Unraveling Data Ownership

Contributed by:

Kim Ribbink

NOTE: The content below contains the first few paragraphs of the printed article and the titles of the sidebars and boxes, if applicable.

Amid ongoing concerns over data privacy and how patients’ data is used, who owns the data is both a crucial and complex question.

Just who owns a patient’s data? It’s a question that is fraught with complications due to the sensitive nature of the information. Data has been described as the most valuable currency for business. How it is bought, sold, and used is the subject of much concern and debate.

Recently, the U.K. government allowed Amazon free access to healthcare information collected by the NHS. While the information excludes patient data, it does give the company access to information on symptoms, causes and definitions of conditions, enabling the company to develop products, apps, and services without financial benefit to the NHS.

One of the big challenges with the ownership of health data is that there are so many different stakeholders involved. According to Iyiola Obayomi, practice lead, marketing analytics, at Ogilvy Health, while patients can claim rightful ownership of their data, so can providers, payers, and the technology platforms managing, securing, and bearing the risk of data breaches.

“There are health-related datasets such as genome tests, wearable devices, or health behavior data that are stored outside of the traditional healthcare data repositories — and their ownership is equally unclear,” Mr. Obayomi says.

Access to integrated health, biological, behavioral, and demographic data holds high hopes for drug discovery, behavioral interventions, and outcomes optimization, Mr. Obayomi maintains. But these opportunities are held back by the lack of ownership clarity and not having a comprehensive legal framework that would allow the industry to coordinate and achieve the potential of the data.

Indeed, questions over the ownership of data are at the core of the strained relationship between healthcare institutions and healthcare consumers, says Richie Etwaru, founder, CEO, and chairman of Hu-manity.co, who highlights concerns over the agency, ethics, and reciprocity around the use of consumer health data. “Consumers want agency over their data, and institutions want access to data,” he says. “Consumers expect ethics and reciprocity, and institutions struggle to keep up with emerging regulations. Ownership is the platform of clarity needed to further discussions around data agency, data ethics, and data reciprocity.”

The issue of data ownership is particularly complicated in the rare disease space, says Wendy White, principal at Wendy White Consulting. “Often there is no data in the rare disease space when a company finds a promising target,” she says. “Companies that want to develop a therapy may have to fund development of a registry and/or a natural history. For small biotech companies, this can be expensive but also a competitive advantage if they own a good registry. From a patient’s perspective, a particular company owning a registry makes it harder for the next company to develop a competing, and potentially better, therapy because patients, and their doctors, have already committed to a registry the new company may not have access to.”

Building Trust and Confidence

There have been regulatory efforts to improve confidence over the use of data. In Europe, for example, the General Data Protection Regulation (GDPR) seeks to give individuals control over their personal data and provides safeguards to protect data. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) establishes protection and data privacy for medical info.

Mr. Obayomi says while HIPAA covers many aspects surrounding healthcare data, the advancement in data and technology necessitates updates to help regain confidence and control for data owners, and clarity for institutions, payers, researchers, technology partners, and other entities. What is needed is a regulatory framework that offers guidance on data ownership categories, permissible sharing, consent granting, and required feedback.

“For instance, patients could be designated as the primary data owners, healthcare institutions and payers serve as custodians, and entities such as technology platforms act as administrators, with separate roles altogether for researchers,” he explains. “Patients could therefore be empowered to grant authorizations for access to their data, and could be informed about the use of their data and the possible outcomes of this use.”

Mr. Obayomi says addressing issues related to data ownership should increase patients’ sense of control, comfort, and confidence in the ways in which their data are used.

“Ownership debates will help patients engage with their health data, familiarize them with their rights, and provide them with the personal and social benefits that inherently come with the responsible use of healthcare data,” he says. “And discussion will spur action around technologies and systems that can provide owner control and incentives for using their data.”

Mr. Etwaru says as healthcare becomes more digital, new uses of consumer health data, such as precision medicine and digital health technologies, will emerge. These emerging areas face regulatory and ethical hurdles, such as whether institutions have the intentional consent needed to begin to use historically procured data sets in these new ways.

“In the cases where the answer is not yes, operational issues will emerge,” he says.

Trust will increasingly become an issue, Mr. Etwaru says, noting that there is growing mistrust of institutions that do not have reputable data practices. “In the future, an institution’s data practices and posture will be a component of brand trust, and can increase or decrease a brand’s access to consumers,” he says. “Eventually, this conversation will move from a good debate to just good business. Pioneering brands will recognize this and be the first movers to compete on trust.”

To move the debate forward, Mr. Obayomi says companies need to provide the information and tools that help patients feel informed and in control of their data, educate patients about their rights, and be transparent about those instances when patient data could be used without express permission.

