Medical scientists increasingly want patients to donate massive amounts of sensitive personal information, from electronic health records to DNA data—either during their lives or after their deaths. But the modern age presents several unanswered questions around how this sensitive data will be used and whether scientists are prepared to keep the information safe, Maggie Koerth-Baker reports for FiveThirtyEight.

Access our health care cheat sheets on top-of-mind legal landmarks

Background

The demand for personal health data donations has grown in recent years, as researchers increasingly conduct studies using large amounts of personal information collected and connected from disparate sources.

For example, NIH in early May launched its research program "All of Us," which seeks to collect the personal and medical information of 1 million Americans to create a database for researchers to eventually use to conduct studies. There are also numerous websites and mobile applications that allow individuals to donate their social media and health data to specific research projects. Some researchers have even called for a post-death data-donation system similar to the United States' organ donation system. For instance, scientists in 2016 published a report in which they outlined a system that would encourage people to register as data donors and perhaps carry data donor cards.

How to be a cybersecurity sentinel

The potential risks of donating data

But experts say, the sheer quantity of data donations presents new questions about the way researchers are accessing, storing, and analyzing personal health information, FiveThirtyEight reports.

For instance, Nicholas Proferes, professor of information science at the University of Kentucky, said scientists can now build essentially complete profiles of their research subjects. While this provides new research opportunities, he said it also carries new and larger risks for research subjects. Proferes noted that data theft has always been a concern in medical studies, but today's researchers might have a subject's EHR, vaccination records, genetic variants, and Fitbit data.

Further, data collected about one individual reveal information about that person's friends and acquaintances, Proferes said, referencing this year's Cambridge Analytics scandal. The "network effects" of allowing access to such data, Proferes said, are "a hard thing for an individual to conceptualize."

For instance, law enforcement could potentially use research subjects' DNA in a search engine for surveillance. Such a database might have disproportionate consequences for people of color, according to Tonia Sutherland, professor of information science at the University of Alabama, because "surveillance isn't applied equally across the board" and "there are people who are more vulnerable to exposure than others."

Another issue, according to Proferes and Sutherland, is that most scientists are not trained in data ethics. According to FiveThirtyEight, institutional review boards in charge of regulating human subject research do not typically monitor data collected online or via social media.  

Donor consent has also grown more complicated, FiveThirtyEight reports. Several experts said scientists can access data on public social media accounts, such as Twitter, without user consent. In addition, according to FiveThirtyEight, users who sign consent forms may not realize that such forms can open up their data indefinitely, meaning in five or 10 years their data could be used in ways they previously could not foresee.

When a data breach occurs, the whole hospital is our patient

Eric Dishman, the director of the NIH's All of Us research program, said he has focused on being transparent with research subjects about researchers' continual access to their health data. Dishman said, "You're turning it on as a spigot, and we don't want people to forget that. So we have to have regular reminders. 'You've turned on the spigot, and are you still OK with that?'"

Ultimately, according to FiveThirtyEight, "The problem is more that data collection and analysis on this scale is new and so far there aren't any standardized practices for how to do it. Some institutions and researchers handle big data from human subjects really well. Others don't."

Key questions researchers should ask

According to FiveThirtyEight, researchers who are asking people to donate their medical data should be prepared to answer key questions, such as:

• How will researchers anonymize data, and what plans does the institution have for dealing with a data breach?
• How will researchers use the data, and what will happen if researchers want to use it in another way?
• How will researchers notify subjects about any updates in the research, and what options they provide subjects with if they do not like how their data is being used?
• What do subjects get in return for donating data?
• Who can access the data, and what qualifications do they need to access the data?

According to Proferes, it is especially important for research subjects to know what they are getting out of the research, but to date most researchers have not focused on sharing research results. According to FiveThirtyEight, "And that's a problem. Nobody can decide whether the risks of data donation are worth it if they never find out what 'it' is" (Koerth-Baker, FiveThirtyEight, 6/25).

Just updated: Your cheat sheet for understanding health care's legal landscape

With the new tax law, antitrust laws, HIPAA, and countless others, the health care landscape has become an alphabet soup of legislation. To help you keep up, we've created a series of cheat sheets for some of the most important—and complicated—legal landmarks.

Check them out now for everything you need to know about the Affordable Care Act, antitrust laws, fraud and abuse prevention measures, HIPAA, MACRA, and the two-midnight rule.

Get the Cheat Sheets