Abstract
Private industry is increasingly soliciting hospitals to sell or share health data and biospecimens, but current laws offer more disclosure and consent protections for research participants than for patients receiving clinical care. Hospitals can offer more protections than required by law, however, and should move toward greater transparency with their patients about the research use of clinical health data and biospecimens to respect patients and avoid distrust.
In November 2019, a whistleblower released information regarding an agreement between Ascension, a US non-profit health system, and Google Health to share up to 50 million fully identified medical records1. Google Health subsequently reported that the goal of the agreement was to conduct research into developing an “intelligent suite of tools” for clinicians to better leverage electronic medical record data to take care of their patients2. The ability to compare one sick patient with the treatment plans and outcomes of many patients with similar demographics and health issues would be an invaluable tool to be able to sell back to health systems. Unlike a previous agreement between the University of Chicago and Google, in which de-identified patient data were shared3, Ascension shared fully identified patient records under a ‘business associate agreement’—a contract between a health system and third-party provider that is allowable under the Health Insurance Portability and Accountability Act (HIPAA). But Google, a data conglomerate in and of itself, was not the ‘third party’ originally envisioned by the drafters of HIPAA4. In fact, the office in the Department of Health and Human Services that enforces HIPAA is currently investigating whether this was an appropriate use of this mechanism1. In addition, several lawmakers, patients of Ascension, and even employees of Google went on record with their discomfort due to privacy concerns and a lack of oversight over the distribution and use of sensitive health information1,5.
In a progressively lucrative market, private industry is increasingly asking hospital systems to consider whether they are willing to share or sell (i.e., ‘commercialize’) biospecimens and health data in both identified forms and de-identified forms6. The potential legal, financial, ethical, and reputational consequences of this choice is substantial. But in the USA, the government actually offers starkly different protections for a person’s data and biospecimens depending on how they were collected: laws governing the sharing or selling of health data and biospecimens collected from research participants are very different from laws governing those collected from patients. This is because health data and biospecimens are regulated on the basis of who originally collected them, rather than who is currently using them. One person can be presented with two different levels of information and choice about enrollment in research by the same hospital, depending on whether they are considered to be a research participant or a clinical patient.
HIPAA versus the Common Rule
The level of scrutiny over the collection of health data and biospecimens during research is high―and rightly so7. The Human Subjects Research Regulations, the first part of which is called the ‘Common Rule’, protects research participants and their identifiable data and biospecimens in federally funded research. Many hospitals also extend these protections to all participants at their institution. Under the Common Rule, a potential participant needs to be clearly notified that they are being asked to enroll in research, and they generally have the option to decline or withdraw. Researchers must obtain informed consent to engage with participants directly, or obtain informed consent or an Institutional Review Board exemption or waiver for low-risk ‘secondary’ research involving work with health data or biospecimens that were collected for some other purpose8.
The 2010 book The Immortal Life of Henrietta Lacks9 raised public awareness about research with biospecimens that had been collected for clinical care. In the wake of strong public reaction to the book, regulators considered whether all biospecimen research, including research with specimens that did not have any identifying information, should also be protected by the Common Rule. They planned to do this by considering all biospecimens ‘inherently identifiable’, even if they do not include additional information, such as a name. Prior to that, research with de-identified data or biospecimens was allowable without additional consent10.
In 2018, regulators decided to move forward without fundamentally changing this system—still allowing secondary research with de-identified data or biospecimens without specific consent. Their reasons for doing so have been covered at length elsewhere11, but one fundamental argument is that because patients benefit from improved clinical practices, they should also contribute to future improvements12. In addition, the costs of securing informed consent (both financial and in terms of a loss of diversity) are high in comparison to the minimal risks to participants8.
