The patient privacy factor in clinical trials – MedCity News
In the first quarter of 2022, my personal life converged with my work life concerning the topic of healthcare data use and privacy. My new role at a healthcare IT company necessitated research and a greater understanding of the push and pull between privacy and interoperability, between what is legal and what is ethical, and a consideration of the cost of safeguarding patient privacy from both a HIT vendor and physician perspective. Simultaneously, I was offered an opportunity to participate in a clinical trial as a patient, which has allowed me to experience the use of my own healthcare data and conversations around privacy. Below are four highlights about data use and privacy that I found impactful.
How do data protections translate to a real-world patient experience?
I was nearing the end of a visit with a subspecialty team, all of whom were new to me, when the attending physician asked me to participate in a clinical trial that he is currently running. Perfect timing to apply what I was learning about appropriate data use! I already understood, that at a high level, healthcare data protections provided by the Health Insurance Portability and Accountability Act (HIPAA), as well as the U.S Department of Health & Human Services’ Common Rule (45 CFR) and Substance Use Confidentiality (42 CFR) hold organizations and people within the healthcare ecosystem accountable for the privacy and security of patient data, specifically data that can identify a particular patient.
I also understood that while these protections seem extensive, they may lead to an overestimation of the expected level of privacy, given that some healthcare data sources, data types, and the businesses involved with them are not required to comply with the regulations. With that in mind, I was pleased to hear the attending physician take great care to explain the purpose of the research, how my data would and would not be used and shared, and who would potentially benefit. Living in my health IT world, I interpreted this as applicable primarily to the data pertaining to me in the EHR, but through the discussion with the physician, I learned how the privacy and security of my imaging and lab specimens would be protected as well.
What data is not protected?
I was impressed by the research team’s consent process, and after a flurry of document signing, I was enrolled in the clinical trial! Even though I felt comfortable sharing my health information and participating in the clinical trial after the thorough consent process I experienced, I was curious to explore the other side of the equation to find out more about what data is not protected or protected well.
I learned that examples of data that are not protected are data from healthcare apps and purchasing history. In these instances, consent to share data by the consumer may or may not be requested, easily visible or understood. De-identified data, meaning data that cannot be connected to an individual patient, is also not protected, and may be sold and utilized without consent if the appropriate business agreements are in place. Digging deeper into the requirements around de-identifying data, whether via the Safe Harbor method or third-party certification, eased my mind from both a patient and health IT professional perspective.
What data sharing protections exist today?
Seemingly in opposition to the need to protect patient privacy are new requirements under the 21st Century Cures Act to share identifiable patient data for treatment, payment, and healthcare operations, and to prevent information blocking. Protections exist for data sharing between organizations in the form of data use agreements. For patients, data sharing is an all or nothing proposition, where they choose to opt-in or opt-out of sharing their data based on state regulations.
Interestingly, in my health IT world, there is a huge focus on having appropriate data agreements in place, understanding the regulations around data privacy and security, and de-identifying data correctly. This is in direct contrast to my usual experience as a patient, where I sign a form once a year providing consent to share my data when I check in for my annual wellness visit. This contrasts again with my clinical trial experience, which aligned more with my health IT world. In fact, the research assistant not only managed all the consents and communication, but also accompanied me to my imaging and lab appointments to make sure that my specimens were handled correctly and that I would not be billed for the testing.
What is on the horizon for management of sensitive data?
Gaining momentum is the idea that a patient should have the ability to tag data that they consider sensitive and do not wish to share. The benefits of that include patient control of their data, determination of what they consider to be sensitive in the context of their lives, and greater trust in data sharing. Cons include the complexity and cost of building and managing data tagging. For me, this is on my watch list to learn more about how this will work for patients and whether we will see increased data sharing as a result.
As a physician working in health IT, I know that having access to patient data from the patient and from other sites of care is of tremendous value in clinical decision-making and directly impacts patients. I also understand that sharing data makes medical research possible, which can include voluntary participation in clinical trials like I am doing, where patients can help improve the diagnosis and treatment of others like themselves. As a patient, I value healthcare organizations and companies that treat my healthcare data with respect and that are mindful of improvements to data privacy and security.
Photo: JuSun, Getty Images