Money symbol and data The market for de-identified health care data is growing rapidly, but as consumers have become more willing to share data, they also want to have more control over how their data is used. (Image: Shutterstock)

What’s in your personal health data? Even though it may be personal, it may have considerable value. And today this information is often put up for sale—in non-identifiable form—leading to the question: should patients get a cut of whatever money is made from the sale of their health information?

Oregon lawmakers have proposed a bill that would do just that: require that patients to give their authorization to any entity that sells their health data. The legislation further stipulates that they should have the right to be compensated as part of that sale.

Related: Google’s foray into health records raises privacy concerns

As most consumers know, personal health information is protected by HIPAA (Health Insurance Portability and Accountability Act of 1996), which regulates what medical data health providers can share.

However, when medical data has personal information such as names and addresses removed, that information can be—and often is—sold for all sorts of purposes, such as research, marketing or fundraising. The market for this information is growing rapidly, and that dynamic is part of how health care consumerism is also changing. Consumers have become more willing to share data, but they also want to have more control over how their data is used.

According to the Oregon bill’s sponsors, that state’s new Health Information Property Act will enhance patient privacy and control by requiring companies to get a patient’s permission before selling their de-identified medical data.

The sponsors of the bill say it has three main elements:

  1. It requires HIPAA-covered providers, along with any business partners or subcontractors, to get signed authorization from consumers before de-identifying their personal health information (PHI) in order to sell the data to a third party.
  2. It would allow consumers to choose to receive payment in exchange for authorizing the de-identification of their PHI for the purpose of sale.
  3. It would also prohibit discrimination against a consumer who refuses to sign such an authorization or who wants to get paid for it.

“Consumers are now realizing how little privacy we have and how often we sign it away,” said Oregon state representative Rep. David Gomberg, one of the bill’s co-sponsors. “By treating personal data as property, legislators can empower individuals to better control information about themselves and how it is used by others.”

Other states are looking at similar laws. California has a new law that allows state residents to learn what health-related companies know about them and stop those companies from selling that information. On a national level, Sen. Ron Wyden of Washington state has drafted similar legislation.

In a story about the Oregon announcement, ZDNet noted that Gomberg learned about the idea to treat personal data as property from, a company that uses a blockchain-based app to allow consumers to sell their personal data. The company is exploring the possibility of promoting legislation supporting this concept in other states, including New Jersey.

Richie Etwaru, CEO of, recently told NPR an individual’s medical data should be his or her personal property—which it isn’t, under the current system. “The data’s being used without being classified as property and without explicit consent and authorization,” he said. “And as a result there’s really this whole gray area about, ‘Can you really make billions of dollars off of a discovery that came from me?’”

Read more: