At the same time as the GDPR has extended the extraterritorial reach of EU data protection law, the mechanisms used by US companies to export EU citizens' data are subject to judicial review. This leads to a risky legal environment. The actual scope of the GDPR is controversial, but US companies with a transatlantic presence, or that know they are monitoring EU citizens, will likely try to comply with it given the risk of high fines (9). In particular, the GDPR targets third-party information processors that have not been regulated in the US, for example by introducing notification obligations and other data protection rights. On the other hand, others might highlight the importance of parallel health records as a useful workaround that lets industry foster health innovation and research in a botched system, and point to the negative impact of rising compliance thresholds on modernizing and improving the quality of health systems. The CCPA applies primarily to large companies and data brokers, which excludes some small players in the health data space. It creates notice and access obligations for companies that collect, sell or disclose information, and consumers can request that certain information be deleted and can opt out of the sale of their information (14). The CCPA lacks many GDPR protections, but can actually create additional or at least different requirements (12). Like the GDPR, the CCPA provides exceptions for research; for example, the right to erasure does not apply to consented “public or peer-reviewed” scientific research – but the exception requires that the research be in the “public interest”, and the applicability of this exception to research conducted by commercial entities remains uncertain.

The GDPR potentially affects many companies outside the EU (10). It applies to those that process the data of EU citizens, for example by offering them a product or service; to those that monitor the behaviour of EU citizens within the EU, even from abroad; and to other forms of processing of EU persons' data, including processing carried out abroad (8). With potential inputs such as genetic data, medical history, lifestyle, phenotypes, and health outcomes, big health data has the ability to turn information into knowledge more effectively than ever before. However, the current regulatory structure in the United States was not created to protect or enable such use of big data to advance research and improve health. Although the United States does not have a comprehensive federal privacy law, its most ambitious privacy regulations – the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) – target personal health information and aim to protect it (1). The Privacy Rule governs when protected health information (PHI) may be used or disclosed by health care providers, plans or clearinghouses (“covered entities”). HIPAA allows uses or disclosures such as quality improvement, but does not create a full exception for research (2). Under the regulations governing government-funded research involving human subjects (the “Common Rule”), researchers are generally required to obtain consent from subjects or obtain an exemption from the institutional review board to use identifiable data. As a result, neither the clinical nor the research frameworks for protecting health information were designed to allow for rapid analysis of big data (3).
Such records may create the very privacy risks that HIPAA and the Common Rule were meant to avoid, yet they remain outside their scope. These regulations did not anticipate the masses of health-related data and derived health inferences that would become available, so what was once a fair attempt at comprehensive regulation of personal health information inadvertently gave way to regulatory arbitrage.
These phantom medical records are therefore an uncomfortable solution to a problem: they can be used for innovation or improvement of care or, more problematically, to deliver targeted advertising or to identify expensive patients who should be avoided. However, the benefits come at the expense of circumventing data protection regimes. Further guidance – in particular, clarification of the research exceptions for work done in the “public interest” – will be crucial under the GDPR and CCPA. This clarity is necessary so as not to discourage innovation in the health data industry, while ensuring that sufficient safeguards are in place so that the people who make up big health data are knowing and consenting participants. For example, the GDPR refers to exceptions for “scientific research,” “public interest,” and “public health,” without clearly defining these overlapping terms or addressing dual-use efforts. Although the GDPR recitals suggest that “scientific research” should be interpreted broadly and include both technological development and privately funded research (recital 159), it is suggested elsewhere that the public health and public interest exemptions “should not result in personal data being processed by third parties for other purposes…” (recital 54). And although the GDPR allows exceptions for research, it requires “appropriate safeguards” to protect individual privacy rights – without specifying what these safeguards should consist of (e.g. Article 89(1), Article 9 and recitals 52 and 54).
Phantom medical records meet new data protection laws. / Price II, W. Nicholson; Spector-Bagdady, Kayte; Minssen, Timo; Kaminski, Margot.