University of Michigan Law School, Ann Arbor, MI, USA.
Centre for Advanced Studies in Biomedical Innovation Law, Copenhagen, Denmark.
Science. 2019 Feb 1;363(6426):448-450. doi: 10.1126/science.aav5133.
Large sets of health data can enable innovation and quality measurement but can also create technical challenges and privacy risks. When entities such as health plans and health care providers handle personal health information, they are often subject to data privacy regulation. But amid a flood of new forms of health data, some third parties have figured out ways to avoid some data privacy laws, developing what we call “shadow health records”—collections of health data outside the health system that provide detailed pictures of individual health—that allow both innovative research and commercial targeting despite data privacy rules. Now that space for regulatory arbitrage is changing. The long arms of Europe’s new General Data Protection Regulation (GDPR) and California’s new Consumer Privacy Act (CCPA) will reach shadow health records in many companies. In this article, we lay out the contours of the GDPR’s and CCPA’s impact on shadow health records and health data more broadly, highlight critical remaining uncertainty, and call for increased clarity from lawmakers and industry on the use of such data for research.
大量的健康数据可以实现创新和质量衡量,但也可能带来技术挑战和隐私风险。当健康计划和医疗保健提供者等实体处理个人健康信息时,他们通常受到数据隐私法规的约束。但是,在大量新形式的健康数据中,一些第三方已经找到了规避某些数据隐私法的方法,开发了我们所谓的“影子健康记录”——健康系统之外收集的健康数据,这些数据提供了个人健康的详细信息,允许在数据隐私规则下进行创新研究和商业定位。现在,监管套利的空间正在发生变化。欧洲新的《通用数据保护条例》(GDPR)和加州新的《消费者隐私法案》(CCPA)的长臂将触及许多公司的影子健康记录。在本文中,我们概述了 GDPR 和 CCPA 对影子健康记录和更广泛的健康数据的影响,强调了关键的剩余不确定性,并呼吁立法者和行业提高对这些数据用于研究的使用的清晰度。
