New Reproductive Privacy Rule to Protect Both Patients and Physicians.

This Viewpoint describes the newly finalized Reproductive Privacy Rule, a HIPAA regulatory update intended to prevent law enforcement in abortion-restrictive states from obtaining reproductive care medical records to prosecute patients and physicians.

Protecting Privacy of Pregnant and LGBTQ+ Research Participants.

This Viewpoint summarizes existing federal regulations aimed at protecting research data, describes the challenges of enforcing these regulations, and discusses how evolving privacy technologies could be used to reduce health disparities and advance health equity among pregnant and LGBTQ+ research participants.

Data protection, data management, and data sharing: Stakeholder perspectives on the protection of personal health information in South Africa.

The Protection of Personal Information Act (POPIA) 2013 came into force in South Africa on 1 July 2020. It seeks to strengthen the processing of personal information, including health information. While POPIA is to be welcomed, there are concerns about the impact it will have on the processing of health information. To ensure that the National Health Laboratory Service [NHLS] is compliant with these new strict processing requirements and that compliance does not negatively impact upon its current screening, treatment, surveillance and research mandate, it was decided to consider the development of a NHLS POPIA Code of Conduct for Personal Health. As part of the process of developing such a Code and better understand the challenges faced in the processing of personal health information in South Africa, 19 semi-structured interviews with stakeholders were conducted between June and September 2020. Overall, respondents welcomed the introduction of POPIA. However, they felt that there are tensions between the strengthening of data protection and the use of personal information for individual patient care, treatment programmes, and research. Respondents reported a need to rethink the management of personal health information in South Africa and identified 5 issues needing to be addressed at a national and an institutional level: an understanding of the importance of personal information; an understanding of POPIA and data protection; improve data quality; improve transparency in data use; and improve accountability in data use. The application of POPIA to the processing of personal health information is challenging, complex, and likely costly. However, personal health information must be appropriately managed to ensure the privacy of the data subject is protected, but equally that it is used as a resource in the individual's and wider public interest.

To What Extent Does the EU General Data Protection Regulation (GDPR) Apply to Citizen Scientist-Led Health Research with Mobile Devices?

In this article, we consider the possible application of the European General Data Protection Regulation (GDPR) to "citizen scientist"-led health research with mobile devices. We argue that the GDPR likely does cover this activity, depending on the specific context and the territorial scope. Remaining open questions that result from our analysis lead us to call for lex specialis that would provide greater clarity and certainty regarding the processing of health data by for research purposes, including these non-traditional researchers.

Hacking HIPAA: "Best Practices" for Avoiding Oversight in the Sale of Your Identifiable Medical Information.

In light of the confusion invited by applying the label "de-identified" to information that can be used to identify patients, it is paramount that regulators, compliance professionals, patient advocates and the general public understand the significant differences between the standards applied by HIPAA and those applied by permissive "de-identification guidelines." This Article discusses those differences in detail. The discussion proceeds in four Parts. Part II (HIPAA's Heartbeat: Why HIPAA Protects Identifiable Patient Information) examines Congress's motivations for defining individually identifiable health information broadly, which included to stop the harms patients endured prior to 1996 arising from the commercial sale of their medical records. Part III (Taking the "I" Out of Identifiable Information: HIPAA's Requirements for De-Identified Health Information) discusses HIPAA's requirements for de-identification that were never intended to create a loophole for identifiable patient information to escape HIPAA's protections. Part IV (Anatomy of a Hack: Methods for Labeling Identifiable information "De-Identified") examines the goals, methods, and results of permissive "de-identification guidelines" and compares them to HIPAA's requirements. Part V (Protecting Un-Protected Health Information) evaluates the suitability of permissive "de-identification guidelines," concluding that the vulnerabilities inherent in their current articulation render them ineffective as a data protection standard. It also discusses ways in which compliance professionals, regulators, and advocates can foster accountability and transparency in the utilization of health information that can be used to identify patients.

No exchange, same pain, no gain: Risk-reward of wearable healthcare disclosure of health personally identifiable information for enhanced pain treatment.

Wearable technologies have created fascinating opportunities for patients to treat chronic pain in a discreet, mobile fashion. However, many of these health wearables require patients to disclose sensitive information, including health information (e.g., heart rate, glucose levels) and personal information (location, email, name, etc.). Individuals using wearables for treatment of chronic pain may sacrifice social health elements, including their privacy, in exchange for better physical and mental health. Utilizing communication privacy management, a popular disclosure theory, this article explores the policy and ethical ramifications of patients disclosing sensitive health information in exchange for better health treatment and relief of chronic pain. The article identifies scenarios where a user must disclose information, and what factors motivate or dissuade disclosure, and ultimately the use of a health wearable. Practical implications of this conceptual article include an improved understanding of how and why consumers may disclose personal data to health wearables, and potential impacts for public policy and ethics regarding how wearables and their manufacturers entice disclosure of private health information.

Observational health research in Europe: understanding the General Data Protection Regulation and underlying debate.

