HHS Public Access Author manuscript Author Manuscript
Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13. Published in final edited form as: Harvard Health Policy Rev. 2015 ; 14(2): 18–21.
Leaping the Data Chasm: Structuring Donation of Clinical Data for Healthcare Innovation and Modeling Patrick L. Taylor, JD and Kenneth D. Mandl, MD, MPH
Author Manuscript
Many innovators transforming healthcare are not the usual suspects, academic researchers deriving generalizable knowledge from patient data. Instead, they are problem-solvers like software designers developing novel algorithms to connect medical science with patientspecific variation. Often, they lack data. To them, data would reveal methodical solutions for idiosyncratic but recurrent missteps in the intricate dance among patients, biomedical science and clinical delivery. Comprehensive, data-driven testing is essential prophylaxis against unanticipated disasters that manufactured datasets would not reliably include. While simulation methods are finding a role in evidence synthesis,1,2 and payer claims data are suggestive but all-too-limited by overriding financial rationales, genuine, comprehensive and accurate primary provider data are necessary for innovators to distinguish reality from projections, truth from fiction. Modeling innovations’ performance with real clinical data reveals latent flaws and perturbing interactions in both clinical care and IT “improvements” before catastrophe.
Author Manuscript Author Manuscript
We propose a framework for voluntary data donation to capacitate systems innovation because every alternative means of access created by regulations is dysfunctional or problematic. The problem is not technological; both Federal regulations mandating the “meaningful use” of electronic health records (EHRs), and other initiatives,3 promise patients technical control over e-record copies. Incomplete policy imagination forestalled the legal architecture required to enable donative transactions. In designing the plumbing at the House of HIPAA, the plumbers forgot to install a pipe for innovation. No one asked: how will clinical data become accessible to innovators who are not doctors doing medical research, public health specialists, or clinicians doing quality improvement? The absence of a structured answer causes two problems: (1) how do we legally provide for data donation, and (2) in the absence of mutual acquaintance and a rulebook for mutual expectations, how do we increase the chances that total strangers – innovators, patients and providers – will come together and reach a reasonable deal when there is no money or market to motivate their action. The new pipe we create must be leak-proof and credible to the householders. We motivate our proposal with a canonical use case -“apps” that use and create EHR data. We have encountered barriers to providing patient data to app developers first hand in advancing SMART Platforms (www.smarthealthit.org), a program4 funded by health and human services under ARRA, to equip innovators to rapidly create substitutable “apps” for electronic health data.5 SMART provides interfaces that jump both strategic and inadvertent barriers to progress embedded in EHR vendor products; for example, long-delayed apps for pediatric specialists 6 and synergized genomic medicine,7 were implemented within weeks. The development of health apps that do not rely on health system data is already burgeoning
Taylor and Mandl
Page 2
Author Manuscript
- with over 30,000 health apps in the iTunes and Google Play stores, it is clear that this is one of the fastest growth areas for innovation and will ultimately have a large impact on health.
The Unsatisfactory Status Quo Patient data are confidential, requiring patient authorization for providers to disclose personal health information to innovators, unless app development meets one of the Health Insurance Portability and Accountability Act’s (HIPAA) special exceptions. Pertinent here are de-identification, limited data use agreements, quality assurance, and treating data donation for app testing as research. (Waiver of authorization would require the unsustainable finding that obtaining an authorization would be impossible.)
Author Manuscript
“De-identified” personal health data may be disclosed without patient authorization, but reidentification is plausible, turning disclosure into a HIPAA violation. Our challenge.gov contest8 involved developers receiving de-identified data on 30 patients. Preparation was manual and painstaking. Under a data donation program, re-identifiability by the sufficiently determined is virtually guaranteed by the details and breadth of data. Genomic data, inherently identifying, further entangle data release.9 Meanwhile, complete de-identification will impede development and satisfactory testing and validation of apps exploiting deleted data, such as admission dates pertinent to length of stay, and precision zip-codes pertinent to local disease outbreak surveillance. Both are pertinent, for example, to hospital-acquiredconditions.
Author Manuscript
Because their de-identification is partial, these problems afflict limited data use agreements in varying degrees. Moreover, app development is not a permitted purpose for such agreements. App development is not typically, itself, public health oversight, research or healthcare operations to assure quality – although we may expect transformative apps in those areas.
Author Manuscript
For quality assurance, a provider may use identifiable patient information internally and can disclose identifiable patient information to another covered entity if both have a relationship with the patient and the disclosure is pertinent to that relationship.”10 Modeling a method, whether it is a checklist or an app, is not explicitly within the definition of health care operations; even if it were, modeling could examine only patients common to both systems, and the developer would have to be a covered entity. In our challenge.gov contest, none of the apps8 submitted was from a covered entity; all came from software developers eager to jump in to the field, but lacking more than a small sample of real patient data to test their applications’ likely safety and effectiveness. Finally, one might imagine treating developers as researchers, and development as research, particularly since Food and Drug Administration (FDA) approval of devices involves clinical investigations, and researchers regularly solicit consented data donation to their studies. But debugging apps is not the search for generalizable knowledge. Nor do developers face the conflict between seeking knowledge and providing care that underlies research ethics and Institutional Review Board (IRB) review11 Apps require specialized algorithmic review, modeling, performance optimization, and compliance with HIPAA Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13.