“Patient feedback and disclosure related to data use will be other essential components for stakeholders to think about,” Mr. Obayomi says.

Mr. Etwaru argues that while institutions claim they have included all the necessary language for informed consent, in reality consumers aren’t very informed. Rather, patients require “intentional consent,” where they truly understand what rights they’re waiving, what risks they’re accepting, and what the nature and duration of the relationship is.

“Intentional consent is one where the highest form of trust is built at the ‘I Accept” button,” he says. He notes, for example, that Hu-manity.co has developed an intentional consent model, where the consumer has choice and control of decisions that can be made at the time of contracting.

“Instead of a single “I Accept” button, there are clear and easy-to-understand choices for the consumer to make that manifest into personalized privacy contracts between institutions and consumers,” Mr. Etwaru says.

While Mr. Etwaru believes there is broad support for more progressive consumer data privacy practices, the technology to enable this is lacking.

For example, Ms. White says in many rare disease areas there are multiple groups creating registries for the same disease.

“These patient registries can all be on different systems with different goals and structures, resulting in the fragmentation of the data landscape, which makes development of new therapies harder and more expensive,” she says.

Encouraging Patient Engagement

Patients are becoming more savvy about their data. Specifically, in the rare disease space, patient groups recognize the value of patient data and the potential for selling access to their patients, Ms. White says.

She says these patients are happy to share their medical data if they trust that it will be used to help advance research and they are included in the process.

“The biggest issue is a lack of therapies, but these can’t be developed without good data, natural histories, and partnerships with the patients and caregivers who know the most about these poorly understood diseases,” Ms. White says. “Fewer than half of the 7,000 rare diseases have organized patient groups, and an even bigger percentage of those diseases don’t have good natural histories, bio samples, or a network where researchers can share data.”

Ms. White says one effective model is the use of collaborative networks, where researchers and patient groups work together toward a common goal. “This method has been used successfully to quickly advance research in ALD and was beautifully illustrated in Dr. David Fajgenbaum’s new book Chasing My Cure that describes his background as a doctor, researcher, and patient who started from nothing and found a therapy by setting up a collaborative network in less than 10 years,” she says.

Ms. White says patients need to be part of the discussion with an equal seat at the table, and for that to happen more patients and groups need to be educated on what data is, how it is used and how to be good partners to help researchers and corporations innovate, and create better therapies faster.

She says Global Genes, a global nonprofit in the rare disease space, has put together a four-part educational program to address this unmet need. It includes: the why’s and how’s of data collection; data trust and governance; how to develop collaborative research networks; and how to become a data-centric community.

Mr. Obayomi says patients are driven by different motivations when it comes to sharing their data and it’s important for companies to build incentives that cater to these needs. He notes there are three areas that are the most universal. First is medical rewards — participation in clinical trials or drug-free treatments with successful clinical trials, or free medication whenever the patient needs future treatment. Next is economic rewards — rewards or monetary compensation, possibly including charitable donations made on behalf of the patient, for whenever the information is shared or used. And third, altruistic rewards — receipt of updates on patient outcomes, the latest medical advancements and new drug discoveries, or the lasting effects on population impact.(PV)


Data Protection and Privacy Regulations

The General Data Protection Regulation (GDPR) – this EU law on data protection and privacy affects data on all EU citizens, setting a standard for consumer rights. The law simplifies the regulatory environment in Europe to enable citizens and businesses to benefit from the digital economy. Under the law, organizations are required to ensure personal data is gathered legally and to protect that data from misuse or exploitation.

The Health Insurance Portability and Accountability Act (HIPAA) – sets standards for the protection of certain health information and requires companies to have strict security measures in place to ensure HIPAA compliance. With increased use and sharing of electronic patient data comes additional need for security measures. This is particularly crucial given the increasing number of costly violations. The Office for Civil Rights has been considering updates to HIPAA, including aspects of the rules that are overly burdensome to covered entities but give little benefit to patients, as well as those that could help with the shift to value-based care and improving interoperability.

The Federal Trade Commission Act – prohibits deceptive practices, such as not following a published privacy policy, not giving sufficient protection to personal data, and engaging in misleading advertising practices.

State Privacy Laws – 25 states have data privacy laws that govern the collection, storage, and use of data as it applies to residents of those states. California’s laws, which are the most comprehensive, go into effect Jan. 1, 2020. The California Consumer Privacy Act (CCPA) imposes responsibilities on groups or people who collect information about or from a resident, including letting individuals know when and how information is collected, and enabling them to access, correct, and delete this information.

Posted in:

Post a Comment

You must be logged in to post a Comment.