Hospital execs say they are getting flooded with requests for your health data

Hospitals, many of which are increasingly in dire financial straits, are weighing a lucrative new opportunity: Selling patient health information to tech companies.

Aaron Miri is a chief information officer at Dell Medical School and University of Texas Health in Austin, so he gets plenty of tech start-ups approaching him to pitch deals and partnerships. Five years ago, he’d get about one pitch per quarter. But these days, with huge data-driven players like Amazon and Google making incursions into the health space, and venture money flooding into Silicon Valley start-ups aiming to bring machine learning to health care, the cadence is far more frequent.

“It’s all the time,” he said via phone. “Often, once a day or more.”

Hospitals have access to vast amounts of people’s health information, including lab and imaging results and medication lists. This data can help software programmers train their systems to recognize patterns that in turn can lead to better care. For example, it can help recognize signs of disease to make a diagnosis. But health systems administrators say it could also be used in unintended or harmful ways, like being cross-referenced with other data to identify individuals at higher risk of diseases and then raise their health premiums, or to target advertising to individuals.

“We are getting inundated with requests from companies who tell us they want to make our medical record more searchable,” said Stephen Klasko, CEO of Jefferson Health. “I’ll hear about something like this at least once a week.”

Klasko and his colleague Karen Knudson, who’s the chair of Jefferson’s cancer center, say some start-ups won’t let a “no” from hospital officials stop them, but and will then search for and pitch individual physicians or scientists.

“We often find, once we look deeper into the pitch, that it starts as a joint development project and ends up somehow with us being both the product and the customer that pays for the product,” adds Knudson.

Some requests are for research partnerships with a goal to publish in academic publications, such as Google Brain’s work to detect a condition known as diabetic retinopathy.

But more often than not, Miri said, there’s a commercial component that involves developing some kind of product.

For instance, Flatiron Health, a Google-backed health-tech company, is just one of the businesses that partners with health systems to gather up and patient data, which it analyzes for insights about how different drugs are performing in the real world and sells to pharma. The company says on its website that it has 2.2. million active patient records available for research. When it sold for $1.9 billion to Roche last year, some health-tech experts noted that the sale amounted to roughly $1,000 per record.

Google, which boasts a variety of health system partners, is looking to build software tools to predict a patient’s potential risk of sepsis, a potentially life-threatening condition. It’s also working with health systems’ data, including Ascension’s, to build a search tool for the electronic medical record.

Miri said his team is extremely cautious about these requests, and there’s an extensive process in place to determine what the company intends to do with the data.

But he’s concerned that other hospital networks — especially if they’re under financial pressure — won’t be so careful.

Typically, data from health systems is stripped of characteristics that could be used to identify individual patients, like Social Security numbers and dates of service, before it gets shared. (Sometimes the data is not anonymized, but in those cases parties are typically bound by strict agreements forbidding them from using the data for commercial purposes or anything beyond patient care.)

This de-identified patient data has become its own small economy: There’s a whole market of brokers that compile the data from providers and other health care organizations and sell it to buyers. Just one company alone, IVQIA, said on its website that it has access to more than 600 million patient records globally that are non identified, much of which it accesses through provider organizations. The buyers, which include pharma marketers, will often use it for things like clinical trial recruiting.

But hospital execs worry that this data may be used in unintended ways, and not always in the patient’s best interest.

For starters, researchers have shown that de-identified data does not always stay that way, as it’s possible to cross-reference information from multiple data sets to associate a person with particular information.

For instance, a study by Carnegie Mellon University from 2000 showed how anonymized U.S. census data could identify some individuals simply by combining a few rare characteristics such as city of birth and current ZIP code. Earlier this year, researchers in Europe published a method they claim was able to correctly identify 99.98% of Americans in de-identified data-sets using 15 demographic attributes.

Beyond that, health care companies — including health insurers — are tapping third-parties to purchase data from brokers about people’s habits that could be used to identify them, like what they post on social media or what they order online, according to a recent series of reports from NPR and ProPublica. Health insurers might be able to use this data to figure out what a potential customer might cost them, the reports suggest, justifying higher premiums.

Tech companies are also under particular scrutiny because they already have access to massive trove of information about people, which they use to serve their own needs. For instance, the health data Google collects could eventually help it micro-target advertisements to people with particular health conditions. Policymakers are proactively calling for a revision and potential upgrade of the health privacy rules known as HIPAA, out of concern for what might happen as tech companies continue to march into the medical sector.

This uncertainty is why some hospital administrators take a skeptical eye to all the requests they get.

“All of this outreach is putting tremendous pressure on us provider organizations as we generally want to do the right thing,” said Miri.

“I don’t believe that most people are in it for the wrong reason, but it’s often not easy to make heads or tails of what’s legitimate and what isn’t, and the real intention behind it.”

Follow @CNBCtech on Twitter for the latest tech industry news.