When “Free” Patient Registries Aren’t Really Free

July 13, 2023

Authored by Troy Keyser, Vice President of Partnerships at Array Insights.

There’s no such thing as a free lunch — and there’s certainly no such thing as a “free” patient data registry.

Leaders of patient advocacy organizations are typically laser-focused on their goals: amplifying the voices of their patients and championing efforts that reduce or eliminate the impact of their disease.

These are noble missions. They’re difficult to achieve when budget constraints limit the pool of resources available. Naturally, any resource that touts itself as a “free” or deeply discounted offering will capture the attention of non-profit leaders — especially for groups built around a rare condition. If you can further your mission and help your patients without zapping your whole budget, why wouldn’t you?

But it’s essential to remember: free isn’t really free, especially when you’re dealing with sensitive and, quite frankly, monetarily valuable patient data. We don’t need to look far for examples of so-called “free” services collecting, transferring and proliferating their users’ data; TikTok and Facebook are generating headlines for shady and sometimes-abusive data usage.

A number of companies have surfaced recently, offering “free” patient data registry solutions for non-profit health entities. The idea seems great — patients should have the power to donate their data to a central hub that allows researchers to use it to fuel life-saving discoveries. However, these “free” options come from companies that typically operate as data brokers and data profiteers. The data use agreements provided are intentionally broad and convoluted to allow them to share data with third parties for profit. 

It’s all technically legal, but there’s a tangible cost to improper data usage. Using these technologies will erode patient trust and put patients at serious risk for data rights abuses. Patient advocacy organizations must do their due diligence before signing up with a new data partner.

Let’s explore a little more about data brokers, profiteers and patient privacy. We’ll outline a list of questions that patient advocacy organizations can use to vet their prospective data partners. Additionally, we’ll introduce Array Insights, an agnostic software provider that offers an alternative to these “free isn’t free” models.

Beware of data brokers and data profiteers

Data brokerage isn’t a new concept, but it certainly sets dangerous precedents for patient privacy and data ethics.

In early 2023, a study from Duke University’s Sanford School of Public Policy found that 11 companies in the mental telehealth and therapy space were willing to sell bundles of healthcare data. Third parties could easily find out which antidepressants people were taking, which conditions they struggled with and more. Some brokers even offered personally identifiable data that included names, addresses and incomes.

These “free” patient data registries operate in a similar way. They offer advocacy organizations technology and other free services needed to create a patient registry. Some services provide a tool for a patient to log into their hospital EHR and provide their medical records as well. 

But the data use agreements for these technologies are broad. Any de-identified data is fair game for just about any use. Given that de-identifying data doesn’t provide meaningful privacy protection, it’s a truly slippery slope.

Why “free” models are dangerous for patients and non-profits

There are tremendous risks any time that patient data falls into the hands of a third party. Patient data that’s supposed to be confidential is no longer so.

Drug manufacturers could purchase this data and start pushing their treatments on certain individuals. Hackers and cyber attackers can steal patient records and re-sell them in a bustling dark web market. Even if someone isn’t being a bad actor, they could make a silly mistake — such as downloading data onto a USB that’s later lost, or viewing the data on a public WiFi network that could easily be hacked — and that puts this data at risk.

Potentially worst of all, these types of risks further erode the trust of patients. There’s already plenty of skepticism around the ethics of clinical trials and medical data. The more reasons we give patients to be wary, the less likely they’ll be to donate their data or join a data cooperative. That means fewer opportunities for groundbreaking research, which is counterintuitive to the goal of every non-profit health organization.

Questions to ask your patient data partners

Patient advocacy organizations have a duty and obligation to champion responsible data usage. Not only does this protect patients, but it also encourages patients to share their data, which then leads to more breakthroughs and more mission-aligned funding. 

So how can you vet patient registry solution providers before you entrust them with patient data? We’ve got a few questions you may want to ask:

  • What is your business model? How do you make money? Do you make money off of the data our patients provide?
  • Does your platform make available any version or subset of the data our patients provide to a third-party? If so:
    • Which third-parties and for what use? Please be as specific as possible in describing all the current or potential future uses of the data and who the third-parties are or could be. What is the process for those uses to be approved of by your company?
    • Do those third-parties have the right to permission other entities to use or access any version of the data our patients provide?
  • Do you outright sell to third-parties any version or subset of the data our patients provide? If so, to who and why?
  • If intellectual property is created with the data our patients provide; do you claim ownership, revenue, or use rights to it? 

How the right technology partner and business model ensures patient privacy and ethical data usage

As the famous artist Richard Serra said back in 1973, “if something is free, you’re the product”. We believe patient data should never be the product.

A relatively modest monetary investment in the right data technology can pay dividends. Leading patient advocacy organizations are using Array Insights to enable patient-centric privacy to fuel their research. 

Array Insights offers a next-generation data federation platform that enables patient advocacy organizations and non-profit health entities to gather, manage and permission the data their patients provide for more representative, secure and collaborative health research. Our solutions help accelerate research goals with technology that puts patient privacy first.

We are an agnostic software and service provider, not a data profiteer or broker. You dictate the mission-driven uses of your data and we give you the tech and support to accomplish your vision. That’s it.

Array Insights uses a cutting-edge form of AI technology — analytics on federated data — to make sure patient data stays cryptographically contained in one spot, and all data uses are logged and auditable. We also use Microsoft Azure’s latest secure computational technology so data is encrypted at every stage, even at time of analysis. 

Researchers’ queries move to the contained patient datasets and only the insights or results are sent back to the researcher. Data can’t be copied and pasted, emailed, forwarded, downloaded or end up on unauthorized servers – our tech is human-error proof. 

If patient privacy and clinical breakthroughs are your priorities, schedule a call with the Array Insights team. And ask yourself: would you rather have a data solution that’s “free”….or worry-free?


Troy Keyser is the Vice President of Partnerships at Array Insights. Troy has over 15 years of experience in healthcare and health innovation as an entrepreneur and intrapreneur. One previous initiative he led while working at Harvard-affiliated hospitals was developing data use and sharing policies in the age of advanced data sciences, reviewing and advising 100s of requests for hospital data access.