The point here is large but can be made succinctly. Immense volumes of personally identifiable data and lightly masked key-coded data, as well as effectively key-coded or anonymized data, are handled by managed-care organizations, pharmaceutical and related companies, and other private-sector institutions. Some State legal controls apply, as may the Privacy Act and Federal laws where there is Federal involvement. Some managed-care organizations have chosen to conduct their research under the scrutiny of Institutional Review Boards.
But for much of the health data held in the private sector, few legal controls apply in principle or are enforced in practice regarding such matters as data-subject consent, public notification, Institutional Review Board supervision, or transfer of the data for secondary study. Effective privacy, confidentiality, and security safeguards may well be in place, but this is not always evident to those outside the holding organization. A further complication is that much important research is now being performed on private-sector data by government and other external organizations, and private-sector data are being merged with, or examined in parallel with, public-sector data for study.
Several of the Federal confidentiality or fair-use laws now being considered in the U.S. would bring these private-sector data under much fuller coverage of law. As was mentioned earlier, lack of legal coverage of these data is seen by Europeans as being a major weakness in U.S. personal-data protections, and a reason they resist allowing transfer of personal data from Europe to the U.S.
The status of private-sector health data deserves to be reviewed. Probably it should be brought under a uniform Federal regimen.