Taylor and Mandl
Page 3
Author Manuscript
security standards. They may require technical detection of malign functions. These are not IRBs’ expertise. Clinical investigations are not the natural method one would choose to perform them, and fundamental research ethical concepts, like equipoise, are inapt. Rarely will a developer have a medical or hospital appointment, or qualifications to do research; without these it is doubtful that any provider would let them, as strangers, do research on their patients. There is no legal marketplace for comprehensive, provider-originated patient medical records; as the composite and fiduciary creation of many people, with expectations of confidentiality varyingly defined by state and federal statutes finely protecting conditionspecific sensitivities, the ethical and legal challenges to even just the warranted “title,” fungibility and compensated alienability required for a market are enormous.
Author Manuscript
That leaves only voluntary donation. HHS’s “Blue Button” program3 empowers patients to download their EHR data and HIPAA amendments permit patients to direct these records to others – an easy mechanism for donations. But in contrast to charitable financial donations where template legal arrangements abound, data donation faces a vacuum. We believe that, if conditions were reasonably structured and well-known, both “information altruists”12 and disease-specific, self-assembling patient groups will donate data to speed social and direct benefit through innovation and research.13–17 The government could incent donation with deductions and credits without embracing the stark commoditization of market sales.
Author Manuscript
HIPAA authorizations, the current transfer instrument, are under-regulated despite obvious risks. Regulations fail to ensure transaction integrity. A patient signature on a minimally explanatory template yields naked disclosure, without boundaries on risks, and without recourse if developers misuse data or disclose it to embarrass. An authorization, if competently executed, is in force, without regard to whether issues are present that would have prevented a comparable research use, and without regard to whether the data recipient has an iota of privacy or data confidentiality protection.
Author Manuscript
As a regulatory solution to govern the relations of three parties – the patient, the provider and the entity disclosed to – authorizations fail completely because they do not address the behavior of the entity disclosed to. It can wheedle, misrepresent, coerce or hypnotize; and there is no HIPAA violation. HIPAA offers no answers to obvious donor questions: how to verify the data-seeker’s purposes and qualifications; how will data be protected from hackers; is there a de-identified option; this authorization form says that HIPAA will not protect my privacy once data are disclosed – so what will prevent this entity from misusing my data; the entity that wants my data isn’t even a party to this authorization – do I need a contract with the entity and if so what would it look like and can I get a free form online? Answers to such questions are critical to public trust. In our view, donation for innovation modeling, presented fully below, is distinct from the only extant model for data donation we are aware of, the open consent model for genomic research,18 in three ways: 1.
nature, purposes, methods and review;
2.
we address the exclusion of innovators external to academic medicine from relying on research infrastructure to address barriers to contribution, e.g. qualifications; and
Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13.
Taylor and Mandl
Page 4
3.
Author Manuscript
our conviction that the problems open consent models do not address, structurally assuring that social benefits and non-self-dealing reciprocate donor altruism despite the ultimate exploitation of discoveries by commercial entities for profit, are essential to identify and resolve to a public that made Henrietta Lacks’ story a continued best-seller, and two professions, medicine and law, that must keep awareness and prevention of conflicts of interest front and center in their endeavors.
No “Second Best” for Innovation: a Proposal for Ethical Solicitation and Responsible Use
Author Manuscript
We propose nesting donation in a voluntary process designed to make donation accessible, safe and effective. We avoid proliferating new standards by importing selected, workable, participant-protective elements whose familiarity confirms plausible implementation. The model is not tied to apps, but generalizable to uncompensated patient data donations for health systems innovation and modeling involving innovators outside organized medicine. 1. Go Beyond a HIPAA Authorization: Build Sound Internal Review and Import Standards
Author Manuscript
Research requires attention to consent and independent review HIPAA does not; an authorization suffices. The difference is philosophically significant. For research, consent implements respect for autonomy; review reflects that beneficence is not reducible to choice - consent can be mistaken or flawed, and promises of benefit, warnings about risks, and their relative significance require confirmation by disinterested experts and community members. Protocol complexity and the researcher’s conflict of interest (between care and knowledge) are inadequately addressed by consent: an incomprehensible consent form and a care relationship exploited may both endanger consent’s power to guard against overreaching. IRBs scrutinize recruitment and evaluate study risks in part because an executed consent form, rather than documenting consent, may reflect successful manipulation and radical misunderstanding. Not so under HIPAA: Consent need not be cognitively assessed and the template form, if executed, is definitive. Consistently, HIPAA prescribes a process to revoke an authorization, but no process is offered or prescribed to assert an authorization’s invalidity.
Author Manuscript
For many privacy issues, the difference between research and privacy regulations may reflect the relative transparency and comprehensibility of privacy issues compared to clinical research, and the alignment of patient interests and patient authorization Here, the patients will be asked, perhaps by their own provider, to act potentially against their interests, without direct benefit to themselves, but apparent benefit to commercial third-parties; and the risks depend on mitigation steps unknown to the patient and not under their control. We see only two options: (1) the Office of Civil Rights, and professional associations, prepare model agreements for various donative purposes that address anticipatable issues with mutual fairness; or (2) Independent review ensures that risks are minimized, donor purpose is achieved, there is no donee self-dealing, and the primary benefit of the donors’ altruism, from equipping commercial parties to undertake modeling otherwise avoided, is public. That
Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13.
