You Don’t Own Me: Do You Own Your Personal Health Data?
Summary
Every time you visit the doctor, heaps of personal health data are stored in electronic medical records, a mainstay of the modern health care industry. The rise of big data in healthcare comes with risks, however. Health data is now being sold to external companies and researchers. So, can you own your personal medical data? In this episode, Anand Shah (a former deputy FDA commissioner), Michael Abramoff (an ophthalmologist, AI pioneer, and entrepreneur), Cynthia Chauhan (a patient advocate), and Ari Waldman (an authority on the nexus of law and technology) offer perspectives and explain why this issue is more complicated than it seems.
Transcript
Cynthia Chauhan: My personal data is my data and while I willingly share it sometimes, I don’t want anyone to think they can just come and take it because I bought their product.
I. Glenn Cohen: I’m Glenn Cohen. I’m the Faculty Director of the Petrie-Flom Center, the James A. Attwood and Leslie Williams Professor of Law, and the Deputy Dean of Harvard Law School and your host. You’re listening to Petrie Dishes, the podcast of the Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School.
We’re taking you inside the exploding world of digital health, one idea at a time. Today we’re talking about your health data, like the information contained in electronic medical records, or the reams of personal health data generated through consumer devices. Now, I call this your health data, but is it really yours? That’s today’s question: Who owns your health data?
Michael Abramoff: If you ask any patient, ‘who owns your data?’ they will say, it’s them. HIPAA doesn’t say that at all.
I. Glenn Cohen: HIPAA, The Health Insurance Portability and Accountability Act, is the primary health data privacy regulation here in the United States. And Michael Abramoff, Professor of Ophthalmology and Founder of an AI company called Digital Diagnostics, is explaining here that this regulation does not give patients ownership of their data.
Michael Abramoff: All sorts of systems think they own it. Physicians think they own it. EHR companies think they own the data. Everyone thinks they own the patient derived data. It’s a lax issue. Internal sales are being used. People are making billions, and the family now says, well, we were never asked.
I. Glenn Cohen: Patient derived data or the data related to a patient’s health is valuable because it can be used for many purposes from improving algorithms used in healthcare to targeting advertisements for consumer goods. As Michael explains, the stakes of determining exactly who owns this data are very high.
Michael Abramoff: And so, I think it’s important to solve this because otherwise decades later you could still run into pretty gnarly ethical problems. And so why not solve them? Why not do it right? Why not be transparent? Why not solve these problems, think about them carefully. I think it’s better to solve it from the start.
I. Glenn Cohen: Michael argues that it might benefit companies or healthcare providers to be transparent upfront about what data is being collected, how that data is being used, and by whom. Surprises later on could impact their ability to use the data as well as patients’ trust. Let’s hear from Cynthia Chauhan, a patient advocate.
Cynthia Chauhan: I found out how much they were tracking me and I don’t want that. So I stopped using the Fitbit app. I think I found out that they were collecting all kinds of non-walking information about me and that’s not what I got it for. And I never, I was not aware I gave permission for that. So, I just stopped using it. I think there’s a line that we have to think about between sharing important information and collecting information for non-user use. It’s for their own development as a company or for selling out to other people and I don’t want to be part of it.
I. Glenn Cohen: When a user buys a health tech product, they have a certain expectation of its use. Without being transparent upfront about other uses that may be happening behind the scenes, users like Cynthia might lose trust in the product later on. But that’s assuming they even know to ask. It doesn’t matter what kind of data we’re talking about. Genetic information, for example, versus x-ray images. Anand Shah, former FDA official, has views about what the process for transparency and consent should look like.
Anand Shah: There’s a lot to unpackage here, but first and foremost, consumers and patients really should be able to control the flow of their own health data. And fiduciaries of that data such as health app developers or others who the consumer gives their data to really need to clearly communicate their intention to that consumer, to that patient, and whenever possible, have consent for exactly how it may be moved around. And so as much as we may think of a consumer’s data as a car, on the information super-highway, we always have to remember that ultimately, one’s data is deeply personal. It’s sourced from an individual and we should really engage that consumer, that patient, when that data is moved around.
I. Glenn Cohen: Anand refers to those we are trusting with our healthcare data as fiduciaries, a legal status of an individual who’s expected to act in our best interest. But it’s not clear how much US law reflects that idea. Instead, most patients have, via simple authorization when entering the hospital, relinquished much of their rights to control their healthcare data, especially when certain identifiers like name and zip code are stripped.
That’s the current law, but what should the law be? When should companies be allowed to use healthcare data? If some form of consent or authorization is required, in some cases, what should it look like?
