data rights

Breaking the Mental Model: Individual Data Control Can Deliver Better Research


The majority of individuals on Luna want to accelerate research and ensure their data is used as they allow. We considered a recent article in Forbes, and we broke down two recent legal opinion articles on medical data privacy and rights when it comes to your data’s application in research (article links below).

As standard practice in US healthcare, laboratory results, doctor’s conclusions, and any other information collected during your virtual or in-person visit are digitally captured and stored for later reference by the healthcare provider. This information is protected under the Health Insurance Portability and Accountability Act, referred to as HIPAA, to protect your private information from disclosure to parties outside of your care team. There are provisions under HIPAA for the de-identification of health data (which is simply the removal of your name, address, and other information that would clearly link the data back to you) so it can be shared freely for health research purposes – so-called secondary use of health data. Some types of health data, such as DNA information that may be collected to make treatment decisions, are inherently challenging to de-identify, and some argue impossible, despite their significant utility for research.

The balance between research benefit (i.e., the advancement of knowledge to guide improvements in diagnosis and treatment of diseases) and the role that individuals play is evolving. Many of the contemporary data protection and privacy laws around the world such as Europe’s General Data Protection Regulation (GDPR) and California’s Privacy Rights Act (CPRA) are built upon HIPAA and Fair Information Practice Principles (FIPPs) from the 1970s to define a right for individuals to control the use of data that is collected from them. And while this right to have control over the use of one’s data is absolute, the intersection between secondary use of de-identified data and the control granted by privacy legislation needs to find common ground for health data from all peoples to be included for research to have representation from the widest range of backgrounds possible.

The debate on this intersection of approaches is couched in terms of data ownership and control of data use. Unlike tangible assets such as real estate or a piece of furniture, data can be used simultaneously by many parties without degrading the value of each party’s use of the data. This difference has shifted thinking toward treating the control of data use, rather than data ownership, as being of paramount importance. Moreover, the trend globally, and increasingly at the state level in the US, is that the control of data use should rest with the individual on whom the data was collected. This argument is most compelling when considering an individual’s DNA data that uniquely characterizes them. As it pertains to the secondary use of health data, a case can be made that shifting the control of data use from institutions to individuals provides a direct pathway to greater study participant engagement and more inclusive participation of individuals in future research studies.

Articles Reviewed for this Blog

“The Future Of Personally Identifiable Information And Health Data”
https://www.forbes.com/sites/forbestechcouncil/2023/07/18/the-future-of-personally-identifiable-information-and-health-data/?sh=694704622468

“Data Unlocked: Why Rights Mean More Than “Ownership” in B2B Data Sharing”
https://gowlingwlg.com/en/insights-resources/articles/2023/data-unlocked-rights-over-data/

“Ensuring Data Privacy in Genomic Medicine: Legal Challenges and Opportunities”
https://www.jdsupra.com/legalnews/ensuring-data-privacy-in-genomic-8975727/


About Luna

Luna’s suite of tools and services connects communities with researchers to accelerate health discoveries. With participation from more than 180 countries and communities advancing causes including disease-specific, public health, environmental, and emerging interests, Luna empowers these collectives to gather a wide range of data—health records, lived experience, disease history, genomics, and more—for research.

Luna gives academia and industry everything they need from engagement with study participants to data analysis across multiple modalities using a common data model. The platform is compliant with clinical regulatory requirements and international consumer data privacy laws.

By providing privacy-protected individuals a way to continually engage, Luna transforms the traditional patient-disconnected database into a dynamic, longitudinal discovery environment where researchers, industry, and community leaders can leverage a range of tools to surface insights and trends, study disease natural history and biomarkers, and enroll in clinical studies and trials.


De-identified, Pseudonymized, Anonymous Data, Oh My!


It seems like everywhere we turn these days some aspect of data privacy is in the news, with this or that company sharing your data in some form or fashion. Many of these reports mention the use of your de-identified data. What is de-identified data, and how is it different from pseudonymized or anonymous data? And how do any of those relate to your personal data/information covered by modern data privacy regulations?

De-identification removes features like your name, address, and date of birth from your data. It is reversible if those accessing your de-identified data have enough other information that can be tied to the remaining details in the de-identified data. Think of this like pixels in an image. With enough pixels, the full image comes together, even if some pixels are missing.

Pseudonymization replaces certain pieces of information in your data set – for example associating your data with a unique ID in place of your name or address. This is also reversible if those with access to your data have enough other information (or have access to the key or decoder that connects your name back with that unique ID).

Anonymization is NOT reversible which means that, in addition to removing your name, address, date of birth, zip code, and so on, other information such as medical diagnoses, job title, and/or geolocation must also be removed.
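The three treatments above, side by side on constructed records, as an added example that is not from the original post. The field names, the HMAC-based ID, and the use of k-anonymity group size as a re-identification risk measure are assumptions chosen for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people).
RECORDS = [
    {"name": "Ana Ruiz", "address": "1 Elm St", "dob": "1980-03-14",
     "zip": "92101", "sex": "F", "diagnosis": "asthma"},
    {"name": "Ben Cho", "address": "9 Oak Ave", "dob": "1980-11-02",
     "zip": "92103", "sex": "M", "diagnosis": "diabetes"},
    {"name": "Cara Diaz", "address": "4 Pine Rd", "dob": "1987-06-30",
     "zip": "92101", "sex": "F", "diagnosis": "asthma"},
    {"name": "Dev Shah", "address": "7 Fir Ct", "dob": "1989-01-19",
     "zip": "92109", "sex": "M", "diagnosis": "migraine"},
]
DIRECT_IDENTIFIERS = ("name", "address", "dob")

def deidentify(rec):
    """De-identification: drop name, address and date of birth only."""
    return {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}

def pseudonymize(rec, key):
    """Pseudonymization: replace the name with a keyed ID.
    Whoever holds `key` can recompute the ID and re-link the record."""
    out = deidentify(rec)
    out["pid"] = hmac.new(key, rec["name"].encode(), hashlib.sha256).hexdigest()[:16]
    return out

def smallest_group(rows, quasi):
    """k-anonymity 'k': size of the smallest group of rows that share the
    same quasi-identifier values. k == 1 means someone is unique."""
    groups = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(groups.values())

def generalize(row):
    """Coarsen toward anonymity: 3-digit zip, no diagnosis.
    This raises k; it is a step toward anonymity, not proof of it."""
    return {"zip3": row["zip"][:3], "sex": row["sex"]}

if __name__ == "__main__":
    rows = [deidentify(r) for r in RECORDS]
    print("k after de-identification:", smallest_group(rows, ("zip", "sex", "diagnosis")))
    print("k after generalization:", smallest_group([generalize(r) for r in rows], ("zip3", "sex")))
    print("pseudonymized:", pseudonymize(RECORDS[0], b"constructed-demo-key"))
```

A group size of 1 after de-identification means at least one record is still unique on the remaining fields, which is the property that makes linking it back to a person possible.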

So, what about DNA data? Everything stated here certainly suggests that DNA information about you that is large enough (e.g., your entire genome sequence) or specific enough (e.g., gene variations that led to a medical diagnosis) could never be considered anonymous. This is why DNA is used in applications ranging from family finder tools to crime scene investigations.

According to many data privacy regulations, de-identified data is likely still considered your personal data/information and you have the right to know how it is being used and prevent it from being used for purposes you don’t agree with, if you choose.

Data privacy regulations vary based on where you live. Some country- or state-level data privacy regulations consider your data as personal information unless it has been anonymized. Others only require de-identification, or de-identification PLUS defined additional steps (sometimes many such steps!) to help prevent re-identification, so that it’s no longer considered your personal data.

Yes, this is all a bit confusing and constantly evolving. So, when you see news articles bandying about a company selling access to “de-identified” data that is no longer under your control – you being the individual the data represents – it should set off warning flags. According to GDPR (General Data Protection Regulation in Europe) and CPRA (California Privacy Rights Act) and similar US and non-US data privacy regulations, de-identified data is likely still considered your personal data/information and you have the right to know how it is being used and prevent it from being used for purposes you don’t agree with, if you choose.



Know your Rights Around Health Data Privacy


Evolving privacy regulations, changing legal interpretations, and security breaches make it hard to keep up with our rights and risks these days. People are looking for resources to help them cut through the technical jargon regarding personal health data protection. Many simply want to use the technology they have come to enjoy while keeping their health information safe and secure. 

What are health data rights?

To unpack these questions, it’s helpful to review where your health information was first accessed and what your rights are currently. When individuals in the United States consider their health information, they may be aware that the law regulates how healthcare providers (also known as “covered entities”) use their data. First passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) limits third-party access to personally identifying information stored within the healthcare system.

Many people may not be aware that this information is used outside the healthcare system for research and other uses beyond medical care. Eighteen data types were established as protected health information (PHI) in the HIPAA Privacy Rule, finalized in 2000. PHI includes types of data such as names and addresses, but it also covers “any other characteristic that could uniquely identify the individual.” However, the HIPAA Privacy Rule only applies to healthcare settings. HIPAA does not protect the privacy of our data held by app providers, government bodies, biotech companies, and other entities that don’t provide healthcare services.

“Health discovery relies on health data. Luna advocates that the most reliable, representative health data comes directly from people. This is why, from Day 1, we’ve built privacy-by-design so that we can protect people and accelerate better health interventions.”

Scott Kahn, Chief Privacy and Information Officer

Since the passage of HIPAA, the amount of information that can be gathered about us has increased exponentially, and data science has advanced significantly. Remember, we just started using email in 1996! Today, computer science methods can combine non-identifying information—as few as two to three pieces of data—into very accurate assignments of a person’s identity. Put differently, the privacy protections that HIPAA gave us two decades ago were not designed with today’s information and science in mind. 

This simple observation has motivated some states and federal legislators to enact data privacy laws that focus on a set of rights for individuals, not institutions.

Read “How Modern Data Privacy Laws Enables Research”
Scott Kahn, PhD, Chief Information and Privacy Officer, Luna

You have a right to data privacy

Today, as health and tech consumers, we have rights to data privacy. Modern laws define a person’s rights when it comes to data. They require companies, governments, and organizations to respect these rights when collecting and analyzing data about consumers. We can give permission, known legally as informed consent, for the use of our data, and we have a right to know who is using our data for what, such as a clearly defined public benefit.  

In general, these newer laws require that we are provided the purpose, such as the kind of research being done, for why our data is being collected. One example of these laws in practice is the numerous cookie notifications you receive on practically every website you encounter on the internet. You have the right to change your mind about sharing your data—also known as revoking consent—and the right to confirm that the company destroyed your data. 

We live in a time when the amount of data being created is astounding. If we can use that data to advance causes that matter to us, we can change the quality and velocity of health interventions.

At Luna, we appreciate the evolution of these consumer data privacy laws and have operated since Day One to exceed their requirements.

Read about Luna’s Data Protection Impact Assessment.


Scott Kahn, Ph.D.

CHIEF INFORMATION + PRIVACY OFFICER

Scott is the former CIO and VP Commercial, Enterprise Informatics at Illumina. At Luna, he’s integrating data privacy and security provisions that keep member data safe, private, and secure.