1
|
Clayton EW, Bland HT, Mittendorf KF. Protecting Privacy of Pregnant and LGBTQ+ Research Participants. JAMA 2024; 331:1527-1528. [PMID: 38619831 DOI: 10.1001/jama.2024.4837] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [What about the content of this article? (0)] [Affiliation(s)] [Abstract] [MESH Headings] [Track Full Text] [Journal Information] [Submit a Manuscript] [Subscribe] [Scholar Register] [Indexed: 04/16/2024]
Abstract
This Viewpoint summarizes existing federal regulations aimed at protecting research data, describes the challenges of enforcing these regulations, and discusses how evolving privacy technologies could be used to reduce health disparities and advance health equity among pregnant and LGBTQ+ research participants.
Collapse
Affiliation(s)
- Ellen Wright Clayton
- Center for Biomedical Ethics and Society, Vanderbilt University Medical Center and Vanderbilt University, Nashville, Tennessee
| | - Harris T Bland
- Vanderbilt University Medical Center, Nashville, Tennessee
| | | |
Collapse
|
2
|
Abstract
Daniel E Ho and colleagues explore the legal implications of using artificial intelligence in the response to covid-19 and call for more robust evaluation frameworks
Collapse
Affiliation(s)
- Mark Krass
- Stanford Law School, Stanford University, Stanford, CA, USA
- Department of Political Science, Stanford University School of Humanities and Sciences, Stanford, CA, USA
| | - Peter Henderson
- Stanford Law School, Stanford University, Stanford, CA, USA
- Department of Computer Science, Stanford University School of Engineering, Stanford, CA, USA
| | - Michelle M Mello
- Stanford Law School, Stanford University, Stanford, CA, USA
- Stanford Health Policy and Department of Medicine, Stanford University School of Medicine, Stanford, CA, USA
| | - David M Studdert
- Stanford Law School, Stanford University, Stanford, CA, USA
- Stanford Health Policy and Department of Medicine, Stanford University School of Medicine, Stanford, CA, USA
| | - Daniel E Ho
- Stanford Law School, Stanford University, Stanford, CA, USA
- Department of Political Science, Stanford University School of Humanities and Sciences, Stanford, CA, USA
- Stanford Institute for Human-Centered Artificial Intelligence, Stanford, CA, USA
- Stanford Institute for Economic Policy Research, Stanford, CA, USA
| |
Collapse
|
3
|
|
4
|
Dove ES, Chen J. To What Extent Does the EU General Data Protection Regulation (GDPR) Apply to Citizen Scientist-Led Health Research with Mobile Devices? J Law Med Ethics 2020; 48:187-195. [PMID: 32342746 DOI: 10.1177/1073110520917046] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [What about the content of this article? (0)] [Affiliation(s)] [Abstract] [MESH Headings] [Track Full Text] [Subscribe] [Scholar Register] [Indexed: 06/11/2023]
Abstract
In this article, we consider the possible application of the European General Data Protection Regulation (GDPR) to "citizen scientist"-led health research with mobile devices. We argue that the GDPR likely does cover this activity, depending on the specific context and the territorial scope. Remaining open questions that result from our analysis lead us to call for lex specialis that would provide greater clarity and certainty regarding the processing of health data by for research purposes, including these non-traditional researchers.