Cynthia Chauhan: I prefer to think of health data as something I own, about me, that I have a right to tell people what they may and may not collect and may and may not share with others. What makes me feel secure sharing my health data is I go to a very strict, reputable clinic for all of my care, and they are very careful with the data and they routinely ask me, am I willing to let them share? And they’re very good about anonymizing my data so that it doesn’t become any kind of intrusion into my personal life. I also am in trials at the NIH. Where again, I gave permission for them to share and to continue to use way beyond my lifetime, because we have to do that in order to help the medical profession grow and develop. And by grow and develop I mean provide better care to patients in a more timely, effective manner.
I. Glenn Cohen: Cynthia’s comment highlights the importance of feeling secure that the companies and clinics we give our data to are reputable and do the right thing by their patients. But how do we protect individual health information so that we feel secure enough to share our data? Let’s hear from Anand.
Anand Shah: So it’s important to note that HIPAA actually turns 25 years old and we’ve got to continue to build on this framework. Over the years we’ve seen HIPAA, and its associated HIPAA privacy rule regulations, conflict between the dual noble aims of, one, protecting consumer privacy while also, two, fostering access to information and technology that improves healthcare and makes it more efficient. Over the years, and especially over the recent years, we’ve seen science and technology pushing the boundaries of HIPAA.
I. Glenn Cohen: What Anand is describing is a trade-off between patients’ full control over their data and improving health outcomes. This conflict is particularly acute in health tech, which requires a lot of patient data to develop.
Anand Shah: This has led to various revisions, most notably GINA in 2008, HITECH, and in 2013.
I. Glenn Cohen: GINA, or the Genetic Information Non-Discrimination Act of 2008, prohibits discrimination on the basis of genetic information with respect to health insurance and employment. HITECH is the Health Information Technology for Clinical and Economic Health Act, which updated privacy and security provisions of HIPAA and broadened the definition of a data breach and thus notification requirements.
Anand Shah: And given how rapidly we were improving care coordination, value-based care, an individual’s ability to move data around, we’re going to need to continue to evaluate where current law and regulation need to be revised to keep pace with innovation, but also while keeping critical safeguards around data protection.
I. Glenn Cohen: So how do we do that? How do we safeguard privacy and personal information in the realm of health data?
Anand Shah: So HIPAA in the ensuing quarter century, they’ve led, as I mentioned, to remarkable progress, but we still have a long way to go. Keep in mind that the majority of health data is not covered by HIPAA at all.
I. Glenn Cohen: This is an important point to emphasize. HIPAA only applies to so-called covered entities and their business associates. That means it misses a lot of the data that today and certainly in the future, will be used to predict health. For example, healthcare data generated by life insurance companies, data generated by Fitbit, or information about our health from our purchases off Amazon. And even data that is protected by HIPAA could, in some cases, be tied back to the individual who generated the data or re-identified because of a concept known as data triangulation, where multiple data sets are cross-referenced to pinpoint the original source. In many instances, such triangulation requires a concerted effort and some resources, and is unlikely to happen, but some malicious re-identification remains possible. As Anand notes.
Anand Shah: There are numerous emerging privacy threats. The current laws only protect against the sharing of identifiable health information. So even as we de-identify and tokenize data, there are opportunities for bad actors to re-identify and potentially use data for malicious purposes.
I. Glenn Cohen: Anand just walked us through some privacy concerns, but another big point of tension is ownership of the data. Lurking behind the question of how to set the rules on access and use is a related but different question: Who should be allowed to profit from the use of this data? Should patients be paid for it? Cynthia, as a patient, has one perspective on the question of profit.
Cynthia Chauhan: If it’s health data, who owns it? My thought is I own it. It’s my body, it’s my health. I gladly share that data to help other patients have better life experiences, but the choice about sharing should belong to me. And it should be very clear, very explicit. I mentioned to you clinical trials. I’ve been in about 10 clinical trials and a couple of other things where I go for my health care, every time they collect my blood, they’re able to take some of that blood and use it for other research. I have no expectation of payment for that. Regarding my health data, I own it, but I do not use it for income. This is my way of giving back for all the good that has happened to me. I think if you get into trying to collect money for it, you get into really murky, swampy waters of ethics and you get into things like people selling organs. And I know they already sell blood at blood banks, but I just don’t see it as an income resource. I see it as a way to give back, to learn more about myself, and to help others have better lives.
I. Glenn Cohen: As we’re beginning to see, there are many different answers to ‘who owns medical data?’ and indeed many different ways of even understanding the question. How sensitive are our intuitions to the way we describe what’s going on? Let’s start by assuming we’re talking about data from a patient that cannot easily be used to re-identify the patient. We can call it de-identified as a shorthand, but I want to stress this is really a continuum of how easy or hard it is to re-identify. Now imagine we have an algorithm that is trained not just on that particular patient’s de-identified data, but on the aggregated data of 500,000 patients. Now imagine further that this is data that has been created by the physician who observed a patient like Cynthia, compiled the relevant data points, and interpreted the information from the encounter. While the data is about that patient and hundreds of thousands of other patients, it was in a sense co-produced by the physician observing and recording her observation about the patient. Who should own that data? While it’s plausible to think we own our bodies and have a property interest in them, one’s body and data about one’s body are different things. What started out as a straightforward idea has now become more complex. What are my rights as to de-identified data co-produced by a physician observing and interpreting information about my body that is aggregated with similar data about hundreds and thousands of others?
