Appl Clin Inform 2024; 15(05): 833-841
DOI: 10.1055/a-2373-3291
Best Practice Paper

What Do We Mean by Sharing of Patient Data? DaSH: A Data Sharing Hierarchy of Privacy and Ethical Challenges

Authors

  • Richard Schreiber

    1   Information Services, Penn State Health, Hershey, Pennsylvania, United States
    2   Department of Biomedical Informatics and Data Science, Johns Hopkins School of Medicine University of Maryland Graduate School, Baltimore, Maryland, United States
  • Ross Koppel

    3   Department of Biomedical Informatics, Perelman School of Medicine and The Leonard Davis Institute of Health Economics, University of Pennsylvania, Philadelphia, Pennsylvania, United States
    4   Department of Biomedical Informatics, Jacobs School of Medicine, University at Buffalo, Buffalo, New York, United States
  • Bonnie Kaplan

    5   Department of Biostatistics (Health Informatics), Bioethics Center, Information Society Project, Solomon Center for Health Law and Policy, Center for Biomedical Data Science, and Program for Biomedical Ethics, Yale University, New Haven, Connecticut, United States
 

Abstract

Background Clinical data sharing is common and necessary for patient care, research, public health, and innovation. However, the term “data sharing” is often ambiguous in its many facets and complexities—each of which involves ethical, legal, and social issues. To our knowledge, there is no extant hierarchy of data sharing that assesses these issues.

Objective This study aimed to develop a hierarchy explicating the risks and ethical complexities of data sharing with a particular focus on patient data privacy.

Methods We surveyed the available peer-reviewed and gray literature and, drawing on our combined extensive experience in bioethics and medical informatics, created this hierarchy.

Results We present six ways in which data are shared and provide a tiered Data Sharing Hierarchy (DaSH) of risks, showing increasing threats to patients' privacy, clinicians, and organizations as one progresses up the hierarchy from data sharing for direct patient care, public health and safety, scientific research, commercial purposes, complex combinations of the preceding efforts, and among networked third parties. We offer recommendations to enhance the benefits of data sharing while mitigating risks and protecting patients' interests by improving consenting; developing better policies and procedures; clarifying, simplifying, and updating regulations to include all health-related data regardless of source; expanding the scope of bioethics for information technology; and increasing ongoing monitoring and research.

Conclusion Data sharing, while essential for patient care, is increasingly complex, opaque, and perhaps perilous for patients, clinicians, and health care institutions. Risks increase with advances in technology and with more encompassing patient data from wearables and artificial intelligence database mining. Data sharing places responsibilities on all parties: patients, clinicians, researchers, educators, risk managers, attorneys, informaticists, bioethicists, institutions, and policymakers.


Background and Significance

Sharing patients' medical data for treatment and research is beneficial for patient health and health care, essential research, improved public health, and developing new products, treatments, and services. However, in investigating the benefits, ethics, processes, and risks of data sharing, we discovered the term “data sharing” has a range of meanings and interpretations, potentially leading to harmful or unethical actions.

Several different regulations govern patient record privacy protections in the United States. The U.S. Health Insurance Portability and Accountability Act (HIPAA)[1] privacy and security rules, combined with effective cybersecurity, are intended to protect patients from misuse of their clinical data while also providing data to patients, their clinicians, and payers. HIPAA stipulates that data may be de-identified by removing 18 identifiers, for example, name and birth date, collectively known as personal health information (PHI). However, public agencies such as the U.S. Centers for Medicare and Medicaid Services, health care providers such as hospitals or pharmacies, and state agencies are not required to de-identify data for clinical purposes.[2] States and governmental health services (e.g., the military, Indian Health Service) vary regarding data protection and what data can be shared (e.g., alcohol and drug abuse, HIV, and mental health). Genetic data are particularly sensitive, as they are unique, and therefore impossible to de-identify. The Genetic Information Nondiscrimination Act (GINA) protects individuals against employment discrimination on the basis of their genetic information. However, it does allow employers to “request, require, or purchase genetic information” under six specific circumstances, including “commercially and publicly available” sources.[3] GINA defines genetic information as PHI and the HIPAA Omnibus Rule protects such information under the Privacy Rule.[4] Data concerning children and other vulnerable populations, student health data, and data that are considered especially sensitive (e.g., mental health, sexually transmitted diseases) are also covered by separate regulations and may require additional privacy protections when sharing.

States share and sell large volumes of hospital discharge data, as do insurance companies and pharmacies, which may erode patient trust and privacy.[5] [6] There are privacy threats even with de-identified or aggregated data. Pharmacies' medication data have sufficient patient-identifiable content that meets legal requirements for de-identification, which nevertheless can be used to identify individual patients.[5] Also, machine learning has advanced rapidly, making true de-identification increasingly insecure.[7] [8] [9] Legal scholars, privacy advocates, bioethicists, and informaticians, citing privacy and consenting concerns, have called for revising HIPAA and data privacy regulations, and made varied proposals for doing so.[2]
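The two preceding paragraphs make a point that is easy to state and easy to get wrong in practice: removing the listed direct identifiers satisfies the letter of de-identification, yet the remaining quasi-identifiers (coarsened ZIP code, birth year, sex) can still single out individuals, which is how "de-identified" pharmacy or discharge data become re-identifiable. The following Python example is added here for illustration and is not code from the paper or from any of the cited projects. It applies a deliberately simplified Safe Harbor-style transformation (the real rule lists 18 identifiers with detailed conditions, e.g., three-digit ZIP prefixes only where the area exceeds 20,000 people and aggregation of ages over 89; those conditions are not implemented) and then measures residual risk with a k-anonymity check, the kind of pre-release review a data steward would run before sharing a dataset. The records, field names, and quasi-identifier list are constructed assumptions.

```python
from collections import Counter

# Constructed sample records for illustration only; not real patients.
RECORDS = [
    {"name": "A. Example", "birth_date": "1961-03-14", "zip": "17033", "sex": "F", "diagnosis": "hypertension"},
    {"name": "B. Example", "birth_date": "1961-11-02", "zip": "17036", "sex": "F", "diagnosis": "asthma"},
    {"name": "C. Example", "birth_date": "1988-07-21", "zip": "19104", "sex": "M", "diagnosis": "asthma"},
    {"name": "D. Example", "birth_date": "1988-01-09", "zip": "19104", "sex": "M", "diagnosis": "hypertension"},
    {"name": "E. Example", "birth_date": "1975-05-30", "zip": "14214", "sex": "F", "diagnosis": "depression"},
]

# Assumed field names for direct identifiers that are dropped outright.
# This is a simplified stand-in for the HIPAA Safe Harbor identifier list.
DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn"}

# Assumed quasi-identifiers that survive de-identification in coarsened form.
QUASI_IDENTIFIERS = ("zip3", "birth_year", "sex")


def deidentify(record):
    """Drop direct identifiers and coarsen date of birth and ZIP code.

    Simplified Safe Harbor-style step: full birth date becomes birth year,
    five-digit ZIP becomes its three-digit prefix. Real-world conditions
    (small-area ZIP suppression, age >89 aggregation) are intentionally
    omitted so the residual-risk check below stays easy to follow.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "birth_date" in out:
        out["birth_year"] = out.pop("birth_date")[:4]
    if "zip" in out:
        out["zip3"] = out.pop("zip")[:3]
    return out


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Return (k, singleton_keys) for the quasi-identifier combination.

    k is the size of the smallest equivalence class: every record shares
    its quasi-identifier values with at least k-1 others. A class of size
    1 means that record is unique on those fields and therefore linkable
    to an outside source (voter roll, social media profile, etc.) that
    carries the same fields plus a name.
    """
    classes = Counter(tuple(r.get(q) for q in quasi) for r in records)
    k = min(classes.values())
    singletons = [key for key, n in classes.items() if n == 1]
    return k, singletons


def release_risk(records, minimum_k=2):
    """Summarize whether a de-identified set meets a minimum k before release."""
    cleaned = [deidentify(r) for r in records]
    k, singletons = k_anonymity(cleaned)
    return {
        "records": len(cleaned),
        "k": k,
        "unique_combinations": len(singletons),
        "meets_minimum_k": k >= minimum_k,
    }


if __name__ == "__main__":
    report = release_risk(RECORDS)
    for row in (deidentify(r) for r in RECORDS):
        print(row)
    print(report)
```

On the constructed records the direct identifiers are gone and dates and ZIP codes are coarsened, yet one record remains unique on (zip3, birth_year, sex), so the set fails a k=2 threshold. The practical lesson matches the paper's warning: "de-identified" is a regulatory status, not a guarantee, and a release review should measure residual uniqueness rather than stop at the identifier checklist.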

We explore ways in which data are shared and examine the ethical ramifications involving PHI exposure. To our knowledge, data sharing is usually thought of in terms of patient care, public health, and research.[10] We present a six-tier hierarchy of multiple kinds of data sharing and consider the nuances of each. Privacy is an exemplar of potential conflicts among data sharing, organizational operations, and patients' interests. We review consent processes and the commercialization of PHI at different tiers. We generally limit discussion to data sharing within the U.S. regulatory environment.

We conclude with recommendations for data sharing to improve health care, enhance privacy, and facilitate ethical behavior. We hope our hierarchy and recommendations will help organizations enact more informed data sharing policies, mitigate possible patient harms, and reduce organizational liabilities. Our ordering of data sharing reflects these goals, even though there is some overlap, and our ranking is open to interpretation. We hope, too, that others will refine the hierarchy based on their experiences and emerging considerations.


Data Sharing: Tiers and Risks Hierarchy

DaSH, our Data Sharing Hierarchy, organizes data sharing by purpose, U.S. regulatory status, risks, and ethical considerations. We derived the tiers from our analysis of the current literature; our combined experiences in health care informatics and studies of ethical, legal, and social issues; and from ongoing research on data sharing practices.[10] In each tier, data originate with patients in increasingly less obvious ways (e.g., biometric apps, blood tests with many metrics). We arrange the tiers from low ethical risk to more fraught categories, reflecting, in part, different meanings of “data sharing” and increasing distance between patient and data. In addition to categorizing different kinds of data sharing, the six tiers reflect a hierarchy of risks and challenges.

The first tier encompasses primary uses of data essential to patient care. Sharing medical information for direct patient care includes data interchange and communication between patients and clinicians as well as family and caregivers, and is permissible for purposes involved in paying for care. Privacy safeguards are in place and enforceable under HIPAA, the Omnibus Rule, and GINA. Breach of confidentiality is possible but is low risk.

Secondary sharing (tiers 2–6) includes data shared with organizations not directly involved with patient care, such as research organizations, pharmaceutical firms, social media, device vendors, and commercial data aggregators. Thus, in tiers 2 to 6, we attempt to clarify different kinds of secondary data sharing and related concerns. [Table 1] lists examples of data sharing arrangements in each tier, the purposes they serve, and privacy protections. As data sharing becomes more complex, as reflected in our hierarchy from one-to-one communication to public agencies, researchers, and more parties, the risks to patients' privacy increase. We discuss each tier and related privacy, ethical, legal, and social implications.

Table 1

The Data Sharing Hierarchy (DaSH), showing types of data sharing, their purposes, and privacy and legal protections

Type of data sharing | Purpose | Regulatory protections

Tier 1: Data sharing for direct patient care (a primary use of patient data)

Clinician-to-clinician | To provide patient records for a patient changing clinicians or obtaining consultation | Yes, HIPAA and state laws
Within EHR/same organization | Direct patient care | Yes, HIPAA and state laws
Between health care organizations and/or health information exchanges | Direct patient care | Yes, HIPAA
With insurance companies | Payment | Yes, via treatment, payment, and operations HIPAA exclusions
Clinician-to-patient | Sharing data as required by the 21st Century Cures Act; communication with patient; appointments; prescriptions; referrals | Yes, HIPAA and state laws
Patient-to-clinician | Communication with clinician; appointment requests; prescription requests; patient-generated data (e.g., blood sugar results, heart rates) | Yes, HIPAA and state laws

Tier 2: Data sharing for public health and safety (this and all higher tiers are secondary uses)

Between health care organization and governmental registries and agencies | Data collection for public health initiatives and public safety | Yes, HIPAA if BAA and DUA in place; some public health registries require full identification for contact tracing

Tier 3: Data sharing for research

Quality analysis (often only within an institution) | Data analytics for quality improvement | State laws
Scientific and clinical research | Knowledge discovery | Yes, the Common Rule, and HIPAA if BAA and DUA are in place
Data aggregation of de-identified data for scientific and clinical research purposes only | Knowledge discovery with the goal of creating new technologies, treatments, or products | Yes, the Common Rule and HIPAA if BAA and DUA are in place

Tier 4: Data sharing for commercial purposes

Research | New knowledge discovery | Yes, the Common Rule, GINA, and HIPAA if BAA and DUA are in place
Quality improvement projects (often only within an institution) | Discovery of patterns, best practice guidelines | Generally protected by the Common Rule. If shared, then the HIPAA de-identification exception allows sharing
Commercial data aggregation for: | a) studies for safety, efficacy, outcomes of specific drugs | Yes, the Common Rule, GINA, and HIPAA
 | b) new studies for possible additional clinical uses for specific drugs | 
 | c) market studies of drug use | 
 | d) targeting prescribing physicians for sales visits | 
 | e) sell data to others | Uncertain; HIPAA de-identification exception likely relied upon
 | f) develop ML/AI for new knowledge discovery (compare tier 3) with intent to create products for sale (including back to the data source/originator) | Laws, regulations, and guidelines currently in their infancy
Process and analyze data for public health trends (compare tier 2) | Trending data of patients with various conditions at different time periods | No, unless data derived using HIPAA exception
Store and analyze individual patient data for specific reasons (e.g., suicide risk) | Dataset to be sold to or by social media, smartphone application, or similar companies to monitor for risk | No, HIPAA does not apply to these venues[23]; and GINA specifically excludes data given voluntarily[3]
Data sales from one commercial collecting entity to another | Varied, for example, targeted advertising, data aggregation, product development | Depends on end-user click-through agreement between user and collecting entity

Tier 5: Complex combinations of data sharing for commercial purposes (problematic, even if de-identified)

Data aggregators that sell data to others: | a) Government programs to purchase ML/AI algorithms for public health or other purposes | Laws, regulations, and guidelines currently in their infancy
 | b) Private companies to purchase ML/AI algorithms for public health or other purposes | Laws, regulations, and guidelines currently in their infancy
 | c) For-profit non-health care entities (e.g., news organizations, Facebook, TikTok) to purchase ML/AI algorithms for public health or other purposes | Laws, regulations, and guidelines currently in their infancy

Tier 6: Data sharing with networked third parties (problematic, and complex legal arrangements)

Networks or cooperative researchers (e.g., oncology groups) | Networks studying diseases, treatments, or cost reduction strategies | HIPAA, GINA
Industrial consortia | Develop new drugs, treatments, and algorithms | High risk if data derived from outside HIPAA-covered entities
Government agencies | Interagency data sharing | Usually exempted from the Common Rule, but not from HIPAA
International | Public health, for example, World Health Organization | Questionable application of U.S. laws internationally; GDPR
Social media and commercial interests | Marketing and advertising that is not covered by HIPAA | No, HIPAA does not apply to these venues[23]; and GINA specifically excludes data given voluntarily[3]

Abbreviations: AI, artificial intelligence; BAA, business associate agreement; DaSH, Data Sharing Hierarchy; DUA, data use agreement; EHR, electronic health record; GDPR, General Data Protection Regulation; GINA, Genetic Information Nondiscrimination Act; HIPAA, Health Insurance Portability and Accountability Act; ML, machine learning.


Tier 1: Data Sharing for Direct Patient Care

Medical personnel and institutions share patient-level data needed for direct patient care. To facilitate their availability when a patient is treated in different places, the recent 21st Century Cures Act requires that data be more readily sharable and thus more easily integrated into patient records. Patient records are widely protected both legally and by long-standing confidentiality norms.[5] Tier 1 data sharing is generally uncontroversial.

Long-standing confidentiality norms, reinforced by law, help protect privacy rights. Known breaches of patient record systems or violations of confidentiality are punishable legally and professionally. HIPAA requires that patients agree to data release if those data are not de-identified as per regulations unless a business associate agreement (BAA) and/or a data use agreement (DUA) are in place. Patients allow or refuse to share records with other organizations as a standard part of medical services' HIPAA statements and informed consent for treatment.[2] [11] [12] [13] The process is usually pro forma but is ethically suspect because it can be coercive, that is, refusal to consent can imply no treatment, even for gravely ill patients. Further, individual patients do not have the right to sue for damages, as HIPAA solely permits patients to report suspected problems to the Office of Civil Rights.[14]

Other issues arise from patients' ability to access records. Children's records are an example: states' laws determine when parents' unlimited access to an adolescent's health record ends, and how much information an adolescent (or adult) can access. This includes permission for the children's access to their mother's sensitive medical condition (e.g., HIV status), which becomes part of the child's record at birth. Additional considerations pertain to potentially stigmatizing data, such as mental health status, and whether patients should be able to block data release.


Tier 2: Data Sharing for Public Health and Safety

Explicit patient authorization is required to release non-de-identified data, except for purposes such as public health or law enforcement.[2] Reporting laws vary by nation and state regarding communicable diseases and other data, but in general these include patient-specific data for public health agencies. The U.S. government requires reporting of patient-level health data to protect the common good, for example, public health. Although these data are critical to health care, they are not directly part of the clinician–patient relationship, as in tier 1. These data help trace disease outbreaks and track contacts. Other data that support public health include birth and death records, controlled substance use and abuse, gunshot and other traumatic injuries and deaths, cancer statistics, rates of some specific diseases and infections, and animal bites to monitor for rabies and other enzootic diseases. Law enforcement and national security agencies, too, may use health data for policing, criminal investigations, and controlling illegal activities. While sharing such data can and should be used in the public interest, some uses are controversial, as discussed subsequently. Many of these data are not de-identified, thereby facilitating sensitive data aggregation and privacy risks. Some of these practices are controversial and may prevent people from seeking care.[15]


Tier 3: Data Sharing for Research

Scientific and medical research depends on patient data: clinical studies, drug trials, epidemiological modeling, algorithm creation, and practice guideline development. Data may be shared among researchers at the originating or cooperating organizations or with government agencies responsible for research oversight. Some of these data necessarily are patient level, while some are aggregated. Researchers must be aware that sharing data involves a moderate risk of confidentiality breach, especially when sharing data with entities not covered under HIPAA.

The Revised U.S. Common Rule (45 CFR 46)[16] regulates privacy for data collected for medical research that involves human subjects. Protections are similar to those for HIPAA-protected clinical data shared with researchers, research sponsors, and others involved in data analysis. The agreements limit disclosures by third parties, requiring them to act as if they were part of the originating health care organization. There should be restrictions in the BAAs and DUAs to govern further sharing or selling of the data to parties not part of the original contracts. Data sent to the U.S. Food and Drug Administration for clinical trials or adverse event reporting are an exception, even though they may be identifiable. This may contribute to some patients' reluctance to enter clinical trials.[17] [18]

Data collected for scientific research require explicit patient consent prior to release if the patient is identifiable.[2] However, the possibility of re-identifying HIPAA-compliant de-identified data raises further issues of consent and risks to patient data privacy.[19] Public awareness of these risks generated a strong backlash, with some calling for prohibitions against re-identifications.[20] [21]


Tier 4: Data Sharing for Commercial Purposes

The public appears less enthusiastic about sharing patient-level data with businesses that monetize the data by generating marketable products.[22] The business uses include the creation of new drugs or commercial clinical decision support (CDS) algorithms. Moreover, when the CDS may be sold back to the institutions contributing those data, assumptions of consent, privacy, or even institutional control become dubious. Such data use may well violate the bioethical principle of justice by not compensating those who created or own the original data.

HIPAA and the Common Rule generally do not regulate nonhealth care enterprises.[23] Instead, end-user agreements signed by patients govern the data sharing, generally by clicking through to accept opaque policies users likely neither read nor understood.[23] The Federal Trade Commission enforces compliance with these agreements.[2] The degree of protection and enforcement varies. Voluntary sharing perhaps implies consent, at least for the purpose the patient intends, but we classify these often-opaque data sharing arrangements as highly risky.

Many complex arrangements among health care entities, patients, and commercial enterprises become more fraught when the intent is commodification of the data. Patients may want to know when data are used for others' profit or for purposes they find repugnant.[5] Patients who allow the sharing of data at their origin rarely profit from the subsequent sharing or sales. However, many patients often are both unaware and uninformed about these possibilities, making informed consent impossible for data sharing with unforeseen parties.[15] [17] [18] [24] [25] [26]

Nevertheless, individuals directly and voluntarily provide sensitive medical data to commercial entities, such as ancestry and genetics websites, exercise monitoring devices, smartphone apps, and wearables. In addition to these kinds of health apps, people report personal information to social media, including information about their health, diet, and exercise, which is widely used by commercial entities.[23] These types of services use data for their own purposes, including selling them to other parties, thereby raising several ethical and legal issues. For example, Facebook's Meta allegedly used PHI scraped from hospital websites for sales to advertisers.[27] [28]


Tier 5: Complex Combinations of Data Sharing for Commercial Purposes

Whether or not profit is the original intent of sharing clinical data, health systems, employee health management systems, and government agencies often share data with data aggregators who combine information from many sources and sell those data to multiple parties. Multiparty contracts are seldom, if ever, apparent to patients, which increases legal, ethical, and moral concerns. As these various entities commodify data, downstream audits of data provenance and security become impossible to trace, privacy is impossible to guarantee, and consent is probably meaningless. Further, errors that patients perceive in their records become difficult to correct in downstream uses.[14] [29]

As explained above, patient-generated data, even patient-identifiable clinical information to monitor a patient's conditions and relevant environments, do not enjoy HIPAA protections when collected via health applications for mobile devices (mHealth).[23] This exception holds even if the data are incorporated into a patient's record. Indeed, some data appear in a medical record without patients' knowledge, such as through police, probation, social services, or education records; or from military, immigration, Indian, and veterans' health services[23]; or they are transferred automatically (sometimes without explicit consent), for example, between obstetric and newborns' records. Other information derives from social media postings, contact and geolocation tracking, ubiquitous sensors, and cars (e.g., to detect sleeping or speeding). Here we cannot assume consent, as patients have little choice and awareness of these practices. Even if they did, obtaining consent at each step in a chain of data transmissions would be difficult. With so much data seamlessly collected by many enterprises, many patients say they prefer to know when their data will be shared.


Tier 6: Data Sharing with Networked Third Parties

So far, we have distinguished data flow from one organization to another, even if the data are then used in ways later unknown to the organization originally providing the data, let alone to the patients. In contrast, tier 6 reflects intentional many-to-many data sharing, as occurs among organizations in research networks, hospital associations, industrial consortia, government agencies, and combinations of these. The ethical and legal issues are more complicated than those for the lower tiers and are amplified when information crosses jurisdictional boundaries governed by different regulations, professional or international agreements, and practices. These complications are the reason for this separate tier despite the difficulty of ranking and assessing such a variety of combinations.

Multiparty arrangements complicate privacy, consent, and data ownership. Even in seemingly simpler circumstances, patients rarely understand who owns the data about them. Especially when multiple parties are involved, as in tiers 5 and 6, determining ownership, which regulations (if any) apply, and how to enforce them becomes difficult even for experts. Dataset ownership is often a legal tangle, involving whether, which, and in what combinations data are controlled by patients, by collecting organizations or vendors, or by other parties.[5] Some health care organizations have reserved rights over such data to protect themselves from these issues. But some vendors sell data back to originating organizations, risking putting patients, health care organizations, and vendors at odds over data ownership. Another significant issue is whether organizations not involved in health care, such as news and social media outlets, should be allowed to have these data[30] but that is beyond this paper's purview.



Discussion

Many patients are understandably concerned about data privacy. Some may avoid care or withhold crucial clinical information for fear that it will be disclosed in ways that may harm or embarrass them.[18] [24] [26] “Data sharing” sounds good, but, as this hierarchy reflects, “data sharing” has at least six different meanings, all with vexing issues of privacy, expectations of the data's uses, and often insufficient explanations to patients, clinicians, and health care administrators—and mostly everyone else.

Our hierarchy seeks to explicate the ways data are shared and the concomitant risks to patients and organizations. Therapeutic relationships rely on widely accepted and necessary confidentiality expectations between patients and clinicians.[5] However, most individuals have little idea what data are and are not protected, and have little opportunity to consent meaningfully to their data's release. Neither HIPAA nor the Common Rule protects de-identified data, which may be re-identified by combining data sources or by machine learning methods.

The complexities concerning data sharing and privacy require transparency so patients know when and with whom such sharing is likely or possible.[2] [23] [31] Transparent and explicit disclosure of data sharing arrangements may help to ameliorate patients' fears.[23] [32] Moreover, data sharing practices require explainability, interpretability, concern for privacy protections, and consent where possible. We borrow these principles from those promoted for trustworthy artificial intelligence,[33] [34] [35] [36] [37] and those informing many data privacy laws and recommendations by professional organizations.[2] [7] [38] [39] [40] [41]

Sharing patient data beyond that needed for direct care offers myriad advantages to society, from improved treatments to scientific research to the creation of new products and techniques that may benefit millions of patients or generate beneficial and lucrative products. At the same time, sharing data offers opportunities for abuse and exploitation. Negative consequences of health data releases are legion, even without malicious intent, such as the inadvertent revelation about psychiatric treatments, obstetric/gynecological procedures, or a political candidate's cancer. The Supreme Court decision in Dobbs[41] resulted in state laws encouraging legal action against any who aid or treat those seeking abortions. This resulted in medical data releases in violation of HIPAA protections.[1] Similarly, state laws prohibiting transgender care led to governments' efforts to obtain medical records of those seeking or receiving such care.[42]

We have attempted to present some potential harms from medical data sharing. In our recommendations ([Table 2]), we offer some ways to protect patients and enhance the benefits of sharing. The higher the tier, the greater the degree of scrutiny needed by health care organizations and regulatory authorities to mitigate data sharing risks and potential harms to individuals and organizations.

Table 2

Recommendations for improved data sharing arrangements

R1: Make the consent process noncoercive and understandable. Patients experience opaque, time-consuming, and frustrating hurdles when granting access permissions and when obtaining their records. Consenting should be relevant, noncoercive, well-informed, convenient, and fully transparent.[40] [44] Standardize consent forms to be at a sixth-grade reading level and include clear lists or a table of what records will be released and to whom, and what records will not be. Treating regulatory privacy protections as organizational checkoffs is ethically suspect.

R2: Make procedures for revoking permissions to share personal data clear and readily available. Inform patients if revoking data sharing is impossible or near impossible post hoc. Similarly, patients deserve to know if their data may be shared or used in ways not foreseen in the original consent document, and to be afforded the opportunity to withdraw consent. At the very least, they should receive notification that it may not be feasible to withdraw consent for sharing their data once they are aggregated anonymously.

R3: Update and extend privacy protections. Not all data sharing is subject to HIPAA or the Common Rule health data protection. Even when they are, the regulations often are insufficient. Despite laudable updates, regulations need to be further updated and simplified to increase clarity while accounting for new developments in at least these three respects.[2]

R3.1: Update HIPAA, GINA, and the Common Rule to reflect the abilities of new technology and methods for re-identification. Make it harder for individual patients to be identified from data and allow patients to sue to redress harms. Expand rules for de-identification that prevent and prohibit re-identification. Expand applicability of HIPAA to include third parties who obtain identifiable personal health information, or when those data can be re-identified.

R3.2: Nearly all data are now potentially health data although neither HIPAA nor the Common Rule covers nonclinically sourced data.[31] Protections need to reflect this reality. Maintain strict adherence to privacy principles when using shared datasets, including full anonymization and use of “hiding in plain sight” ambiguation.

R3.3: Clarify ownership and responsibilities. Commercial entities should be held accountable for overly broad, unenforced, or essentially meaningless consenting and data policies.[2] More is needed to develop desirable legal constraints to control commercial arrangements so they are fair to patients and organizations while enhancing public health, research, innovation, and privacy.

R4: Increase and amplify public information efforts to enhance people's awareness of data sharing's risks and benefits. Clinicians, researchers, and others should welcome the opportunity to inform the public about the uses of medical data.[40]

R5: Expand bioethics areas of interest to include information technology. Require research ethics and HIPAA training for health care staff, IRBs, etc. Often, current health care ethics certification programs focus on Belmont and Helsinki provisions.[44] They need to expand to include the ethical, legal, and social issues involving IT, AI, and databases.[45]

R6: Monitor medical research to periodically evaluate data sharing policies and procedures to incorporate new questions and considerations as they develop. Multidisciplinary perspectives and research methods can help ensure that diverse approaches and concerns are included in the analyses and the possible development of new outcome measures.[45]

Abbreviations: AI, artificial intelligence; GINA, Genetic Information Nondiscrimination Act; HIPAA, Health Insurance Portability and Accountability Act.


Our nine recommendations ([Table 2]) seek both to enhance patient information protection and to reduce the likelihood of clinicians and organizations facing liabilities. These recommendations reflect efforts to promote reasonable privacy, enhance innovation, improve consenting, and develop better policies and regulations for all health-related data regardless of source. Such actions also include expanding the scope of bioethics for information technology and increasing ongoing monitoring and research.[45]

Some of these recommendations require legislative and regulatory changes. These are necessary to reflect the current state of medical care, and the technological advancements, especially in the fields of genetics, de-identification, and cybersecurity (including the risks of ransomware). We do not feel these recommendations are either impractical or unattainable. Some may perceive these recommendations as increasing regulatory burdens, or even stifling rapid technological advancement, but we view them as protecting patients' privacy as the paramount concern.


Conclusion

Our analysis and recommendations draw on studies of patients' understanding of the consent process and improvement of consent wording,[43] and of health care organizations' data sharing practices and policies,[10] though more empirical research is needed. There are, of course, many more issues already apparent than we have enumerated. New ones will emerge with advances in technology, with better information about data sharing practices, and with new insights about the ethics of these advances. It is too early to predict all the implications of the recent aforementioned disclosures regarding Facebook, or the full extent of the Dobbs decision on possible conflicts between states with varying laws and HIPAA privacy stipulations. These developments are especially precarious for long-held privacy expectations. Patient advocacy groups, ethicists, and privacy scholars can help to identify and act on these and other risks.


Clinical Relevance Statement

Widespread data sharing practices place responsibilities on all parties: patients, clinicians, researchers, educators, administrators, risk managers, legal experts, informaticists, bioethicists, and policymakers. Emerging concerns generated by new technologies and laws may require new policies. It behooves us all to periodically examine the DaSH hierarchy and change it in response to evolving legal and political environments. This requires frequent monitoring, multidisciplinary research, and public discussion. We hope our hierarchy will spur additional dialogue, regulatory improvements, and more secure processes to benefit patients, health care, and society.


Multiple-Choice Questions

  1. The authors express various concerns about data sharing beyond that needed for direct patient care. Which of the following is their greatest concern?

    • a. HIPAA de-identification exception

    • b. Risks of re-identification

    • c. Unauthorized access to PHI

    • d. Privacy loss beyond HIPAA

    Correct answer: d. The authors do express concerns about the adequacy of the HIPAA de-identification exception (option a.), that is, de-identified data, lacking PHI, are not covered by HIPAA, especially as this appears to be inadequate to prevent re-identification (option b.). Indeed, their recommendations include updates to the HIPAA rules (e.g., see recommendation 3.1). These indeed risk unauthorized access to PHI but that is already illegal (option c.). Privacy loss outside of HIPAA protections, such as via data brokers and other noncovered entities that have access to protected health information is their major concern.

  2. The authors propose several recommendations to protect patients' interests. Which recommendation most directly assists patients in their understanding of the risks of sharing their data and may be the most achievable?

    • a. Improve the consent and withdrawal of consent procedures

    • b. Improve/Extend/Update/Enhance protections for all health-related data

    • c. Constrain commercial data sharing arrangements to hold entities accountable

    • d. Develop new bioethics principles as technology expands

    Correct answer: a. It most directly impacts patients and is less onerous than the other options. The authors advocate for all of the above; however, at least in the United States, option b. requires regulatory revisions at the federal level, option c. requires new laws by Congress, and option d. requires the development of bioethics principles, all of which are broad-based, not specifically impacting patients' understanding of sharing their data.



Conflict of Interest

None declared.

Acknowledgments

The authors gratefully acknowledge the contributions of our colleagues Brian Jackson, Victoria Nichols-Johnson, Anthony Solomonides, Paul DeMuro, and Larry Ozeran for their work related to data sharing. Authors would like to thank Joel L. Telles who read an early version of the manuscript and made many helpful suggestions.

Protection of Human and Animal Subjects

Neither human nor animal subjects were included in the project. Review by an Institutional Review Board was not required.



Address for correspondence

Richard Schreiber, MD
301 Robinson Road, Newport, PA 17074
United States

Publication History

Received: 29 March 2024

Accepted: 24 July 2024

Accepted Manuscript online:
25 July 2024

Article published online:
16 October 2024

© 2024. Thieme. All rights reserved.

Georg Thieme Verlag KG
Rüdigerstraße 14, 70469 Stuttgart, Germany