Who Owns Health Data? A Shift in Control Sparks a Debate
The ongoing debate regarding the ownership and control of health data has been reignited with the passage of comprehensive data privacy laws. These laws aim to shift control from institutions back to the individuals on whom the data was collected. While rights-based data privacy laws are praised by individuals, researchers see them as problematic due to the distributed nature of data control. Efforts like the European Health Data Space initiative seek to establish a new mechanism for secondary use that prioritizes broader research but erodes individual control. However, there are health information sharing platforms that embrace rights-based data privacy while providing ample opportunities for secondary data use in research. Embracing rights-based data privacy not only promotes transparency of data usage but also allows individuals to exercise control over their participation, ultimately building the necessary trust for more inclusive and diverse clinical research.
For several decades, health data has been de-identified to facilitate its open sharing for secondary research purposes. De-identifying health data involves removing directly identifying information like names and birthdates, as well as indirect identifiers that increase the risk of re-identification when combined. But with the rapid advancement of computing power, machine learning and artificial intelligence algorithms have emerged, enabling the re-identification of individuals from these supposedly de-identified datasets. As a result, the assessment of re-identification risks becomes crucial before releasing data, making the interpretation of de-identified data under HIPAA (Health Insurance Portability and Accountability Act) more nuanced. In light of this present-day reality, involving individuals in the sharing of their health data for research becomes critical, especially when it comes to transparency regarding the researchers involved and the purpose of the research.
The implementation of the General Data Protection Regulation (GDPR) by the European Union in 2018 has inspired a family of rights-based data privacy regulations. GDPR acknowledges data protection as a fundamental human right and recognizes that all data collected on an individual poses risks, such as re-identification and reputational harm. It empowers individuals by granting them the right to control the use of their data. Unlike previous regulations, GDPR doesn’t specify the direct or indirect identifiers that must be removed for de-identification. Instead, it considers all information collected on an individual as pseudonymous data that can be evaluated for potential risks. Data assessed as low risk to the individual is classified as anonymous and can be freely shared for research and other purposes. These precise definitions of data differ from the commonly understood concept of de-identified data, which is simply a form of pseudonymous data with reduced risks of re-identification.
When it comes to health data, merely removing directly and indirectly identifying data types does not completely separate the data from the individual. The data remains personal and should be treated as such, particularly when the risks of re-association are high. While the ownership of data collected by healthcare providers for medical purposes may be a topic of debate, the control of such data for secondary research should unquestionably rest with the individual or their authorized representative. This distinction is central to the principles of data protection as a human right, but it presents several challenges in terms of data governance and managing informed consent. In the past, blanket consent could be obtained for all potential research uses, but providing the necessary information for individuals to make such decisions, especially when seeking medical care, is impractical. Furthermore, a significant portion of health-related data is collected outside of traditional healthcare settings, such as through applications and wearable devices. Although not bound by healthcare regulations, these data sources are still subject to data protection regulations. Therefore, any discussion on ownership and control of data must encompass these non-clinical data types as well.
As the emphasis on real-world data and patient-reported outcomes grows, it becomes imperative to include a range of perspectives in the discussions surrounding data ownership and control. Balancing individual rights and privacy with the needs of researchers and society as a whole requires careful deliberation. Striking the right balance will ensure that data is shared transparently, responsibly, and ethically for the advancement of health research and innovation.
In conclusion, the ownership and control of health data are at the center of a renewed debate sparked by comprehensive data privacy laws. Rights-based data privacy regulations, inspired by GDPR, have shifted control from institutions to individuals in an effort to protect data subjects. However, reconciling individual control with the distributed nature of data and the requirements of researchers poses significant challenges. Striving for transparency, inclusivity, and diverse representation in clinical research is achievable by embracing rights-based data privacy regulations. Nonetheless, the nuanced process of de-identifying health data and the risks of re-identification necessitate careful evaluation and active involvement of individuals in the sharing of their data. By finding a balance between individual rights and the need for beneficial health research, the trust necessary for a robust research environment can be fostered, advancing medical knowledge and ultimately improving patient outcomes.
