
Know Your Rights Around Health Data Privacy


Evolving privacy regulations, changing legal interpretations, and security breaches make it hard to keep up with our rights and risks these days. People are looking for resources to help them cut through the technical jargon regarding personal health data protection. Many simply want to use the technology they have come to enjoy while keeping their health information safe and secure. 

What are health data rights?

To unpack these questions, it’s helpful to review where your health information was first accessed and what your rights are currently. When individuals in the United States consider their health information, they may be aware that the law regulates how healthcare providers (also known as “covered entities”) use their data. First passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) limits third-party access to personally identifying information stored within the healthcare system.

Many people may not be aware that this information is used outside the healthcare system for research and other uses beyond medical care. Eighteen data types were established as protected health information (PHI) in the HIPAA Privacy Rule, finalized in 2000. PHI includes types of data such as names and addresses, but it also covers “any other characteristic that could uniquely identify the individual.” However, the HIPAA Privacy Rule only applies to healthcare settings. HIPAA does not protect the privacy of our data held by app providers, government bodies, biotech companies, and other entities that don’t provide healthcare services.

“Health discovery relies on health data. Luna advocates that the most reliable, representative health data comes directly from people. This is why, from Day 1, we’ve built privacy-by-design so that we can protect people and accelerate better health interventions.”

Scott Kahn, Chief Privacy and Information Officer

Since the passage of HIPAA, the amount of information that can be gathered about us has increased exponentially, and data science has advanced significantly. Remember, we just started using email in 1996! Today, computer science methods can combine non-identifying information—as few as two to three pieces of data—into very accurate assignments of a person’s identity. Put differently, the privacy protections that HIPAA gave us two decades ago were not designed with today’s information and science in mind. 

This simple observation has motivated some states and federal legislators to enact data privacy laws that focus on a set of rights for individuals, not institutions.

Read “How Modern Data Privacy Laws Enables Research”
Scott Kahn, PhD, Chief Information and Privacy Officer, Luna

You have a right to data privacy

Today, as health and tech consumers, we have rights to data privacy. Modern laws define a person’s rights when it comes to data. They require companies, governments, and organizations to respect these rights when collecting and analyzing data about consumers. We can give permission, known legally as informed consent, for the use of our data, and we have a right to know who is using our data and for what purpose, such as a clearly defined public benefit.

In general, these newer laws require that we be told the purpose for which our data is being collected, such as the kind of research being done. One example of these laws in practice is the numerous cookie notifications you receive on practically every website you encounter on the internet. You have the right to change your mind about sharing your data—also known as revoking consent—and the right to confirm that the company destroyed your data.

We live in a time of astounding data creation. If we can use that data to advance causes that matter to us, we can change the quality and velocity of health interventions.

At Luna, we appreciate the evolution of these consumer data privacy laws and have operated since Day One to exceed their requirements.

Read about Luna’s Data Protection Impact Assessment.

About Luna

Luna’s suite of tools and services connects communities with researchers to accelerate health discoveries. With participation from more than 180 countries and communities advancing causes including disease-specific, public health, environmental, and emerging interests, Luna empowers these collectives to gather a wide range of data (health records, lived experience, disease history, genomics, and more) for research.

Luna gives academia and industry everything they need from engagement with study participants to data analysis across multiple modalities using a common data model. The platform is compliant with clinical regulatory requirements and international consumer data privacy laws.

By providing privacy-protected individuals a way to continually engage, Luna transforms the traditional patient-disconnected database into a dynamic, longitudinal discovery environment where researchers, industry, and community leaders can leverage a range of tools to surface insights and trends, study disease natural history and biomarkers, and enroll in clinical studies and trials.


Scott Kahn, Ph.D.


CHIEF INFORMATION + PRIVACY OFFICER

Scott is the former CIO and VP Commercial, Enterprise Informatics at Illumina. At Luna, he’s integrating data privacy and security provisions that keep member data safe, private, and secure.



The Role of Cybersecurity in the Management of Data Privacy


The focus on data privacy from the general public has surged over the past few years. A large cohort of individuals with little to no experience in informatics now needs to understand the digital environment at a level of detail beyond their expertise or experience.

The intersection between privacy and the much more common issues concerning data security and data breaches has resulted in a digital environment where few can make confident and informed decisions. As a result, most individuals conflate data security with the privacy policies in place.

The differences between data security and data privacy

Data security features are measures that allow an individual or an organization to exert control over a digital asset. Security is typically implemented in overlapping layers to minimize the likelihood that control or access to a digital asset will be lost. End users most obviously experience security through password-mediated access control, possibly with a second level of identity verification such as a code sent to a mobile phone via text for identity confirmation. There are also many security safeguards put in place at the infrastructure level to avoid unauthorized access by programmatic “hacking.” Collectively, all these cybersecurity features provide a foundation for control of a digital asset.

