
Breaking the Mental Model: Individual Data Control Can Deliver Better Research


The majority of individuals on Luna want to accelerate research and ensure their data is used as they allow. We considered a recent article in Forbes, and we broke down two recent legal opinion articles on medical data privacy and rights when it comes to your data’s application in research (article links below).

As standard practice in US healthcare, laboratory results, doctor’s conclusions, and any other information collected during your virtual or in-person visit is digitally captured and stored for later reference by the healthcare provider. This information is protected under the Health Insurance Portability and Accountability Act, referred to as HIPAA, to protect your private information from disclosure to parties outside of your care team. There are provisions under HIPAA for the de-identification of health data (which is simply the removal of your name, address, and other information that would clearly link the data back to you) so it can be shared freely for health research purposes – so-called secondary use of health data. Some types of health data, such as DNA information that may be collected to make treatment decisions, are inherently challenging to de-identify, and some argue impossible, despite their significant utility for research.

The balance between research benefit (i.e., the advancement of knowledge to guide improvements in diagnosis and treatment of diseases) and the role that individuals play is evolving. Many of the contemporary data protection and privacy laws around the world such as Europe’s General Data Protection Regulation (GDPR) and California’s Privacy Rights Act (CPRA) are built upon HIPAA and Fair Information Practice Principles (FIPPs) from the 1970s to define a right for individuals to control the use of data that is collected from them. And while this right to have control over the use of one’s data is absolute, the intersection between secondary use of de-identified data and the control granted by privacy legislation needs to find common ground for health data from all peoples to be included for research to have representation from the widest range of backgrounds possible.


The debate on this intersection of approaches is couched in terms of data ownership and control of data use. Unlike tangible assets such as real estate or a piece of furniture, data can be used simultaneously by many parties without degrading the value of each party’s use of the data. This difference has shifted thinking so that control of data use, rather than data ownership, is considered to be of paramount importance. Moreover, the trend globally, and increasingly at the state level in the US, is that the control of data use should rest with the individual on whom the data was collected. This argument is most compelling when considering an individual’s DNA data that uniquely characterizes them. As it pertains to the secondary use of health data, a case can be made that shifting the control of data use from institutions to individuals provides a direct pathway to greater study participant engagement and more inclusive participation of individuals in future research studies.

Articles Reviewed for this Blog

“The Future Of Personally Identifiable Information And Health Data”
https://www.forbes.com/sites/forbestechcouncil/2023/07/18/the-future-of-personally-identifiable-information-and-health-data/?sh=694704622468

“Data Unlocked: Why Rights Mean More Than “Ownership” in B2B Data Sharing”
https://gowlingwlg.com/en/insights-resources/articles/2023/data-unlocked-rights-over-data/

“Ensuring Data Privacy in Genomic Medicine: Legal Challenges and Opportunities”
https://www.jdsupra.com/legalnews/ensuring-data-privacy-in-genomic-8975727/


About Luna

Luna’s suite of tools and services connects communities with researchers to accelerate health discoveries. With participation from more than 180 countries and communities advancing causes including disease-specific, public health, environmental, and emerging interests, Luna empowers these collectives to gather a wide range of data—health records, lived experience, disease history, genomics, and more—for research.

Luna gives academia and industry everything they need from engagement with study participants to data analysis across multiple modalities using a common data model. The platform is compliant with clinical regulatory requirements and international consumer data privacy laws.

By providing privacy-protected individuals a way to continually engage, Luna transforms the traditional patient-disconnected database into a dynamic, longitudinal discovery environment where researchers, industry, and community leaders can leverage a range of tools to surface insights and trends, study disease natural history and biomarkers, and enroll in clinical studies and trials.



De-identified, Pseudonymized, Anonymous Data, Oh My!


It seems like everywhere we turn these days some aspect of data privacy is in the news, with this or that company sharing your data in some form or fashion. Many of these reports involve the use of your de-identified data. What is de-identified data and how is it different from pseudonymized or anonymous data? And how do any of those relate to your personal data/information covered by modern data privacy regulations?

De-identification removes features like your name, address, and date of birth from your data. It is reversible if those accessing your de-identified data have enough other information that can be tied to the remaining details in the de-identified data. Think of this like pixels in an image. With enough pixels, the full image comes together, even if some pixels are missing.

Pseudonymization replaces certain pieces of information in your data set – for example associating your data with a unique ID in place of your name or address. This is also reversible if those with access to your data have enough other information (or have access to the key or decoder that connects your name back with that unique ID).

Anonymization is NOT reversible which means that, in addition to removing your name, address, date of birth, zip code, and so on, other information such as medical diagnoses, job title, and/or geolocation must also be removed.
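The three definitions above, as an added Python illustration (not Luna's code): it de-identifies, pseudonymizes and anonymizes a small table, then measures how many rows remain unique on the details left behind. The records, field names, the `cohort` field and the key are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records; none describe a real person.
RECORDS = [
    {"name": "Ana Ruiz", "address": "12 Elm St", "dob": "1984-03-02",
     "zip": "92101", "job": "pilot", "diagnosis": "asthma", "cohort": "A"},
    {"name": "Ben Cho", "address": "9 Oak Ave", "dob": "1990-11-17",
     "zip": "92101", "job": "teacher", "diagnosis": "asthma", "cohort": "A"},
    {"name": "Cara Diaz", "address": "4 Pine Rd", "dob": "1975-06-30",
     "zip": "92037", "job": "teacher", "diagnosis": "diabetes", "cohort": "A"},
    {"name": "Dev Patel", "address": "77 Bay Ct", "dob": "1990-01-05",
     "zip": "92037", "job": "teacher", "diagnosis": "diabetes", "cohort": "A"},
]

DIRECT = ("name", "address", "dob")      # removed by de-identification
QUASI = ("zip", "job", "diagnosis")      # the "remaining pixels"


def deidentify(record):
    """Drop direct identifiers only; quasi-identifiers stay in the row."""
    return {k: v for k, v in record.items() if k not in DIRECT}


def pseudonym(record, key):
    """Keyed unique ID: stable for one person, unguessable without the key."""
    msg = f"{record['name']}|{record['dob']}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize(record, key):
    """De-identify, then attach the keyed ID in place of the name."""
    out = deidentify(record)
    out["pid"] = pseudonym(record, key)
    return out


def relink(pid, roster, key):
    """What a key holder can do: map a pseudonym back to a roster entry."""
    for person in roster:
        if hmac.compare_digest(pseudonym(person, key), pid):
            return person["name"]
    return None


def anonymize(record):
    """Also drop the quasi-identifiers, as the anonymization definition requires."""
    return {k: v for k, v in deidentify(record).items() if k not in QUASI}


def group_sizes(records, fields):
    """Count rows sharing each combination of values in `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Smallest group size; k == 1 means at least one row is unique."""
    return min(group_sizes(records, fields).values())


def unique_rows(records, fields):
    """Number of rows that no other row matches on `fields`."""
    return sum(1 for n in group_sizes(records, fields).values() if n == 1)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: held only by the data custodian
    deid = [deidentify(r) for r in RECORDS]
    print("de-identified k:", k_anonymity(deid, QUASI))
    print("rows unique on zip/job/diagnosis:", unique_rows(deid, QUASI))
    pseudo = [pseudonymize(r, key) for r in RECORDS]
    print("key holder relinks:", relink(pseudo[0]["pid"], RECORDS, key))
    anon = [anonymize(r) for r in RECORDS]
    print("anonymized k:", k_anonymity(anon, ("cohort",)))
```

A k of 1 on the de-identified table means some rows are still one of a kind, which is the condition under which outside information can be tied back to them.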

So, what about DNA data? Everything stated here certainly suggests that DNA information about you that is large enough (e.g., your entire genome sequence) or specific enough (e.g., gene variations that led to a medical diagnosis) could never be considered anonymous. This is why DNA is used in applications ranging from family finder tools to crime scene investigations.


Data privacy regulations vary based on where you live. Some country or state-level data privacy regulations consider your data as personal information unless it has been anonymized. Others only require de-identification or de-identification PLUS defined additional steps (sometimes many such steps!) to help prevent re-identification so it’s no longer considered your personal data.

Yes, this is all a bit confusing and constantly evolving. So, when you see news articles bandying about a company selling access to “de-identified” data that is no longer under the control of the individual it represents (you), it should set off warning flags. According to GDPR (the General Data Protection Regulation in Europe), CPRA (the California Privacy Rights Act), and similar US and non-US data privacy regulations, de-identified data is likely still considered your personal data/information, and you have the right to know how it is being used and to prevent it from being used for purposes you don’t agree with, if you choose.




Privacy-Preserving Technologies and Rights-Based Privacy Regulation Compliance


Over the past decade there has been increased interest in what to do with the growing volume of digital information that is collected on individuals and potentially used or sold by companies and governments. This interest is heightened further when health data is involved, given how such data might be used in ways contrary to the interests or values of individuals. In parallel, new data protection laws have passed in many parts of the world, and increasingly in several states within the United States, that express the control of data privacy as a human right.

It is commonplace to merge the concepts of data privacy and security, even though each has a unique role. Data security is the step taken to prevent unauthorized access to data. A common security approach involves data encryption that requires user-specific information to decrypt the data back to its original form. Privacy-preserving technologies, or PPTs, are a newer class of technologies that support the distribution of encrypted data that can be selectively decrypted to reveal some or all of the data that is encapsulated. PPTs are especially exciting for the sharing of genomic data so that only some of the data is made available to a researcher, which presents a lower risk to the individual for subsequent data misuse.


Data privacy, in contrast to data security measures, is a set of policies that are applied to secure data. These policies typically govern the data collected, the purpose for which the data is collected, and the informed consent granted to the researcher to study the data. A common data privacy policy is the right to rescind one’s consent and to have the individual’s data deleted. This is also known as the “right to be forgotten.”

Security-based protections such as PPTs and privacy-based protections are very different in how they are implemented. With security-based approaches, data are distributed to researchers that are approved to access the data. Once access is granted, the control of the data is lost. Over time there can be many copies of the data that have been granted to multiple researchers, as shown in Figure 1A.

Figure 1A. Once permission is granted, data is distributed to uncontrolled environment(s).

In contrast, privacy-based approaches maintain control of each piece of data within an environment that supports the removal of the data if an individual’s consent is withdrawn. Under the privacy-based approach, an individual has a virtual string on their data that supports the pulling back of their data at any time, as shown in Figure 1B.

Figure 1B. Permissive data is used within an environment that enforces privacy policies.

The question of which approach is better rests largely on the regulatory environment in which the research is being performed. In Europe, compliance with the General Data Protection Regulation, or GDPR, requires that the data rights of individuals persist when they share their sensitive personal data, such as health data. In states such as California, the California Privacy Rights Act (CPRA), which came into law in 2023, requires similar protections for individuals. For historic datasets, databases, and biobanks that include genomic data, the use of PPTs has provided a more secure way to distribute such sensitive personal data.




Something Exciting Happened on October 6, 2022, Concerning Your Medical Records


Editor’s note: This article is jointly authored by Luna and Greenlight Health Data Solutions.

The Information Blocking Rule, now in effect, is a new federal regulation we should all celebrate as a big win for control over our health information, a right that we should always have had.

Let’s take a step back in time and then fast forward to today. In recognition of the importance of digital health information for advancing precision medicine, the Information Blocking Rule was a provision of the 21st Century Cures Act which aimed to modernize healthcare data interoperability and update a component of HIPAA that was oriented to paper-based medical records, not Electronic Health Records (EHRs). Part of the motivation to connect EHRs was to improve the portability of one’s health data to multiple healthcare providers and to give direct access to one’s health data using online patient portals. The Information Blocking Rule requires that all healthcare organizations give patients access to their full health records digitally (via a patient portal)–without delays or cost.

Why is this important? The new Information Blocking Rule unblocks access to Electronic Health Information (EHI), which Health and Human Services (HHS) defines as electronically Protected Health Information, or PHI. The significance of this rule has many threads–not least of which is bringing control and rights to the information much closer to the patient–the individual who the data is about, you! You can now review and research your own information to be a more informed patient. You can easily share your data with new healthcare providers if you relocate or change your insurance coverage. You can avoid time-consuming and costly duplication of diagnostic tests, which is commonplace whenever one engages with a new medical professional. You can also choose to share your data with a clinical research study or trial that is of interest to you to advance medical knowledge and health discoveries for society more broadly.

We’ve been advocates for individuals’ rights to access their health information for a long time. Greenlight Health was an early software platform specifically designed to offer patients online access to their health data. Luna has implemented Greenlight’s EHI data-sharing APIs which support connections to more than 90% of the U.S. provider market. This approach allows for the inclusion of EHR data, along with genomic and health survey data, for patient-centered research studies to understand and improve health outcomes. Gathering health information from multiple health systems, and across decades, provides convenience to individuals and their families while simultaneously providing a richness of data to researchers to unlock new insights for health improvements. Such patient-centered studies hold promise to enrich the standard of care more equally for individuals of all ethnic and racial backgrounds.

An essential aspect of inclusive clinical study participation requires that data shared by individuals is done with their informed consent and that the data is not used for other purposes outside the individual’s consent. Luna’s health data sharing and analysis platform uses rights-based data privacy measures to protect access to shared data so that a contributor (you) can remove their data from the platform and/or from any studies they joined with a simple click of a button. By implementing rigorous rights-based data protection and privacy that complies with all current privacy laws (such as GDPR in the EU), Luna provides a path to international clinical studies that can benefit from population diversity globally.

It’s no longer in the medical provider’s control to decide when to release a patient’s information. The Information Blocking Rule is really about information sharing and empowering the patient with ownership of their health data. Under HIPAA, healthcare providers are allowed 30 days to fulfill medical record requests; 60 days is permitted if the provider needs an extension. With this new rule and direct EHI access methods for patients, a healthcare provider cannot “interfere” with the flow of EHI, and it needs to flow without delay. When there are instances of interference, healthcare providers and EHR vendors are subject to financial penalties (up to $1 million per occurrence and/or reductions in Medicare and Medicaid reimbursement). Healthcare providers and vendors lobbied strongly against this rule being passed (in fact, the rule was held up for six years). Days before the rule became effective, 10 of the leading healthcare industry trade associations pushed HHS for a delay. As stated, the rule extends an individual’s right to access EHI through a patient portal. As the name implies, patient portals were designed to support functionality that allows individuals to connect to their medical records whenever needed. The intent of having immediate access to medical records through a patient portal is to provide a mechanism for sharing EHI with other healthcare providers, with family members, and for research.  


This rule is one more step toward providing you with a comprehensive understanding of and access to your own healthcare information and, more importantly, control of how your health records are shared.

Taking the power of your health records to the next level, Greenlight Health and Luna combine capabilities to enable you to consolidate your records in one place and safely share your health records and other unique experiences in research studies that are of interest to you. You are in the driver’s seat now. The steps you take next could make a big difference in finding treatments and cures for those who need them most.





Use of Genomics in Newborn Screening Offers New Insights and Decisions


Newborn screening (NBS) in the United States has been used for more than 50 years and is often touted as the world’s most successful public health program. Some 99% of the nation’s children are screened at birth for treatable genetic conditions caused in whole or in part by variations in their DNA sequence. Screening has saved infants, and their families, from enormous suffering.  

Recently the NBS program has garnered even more attention and interest thanks to the groundbreaking work by Rady Children’s Hospital to leverage genomics more broadly in the screening and treatment of infants.  Recently, clinicians have pushed to expand the NBS list of treatable genetic conditions.  

The price of genomic testing has continued to come down and innovations in understanding genetic disorders have also been demonstrated to relieve financial pressures on the healthcare sector. In fact, rapid and effective treatment early in life has been shown to be less costly than chronic conditions that would otherwise require ongoing intervention by the health system. 

What is newborn screening?

In the United States, small blood samples are collected from every infant shortly after birth and analyzed for treatable genetic disorders. Newborn screening was pioneered in 1963 by Robert Guthrie, MD, for diagnosing phenylketonuria, a genetic disorder that affects metabolism leading to toxicity that damages the brain.  

Today, it has become a public health practice in all States to screen newborns for a minimum of 29 treatable disorders to detect inherited genetic disorders. The Advisory Committee for Heritable Disorders in Newborns and Children recommends screening for 61 conditions, 35 of which are conditions that are screened in all 50 states. Over the past decade, the use of low-cost DNA sequencing to diagnose and treat sick children suggests that expanding the Recommended Uniform Screening Panel from 35 treatable conditions to a much more comprehensive set is both possible and affordable for the U.S. healthcare system. 


The path to genomic screening in infants 

With funding from the U.K. Department of Health in 2013 for the sequencing of 100,000 patients in England, Genomics England piloted the use of whole genome sequencing (WGS) in 4,660 children suspected of having rare genetic conditions [1]. In parallel, Stephen Kingsmore, MD, and Rady Children’s Institute of Genomics Medicine championed ultra-rapid WGS to diagnose affected newborns within 13 hours [2]. These efforts, in conjunction with other programs around the world, established the use case of WGS delivering precision care to pediatric practice and set the stage for use of WGS to screen newborns earlier in life and before symptoms appear.

It is believed there are currently roughly 600 conditions for which early-life intervention will improve the longer-term health of the child. This motivated the National Health Service in the U.K. to begin piloting newborn screening using WGS in 2021. In the U.S., New York is funding the GUARDIAN initiative to offer WGS NBS for 100,000 newborns in the state to screen for 250 conditions and to characterize the diagnostic benefits to the child and the health economic impact on the health system. 

Long-term follow-up is key to ensuring the information learned through DNA sequencing of newborns is appropriately communicated and integrated into clinical care with the family’s pediatrician.  

Luna, in collaboration with the American College of Medical Genetics, Genetic Alliance, and various medical systems, is engaged in a study to understand the follow-up needs of families and children affected by spinal muscular atrophy and other conditions who receive their diagnosis through NBS. This study uses Luna’s Community Driven Innovation™. This participant-led methodology addresses long-standing problems with traditional research approaches while providing an unbiased, clear understanding of the priorities, values, and challenges of individuals, families, and communities. One of the objectives of this study is to understand the impact of both NBS and long-term follow-up for children impacted by one of the conditions covered with current screening programs and potentially recommend changes in patient care. The NBS study may prove the feasibility of one path to improved care moving forward. 

Consider privacy issues with newborn screening research 

As new medical approaches are implemented, parents have important decisions to make prior to enrolling their newborn into WGS studies. They should consider the risks and benefits involved in further use of DNA data after screening for genetic conditions, and ask how their child’s data will be used in research, by whom, over what period, and for what types of research. Who makes these decisions is a function of the data privacy and protection regulations in various states and countries.

One’s genome uniquely identifies them—and their family—for their entire life, so understanding the impact of early decisions such as these is critical. 