Taylor and Mandl
Page 5
Author Manuscript
review should include appropriate experts in privacy and security systems and standards, and consults with clinicians who can assess app utility.
Author Manuscript Author Manuscript
Other gaps in HIPAA are addressed as follows: (a) solicitation of donors should meet research standards for recruiting research participants, protecting donors according to familiar institutional practice; (b) Authorizations should be very specific. For example, “disclosure directly to qualified med app developers to confirm safety and efficacy of their developed app, and retest, subject to reporting back their results, and no other use or disclosure to others except secure retention and disclosure of the data for purposes only of independent validation by government or accrediting bodies”. The authorization should precisely describe the data donated, whether or not it has been scrubbed of errors and the opportunity, if any, the donor has had to review the data. We cannot avoid sensitive data without ruling out apps addressing their care, but disclosure of such data should meet high standards. (c) Independent review of the authorization, the developer written application, and the overall plan. (d) Developers must contractually agree with the donor to obligations like business associates, including purpose limitations, the privacy and security standards the developer implements, an obligation to report and cooperate in the mitigation of breaches and misuses, destruction of the data at end or secure preservation if required by law, prohibitions on secondary uses and redistribution, and extension of the obligations to any subcontractors,. The agreements should also include consent to the regulatory jurisdiction of the federal Office of Civil Rights, and basic indemnification and insurance terms common for independent contracts. (e) Developers must have, in force, business insurance covering privacy and security breaches. While insurance was difficult to obtain in 2001, it is now common, inexpensive, and easily obtainable by solo developers. Requiring it meets the twofold need for some on-site personal assessment of developers’ bona fides, and creating a remedy for injured donees. This model guarantees a financial remedy for donors, which HIPAA omits and research permits but still fails to require. 2. Create a Nonprofit, Mission-oriented Intermediary focused on Procuring and Administering Data Donations, Evolving with Market and Regulatory Developments, and Exploring Stewarded and Other Approaches to Reducing Donor Risk
Author Manuscript
Here we borrow from the laws governing the organization, operating standards and oversight of charities and organ procurement organizations to create a focused organization for which this is not a potentially neglected distraction outside its core provider competencies. Donee entities should be organized as nonprofit, federally tax-exempt organizations that primarily promote health care improvement. This will require a federally approved application for exemption that discloses ownership, control, and plans (including community membership and benefit) and commits them to values, oversight and processes that preclude self-dealing, private benefit, excessive salaries and profiteering. Net revenue must be spent on the charitable purpose. These entities should be separate from both the end-user of data and providers, to prevent end-users from skewing the solicitation process. Independence provides the basis for programs to encourage donation; annual reports back to donor alumni; and ongoing attention to market changes, risk management, technology and regulations. Donee organizations
Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13.
Taylor and Mandl
Page 6
Author Manuscript
should explore related services, including stewarded inquiry models that reduce donor risk through staff services, conducted on data available only to the intermediary, minimizing donor privacy risks and potential selection biases while contributing to the organization’s self-support.19 3. Instead of Relying Solely on a HIPAA Authorization, Reinforce Donee and Developer Obligations to Donors and Providers through Uniform Revocable, Conditional, Data Use Licenses
Author Manuscript
To preempt claims of ownership against patients by donees or developers, respect donors, and add legal strength to enforce parameters for use and disclosure, we would treat donors, in this context, as the quitclaim co-owners of their data, interpret donation as nonexclusive licensing-in to the donee nonprofit, and disclosure out to users, such as app developers, as nonexclusive licensing out subject to rigorous terms and conditions, breach of which would result in automatic revocation of their license, and the donor’s authorization with respect to them. 4. Convene an International Working Group to Work towards a Consensus International Framework on Privacy, analogous to the Declaration of Helsinki in Research
Author Manuscript
A significant limitation of our analysis is that it involves only HIPAA, and privacy and security interests under U.S. law. An analysis of other countries’ laws would be enormous work of questionable reliability, since with laws, interpretation, enforcement and effect involve more than the smooth surfaces of printed pages, and there is no unifying set of international principles to depend on. What is required for data donation to be internationally encouraged and protected is less a government-to-government protocol than an influential consensus framework analogous to the Declaration of Helsinki, protective of patient privacy while equally respectful of the safe progress on which patient welfare depends.
Conclusion
Author Manuscript
The proposed model enables data donation through creating enough of a “pipe” for informed donors to simply turn on the tap and say yes; they need not recreate the plumbing from scratch and secure design consensus anew for each donation. It is serviceable for a range of health system innovations, exposing the bad, and illuminating the safe and socially compelling. The design parsimoniously relies primarily on familiar research standards, HIPAA business associate obligations, and charitable organizational and operating standards with demonstrated practicality and utility. Donor remedies and developer scrutiny are enhanced by requiring developers to be insurable and maintain breach insurance. Not-forprofit intermediaries could help avoid profiteering, and ground further progress in reducing donor risks and strengthening altruistic reciprocity.
