A 2023 survey found that 36% of patients feel somewhat or extremely uncomfortable with their health data being used for research, even if it's stripped of their name and other details.
That 36% might not realize that this is already happening.
The moment patients arrive at any health care facility, they lose control of their data. Someone will hand them a HIPAA document to sign about patient data privacy practices, but a signature merely attests that the information has been delivered, not that it's agreed to. Sign it or don't—getting care in the hospital means those rules will apply.
That includes using personal health data for medical research. No permission needs to be granted for that. And patients typically have no way to opt out.
Patient privacy laws have two somewhat conflicting goals: to keep medical information private, but also to make it appropriately shareable to enable coordination of care. For example, if a woman lands unconscious in the ER, a doctor would want to know what medicines she is allergic to. Similarly, public health agencies need to know if infectious diseases, such as COVID-19, are spreading. Medical researchers also use patient data to study the effects of treatments across large populations.
This is a delicate balance. The public needs rigorous and thorough health research, but individual patients should have rights over their medical information. Today they have very little.
When anyone receives medical care, information about their condition and treatment is entered into a large database. Under HIPAA, it can be accessed for treatment, billing, and for “operations,” meaning the things that are needed to make the medical system run. That information sticks around for a long time. Under federal law, health care providers must keep their records for at least six years and in some places, longer. Partly, this is because hospitals and health systems need records for billing and lawsuits later on. So in contrast with businesses like Google or Meta, which have been required by state laws, such as California's Consumer Privacy Act and Virginia's Consumer Data Protection Act, to delete your personal information when asked, your health care providers have an obligation not to do so. Patients cannot erase or remove their data from your hospital's system.
Health researchers get their hands on treatment data from their own institution (or, potentially, from another institution) by asking permission from an ethics panel called an Institutional Review Board. With an IRB's approval, patient data can be shared with that researcher and their team. It might be scrubbed of your name, birthdate, and other identifying information. But if the study requires it, the researcher might be given access to the full-text notes in a medical file. No patients will be told.
Granted, it would be a huge burden for every researcher to ask every patient about every study they conduct. That's why IRBs generally grant the use of “retrospective data”—data that's already been collected while providing medical care—especially if it's deidentified. It's low-risk to the patient and can be high-yield for science. This “de-identified data” can, further, be traded and even, in some cases, sold to companies—also without a patient's consent or knowledge.
An inability to control data-sharing can lead patients to withhold important information from their own health care providers.
But what if patients do not want to participate, for whatever reason? Maybe they are sensitive about something in their medical chart. Maybe they work at the hospital and don't want colleagues reading their medical records. Maybe they just want the option. Maybe—and for good reasons—they don't trust that data still filled with free text fields, time stamps, and more sufficiently protects your privacy. An inability to control data-sharing can lead patients to withhold important information from their own health care providers.
Legally, patients are allowed to request limits on the use of their medical information, but a hospital does not have to grant them. Last year I asked Mass General Brigham in Boston, where I live, how I could opt out of their research database if I wanted to do so. They said they did not have a mechanism that allows that.
The irony is that this current dynamic of scrubbing and releasing data doesn't necessarily produce the best research. The more information that is redacted, the less useful the data are to researchers. As Nigam Shah of Stanford has argued, de-identification doesn't successfully maintain privacy. But it does makes it harder for researchers to use it, for example if treatment dates, which are considered identifying information, are removed.
We're not stuck with this situation. Notable improvements in ethics guidance and privacy laws have been made over the years, such as the 2018 changes to the Common Rule that governs human subjects research and the 21st Century Cures Act changes to the privacy rule to make research easier. Patients no longer have to pay for and wait for photocopies of medical records to come in the mail—they can now be downloaded as a PDF. So, access has slightly improved—but not protection.
We have a way to go before our laws successfully achieve the two important goals described above: Medical privacy laws should give patients control over their data—and allow the sharing of more complete data to accelerate and improve medical research. Right now, we're failing at both.
Shira Fischer is a physician policy researcher at RAND. Her research focuses on health information technology research and policy.
