far as we know, so what is it doing selling their information?

Don’t blame Perlegen – they should have been told ‘no’. Blame lax privacy protections, the unnamed EMR vendor, and poor IT market conditions for leading to such a desperate cash grab. When that vendor is named – and it will be – we’ll know how it worked out such a sneaky deal, how it’s de-identifying the data of its customers, and how it justifies being partially owned by drug company interests.

Currently there are "3 comments" on this Article:

  1. So how is healthcare supposed to benefit from big data if nobody is allowed to look at it? A company is paid to help identify patients, and then the patients themselves are paid to participate. Sounds like those devious contract research organizations out there paying doctors to review charts and then paying patients to participate in studies. Patients need to be educated about devious companies like Quintiles and Covance paying to access their charts and recruit them for managed studies. Imagine the chaos if academic hospitals were to have clinical research units where patient charts are reviewed without their knowledge so they can be paid to participate in research studies sponsored through grants at the hospital. I shudder at all those nameless, faceless researchers and CROs taking advantage of all that innocent data just so patients can be paid for research participation.

  2. Disgusting is all I can say. I don’t want my medical history shared with anyone, de-identified or not. Certainly I would like the right to provide my consent. There is a world of difference being asked vs having it taken.

    These companies do this stuff because they can get away with it… just like the banks. Publish the names of these data thieves and this practice will stop. E.g., Humedica.

  3. It’s important to understand that what is described relates to looking at de-identified data. Not arguing whether the manner of de-identification is strong enough, the practice of looking through aggregated, deidentified data to support research feasibility is pretty much common practice and is allowed by both HIPAA and under IRB guidelines. It happens in every academic hospital today. This is not the same as sniffing through individual charts to recruit patients. Even if that were practical, it is not allowed under HIPAA. It’s also important to understand that a trial that has received IRB approval is no longer subject to HIPAA. It has its own human subjects protection standards that it must follow (in many cases, more stringent than HIPAA). In addition, IRBs are not organizationally based. This means any legitimate IRB can provide approval for a specific study that may be across numerous organizations.

    I fully agree that privacy is something we need to devote more attention to but we can’t knee jerk react to it. We all benefit from research focused on curing us of our most threatening ills and we have to accept that research is costly; therefore, it requires business models to support it. Making it harder for the research community to access trial candidates isn’t the answer. It will only hurt society in more fundamental ways than privacy.