Insights into the incidence and survival of cancer, the influence of lifestyle and environmental factors and the interaction of treatment regimens with outcomes are hugely dependent on observational research, patient data derived from the healthcare system and from volunteers participating in cohort studies, often non-selective. Since 25th May 2018, the European General Data Protection Regulation (GDPR) applies to such data. The GDPR focusses on more individual control for data subjects of 'their' data. Yet, the GDPR was preceded by a long debate. The research community participated actively in that debate, and as a result, the GDPR has research exemptions as well. Some of those apply directly; other exemptions need to be implemented into national law. Those exemptions will be discussed together with a general outline of the GDPR. I propose a substantive definition of research-absent in the GDPR-which can warrant its special status in the GDPR. The debate is not over yet. Most legal texts exhibit ambiguity and are interpreted against a background of values. In this case, those could be subsumed under informational self-determination versus solidarity and the deeper meaning of autonomy. Values will also guide national implementation and their interpretation. The value of individual control or informational self-determination should be balanced by nuanced visions about our mutual dependency in healthcare, as an ever-learning system, especially in the European solidarity-based healthcare systems. Good research governance might be a way forward to escape the consent or anonymise dichotomy.

United Kingdom: transfers of genomic data to third countries.

In the United Kingdom (UK), transfer of genomic data to third countries is regulated by data protection legislation. This is a composite of domestic and European Union (EU) law, with EU law to be adopted as domestic law when Brexit takes place. In this paper we consider the content of data protection legislation and the likely impact of Brexit on transfers of genomic data from the UK to other countries. We examine the advice by regulators not to rely upon consent as a lawful basis for processing under data protection law, at least not when personal data are used for research purposes, and consider some of the other ways in which the research context can qualify an individual's ability to exercise control over processing operations. We explain how the process of pseudonymization is to be understood in the context of transfer of genomic data to third parties, as well as how adequacy of data protection in a third country is to be determined in general terms. We conclude with reflections on the future direction of UK data protection law post Brexit with the reclassification of the UK itself as a third country.

United States: law and policy concerning transfer of genomic data to third countries.

This paper provides an overview of US laws and related guidance documents affecting transfer of genomic data to third countries, addressing the domains of consent, privacy, security, compatible processing/adequacy, and oversight. In general, US laws governing research and disclosure and use of data generated within the health care system do not impose different requirements on transfers to researchers and service providers based in third countries compared with US-based researchers or service providers. Of note, the US lacks a comprehensive data protection regime. Data protections are piecemeal, spread across bodies of law that target specific kinds of research or data generated or held by specific kinds of actors involved in the delivery of health care. Oversight is also distributed across a range of bodies, including institutional review boards and data access committees. The conclusion to this paper examines future directions in US law and policy, including proposals for more comprehensive protections for personal data.

China: concurring regulation of cross-border genomic data sharing for statist control and individual protection.

This paper reviews the major legal instruments and self-regulations that bear heavily on the cross-border sharing of genomic data in China. It first maps out three overlapping frameworks on genomic data and analyzes their underpinning policy goals. Subsequent sections examine the regulatory approaches with respect to five aspects of responsible use and sharing of genomic data, namely, consent, privacy, security, compatible processing, and oversight. It argues that substantial centralised control exerted by the state is, and would probably remain, the dominant feature of genomic data governance in China, though concerns of individual protection are gaining momentum. Rather than revolving around a simplistic antinomy between privacy preservation and open science, the regulatory landscape is mainly shaped by the tension between government desires for national security, state competitiveness, and public health benefits.

Canada: will privacy rules continue to favour open science?

Canada's regulatory frameworks governing privacy and research are generally permissive of genomic data sharing, though they may soon be tightened in response to public concerns over commercial data handling practices and the strengthening of influential European privacy laws. Regulation can seem complex and uncertain, in part because of the constitutional division of power between federal and provincial governments over both privacy and health care. Broad consent is commonly practiced in genomic research, but without explicit regulatory recognition, it is often scrutinized by research or privacy oversight bodies. Secondary use of health-care data is legally permissible under limited circumstances. A new federal law prohibits genetic discrimination, but is subject to a constitutional challenge. Privacy laws require security safeguards proportionate to the data sensitivity, including breach notification. Special categories of data are not defined a priori. With some exceptions, Canadian researchers are permitted to share personal information internationally but are held accountable for safeguarding the privacy and security of these data. Cloud computing to store and share large scale data sets is permitted, if shared responsibilities for access, responsible use, and security are carefully articulated. For the moment, Canada's commercial sector is recognized as "adequate" by Europe, facilitating import of European data. Maintaining adequacy status under the new European General Data Protection Regulation (GDPR) is a concern because of Canada's weaker individual rights, privacy protections, and regulatory enforcement. Researchers must stay attuned to shifting international and national regulations to ensure a sustainable future for responsible genomic data sharing.

Personally Identifiable Information in State Laws: Use, Release, and Collaboration at Health Departments.

Despite benefits to sharing data among public health programs, confidentiality laws are often presumed to obstruct collaboration or data sharing. We present an overview of the use and release of confidential, personally identifiable information as consistent with public health interests and identify opportunities to align data-sharing procedures with use and release provisions in state laws to improve program outcomes. In August 2013, Centers for Disease Control and Prevention staff and legal researchers from the National Nurse-Led Care Consortium conducted a review of state laws regulating state and local health departments in 50 states and the District of Columbia. Nearly all states and the District of Columbia employ provisions for the general use and release of personally identifiable information without patient consent; disease-specific use or release provisions vary by state. Absence of law regarding use and release provisions was noted. Health departments should assess existing state laws to determine whether the use or release of personally identifiable information is permitted. Absence of direction should not prevent data sharing but prompt an analysis of existing provisions in confidentiality laws.