In contrast, data privacy is a set of policies layered on top of controlled digital assets. Data privacy can be expressed as a set of rights guaranteed to an individual to access, correct, share, un-share, restrict, transport, and delete their digital assets. Data privacy equally requires a level of transparency around the processing or use of data so the individual can exercise those rights in an informed manner. Absent data security measures to exert control, data privacy policies cannot be implemented.


Data privacy policies need to persist over the lifetime of a digital asset whereas data security features are temporal. Once access is given by satisfying all security safeguards, all control of the data asset by the owner is lost. Data privacy rights require a persistent environment that provides data security to prevent external access while allowing agreed use of the data asset for approved purposes. 


Playing in the sandbox

Securely isolated environments of this kind, called “sandboxes,” decouple access to digital assets in the sandbox by data users from the inclusion of those assets in the sandbox by data owners. This effectively maintains a level of control over the data asset by the data owner even as the asset is being used or processed within the sandbox by the data users.

There are many new data privacy policies being enacted into law around the world that, to a greater or lesser extent, confer data rights to data owners. The European Union has enacted the General Data Protection Regulation (GDPR), which serves as an exemplar for many countries outside of the EU and for several states within the U.S. But regardless of the data privacy policies in place, all privacy controls are built upon a cybersecurity foundation of data security measures that support control of data assets within a digital environment.

The interplay between security control and an implemented set of privacy policies takes center stage within the Luna platform. 

Security controls are reviewed via SOC 2 protocols that are documented and audited on a regular basis. Data privacy policies are reviewed regularly and assessed with regard to the data rights conferred to individuals and to the potential risks to these individuals incurred by sharing their data. 

Data privacy impact assessments (DPIAs) are performed for the Luna platform and for the sandboxes employed by researchers. It’s noteworthy that within the Luna platform the full spectrum of research inquiry is supported while simultaneously supporting the data privacy rights of all individuals willing to share their health data to advance medical science.




Data Privacy and Health Equity


There is consensus that 2022 will be a busy year for data privacy experts. Many will need to quickly understand and implement the growing list of privacy legislation at the state level—and that is absent any sweeping federal legislation needed to update the country’s antiquated view of data privacy and data governance.

While states such as California are leading the charge in the United States, it is important to recognize that the expression of data privacy as a fundamental human right was first thoroughly expressed by the European Union’s landmark General Data Privacy Regulation (GDPR) which became law in May 2018. Indeed, even when California took steps to address the importance of a person’s right to control the use of data collected on themselves via the California Consumer Privacy Act, a second legislative action was already taking place in the California Data Protection Regulation (CDPR). This further aligns the expression of one’s data sovereignty with the ideal outlined in GDPR.

In 2021, Virginia and Colorado enacted data privacy protections for their citizens, and privacy experts are anticipating even more state-led legislation this year.

What Data Privacy Means to Luna

From the company’s founding in 2017 and the creation of the Luna platform, we believed a tectonic shift in data privacy was about to take place—one that reassigns the control of data from institutions and governments back to individuals. GDPR had yet to be enacted then, but we believed that its tenets would redefine data privacy in ways that could positively address some of the most vexing challenges in human health research.

The history of data misuse in health research is still fresh and remains a top concern for research engagement for some populations. Frequently cited examples include the Tuskegee Study, the appropriation of Henrietta Lacks’s tumor cells, and misleading the Havasupai Tribe on how their DNA samples would be used in specific research.

These examples have contributed to the hesitancy of non-European-descended (non-“white”) Americans to participate in health research. More recently, fears around the collection of data on individuals who may lack formal immigration status in the United States have continued to widen the gap between white and non-white Americans who volunteer to participate in health research through clinical trials and other studies. This has resulted in treatments and policies focused on a single ethnic group. It has also held non-European-descended communities further behind in access to healthcare tools.

The thesis at Luna was to design and implement a platform that embraced an individual’s right to control their health data. Luna was founded on the commitment to use health data in studies to enable broader and deeper participation in health research by all ethnic groups and using all medically relevant attributes. Accomplishing this would permit data aggregation at the level required to find research solutions that could be clinically validated for all people and for all ethnicities.

Modern Data Privacy Regulations


Fast forward to 2022. Legal tech experts are now opining on the challenges posed by state-led privacy legislation motivated by the increasingly prevailing view that data privacy should be a human right. These experts forewarn that the only way to harmonize data in such a regulatory quagmire will be to follow the strictest version of privacy protections for individuals. They point to GDPR as a viable true north.

At Luna, our experience has shown that this approach works exceptionally well for communities seeking novel health treatments for rare diseases and for communities seeking to understand a shared lived experience. It also provides opportunities for commercial pharmaceutical partners that seek to responsibly engage with patients and their support communities by managing each participant’s health data and returning these data once the study has concluded.

As these examples become more extensive and well-known, it is reasonable to assert that the enablement of inclusive and participatory health research will be recognized as a result of modern data privacy regulation rather than the current misbelief that individual data privacy will impede needed health research.

