By Jorge L. Contreras
This blog post was originally posted by Harvard Law’s Bill of Health blog. It is re-posted with permission.
The popular direct-to-consumer genetic testing site AncestryDNA claims that “You always maintain ownership of your data.” But is this true? And, if so, what does it mean?
For more than a century, US law has held that data – objective information and facts – cannot be owned as property. Nevertheless, in recent years there have been increasing calls to recognize property interests in individual health information. Inspired by high profile data breaches and skullduggery by Facebook and others, as well as ever more frequent stories of academic research misconduct and pharmaceutical industry profiteering, many bioethicists and patient advocates, seeking to bolster personal privacy and autonomy, have argued that property rights should be recognized in health data. In addition, a new crop of would-be data intermediaries (e.g., Nebula Genomics, Genos, Invitae, LunaDNA and Hu.manity.org) has made further calls to propertize health data, presumably to profit from acting as the go-betweens in what has been estimated to be a $60-$100 billion global market in health data.
But what do these proposals hope to gain, and what effects would such a sea change in the law of data ownership have? In several recent papers (Geo. L.J., Health Matrix, NYU L. Rev.), I have argued from different angles that converting health information into personal property is a bad idea. Here are a few reasons why:
Traditional property rules don’t make sense for health data.
The common law of property has been around for hundreds of years and certain assumptions and privileged are built into it. For example, property lasts forever. If I own a bike, it is my property until I sell it, give it away, abandon it, or part with title in some other legally recognized way. When I die, that bike will pass to the beneficiaries of my will or to my heirs, who can then dispose of it as they wish. Is this a feasible system for individual health data?
And what about a property owner’s exclusive right to use his or her property? I may ride my bike only once per year, but does that mean I have to allow others to use it the other 364 days of the year? No, because the bike is my property. But what if data about my health is also property? If I arrive at my doctor’s office covered with red welts and a fever, I expect her to recall other patients she has seen with similar symptoms to make an educated guess about my diagnosis. Likewise, if my neighbor visits the same doctor tomorrow, I would expect her to recall my visit and consider whether some new contagion is at work in our neighborhood (subject to keeping my personally identifiable information confidential – see Point 3 below). If everyone’s health data were their exclusive property, then this type of free re-use would not be possible unless the doctor obtained everyone’s advance consent – a losing proposition for me and my sick neighbors.
Propertization will make biomedical research more difficult and expensive.
Biomedical research today depends on the ability to access, use and share data about large numbers of people. But if individuals are deemed to own all data about themselves then, presumably, this data could not be used without each individual’s prior authorization, no matter how long ago it was collected or how remote it is to a particular study. Such a requirement could impose substantial up-front costs on any sizable research program, which would likely translate into less socially beneficial research or elevated prices for the therapies emerging from such research. Thus, individual property entitlements in health data have the potential both to disrupt and substantially increase the cost of biomedical research that benefits us all. As one federal court warned, the recognition of individual property rights in health data could “cripple medical research.”
Existing legal rules already protect individual privacy and data security.
Even without recognizing a property interest in health data, individuals can be protected against violations of privacy and abuses of their data. Today, the HIPAA Privacy Rule imposes strict confidentiality requirements on healthcare providers who handle personal data.
Likewise, the Genetic Information Nondiscrimination Act prohibits certain employers and health insurers from collecting genetic information or discriminating against individuals based on genetic information. And the click-through agreements that I accept from DTC providers like 23andMe and Ancestry also contain numerous privacy protections. If companies or institutions violate these regulatory and contractual protections, they may be liable both to government enforcement and private lawsuits.
Thus, while there is an intuitive attraction to “owning” one’s health information, translating this concept into a workable legal structure is challenging at best. Instead, we should focus on improving and enhancing existing privacy and data security regulations so that we protect what is important to individuals without imposing additional burdens on already stressed patient care, public health and biomedical research systems.
This post is part of a digital symposium hosted by Bill of Health in conjunction with the Petrie-Flom Center’s 2019 Annual Conference, “Consuming Genetics: Ethical and Legal Considerations of New Technologies.”
Read the rest of the symposium!
Jorge Contreras is a Professor at the S.J. Quinney College of Law, Department of Human Genetics, University of Utah School of Medicine.