By Stacey Kusterbeck
It is not uncommon for hospitals to share patient data with technology companies, either to spur research and product development or to train artificial intelligence (AI) models designed to improve clinical decision making.[1,2] Brian Jackson, MD, MS, began to wonder how often hospitals shared patient data with third parties. “While most of the terms of the agreements seem pretty ethical, the secrecy of it bothered me,” says Jackson, adjunct professor of pathology and adjunct associate professor of biomedical informatics at the University of Utah.
Jackson and colleagues interviewed and surveyed 24 informatics leaders about current data sharing practices at their institutions.[3] There was considerable heterogeneity across organizations, with data sharing policies and practices varying widely. “The people we interviewed were responsible for data sharing arrangements. Surprisingly, a number of them didn’t know if their organizations had data sharing policies or what they were,” says Bonnie Kaplan, PhD, FACMI, co-first author of the study. Kaplan is faculty in the Yale Department of Biostatistics (Health Informatics) in the Yale School of Public Health, a Yale Bioethics Center Scholar, and an affiliated fellow at the Yale Information Society Project and at the Yale Solomon Center for Health Law & Policy at the Yale Law School.
Surprisingly, most organizations had not developed specific policies for external clinical data sharing — even in the case of sharing with commercial entities. Most organizations relied on Health Insurance Portability and Accountability Act (HIPAA) de-identification standards to preserve patient privacy. The ethical concern with that practice is that data could be re-identified. “Data from multiple sources gets combined. Some of it may be identified, some may be de-identified. This mix of data makes it easier to re-identify the de-identified data,” says Kaplan.
When data are de-identified to HIPAA standards, they are no longer subject to HIPAA at all. That means patients do not have to be notified, and no consent is legally required. “Even for identifiable data, though, hospitals can use business associate agreements to go around many of HIPAA’s requirements. This is how Ascension was able to share hundreds of millions of patient records with Google a few years ago without any public disclosure, and certainly no informed consent,” notes Jackson.[4]
Re-identification of de-identified data has become much easier over the years. In part, this is the result of the availability of huge datasets of personal data that companies can use to cross-reference against. Therefore, de-identification by itself does not fully preserve privacy. “Organizations also need to ensure, through contracts and other means, that re-identification will not be attempted. And they should be highly selective about the kinds of de-identified data that are shared, and with whom,” says Jackson.
The study findings suggested that patients mostly are not told that data are being shared or sold, and they do not have much control over what happens with data about them. Consent forms are unclear about how data will be used. “It’s especially problematic if treatment is contingent on a patient’s consent,” says Kaplan. One interviewee stated, “These forms may appeal to the institution’s attorney, but they don’t do much to inform patients.”
Healthcare providers can tell patients what the institution’s policies and practices are. “But it would be difficult, if not impossible, to inform patients of what happens to data about them once it’s shared and re-packaged and re-shared and shared yet again. Getting consent at each step would be unwieldy, even if it could be done. Exactly what happens to data down the sharing pipeline is unpredictable, especially over time,” explains Kaplan.
The reality is that there are very few ways for patients to control what happens to data about them. It is difficult or impossible to opt out from the process altogether. “Many of the people we spoke with indicated that their hospitals did not have well-developed technical mechanisms to allow patients to opt out of third-party data sharing,” reports Jackson. From an ethical standpoint, says Kaplan, “There are gaps between data sharing practices and the Belmont principles of beneficence/non-maleficence, respect for persons/autonomy, and social justice, and also the data sharing principles of transparency and accountability.”
The people interviewed understood the term “data sharing” in different ways. Some interpreted the term as making data available for public health or academic use. Others interpreted it as selling data for corporate research and commercial purposes or contracting with electronic health record (EHR) and device vendors, or selling the data to aggregators who would re-sell the data for future use. “Different kinds of data sharing have different privacy and ethical risks. Those risks should be handled differently,” says Kaplan.[5]
The term “data sharing” is used to refer to different categories of activities that have different ethical implications. A hospital can share records with a competing hospital when a patient seeks care there. A hospital also can share records for purposes of academic research or sell records to a pharmaceutical company. “Because the ethical issues are so different across these use cases, it’s problematic to lump them all under the same term,” says Jackson.