Acknowledgments This work was funded by the Strategic Health IT Advanced Research Projects Award 90TR000101 from the Office of the National Coordinator of Health Information Technology and by NIH National Institute of General Medical Sciences grant R01GM104303.
Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13.
Taylor and Mandl
Page 7
Author Manuscript
References
Author Manuscript Author Manuscript Author Manuscript
1. Fusaro VA, Patil P, Chi CL, Contant CF, Tonellato PJ. A systems approach to designing effective clinical trials using simulations. Circulation. Jan 29; 2013 127(4):517–526. [PubMed: 23261867] 2. Harnisch L, Shepard T, Pons G, Della Pasqua O. Modeling and simulation as a tool to bridge efficacy and safety data in special populations. CPT Pharmacometrics Syst Pharmacol. 2013; 2:e28. [PubMed: 23835939] 3. Conn J. Mobile push: Blue Button focus of government IT strategy. Mod Healthc. May 28.2012 42(22):10. 4. Office of the National Coordinator for Health Information Technology. [accessed February 10, 2015] Strategic Health IT Advanced Research Projects (SHARP) Program. http://www.healthit.gov/ policy-researchers-implementers/strategic-health-it-advanced-research-projects-sharp/ 5. Mandl KD, Kohane IS. No small change for the health information economy. N Engl J Med. Mar 26; 2009 360(13):1278–1281. [PubMed: 19321867] 6. SMART BP Centiles. [accessed February 10, 2015] http://www.SMARTPlatforms.orghttp:// smartplatforms.org/smart-app-gallery/bp-centiles/ 7. SMART Genomics Advisor. [accessed February 10, 2015] http://www.SMARTPlatforms.orghttp:// smartplatforms.org/smart-app-gallery/genomics-advisor/ 8. Chopra, A. [accessed February 10, 2015] SMArt Prize for Patients, Physicians, and Researchers. http://www.white-house.gov/blog/2011/03/10/smart-prize-patients-physicians-and-researchers 9. Gymrek M, McGuire AL, Golan D, Halperin E, Erlich Y. Identifying personal genomes by surname inference. Science. Jan 18; 2013 339(6117):321–324. [PubMed: 23329047] 10. Department of Health and Human Services. 45 CFR §164.501 (Definitions) and 164.506. US. Government Printing Office; 2002. Uses and disclosures to carry out treatment, payment, or health care operations. 11. Taylor PL. Overseeing innovative therapy without mistaking it for research: a function-based model based on old truths, new capacities, and lessons from stem cells. The Journal of law, medicine & ethics : a journal of the American Society of Law, Medicine & Ethics Summer. 2010; 38(2):286–302. 12. Kohane IS, Altman RB. Health-information altruists--a potentially critical resource. N Engl J Med. Nov 10; 2005 353(19):2074–2077. [PubMed: 16282184] 13. Mandl KD, Kohane IS. Tectonic shifts in the health information economy. N Engl J Med. Apr 17; 2008 358(16):1732–1737. [PubMed: 18420506] 14. Zulman DM, Nazi KM, Turvey CL, Wagner TH, Woods SS, An LC. Patient interest in sharing personal health record information: A web-based survey. Ann Intern Med. Dec 20; 2011 155(12): 805–810. [PubMed: 22184687] 15. Weitzman ER, Adida B, Kelemen S, Mandl KD. Sharing data for public health research by members of an international online diabetes social network. PLoS One. 2011; 6(4):el9256. 16. Frost JH, Massagli MP. Social uses of personal health information within PatientsLikeMe, an online patient community: what can happen when patients have access to one another’s data. Journal of medical Internet research. 2008; 10(3):e15. [PubMed: 18504244] 17. Wicks P, Vaughan TE, Massagli MP, Heywood J. Accelerated clinical discovery using selfreported patient data collected online and a patient-matching algorithm. Nat Biotechnol May. 2011; 29(5):411–414. 18. Ball MP, Thakuria JV, Zaranek AW, et al. A public resource facilitating clinical use of genomes. Proc Natl Acad Sci U S A. Jul 24; 2012 109(30):11920–11927. [PubMed: 22797899] 19. Taylor P. When consent gets in the way. Nature. Nov 6; 2008 456(6):32–33. [PubMed: 18987719]
Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13.
Taylor and Mandl
Page 8
Author Manuscript
Biographies
Author Manuscript
The academic work of Patrick L. Taylor (Assistant Clinical Professor, HMS, Affiliate Faculty, Petrie-Flom Center at HLS) focuses on emerging issues in science and medicine where law and science poorly intersect. His policy contributions concerning bioethics, stem cells, conflicts of interest, privacy, and genomics have been recognized nationally and internationally.
Author Manuscript
Dr. Kenneth Mandl (Twitter: @mandl) is Professor at Harvard Medical School and the Boston Children’s Hospital Chair in Biomedical Informatics and Population Health. Through scholarship intersecting epidemiology and informatics, Mandl pioneered use of IT and big data for population health, discovery, patient engagement and care redesign.
Author Manuscript Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13.
Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13. Published in final edited form as: Harvard Health Policy Rev. 2015 ; 14(2): 18–21.
Leaping the Data Chasm: Structuring Donation of Clinical Data for Healthcare Innovation and Modeling Patrick L. Taylor, JD and Kenneth D. Mandl, MD, MPH
Author Manuscript
Many innovators transforming healthcare are not the usual suspects, academic researchers deriving generalizable knowledge from patient data. Instead, they are problem-solvers like software designers developing novel algorithms to connect medical science with patientspecific variation. Often, they lack data. To them, data would reveal methodical solutions for idiosyncratic but recurrent missteps in the intricate dance among patients, biomedical science and clinical delivery. Comprehensive, data-driven testing is essential prophylaxis against unanticipated disasters that manufactured datasets would not reliably include. While simulation methods are finding a role in evidence synthesis,1,2 and payer claims data are suggestive but all-too-limited by overriding financial rationales, genuine, comprehensive and accurate primary provider data are necessary for innovators to distinguish reality from projections, truth from fiction. Modeling innovations’ performance with real clinical data reveals latent flaws and perturbing interactions in both clinical care and IT “improvements” before catastrophe.
Author Manuscript Author Manuscript
We propose a framework for voluntary data donation to capacitate systems innovation because every alternative means of access created by regulations is dysfunctional or problematic. The problem is not technological; both Federal regulations mandating the “meaningful use” of electronic health records (EHRs), and other initiatives,3 promise patients technical control over e-record copies. Incomplete policy imagination forestalled the legal architecture required to enable donative transactions. In designing the plumbing at the House of HIPAA, the plumbers forgot to install a pipe for innovation. No one asked: how will clinical data become accessible to innovators who are not doctors doing medical research, public health specialists, or clinicians doing quality improvement? The absence of a structured answer causes two problems: (1) how do we legally provide for data donation, and (2) in the absence of mutual acquaintance and a rulebook for mutual expectations, how do we increase the chances that total strangers – innovators, patients and providers – will come together and reach a reasonable deal when there is no money or market to motivate their action. The new pipe we create must be leak-proof and credible to the householders. We motivate our proposal with a canonical use case -“apps” that use and create EHR data. We have encountered barriers to providing patient data to app developers first hand in advancing SMART Platforms (www.smarthealthit.org), a program4 funded by health and human services under ARRA, to equip innovators to rapidly create substitutable “apps” for electronic health data.5 SMART provides interfaces that jump both strategic and inadvertent barriers to progress embedded in EHR vendor products; for example, long-delayed apps for pediatric specialists 6 and synergized genomic medicine,7 were implemented within weeks. The development of health apps that do not rely on health system data is already burgeoning
Taylor and Mandl
Page 2
Author Manuscript
- with over 30,000 health apps in the iTunes and Google Play stores, it is clear that this is one of the fastest growth areas for innovation and will ultimately have a large impact on health.
The Unsatisfactory Status Quo Patient data are confidential, requiring patient authorization for providers to disclose personal health information to innovators, unless app development meets one of the Health Insurance Portability and Accountability Act’s (HIPAA) special exceptions. Pertinent here are de-identification, limited data use agreements, quality assurance, and treating data donation for app testing as research. (Waiver of authorization would require the unsustainable finding that obtaining an authorization would be impossible.)
Author Manuscript
“De-identified” personal health data may be disclosed without patient authorization, but reidentification is plausible, turning disclosure into a HIPAA violation. Our challenge.gov contest8 involved developers receiving de-identified data on 30 patients. Preparation was manual and painstaking. Under a data donation program, re-identifiability by the sufficiently determined is virtually guaranteed by the details and breadth of data. Genomic data, inherently identifying, further entangle data release.9 Meanwhile, complete de-identification will impede development and satisfactory testing and validation of apps exploiting deleted data, such as admission dates pertinent to length of stay, and precision zip-codes pertinent to local disease outbreak surveillance. Both are pertinent, for example, to hospital-acquiredconditions.
Author Manuscript
Because their de-identification is partial, these problems afflict limited data use agreements in varying degrees. Moreover, app development is not a permitted purpose for such agreements. App development is not typically, itself, public health oversight, research or healthcare operations to assure quality – although we may expect transformative apps in those areas.
Author Manuscript
For quality assurance, a provider may use identifiable patient information internally and can disclose identifiable patient information to another covered entity if both have a relationship with the patient and the disclosure is pertinent to that relationship.”10 Modeling a method, whether it is a checklist or an app, is not explicitly within the definition of health care operations; even if it were, modeling could examine only patients common to both systems, and the developer would have to be a covered entity. In our challenge.gov contest, none of the apps8 submitted was from a covered entity; all came from software developers eager to jump in to the field, but lacking more than a small sample of real patient data to test their applications’ likely safety and effectiveness. Finally, one might imagine treating developers as researchers, and development as research, particularly since Food and Drug Administration (FDA) approval of devices involves clinical investigations, and researchers regularly solicit consented data donation to their studies. But debugging apps is not the search for generalizable knowledge. Nor do developers face the conflict between seeking knowledge and providing care that underlies research ethics and Institutional Review Board (IRB) review11 Apps require specialized algorithmic review, modeling, performance optimization, and compliance with HIPAA Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13.
