Who owns (or controls) health data?
Scott D. Kahn, Sharon F. Terry
Abstract
There is a decades-old practice of so-called de-identifying health data so the information could be shared openly for secondary use in research 1 . The process of deidentifying includes removing directly identifying data such as name and birthdate, and removal of indirect identifiers that in aggregate increase the risk of re-identification. As computing power has increased exponentially, so has the development of machine learning (ML) and artificial intelligence (AI) algorithms that can process collections of such de-identified data to re-identify individuals 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 10 , 11 , 12 , 13 . Such risks will vary with different data types making the assessment of this risk important prior to data release and making the interpretation of “de-identified” data under HIPAA more nuanced. With the risk of re-identification as a present-day reality, involving individuals in sharing their health data for research is critical, especially regarding transparency around who is performing the research and for what purpose. One powerful framework to achieve these objectives centers on rights-based data privacy regulations that assert the control of the use of data collected about an individual rests with the individual rather than with the institution that collected the data 14 .