DOI: 10.1055/a-2373-3291
What Do We Mean by Sharing of Patient Data? DaSH: A Data Sharing Hierarchy of Privacy and Ethical Challenges
Abstract
Background Clinical data sharing is common and necessary for patient care, research, public health, and innovation. However, the term “data sharing” is often ambiguous in its many facets and complexities—each of which involves ethical, legal, and social issues. To our knowledge, there is no extant hierarchy of data sharing that assesses these issues.
Objective This study aimed to develop a hierarchy explicating the risks and ethical complexities of data sharing with a particular focus on patient data privacy.
Methods We surveyed the available peer-reviewed and gray literature and, drawing on our combined extensive experience in bioethics and medical informatics, created this hierarchy.
Results We present six ways in which data are shared and provide a tiered Data Sharing Hierarchy (DaSH) of risks, showing increasing threats to patients' privacy, clinicians, and organizations as one progresses up the hierarchy from data sharing for direct patient care, public health and safety, scientific research, commercial purposes, complex combinations of the preceding efforts, and among networked third parties. We offer recommendations to enhance the benefits of data sharing while mitigating risks and protecting patients' interests by improving consenting; developing better policies and procedures; clarifying, simplifying, and updating regulations to include all health-related data regardless of source; expanding the scope of bioethics for information technology; and increasing ongoing monitoring and research.
Conclusion Data sharing, while essential for patient care, is increasingly complex, opaque, and perhaps perilous for patients, clinicians, and health care institutions. Risks increase with advances in technology and with more encompassing patient data from wearables and artificial intelligence database mining. Data sharing places responsibilities on all parties: patients, clinicians, researchers, educators, risk managers, attorneys, informaticists, bioethicists, institutions, and policymakers.
Keywords
health data sharing - ethical, legal and social issues - common rule - privacy - clinical and research data management - consent - HIPAA
Protection of Human and Animal Subjects
Neither human nor animal subjects were included in the project. Review by an Institutional Review Board was not required.
Publication History
Received: 29 March 2024
Accepted: 24 July 2024
Accepted Manuscript online: 25 July 2024
Article published online: 16 October 2024
© 2024. Thieme. All rights reserved.
Georg Thieme Verlag KG
Rüdigerstraße 14, 70469 Stuttgart, Germany