Taylor and Mandl
Page 3
Author Manuscript
security standards. They may require technical detection of malign functions. These are not IRBs’ expertise. Clinical investigations are not the natural method one would choose to perform them, and fundamental research ethical concepts, like equipoise, are inapt. Rarely will a developer have a medical or hospital appointment, or qualifications to do research; without these it is doubtful that any provider would let them, as strangers, do research on their patients. There is no legal marketplace for comprehensive, provider-originated patient medical records; as the composite and fiduciary creation of many people, with expectations of confidentiality varyingly defined by state and federal statutes finely protecting conditionspecific sensitivities, the ethical and legal challenges to even just the warranted “title,” fungibility and compensated alienability required for a market are enormous.
Author Manuscript
That leaves only voluntary donation. HHS’s “Blue Button” program3 empowers patients to download their EHR data and HIPAA amendments permit patients to direct these records to others – an easy mechanism for donations. But in contrast to charitable financial donations where template legal arrangements abound, data donation faces a vacuum. We believe that, if conditions were reasonably structured and well-known, both “information altruists”12 and disease-specific, self-assembling patient groups will donate data to speed social and direct benefit through innovation and research.13–17 The government could incent donation with deductions and credits without embracing the stark commoditization of market sales.
Author Manuscript
HIPAA authorizations, the current transfer instrument, are under-regulated despite obvious risks. Regulations fail to ensure transaction integrity. A patient signature on a minimally explanatory template yields naked disclosure, without boundaries on risks, and without recourse if developers misuse data or disclose it to embarrass. An authorization, if competently executed, is in force, without regard to whether issues are present that would have prevented a comparable research use, and without regard to whether the data recipient has an iota of privacy or data confidentiality protection.
Author Manuscript
As a regulatory solution to govern the relations of three parties – the patient, the provider and the entity disclosed to – authorizations fail completely because they do not address the behavior of the entity disclosed to. It can wheedle, misrepresent, coerce or hypnotize; and there is no HIPAA violation. HIPAA offers no answers to obvious donor questions: how to verify the data-seeker’s purposes and qualifications; how will data be protected from hackers; is there a de-identified option; this authorization form says that HIPAA will not protect my privacy once data are disclosed – so what will prevent this entity from misusing my data; the entity that wants my data isn’t even a party to this authorization – do I need a contract with the entity and if so what would it look like and can I get a free form online? Answers to such questions are critical to public trust. In our view, donation for innovation modeling, presented fully below, is distinct from the only extant model for data donation we are aware of, the open consent model for genomic research,18 in three ways: 1.
nature, purposes, methods and review;
2.
we address the exclusion of innovators external to academic medicine from relying on research infrastructure to address barriers to contribution, e.g. qualifications; and
Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13.
Taylor and Mandl
Page 4
3.
Author Manuscript
our conviction that the problems open consent models do not address, structurally assuring that social benefits and non-self-dealing reciprocate donor altruism despite the ultimate exploitation of discoveries by commercial entities for profit, are essential to identify and resolve to a public that made Henrietta Lacks’ story a continued best-seller, and two professions, medicine and law, that must keep awareness and prevention of conflicts of interest front and center in their endeavors.
No “Second Best” for Innovation: a Proposal for Ethical Solicitation and Responsible Use
Author Manuscript
We propose nesting donation in a voluntary process designed to make donation accessible, safe and effective. We avoid proliferating new standards by importing selected, workable, participant-protective elements whose familiarity confirms plausible implementation. The model is not tied to apps, but generalizable to uncompensated patient data donations for health systems innovation and modeling involving innovators outside organized medicine. 1. Go Beyond a HIPAA Authorization: Build Sound Internal Review and Import Standards
Author Manuscript
Research requires attention to consent and independent review HIPAA does not; an authorization suffices. The difference is philosophically significant. For research, consent implements respect for autonomy; review reflects that beneficence is not reducible to choice - consent can be mistaken or flawed, and promises of benefit, warnings about risks, and their relative significance require confirmation by disinterested experts and community members. Protocol complexity and the researcher’s conflict of interest (between care and knowledge) are inadequately addressed by consent: an incomprehensible consent form and a care relationship exploited may both endanger consent’s power to guard against overreaching. IRBs scrutinize recruitment and evaluate study risks in part because an executed consent form, rather than documenting consent, may reflect successful manipulation and radical misunderstanding. Not so under HIPAA: Consent need not be cognitively assessed and the template form, if executed, is definitive. Consistently, HIPAA prescribes a process to revoke an authorization, but no process is offered or prescribed to assert an authorization’s invalidity.
Author Manuscript
For many privacy issues, the difference between research and privacy regulations may reflect the relative transparency and comprehensibility of privacy issues compared to clinical research, and the alignment of patient interests and patient authorization Here, the patients will be asked, perhaps by their own provider, to act potentially against their interests, without direct benefit to themselves, but apparent benefit to commercial third-parties; and the risks depend on mitigation steps unknown to the patient and not under their control. We see only two options: (1) the Office of Civil Rights, and professional associations, prepare model agreements for various donative purposes that address anticipatable issues with mutual fairness; or (2) Independent review ensures that risks are minimized, donor purpose is achieved, there is no donee self-dealing, and the primary benefit of the donors’ altruism, from equipping commercial parties to undertake modeling otherwise avoided, is public. That
Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13.