Collapse
Affiliation(s)
- Edward S Dove
- Edward S. Dove, Ph.D., is a Lecturer in Health Law and Regulation at the School of Law, University of Edinburgh. Jiahong Chen, Ph.D., is a Research Fellow in IT Law at Horizon Digital Economy Research, University of Nottingham
| | - Jiahong Chen
- Edward S. Dove, Ph.D., is a Lecturer in Health Law and Regulation at the School of Law, University of Edinburgh. Jiahong Chen, Ph.D., is a Research Fellow in IT Law at Horizon Digital Economy Research, University of Nottingham
| |
Collapse
|
5
|
Vokinger KN, Stekhoven DJ, Krauthammer M. Lost in Anonymization - A Data Anonymization Reference Classification Merging Legal and Technical Considerations. J Law Med Ethics 2020; 48:228-231. [PMID: 32342783 PMCID: PMC7411532 DOI: 10.1177/1073110520917025] [Citation(s) in RCA: 3] [Impact Index Per Article: 0.8] [Reference Citation Analysis] [What about the content of this article? (0)] [Affiliation(s)] [MESH Headings] [Track Full Text] [Subscribe] [Scholar Register] [Indexed: 05/29/2023]
Affiliation(s)
- Kerstin N Vokinger
- Kerstin N. Vokinger, M.D., J.D., Ph.D., LL.M., is an Assistant Professor at the University of Zurich, Switzerland. Daniel J. Stekhoven, Ph.D., is at NEXUS, Personalized Health Technologies, Swiss Federal Institute of Technology, (ETH) in Zu-rich, Switzerland. Michael Krauthammer, M.D., Ph.D., is Professor for Medical Informatics at the University of Zurich, Switzerland
| | - Daniel J Stekhoven
- Kerstin N. Vokinger, M.D., J.D., Ph.D., LL.M., is an Assistant Professor at the University of Zurich, Switzerland. Daniel J. Stekhoven, Ph.D., is at NEXUS, Personalized Health Technologies, Swiss Federal Institute of Technology, (ETH) in Zu-rich, Switzerland. Michael Krauthammer, M.D., Ph.D., is Professor for Medical Informatics at the University of Zurich, Switzerland
| | - Michael Krauthammer
- Kerstin N. Vokinger, M.D., J.D., Ph.D., LL.M., is an Assistant Professor at the University of Zurich, Switzerland. Daniel J. Stekhoven, Ph.D., is at NEXUS, Personalized Health Technologies, Swiss Federal Institute of Technology, (ETH) in Zu-rich, Switzerland. Michael Krauthammer, M.D., Ph.D., is Professor for Medical Informatics at the University of Zurich, Switzerland
| |
Collapse
|
6
|
Omar RA. Hacking HIPAA: "Best Practices" for Avoiding Oversight in the Sale of Your Identifiable Medical Information. J Law Health 2020; 34:30-105. [PMID: 33449456] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [What about the content of this article? (0)] [Abstract] [MESH Headings] [Subscribe] [Scholar Register] [Indexed: 06/12/2023]
Abstract
In light of the confusion invited by applying the label "de-identified" to information that can be used to identify patients, it is paramount that regulators, compliance professionals, patient advocates and the general public understand the significant differences between the standards applied by HIPAA and those applied by permissive "de-identification guidelines." This Article discusses those differences in detail. The discussion proceeds in four Parts. Part II (HIPAA's Heartbeat: Why HIPAA Protects Identifiable Patient Information) examines Congress's motivations for defining individually identifiable health information broadly, which included to stop the harms patients endured prior to 1996 arising from the commercial sale of their medical records. Part III (Taking the "I" Out of Identifiable Information: HIPAA's Requirements for De-Identified Health Information) discusses HIPAA's requirements for de-identification that were never intended to create a loophole for identifiable patient information to escape HIPAA's protections. Part IV (Anatomy of a Hack: Methods for Labeling Identifiable information "De-Identified") examines the goals, methods, and results of permissive "de-identification guidelines" and compares them to HIPAA's requirements. Part V (Protecting Un-Protected Health Information) evaluates the suitability of permissive "de-identification guidelines," concluding that the vulnerabilities inherent in their current articulation render them ineffective as a data protection standard. It also discusses ways in which compliance professionals, regulators, and advocates can foster accountability and transparency in the utilization of health information that can be used to identify patients.