The authors suggest some ways healthcare institutions can align data sharing practices with ethical principles. “Ethicists can help others, including their IRBs [Institutional Review Boards], to pay attention to ethics. They can help their institutions’ decision-makers be aware of these issues,” says Kaplan. Ethicists can suggest how data sharing can be addressed from an ethical standpoint and can help to draft policies and procedures on data sharing. “Ethicists can bring up these issues when serving as consultants or advisors, in informal conversations with colleagues, and in talks, presentations, and publications,” recommends Kaplan.
There appear to be a lot of data sharing activities in healthcare settings that are not currently receiving formal ethics review. “It’s ironic that data sharing is much more tightly scrutinized in academic research, specifically by IRBs, than non-research activities,” observes Jackson. For instance, there is no formal ethics review if organizations sell de-identified data to pharmaceutical companies, or sign contracts with EHR vendors that allow extensive access to local data. “I hope that, in at least some cases, ethicists might have the ear of senior administrators and be able to insert formal ethics review into these kinds of activities,” says Jackson.
One interviewee stated that their IRB routinely reviewed all external data sharing requests. This was the case regardless of whether the requests were tied to formal research protocols. However, as a general rule, IRBs are unlikely to review data requests that do not involve an IRB submission. “I’d like to see ethicists inserted into the loop for these other cases, to do some sort of IRB-style review and assess whether patients’ interests are being adequately protected,” says Jackson.
Exploitation is a pressing ethical concern. Patients bear the risks of data sharing, while companies and health systems reap the benefits. “To avoid exploitation, it’s essential to ensure that the patient communities whose data are being used share in the benefits of these arrangements,” says Matthew McCoy, PhD, assistant professor in the Department of Medical Ethics and Health Policy at University of Pennsylvania’s Perelman School of Medicine.[6]
Risk to patient privacy is another central ethical concern. “It’s virtually impossible for patients to give informed consent for these sorts of secondary uses of their data,” says McCoy. Patients may be unaware that the data sharing is occurring or cannot fully understand all the ways in which their data might be used. Without transparency, patients cannot give informed consent to the sharing of their data. Even with transparency, many patients would not be able to give voluntary consent to data sharing since they do not have options for where they seek their care. “Thus, in addition to being informed about any plans to share their data, patients should be given the right to opt out of data sharing,” concludes McCoy.
References
1. McGraw D, Petersen C. From commercialization to accountability: Responsible health data collection, use, and disclosure for the 21st century. Appl Clin Inform. 2020;11(2):366-373.
2. Wakabayashi D. Google and the University of Chicago are sued over data sharing. The New York Times. Published June 26, 2019. https://www.nytimes.com/2019/06/26/technology/google-university-chicago-data-sharing-lawsuit.html
3. Jackson BR, Kaplan B, Schreiber R, et al. Ethical dimensions of clinical data sharing by US healthcare organizations for purposes beyond direct patient care: Interviews with healthcare leaders. Appl Clin Inform. 2024; Oct 3. doi: 10.1055/a-2432-0329. [Online ahead of print].
4. Schneble CO, Elger BS, Shaw DM. Google’s Project Nightingale highlights the necessity of data science ethics review. EMBO Mol Med. 2020;12(3):e12053.
5. Schreiber R, Koppel R, Kaplan B. What do we mean by sharing of patient data? DaSH: A data sharing hierarchy of privacy and ethical challenges. Appl Clin Inform. 2024;15(5):833-841.
6. McCoy MS, Joffe S, Emanuel EJ. Sharing patient data without exploiting patients. JAMA. 2020;323(6):505-506.