Taylor and Mandl
Page 5
Author Manuscript
review should include appropriate experts in privacy and security systems and standards, and consults with clinicians who can assess app utility.
Author Manuscript Author Manuscript
Other gaps in HIPAA are addressed as follows: (a) solicitation of donors should meet research standards for recruiting research participants, protecting donors according to familiar institutional practice; (b) Authorizations should be very specific. For example, “disclosure directly to qualified med app developers to confirm safety and efficacy of their developed app, and retest, subject to reporting back their results, and no other use or disclosure to others except secure retention and disclosure of the data for purposes only of independent validation by government or accrediting bodies”. The authorization should precisely describe the data donated, whether or not it has been scrubbed of errors and the opportunity, if any, the donor has had to review the data. We cannot avoid sensitive data without ruling out apps addressing their care, but disclosure of such data should meet high standards. (c) Independent review of the authorization, the developer written application, and the overall plan. (d) Developers must contractually agree with the donor to obligations like business associates, including purpose limitations, the privacy and security standards the developer implements, an obligation to report and cooperate in the mitigation of breaches and misuses, destruction of the data at end or secure preservation if required by law, prohibitions on secondary uses and redistribution, and extension of the obligations to any subcontractors,. The agreements should also include consent to the regulatory jurisdiction of the federal Office of Civil Rights, and basic indemnification and insurance terms common for independent contracts. (e) Developers must have, in force, business insurance covering privacy and security breaches. While insurance was difficult to obtain in 2001, it is now common, inexpensive, and easily obtainable by solo developers. Requiring it meets the twofold need for some on-site personal assessment of developers’ bona fides, and creating a remedy for injured donees. This model guarantees a financial remedy for donors, which HIPAA omits and research permits but still fails to require. 2. Create a Nonprofit, Mission-oriented Intermediary focused on Procuring and Administering Data Donations, Evolving with Market and Regulatory Developments, and Exploring Stewarded and Other Approaches to Reducing Donor Risk
Author Manuscript
Here we borrow from the laws governing the organization, operating standards and oversight of charities and organ procurement organizations to create a focused organization for which this is not a potentially neglected distraction outside its core provider competencies. Donee entities should be organized as nonprofit, federally tax-exempt organizations that primarily promote health care improvement. This will require a federally approved application for exemption that discloses ownership, control, and plans (including community membership and benefit) and commits them to values, oversight and processes that preclude self-dealing, private benefit, excessive salaries and profiteering. Net revenue must be spent on the charitable purpose. These entities should be separate from both the end-user of data and providers, to prevent end-users from skewing the solicitation process. Independence provides the basis for programs to encourage donation; annual reports back to donor alumni; and ongoing attention to market changes, risk management, technology and regulations. Donee organizations
Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13.
Taylor and Mandl
Page 6
Author Manuscript
should explore related services, including stewarded inquiry models that reduce donor risk through staff services, conducted on data available only to the intermediary, minimizing donor privacy risks and potential selection biases while contributing to the organization’s self-support.19 3. Instead of Relying Solely on a HIPAA Authorization, Reinforce Donee and Developer Obligations to Donors and Providers through Uniform Revocable, Conditional, Data Use Licenses
Author Manuscript
To preempt claims of ownership against patients by donees or developers, respect donors, and add legal strength to enforce parameters for use and disclosure, we would treat donors, in this context, as the quitclaim co-owners of their data, interpret donation as nonexclusive licensing-in to the donee nonprofit, and disclosure out to users, such as app developers, as nonexclusive licensing out subject to rigorous terms and conditions, breach of which would result in automatic revocation of their license, and the donor’s authorization with respect to them. 4. Convene an International Working Group to Work towards a Consensus International Framework on Privacy, analogous to the Declaration of Helsinki in Research
Author Manuscript
A significant limitation of our analysis is that it involves only HIPAA, and privacy and security interests under U.S. law. An analysis of other countries’ laws would be enormous work of questionable reliability, since with laws, interpretation, enforcement and effect involve more than the smooth surfaces of printed pages, and there is no unifying set of international principles to depend on. What is required for data donation to be internationally encouraged and protected is less a government-to-government protocol than an influential consensus framework analogous to the Declaration of Helsinki, protective of patient privacy while equally respectful of the safe progress on which patient welfare depends.
Conclusion
Author Manuscript
The proposed model enables data donation through creating enough of a “pipe” for informed donors to simply turn on the tap and say yes; they need not recreate the plumbing from scratch and secure design consensus anew for each donation. It is serviceable for a range of health system innovations, exposing the bad, and illuminating the safe and socially compelling. The design parsimoniously relies primarily on familiar research standards, HIPAA business associate obligations, and charitable organizational and operating standards with demonstrated practicality and utility. Donor remedies and developer scrutiny are enhanced by requiring developers to be insurable and maintain breach insurance. Not-forprofit intermediaries could help avoid profiteering, and ground further progress in reducing donor risks and strengthening altruistic reciprocity.
