Part of the "2016 Annual Conference: Big Data, Health Law, and Bioethics" held at Harvard Law School on May 6, 2016.
This conference aimed to: (1) identify the various ways in which law and ethics intersect with the use of big data in health care and health research, particularly in the United States; (2) understand the way U.S. law (and potentially other legal systems) currently promotes or stands as an obstacle to these potential uses; (3) determine what might be learned from the legal and ethical treatment of uses of big data in other sectors and countries; and (4) examine potential solutions (industry best practices, common law, legislative, executive, domestic and international) for better use of big data in health care and health research in the U.S.
The Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School 2016 annual conference was organized in collaboration with the Berkman Center for Internet & Society at Harvard University and the Health Ethics and Policy Lab, University of Zurich.
Learn more at http://petrieflom.law.harvard.edu/events/details/2016-annual-conference.
2. THE COMMON RULE AND IRBS
TWENTIETH CENTURY MODEL
§ Academic Centers
§ Phenotypic Disease Model
§ Traditional Clinical Trial Design
§ Time, place, and inclusion
§ Clearer Lines between Clinical
Treatment and Research
§ Paper Record
3. HIPAA: TOO EARLY, OUT OF
DATE AND WAY TOO
COMPLICATED?
§ Pre-Genomic/Molecular/NetworkIdentifiers
§ TrueDe-Identification,even when HIPAA
identifiers areremoved,is very difficult
§ But there are (sophisticated)analytics thatcan be
used
§ Mostof theseare beyond the capabilities of most
IRBs (if acting as Privacy Board) and many
institutions
§ The morecomplex (useful!)the data,the more
difficultthis may be
§ We want sharingbetweeninstitutions
5. DATASOURCES IN
NETWORKED MEDICINE
Claims
and
Cost
Data;
depending
on
the
entity
subject
to/or
not
HIPAA
Pharmaceutical/Laboratory
R&D;
may
be
subject
to
HIPAA;
but
depends
on
how
data
is
acquired;
Trade
Secrets
may
apply
Clinical
Data
Controlled
by
Providers;
generally
subject
to
HIPAA/Digital
Ownership
Unclear
Patient
Behavior
and
Preferences;
Depending
on
Source
may
be
outside
HIPAA
and
Commercially
Owned
Rapidly
increasing
Commercial
Use
6. § Adaptive clinical trials
§ “Large Simple Studies” and “Pragmatic
Trials”
§ Research networks
INCREASINGLY DIFFICULT TO
DISTINGUISH RESEARCH FROM
CLINICAL CARE
7. THE DARK SIDE OF HIT
§ With health IT, it is now possiblefor the first
time in the history of medicine to:
§ Violate the health privacy of millions of individuals in
a matter of seconds
§ Steal health information without having physical
access to it; and
§ Violate an individual’s health information privacy in a
manner that makes it impossible to restore. “The
Financial Impact of Breached PHI”, ANSI (March 2012)
http://webstore.ansi.org/phi
8. BUT DOES RESEARCHADD
RISKS?
§ Most breaches and compromise are
part of the clinical process
§ Many of those breaches are bread and
butter financial fraud
§ Research (sadly?) is a fairly minor
application of Big Data Health
Information use
9. COMMON RULE NEEDSA MAJOR
OVERHAULTO DEAL WITH DATA
ISSUES
§ Simply adding new rules does not do the
trick; complicates rather than simplifies
§ Fundamental Disagreement is on where
notice is sufficient vs. full informed
consent
§ —Notions of Autonomy
§ Faden/Kass consistent w/ general privacy law
(notice is sufficient)
§ Miller—health care is different
10. FUNDAMENTALCHARACTERISTICS OF
BIG DATA CHALLENGETHE
STRUCTURE OF THE COMMON RULE
AND HIPAA
§ The analysisof Big Data is oftenfor a different
purposethanthe purposefor which it was
originallycollected
§ How does one do meaningful consent?
§ The volumeof data used forBig Data purposes
means that it comes from many sources
§ Outside the purview of any single (or many) IRBs
11. A PATCHWORK SYSTEM OF PRIVACY
LAW IN THE UNITED STATES
§ The United States does not have comprehensive
federal privacy laws
§ Privacy Law in the United States is Sectoral (but
Federal TradeCommission/OCRplay overarching
regulatoryroles)
§ Health
§ Finance
§ Education
§ States also haveprivacy laws—which mayor may
not be pre-empted
12. PRIVACY, CONTROLAND
OWNERSHIP
§ Context driven privacy interests
§ Unclear rules on ownership
§ But rarely the individual that the data
describes
§ Illusory Control
13. CENTRALPRINCIPLES FOR PRIVACY
COMPLIANCE RELATING TO (ANY)
DATA COLLECTION: TRANSPARENCY
AND PROTECTION
§ Transparency
§ Notice -how will the data be used and shared
§ Choice- the individual’s desires as to that
use and sharing
§ Access-howthe individual can implement
those desires—thismeans a meaningful“opt
out”
§ Security Protections
14. BIG DATA REALLY
REQUIRESA
COMPREHENSIVE (NON-
SECTORAL)APPROACH
§ This requires us to fully examine the
question: is health care really different?
§ If not, perhaps then we should have an
data/informationalrisk scheme for
research that is driven by all needs
rather than tacking on HIPAA notions to
other areas