Collapse
|
7
|
Affiliation(s)
- Joel Schwartz
- From the Departments of Environmental Health and Epidemiology, Harvard T.H. Chan School of Public Health, Boston
| |
Collapse
|
8
|
van Veen EB. Observational health research in Europe: understanding the General Data Protection Regulation and underlying debate. Eur J Cancer 2018; 104:70-80. [PMID: 30336359 DOI: 10.1016/j.ejca.2018.09.032] [Citation(s) in RCA: 39] [Impact Index Per Article: 6.5] [Reference Citation Analysis] [What about the content of this article? (0)] [Affiliation(s)] [Abstract] [Key Words] [MESH Headings] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Received: 09/27/2018] [Accepted: 09/27/2018] [Indexed: 01/26/2023]
Abstract
Insights into the incidence and survival of cancer, the influence of lifestyle and environmental factors and the interaction of treatment regimens with outcomes are hugely dependent on observational research, patient data derived from the healthcare system and from volunteers participating in cohort studies, often non-selective. Since 25th May 2018, the European General Data Protection Regulation (GDPR) applies to such data. The GDPR focusses on more individual control for data subjects of 'their' data. Yet, the GDPR was preceded by a long debate. The research community participated actively in that debate, and as a result, the GDPR has research exemptions as well. Some of those apply directly; other exemptions need to be implemented into national law. Those exemptions will be discussed together with a general outline of the GDPR. I propose a substantive definition of research-absent in the GDPR-which can warrant its special status in the GDPR. The debate is not over yet. Most legal texts exhibit ambiguity and are interpreted against a background of values. In this case, those could be subsumed under informational self-determination versus solidarity and the deeper meaning of autonomy. Values will also guide national implementation and their interpretation. The value of individual control or informational self-determination should be balanced by nuanced visions about our mutual dependency in healthcare, as an ever-learning system, especially in the European solidarity-based healthcare systems. Good research governance might be a way forward to escape the consent or anonymise dichotomy.
Collapse
Affiliation(s)
- Evert-Ben van Veen
- MLC Foundation, Dagelijkse Groenmarkt 2, 2513 AL Den Haag, the Netherlands.
| |
Collapse
|
9
|
Abstract
In the United Kingdom (UK), transfer of genomic data to third countries is regulated by data protection legislation. This is a composite of domestic and European Union (EU) law, with EU law to be adopted as domestic law when Brexit takes place. In this paper we consider the content of data protection legislation and the likely impact of Brexit on transfers of genomic data from the UK to other countries. We examine the advice by regulators not to rely upon consent as a lawful basis for processing under data protection law, at least not when personal data are used for research purposes, and consider some of the other ways in which the research context can qualify an individual's ability to exercise control over processing operations. We explain how the process of pseudonymization is to be understood in the context of transfer of genomic data to third parties, as well as how adequacy of data protection in a third country is to be determined in general terms. We conclude with reflections on the future direction of UK data protection law post Brexit with the reclassification of the UK itself as a third country.
Collapse
Affiliation(s)
- M J Taylor
- HeLEX@Melbourne, Melbourne Law School, University of Melbourne, Carlton, Australia.
| | - S E Wallace
- Population and Public Health Sciences, Department of Health Sciences, University of Leicester, Leicester, UK
- Nuffield Department of Population Health, Centre for Health, Law and Emerging Technologies ("HeLEX"), University of Oxford, Oxford, UK
| | - M Prictor
- HeLEX@Melbourne, Melbourne Law School, University of Melbourne, Carlton, Australia
| |
Collapse
|
10
|
Abstract
This paper provides an overview of US laws and related guidance documents affecting transfer of genomic data to third countries, addressing the domains of consent, privacy, security, compatible processing/adequacy, and oversight. In general, US laws governing research and disclosure and use of data generated within the health care system do not impose different requirements on transfers to researchers and service providers based in third countries compared with US-based researchers or service providers. Of note, the US lacks a comprehensive data protection regime. Data protections are piecemeal, spread across bodies of law that target specific kinds of research or data generated or held by specific kinds of actors involved in the delivery of health care. Oversight is also distributed across a range of bodies, including institutional review boards and data access committees. The conclusion to this paper examines future directions in US law and policy, including proposals for more comprehensive protections for personal data.
Collapse
Affiliation(s)
- Mary Anderlik Majumder
- Center for Medical Ethics and Health Policy, Baylor College of Medicine, One Baylor Plaza, Houston, TX, 77030, USA.
| |
Collapse
|