Acknowledgments This work was funded by the Strategic Health IT Advanced Research Projects Award 90TR000101 from the Office of the National Coordinator of Health Information Technology and by NIH National Institute of General Medical Sciences grant R01GM104303.
Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13.
Taylor and Mandl
Page 7
Author Manuscript
References
Author Manuscript Author Manuscript Author Manuscript
1. Fusaro VA, Patil P, Chi CL, Contant CF, Tonellato PJ. A systems approach to designing effective clinical trials using simulations. Circulation. Jan 29; 2013 127(4):517–526. [PubMed: 23261867] 2. Harnisch L, Shepard T, Pons G, Della Pasqua O. Modeling and simulation as a tool to bridge efficacy and safety data in special populations. CPT Pharmacometrics Syst Pharmacol. 2013; 2:e28. [PubMed: 23835939] 3. Conn J. Mobile push: Blue Button focus of government IT strategy. Mod Healthc. May 28.2012 42(22):10. 4. Office of the National Coordinator for Health Information Technology. [accessed February 10, 2015] Strategic Health IT Advanced Research Projects (SHARP) Program. http://www.healthit.gov/ policy-researchers-implementers/strategic-health-it-advanced-research-projects-sharp/ 5. Mandl KD, Kohane IS. No small change for the health information economy. N Engl J Med. Mar 26; 2009 360(13):1278–1281. [PubMed: 19321867] 6. SMART BP Centiles. [accessed February 10, 2015] http://www.SMARTPlatforms.orghttp:// smartplatforms.org/smart-app-gallery/bp-centiles/ 7. SMART Genomics Advisor. [accessed February 10, 2015] http://www.SMARTPlatforms.orghttp:// smartplatforms.org/smart-app-gallery/genomics-advisor/ 8. Chopra, A. [accessed February 10, 2015] SMArt Prize for Patients, Physicians, and Researchers. http://www.white-house.gov/blog/2011/03/10/smart-prize-patients-physicians-and-researchers 9. Gymrek M, McGuire AL, Golan D, Halperin E, Erlich Y. Identifying personal genomes by surname inference. Science. Jan 18; 2013 339(6117):321–324. [PubMed: 23329047] 10. Department of Health and Human Services. 45 CFR §164.501 (Definitions) and 164.506. US. Government Printing Office; 2002. Uses and disclosures to carry out treatment, payment, or health care operations. 11. Taylor PL. Overseeing innovative therapy without mistaking it for research: a function-based model based on old truths, new capacities, and lessons from stem cells. The Journal of law, medicine & ethics : a journal of the American Society of Law, Medicine & Ethics Summer. 2010; 38(2):286–302. 12. Kohane IS, Altman RB. Health-information altruists--a potentially critical resource. N Engl J Med. Nov 10; 2005 353(19):2074–2077. [PubMed: 16282184] 13. Mandl KD, Kohane IS. Tectonic shifts in the health information economy. N Engl J Med. Apr 17; 2008 358(16):1732–1737. [PubMed: 18420506] 14. Zulman DM, Nazi KM, Turvey CL, Wagner TH, Woods SS, An LC. Patient interest in sharing personal health record information: A web-based survey. Ann Intern Med. Dec 20; 2011 155(12): 805–810. [PubMed: 22184687] 15. Weitzman ER, Adida B, Kelemen S, Mandl KD. Sharing data for public health research by members of an international online diabetes social network. PLoS One. 2011; 6(4):el9256. 16. Frost JH, Massagli MP. Social uses of personal health information within PatientsLikeMe, an online patient community: what can happen when patients have access to one another’s data. Journal of medical Internet research. 2008; 10(3):e15. [PubMed: 18504244] 17. Wicks P, Vaughan TE, Massagli MP, Heywood J. Accelerated clinical discovery using selfreported patient data collected online and a patient-matching algorithm. Nat Biotechnol May. 2011; 29(5):411–414. 18. Ball MP, Thakuria JV, Zaranek AW, et al. A public resource facilitating clinical use of genomes. Proc Natl Acad Sci U S A. Jul 24; 2012 109(30):11920–11927. [PubMed: 22797899] 19. Taylor P. When consent gets in the way. Nature. Nov 6; 2008 456(6):32–33. [PubMed: 18987719]
Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13.
Taylor and Mandl
Page 8
Author Manuscript
Biographies
Author Manuscript
The academic work of Patrick L. Taylor (Assistant Clinical Professor, HMS, Affiliate Faculty, Petrie-Flom Center at HLS) focuses on emerging issues in science and medicine where law and science poorly intersect. His policy contributions concerning bioethics, stem cells, conflicts of interest, privacy, and genomics have been recognized nationally and internationally.
Author Manuscript
Dr. Kenneth Mandl (Twitter: @mandl) is Professor at Harvard Medical School and the Boston Children’s Hospital Chair in Biomedical Informatics and Population Health. Through scholarship intersecting epidemiology and informatics, Mandl pioneered use of IT and big data for population health, discovery, patient engagement and care redesign.
Author Manuscript Harvard Health Policy Rev. Author manuscript; available in PMC 2015 June 13.
