Full Text

As the healthcare industry continues to struggle with interoperability, there's one realm in which patient data move remarkably freely: the secondary market.

Indeed, hackers aren't the only ones making money off of patient health data. Legitimate companies are cashing in too, including health systems, pharmacies and occasionally electronic health record vendors--and the third parties purchasing the data.

These third parties get de-identified health information from a vast array of sources and then sell the information on a secondary market to buyers interested in gleaning strategy insights. Buyers might be pharmaceutical firms intent on refining their marketing strategies, figuring out where to invest next, or how to target clinical trials. A large pharmaceutical company might pay between $10 million and $40 million per year for data, consulting and services from Iqvia (formerly IMS Health), one of the dominant players in the market, according to Adam Tanner in the book Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records.

As long as the data are de-identified, sharing them is fine under the HIPAA privacy and security rules.

"Even small pools of data about patients that have the exact disease a company is trying to sell into are very valuable," said John Gardner, a partner with NGP Capital.