Health care research has become increasingly international & data-intensive. Everything from genomic research to adverse drug reaction testing to epidemiology depends on the collection, linkage, & analysis of diverse patient indicators & disease features.
Advances in personalized medicine & use of algorithms in diagnosis & treatment depend on the analysis of massive amounts of individual statistics.
While focusing on the individual’s privacy, we cannot ignore the need to promote innovation & social & technological development, particularly where it relates to developing cures for illnesses & promoting public health.
Current legal & regulatory frameworks are often no longer in line with recent digital health innovations, or with those to be introduced in the future. In addition, incidents of data misuse by commercial parties have increased awareness that data protection rules must be enforced.
While policies & regulations may be regarded as very lenient in some countries, the rules for processing health data in others are considered very stringent, impeding information sharing between healthcare professionals as well as sharing for purposes such as scientific research.
I. Data protection in the healthcare sector in the United States
The Health Insurance Portability & Accountability Act (HIPAA) is the US federal act that governs the privacy & security of healthcare information held by healthcare providers, including doctors’ medical practices & hospitals; health plans & health insurers; & healthcare clearinghouses, such as third-party organizations that host, handle or process medical information.
In view of the federal system in the United States, each state may enact its own laws to deal with privacy in the healthcare sector.
HIPAA provides two important definitions related to healthcare information:
— Protected Health Information (PHI), which:
is any individually identifiable health information that is transmitted or maintained in any form or medium;
is held by a covered entity or its business associates;
identifies the individual or offers a reasonable basis for identification;
is created or received by a covered entity or an employer; &
is related to a past, present, or future physical or mental condition, the provision of healthcare, or payment for an individual’s healthcare.
— Electronic Protected Health Information (ePHI) is any PHI that is transmitted or maintained in electronic media, for example, computer hard drives, magnetic tapes or disks, or digital memory cards.
Compared with other US privacy laws, HIPAA provides the most detailed implementation of the ‘fair information practice principles’: it includes requirements for privacy notices, authorizations for the use & disclosure of PHI, limits on use & disclosure to the minimum necessary, individual access & accounting rights, security safeguards, & accountability through administrative requirements & enforcement.
Alongside HIPAA, the US health legal framework also includes:
(1) the Health Information Technology for Economic & Clinical Health Act (HITECH), which governs the adoption & meaningful use of health information technology.
(2) the Genetic Information Nondiscrimination Act of 2008 (GINA), which sets forth limits on the use of genetic information in health insurance & employment.
(3) the 21st Century Cures Act of 2016 (the Cures Act), which aims to expedite research on new medical devices & prescription drugs, speed up the drug approval process, & reform mental health treatment.
II. Data protection specific to the healthcare sector in the European Union
In the EU, the General Data Protection Regulation (GDPR) aims to ensure the data subject’s fundamental right to the protection of health data.
While the GDPR is widely appreciated, variation in its interpretation & in the national-level legislation implementing it has led to a fragmented approach that has made cross-border exchange of data for healthcare system administration or research difficult.
The GDPR has created challenges for every sector of the economy. It has particularly affected the healthcare sector, because it treats data concerning health as a special category of data.
A challenge for EU legislation is that it must support the different ways health systems are organized in the Member States.
Recently, in a joint opinion on the Commission’s European Health Data Space (EHDS) proposal, two key EU data protection supervisory bodies, the European Data Protection Board (EDPB) & the European Data Protection Supervisor (EDPS), recommended establishing a legal framework that makes it easier to share electronic health records & other medical data across borders & care institutions, & with researchers & developers of innovative health products, while ensuring that citizens’ health data is stored locally, inside the European Economic Area (EEA), to avoid the risk of unlawful access.
The objective of the EHDS is to strengthen & extend the use & re-use of health data for the purposes of research & innovation in the healthcare sector.
III. International transfers of health data between the EU & USA
The European Union (EU), through the GDPR, has strengthened the rules for sharing data across borders in order to protect individual privacy. These rules threaten cooperation between the EU & the USA, the two largest public funders of biomedical research.
The threat of steep penalties for noncompliance has upended decades of accepted practice in commercial & public health research between the EU & other major research centers, especially the USA. The director of the US National Institutes of Health labeled the GDPR ‘a serious impediment to research’.
The European Commission (EC) adopted a ‘limited adequacy’ decision in 2016 on the so-called ‘EU-US Privacy Shield Framework’.
This Framework allows the free transfer of personal data to companies that are certified under the EU–US Privacy Shield. However, the Shield has been challenged as insufficiently protective of data subjects’ rights in the EU, & is seen as overly restrictive & burdensome for companies & federal agencies in the USA. Currently the EU–US Privacy Shield is the primary pathway for sharing research data with the USA.
What is a Possible Solution?
One way around the inadequacy of the Privacy Shield would be to seek an additional sector-based adequacy determination based on the existing US health privacy law, the Health Insurance Portability & Accountability Act (HIPAA).
A sector-specific approach to adequacy for health would avoid many of the most contentious issues that divide the USA & EU on data protection. It could also serve as a model for other third-country jurisdictions & facilitate international harmonization of health research practices.
A HIPAA shield would not replace the EU–US Privacy Shield; it would be an additional legal basis for the lawful international transfer of personal health data. Its advantages over the EU–US Privacy Shield include greater democratic legitimacy, a targeted focus on health data, & harmonization with an existing & tested legal framework.
A comprehensive data protection regime for the entire USA is still years away.