There is no circumstance we can envision in which a company could obtain this data without first directly obtaining patient authorization to do so. The company would then have to meet all other data release requirements including showing how this information would improve health, care or lower costs. Similar to HIPAA laws that govern providers or payers, release of specific names of patients can only occur in the most unusual public health circumstances or under research protocols that under HIPAA laws require patient authorization or Institutional Review Board research approval.

in Data ReleasePrivacy and Security