Regulators did decide to require several new disclosures at the time of research-data or biospecimen collection, however. These include whether data and biospecimens may be stripped of identifiers and used for secondary research, or whether biospecimens may be genetically sequenced or used for commercial purposes. Regulators also announced that they would convene an advisory committee to re-examine whether all biospecimen research should be considered inherently identifiable within a year, and every four years thereafter8. As of this writing, this committee has not yet been set up.
But if data or biospecimens are collected from a patient, rather than from a research participant, the protections are completely different. Under HIPAA, as in the Ascension–Google Health deal, hospitals can share fully identified clinical data or biospecimens to business associates if these associates provide them with specific services and meet other criteria13. In addition, they can use identified data for research without patient authorization if there is minimal risk and they receive a review-board waiver14. Generally, there is no way for patients to opt out of this system, and many affirmatively authorize it in standard clinical consent forms—likely without realizing they did so15.
Complexity hinders clarity
This difference in how we treat data and biospecimens collected from patients, versus those from research participants, is complex for the average patient (or even doctor) to understand15. In addition, offering more-limited secondary research protections for patients might have made sense in an era when clinical medical records were handwritten, biospecimens were kept in individual freezers, and risks of research participation were largely physical16. Data and biospecimens could not be shared easily across entities in the same way. But we have entered an age of healthcare advancement based increasingly on secondary research and broad data sharing. A research regulatory structure based on these previous assumptions is progressively dysfunctional12.
Hospitals are right to be concerned about the reputational repercussions of entering into agreements with third parties to sell patient data and biospecimens. There are also several important legal uncertainties in this space. First, whereas the Ascension–Google Health deal appears on its face to be legal under HIPAA, it is unlikely that Google is what regulators were picturing in 2000 as the archetypical ‘business associate’ of a hospital, or that such sharing is what patients understood that they were agreeing to when receiving their healthcare at Ascension. The Department of Health and Human Services investigation into this relationship will be important for our understanding of HIPAA moving forward. Second, at some point in the future, the new advisory committee could decide that a research biospecimen is ‘inherently identifiable’ under the Common Rule, but a clinical biospecimen could still be considered ‘de-identified’ under HIPAA. This could create an untenable legal fiction whereby a hospital system would be expected to categorize biospecimens without additional information as either ‘identified’ or ‘de-identified’ depending on whether they were collected from a research participant or a patient.
Such lack of clarity, both with the existing legal framework and where it is headed in the future, explains at least in part why patients and the media were startled by the Ascension–Google Health deal. When research participants enroll in primary research that collects their health data and specimens they can make a discrete choice of whether or not to participate in research. When those collected data and biospecimens are then used for secondary research protocols, even if it is without specific consent, we at least know that the participants were open to contributing to research in the first place17. But when patients receive tests or treatments and have their data and biospecimens collected, they expect that those data and specimens are being used for their clinical care. In addition, patients are arguably in a more vulnerable position than are research participants. Participation in research is always elective; receiving clinical care is generally not. And while, in theory, patients have a choice of providers and institutions, we know that location, insurance coverage, and clinical need sometimes make that ‘choice’ nonexistent. But under the current legal framework, patients have fewer options and less control than do research participants.
Just because something is legal does not make it ethically or socially acceptable. We know that that the majority of people are uncomfortable with biospecimen commercialization18. Some are even concerned about research with de-identified data and biospecimens; this is particularly true in black and Latino populations19. And while stronger informed-consent protections for research participants than for patients might make sense for some research protocols, it makes less sense for low-risk secondary research that participants will probably never even know occurred. People likely feel similarly about how their biospecimen and data should be used in research regardless of whether they enter a hospital as a patient or a participant. How the data or biospecimens were originally collected seems irrelevant to any current and compelling health-policy rationale.
Even if hospitals agree that all patients should contribute toward future research in exchange for receiving their clinical care at that institution, there should be more-consistent protections at a federal level for the sharing, use, and re-identification of health data20. But hospitals do not have to wait for legislatures or federal agencies to begin to mitigate this problem. A logical next step is for hospitals to voluntarily begin disclosing the same level of information about secondary research to their patients as they are legally obligated to disclose to research participants. This would include disclosures about future secondary research, commercialization, and genetic sequencing.
