Shadow health records meet new data privacy laws

William Nicholson Price II, Kayte Spector-Bagdady, Timo Minssen, Margot Kaminski

Research output: Contribution to journalJournal articleResearchpeer-review

49 Citations (Scopus)

Abstract

Large sets of health data can enable innovation and quality measurement but can also create technical challenges and privacy risks. When entities such as health plans and health care providers handle personal health information, they are often subject to data privacy regulation. But amid a flood of new forms of health data, some third parties have figured out ways to avoid some data privacy laws, developing what we call “shadow health records”—collections of health data outside the health system that provide detailed pictures of individual health—that allow both innovative research and commercial targeting despite data privacy rules. Now that space for regulatory arbitrage is changing. The long arms of Europe's new General Data Protection Regulation (GDPR) and California's new Consumer Privacy Act (CCPA) will reach shadow health records in many companies. In this article, we lay out the contours of the GDPR's and CCPA's impact on shadow health records and health data more broadly, highlight critical remaining uncertainty, and call for increased clarity from lawmakers and industry on the use of such data for research.
Original languageEnglish
JournalScience
Volume363
Issue number6426
Pages (from-to)448-450
Number of pages3
ISSN0036-8075
DOIs
Publication statusPublished - 1 Feb 2019

Keywords

  • Faculty of Law
  • big data
  • GDPR
  • CCPA
  • Shadow health records
  • research exemption
  • privacy

Cite this