Government and private-sector efforts to build a nationwide health information infrastructure are ignoring the issues posed by secondary uses of data from patients' records, according to a new report from the American Medical Informatics Association (AMIA).

Although most hospitals, physicians and patients don't know about it, the report states, "A multimillion-dollar industry based on the sale of health and heath-related data has prospered and appears to be growing."

The lack of regulation and oversight over sales of information from medical records "presents a significant impediment to the goal of strengthening the U.S. health system," it states.

"The development of policies, standards and legal/regulatory remedies regarding the secondary use, abuse and misuse of health data requires leadership on a national level with input from a broad range of stakeholders in the public and private sectors," according to the report.

Titled "Toward a National Framework for the Secondary Use of Health Data," the document is based largely on proceedings of a meeting of experts convened by AMIA in April and was endorsed by AMIA's board of directors.

While pointing to the value of health data for research and the need to improve the practice of medicine, it calls for more public discussion of the issues and development of policies and best practices.

The report says many regional health information organizations are considering the sale of data to generate revenue for their operations. "Many of the regional efforts to establish health information exchanges face a business challenge to provide an information utility to the community at the lowest possible cost," it states. "Although usually unstated, the stewards of these data exchanges and their business partners are exploring nonsubscription models of revenue which almost always include selling clinically rich data to those industries that already purchase surrogates for this data."

Although health information often is scrubbed of identifying information such as names, addresses and Social Security numbers before it is sent to third parties, the report says the efficacy of these steps in protecting patients' identities is not always certain. "Further, there are reports of ongoing buying and selling of non-anonymized patient and provider data by the medical industry without explicit consent of either patients or physicians,

including pressuring or coercing patients to consent to data disclosure for use not covered by regulation, and abuse of commercially available, identifiable patient information."

Although the Health Insurance Portability and Accountability Act of 1996 requires some protection of patients' private information, it does not apply to every business or organization that may handle data, including RHIOs.

The report also notes that in the interest of detecting an outbreak of disease or a bioterrorism attack, government agencies are collecting health data in real time "from hospitals and other providers across the country without public dialogue."

"At a minimum, a public dialogue is needed," it states.

"The issues surrounding the secondary use of health data are not new," according to the report. "Fresh consideration of them is, however, critical as both public- and private-sector organizations are focusing on the design of systems that enable secondary use of health data for clinical, public health, biomedical, policy and health services research applications."