HIPAA lawyer Jeff Drummond is critical of a proposed law in Oregon. Here’s why:
Oregon wants to pass a law to prohibit the sale of de-identified data without the data subject’s consent. That is dumb — de-identified data does not have a data subject. And if it’s truly de-identified, there is no downside to its being shared, at least no downside to the data subject (because, again, there is data subject if it’s de-identified).
I understand the “property rights” concept, but it really doesn’t work with data. Data isn’t a thing like that; data is a fact, and you can’t own a fact. The exact same data can be possessed by multiple people at the same time, without diminution of the value to any other holder. Plus the data may only connect to a particular subject in a particular situation.
Read more on HIPAA Blog.