By ensuring that patients receive the same level of disclosure about secondary uses as research participants do, hospitals can begin to build a baseline of notification and reclaim trust. Both the goals of protecting vulnerable patients, and valuable research upon which future patients rely, are of critical importance.
Acknowledgements
I thank V. Blanc, P. Lombardo, and H. Fernandez Lynch for thoughtful comments on a previous draft of this Comment. This work was funded by the National Human Genome Research Institute (K01HG010496) and the National Center for Advancing Translational Science (UL1TR002240).
Footnotes
Competing interests
The author declares no competing interests.
References
- 1.Copeland R & Needleman SE The Wall Street Journal https://www-wsj-com.proxy.lib.umich.edu/articles/behind-googles-project-nightingale-a-health-data-gold-mine-of-50-million-patients-11573571867 (13 November 2019).
- 2.Feinberg D Google Blog https://blog.google/technology/health/google-health-provider-tools-launch/ (20 November 2020).
- 3.Cohen IG & Mello MM J. Am. Med. Assoc 322, 1141–1142 (2019). [Google Scholar]
- 4.Price WN II & Cohen IG Nat. Med 25, 37–43 (2019). [DOI] [PMC free article] [PubMed] [Google Scholar]
- 5.Anonymous. The Guardian https://www.theguardian.com/commentisfree/2019/nov/14/im-the-google-whistleblower-the-medical-data-of-millions-of-americans-is-at-risk (14 November 2019).
- 6.Farr C CNBC https://www.cnbc.com/2019/12/18/hospital-execs-say-theyre-flooded-with-requests-for-your-health-data.html (18 December 2019).
- 7.Jones JH Bad Blood: The Tuskegee Syphilis Experiment (The Free Press, New York, 1993). [Google Scholar]
- 8.Department of Homeland Security. et al. Federal Policy for the Protection of Human Subjects. 82. Fed. Regist 12, 7149–7274 (2017). [PubMed] [Google Scholar]
- 9.Skloot R The Immortal Life of Henrietta Lacks (Broadway Books, New York, 2010). [Google Scholar]
- 10.Department of Homeland Security. et al. Federal Policy for the Protection of Human Subjects. 80. Fed. Regist 173, 53933–54061 (2015). [Google Scholar]
- 11.Smith JD et al. J. Clin. Oncol 35, 1879–1883 (2017). [DOI] [PMC free article] [PubMed] [Google Scholar]
- 12.Faden RR et al. Hastings Cent. Rep 43, S16–S27 (2013). [DOI] [PubMed] [Google Scholar]
- 13.Department of Health and Human Services. https://www-hhs-gov.proxy.lib.umich.edu/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html (25 January 2015). [DOI] [PubMed]
- 14.45 C.F.R. § 164.512 (2016).
- 15.Spector-Bagdady K et al. J. Clin. Transl. Sci https://doi-org.proxy.lib.umich.edu/10.1017/cts.2019.308 (2019).
- 16.Grady C et al. N. Engl. J. Med 376, 856–867 (2017). [DOI] [PubMed] [Google Scholar]
- 17.Peppercorn J et al. Oncologist 24, 1–9 (2019).30352943 [Google Scholar]
- 18.Spector-Bagdady K et al. Health Aff. (Millwood) 37, 1313–1320 (2018). [DOI] [PMC free article] [PubMed] [Google Scholar]
- 19.Jagsi R et al. J. Clin. Oncol 35, 2315–2323 (2017). [DOI] [PMC free article] [PubMed] [Google Scholar]
- 20.Price WN II, Kaminski ME, Minssen T & Spector-Bagdady K Science 363, 448–450 (2019). [DOI] [PMC free article] [PubMed] [Google Scholar]