Modern medicine is evolving at a tremendous speed. On a daily basis, we learn about new treatments, drugs, medical devices, and diagnoses. Both established technology companies and start-ups focus on health-related products and services in competition with traditional healthcare businesses. Telemedicine and electronic health records have the potential to improve the effectiveness of treatments significantly. Progress in the medical field depends above all on data, specifically health information. Physicians, researchers, and developers need health information to help patients by improving diagnoses, customizing treatments and finding new cures.
Yet law and policymakers are currently more focused on the fact that health information can also be used to harm individuals. Even after the outbreak of the COVID-19 pandemic (which occurred after the manuscript for this article was largely finalized), the California Attorney General Becera made a point of announcing that he will not delay enforcement of the California Consumer Privacy Act (“CCPA”), which his office estimated imposes a $55 billion cost (approximately 1.8% of California Gross State Product) for initial compliance, not including costs of ongoing compliance, responses to data subject requests, and litigation.
Risks resulting from health information processing are very real. Contact tracing and quarantines in response to SARS, MERS, and COVID-19 outbreaks curb civil liberties with similar effects to law enforcement investigations, arrests, and imprisonment. Even outside the unusual circumstances of a global pandemic, employers or insurance companies may disfavor individuals with pre-existing health conditions in connections with job offers and promotions as well as coverage and eligibility decisions. Some diseases carry a negative stigma in social circumstances. To reduce the risks of such harms and protect individual dignity, governments around the world regulate the collection, use, and sharing of health information with ever-stricter laws.
European countries have generally prohibited the processing of personal data, subject to limited exceptions, for which companies have to identify and then document or apply. The General Data Protection Regulation (“GDPR”) that took effect in 2018 confirms and amplifies a rigid regulatory regime that was first introduced in the German State Hessen in 1970 and demands that organizations minimize the amount of data they collect, use, share, and retain. Healthcare and healthtech organizations have struggled to comply with this regime and have found EU data protection laws fundamentally hostile to data-driven progress in medicine.
The United States, on the other hand, has traditionally relied on sector- and harm-specific laws to protect privacy, including data privacy and security rules under the federal Health Insurance Portability and Accountability Act (“HIPAA”) and numerous state laws including the Confidentiality of Medical Information Act (“CMIA”) in California, which specifically address the collection and use of health information. So long as organizations observe the specific restrictions and prohibitions in sector-specific privacy laws, they may collect, use, and share health information. As a default rule in the United States, businesses are generally permitted to process personal information, including health information. Yet, recently, extremely broad and complex privacy laws have been proposed or enacted in some states, including the California Consumer Privacy Act of 2018 (“CCPA”), which have a potential to render compliance with data privacy laws impractical for most businesses, including those in the healthcare and healthtech sectors.
Meanwhile, the People’s Republic of China is encouraging and incentivizing data-driven research and development by Chinese companies, including in the healthcare sector. Data-related legislation is focused on cybersecurity and securing access to data for Chinese government agencies and much less on individual privacy interests.
In Europe and the United States, the political pendulum has swung too far in the direction of ever more rigid data regulation and privacy laws, at the expense of potential benefits through medical progress. This is literally unhealthy. Governments, businesses, and other organizations need to collect, use and share more personal health information, not less. The potential benefits of health data processing far outweigh privacy risks, which can be better tackled by harm-specific laws. If discrimination by employers and insurance companies is a concern, then lawmakers and law enforcement agencies need to focus on anti-discrimination rules for employers and insurance companies - not prohibit or restrict the processing of personal data, which does not per se harm anyone.
The notion of only allowing data processing under specific conditions leads to a significant hindrance of medical progress by slowing down treatments, referrals, research, and development. It also prevents the use of medical data as a tool for averting dangers for the public good. Data “anonymization” and requirements for specific consent based on overly detailed privacy notices do not protect patient privacy effectively and unnecessarily complicate the processing of health data for medical purposes.
Property rights to personal data offer no solutions. Even if individuals - not companies creating databases - were granted property rights to their own data originally, this would not ultimately benefit individuals. Given that transfer and exclusion rights are at the core of property regimes, data property rights would threaten information freedom and privacy alike: after an individual sells her data, the buyer and new owner could exercise his data property rights to enjoin her and her friends and family from continued use of her personal data. Physicians, researchers, and developers would not benefit either; they would have to deal with property rights in addition to privacy and medical confidentiality requirements.
Instead of overregulating data processing or creating new property rights in data, lawmakers should require and incentivize organizations to earn and maintain the trust of patients and other data subjects and penalize organizations that use data in specifically prohibited ways to harm individuals. Electronic health records, improved notice and consent mechanisms, and clear legal frameworks will promote medical progress, reduce risks of human error, lower costs, and make data processing and sharing more reliable.
We need fewer laws like the GDPR or the CCPA that discourage organizations from collecting, using, retaining, and sharing personal information. Physicians, researchers, developers, drug companies, medical device manufacturers and governments urgently need better and increased access to personal health information. The future of medicine offers enormous opportunities. It depends on trust and healthy data protection. Some degree of data regulation is necessary, but the dose makes the poison. Laws that require or intend to promote the minimization of data collection, use, and sharing may end up killing more patients than hospital germs.
In this article, I promote a view that is decidedly different from that supported by the vast majority of privacy scholars, politicians, the media, and the broader zeitgeist in Europe and the United States. I am arguing for a healthier balance between data access and data protection needs in the interest of patients’ health and privacy. I strive to identify ways to protect health data privacy without excessively hindering healthcare and medical progress. After an introduction (I), I examine current approaches to data protection regulation, privacy law, and the protection of patient confidentiality (II), risks associated with the processing of health data (III), needs to protect patient confidence (IV), risks for healthcare and medical progress (V), and possible solutions (VI). I conclude with an outlook and call for healthier approaches to data protection (VII).
Healthy Data Protection,
Mich. Tech. L. Rev.
Available at: https://repository.law.umich.edu/mtlr/vol26/iss2/3