Current Landscape of Patient-Generated Data and Data Privacy
By: Sara Gray, Programs Associate
Last December, the National Health Council and Duke-Margolis hosted the fourth webinar in the Real-World Evidence (RWE) training program, the “Current Landscape of Patient-Generated Data and Data Privacy.” This webinar was hosted in partnership with the International Society for Pharmacoeconomic and Outcomes Research’s (ISPOR) Real-World Evidence Special Interest Group and the Duke-Margolis Center for Health Policy. It featured:
- Corey M. Dennis, CIPP/US, CIPP/E, Lead, US Privacy Officer, Sanofi, and
- Craig Lipset, Advisor and Founder, Clinical Innovation Partners and Former Head of Clinical Innovation, Pfizer
Current Landscape of Data Privacy Laws in the United States:
Mr. Dennis outlined the history of privacy protection laws for consumers and reduce data breaches. He introduced the European Union (EU)’s General Data Protection Regulation (GDPR), which regulates how personal data are collected and processed. The term “personal data” is broad an includes what we think of as “real-world data.” Examples of personal data include:
We also learned about the process of de-identification, “removing personally identifiable information from data collected, stored, and used by organizations.” Advances in computer science have added new challenges to truly de-identifying data.
Mr. Dennis also introduced two prominent data regulations In the United States:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) – regulates privacy, security, and breach notifications. It does not apply to all health data but only covers information used by covered entities such as doctors and hospitals.
- California Consumer Privacy Act of 2018 (CCPA) – the strictest general privacy law in the U.S., creates new rights relating to access/control over consumer data and mechanisms to enforce those rights.
These regulations have implications for real-world research, since data may involve sensitive and identifiable patient data from various sources with clear privacy implications:
- Electronic health records
- Patient registries
- Mobile applications
- Wearable devices
- Online forums and social media
Privacy compliance is increasingly important in this space, particularly given the use of sensitive data and digital technologies.
Data Privacy, Patient-Generated Data, and Research
Mr. Lipset discussed the opportunities and possible privacy concerns in using patient-generated data in research. Patient-generated data is routinely collected in health care interactions and used in research. However, there are few opportunities for patients to provide input. Engaging patients as active partners could improve the quality of research while simultaneously increasing patient trust.
This is particularly important considering growing concern among the public over data privacy and data sharing. Most individuals are willing to share their health data to support research as long as their privacy preferences are maintained. In addition to preserving privacy, promoting models of patients as aggregators of their own data, could lead to more comprehensive datasets. Future, sustainable patient-generated data models should:
- Support data-enabling for patients
- Make clear how and where data is being used
- Invite patient permission for data use
- Prioritize permissioned data
Watch the full webinar here.