But maybe a lot depends on what the data is used for. What if it’s a for-profit company building a medical device that will be available to only well-off patients? What if it’s a hospital system using this data to try to improve its decision making about which patients need extra follow-up care? What if it’s a public healthcare payer trying to decide if an intervention is cost effective? Do your feelings change? Do questions of incentives matter? What if the cost of collecting, cleaning, and organizing the data is high? Should that matter? Do we need to assign ownership in a way that provides incentives to do all that? On the flip side, if we assign the ownership rights to patients rather than the providers who gather the data, will that undermine the development of new helpful devices, treatments, and software? Or is thinking about all this through the lens of property law the wrong way to go?
Ari Waldman: It is a mistake to try to leverage traditional property doctrines to maintain control over information flows because the implication of us owning data is that we can contract away our ownership of that data, or we can autonomously license that data.
I. Glenn Cohen: That’s Ari Waldman, a professor of Law and Computer Science.
Ari Waldman: If one person has a property interest in their data, then they can leverage property law and other companies can leverage property law about that information, but that would happen in a situation of such power asymmetry that we’d essentially go back to the world of the Lochner era, where there was no such thing as collective bargaining and companies could negotiate and leverage their power over any unskilled worker.
I. Glenn Cohen: The Lochner era, as Ari describes it, was a period in the U.S. during the early 1900s when regulations designed to protect individual workers were continually struck down by the courts. Ari worries that if we give companies the power to leverage property law over the data they collect, then individual rights over data could fade away.
Ari Waldman: And even if we had data ownership unions or some collective power over that, it’s still based on this premise that this is mine and I can give it away. That itself is wrong. That information goes into a system that affects other people, that nudges and manipulates other people. We are, by virtue of going online, automatically conscripted into a system that manipulates other people that are like us. Because they’re not interested in data about Ari Waldman. They’re interested in data about my latent characteristics that will affect other people. They don’t have the ability to consent or to have any power over what happens with my data. So considering data as anything like an individual right, or individual property right ignores the true nature of how data flows work and contribute to profit in informational capitalism.
I. Glenn Cohen: What would it mean to go beyond considering individual rights?
Ari Waldman: I think we need to focus much more on data flows than individual data ownership. It’s not ‘my data.’ It’s what is happening with this data and how is it affecting power relations? We shouldn’t have laws, privacy laws, health laws, that focus exclusively on individual rights. The right to disseminate, the right to correct, the right to access. Individual rights through our data are based on the wrong premise that there is such a thing as an individual right to data. These are collective rights and this is a collective social issue that has social or group-based harms.
I. Glenn Cohen: But what does it mean in practical terms for the law to protect a collective right?
Ari Waldman: Law should be focused, not on limiting someone’s ability to share data or limiting a company’s ability to collect data from a particular person. Law should be focused on explicitly limiting the power that companies can exert or exact from gathering that data. Whether that involves actually regulating the business model, making sure that they can’t micro-target, civil rights, there are lots of different approaches to something like that. But legal regimes have to focus on corporate power, not on I or my data.
I. Glenn Cohen: Ari’s concern regarding collective rights is well founded, but a lot of health law scholars would actually argue the opposite. In a society that is very focused on the individual and their rights, it is the individual’s rights or lack thereof over data that matters. So, do we own our health data? Well, we’ve heard a number of different views from our guests today, but despite the differences in their answers, they all point to a common reality. Which is that in our digital world, we don’t have as much control over our data as we want. And as Ari highlights, those who seek to change the legal regime may face an uphill battle because there are powerful commercial interests that favor the status quo.
I. Glenn Cohen: If you liked what you heard today, check out our blog ‘Bill of Health’ and our upcoming events. You can find more information on both at our website, petrieflom.law.harvard.edu. And if you want to get in touch with us, you can email us at petrie-flom@law.harvard.edu. We’re also on Twitter and Facebook @petrieflom, no dash.
Today’s show was written and produced by Chloe Reichel. Nicole Egidio is our audio engineer. Melissa Eigen provided research support. We also want to thank Michael Abramoff, Cynthia Chauhan, Anand Shah, and Ari Waldman for talking with us for this episode.
This podcast is created with support from the Gordon and Betty Moore Foundation and the Cammann Fund at Harvard University.
I’m Glenn Cohen and this is Petrie Dishes. Thanks for listening.