I Introduction

Digital tools to diagnose and treat patients in the home: The phrase hits several tripwires, each sounding its own privacy alarm. Invading the “castle” of a person’s home is one privacy tripwire.Footnote ¹ Sustained digital surveillance of the individual is another. Anything to do with personal health information is still another. Each alarm calls attention to a different strand of privacy law, each with its own account of why privacy matters and how to protect it. No overarching conception of privacy leaps out, which calls to mind Daniel Solove’s remark that “the law has attempted to adhere to overarching conceptions of privacy that do not work for all problems. Not all privacy problems are the same.”Footnote ²

This chapter explores four faces of privacy: (1) Privacy of the home, which links privacy to the location where information is created or captured; (2) privacy as individual control over personal information, without regard to location, in an age of pervasive digital surveillance; (3) contextual privacy frameworks, such as medical privacy laws addressing the use and sharing of data in a specific context: clinical health care; and (4) content-based privacy, unmoored from location or context and, instead, tied to inherent data characteristics (e.g., sensitive data about health, sexual behavior, or paternity, versus nonsensitive data about food preferences). The hope here is to find a workable way to express what is special (or not) about digital tools for diagnosis and treatment in the home.

II The Privacy of the Home

An “interest in spatial privacy” feels violated as the home – the “quintessential place of privacy” – becomes a site of digital medical observation and surveillance.Footnote ³ Yet electronic home health monitoring originated decades ago, which invites the question of what has sparked sudden concern about digital home health privacy now.

Past experience with home diagnostics clarifies the privacy challenge today. In 1957, Dr. Norman J. Holter and his team developed an ambulatory electrocardiograph system, building on the 1890s string galvanometer for which Willem Einthoven won the 1924 Nobel Prize.Footnote ⁴ The resulting wearable device, known as a Holter monitor, records electrocardiographic signals as heart patients go about their routine activities at home and, since 1961, has been the backbone of cardiac rhythm detection and analysis outside the hospital.Footnote ⁵ Six decades of at-home use of this and similar devices have passed without notable privacy incidents.

There is a distinction that explains why traditional home diagnostics like Holter monitors were not controversial from a privacy standpoint, while today’s digital home health tools potentially are. Jack Balkin stresses that “certain kinds of information constitute matters of private concern” not because of details like the content or location, “but because of the social relationships that produce them.”Footnote ⁶ For example, an injured driver receiving care from an ambulance crew at the side of a road should not be filmed and displayed on the evening news – not because the person is in a private location (which a public highway is not), but because the person is in a medical treatment relationship at the time.Footnote ⁷ It is “relationships – relationships of trust and confidence – that governments may regulate in the interests of privacy.”Footnote ⁸

Traditional devices like Holter monitors are prescribed in a treatment relationship by a physician who refers the patient to a laboratory that fits the device and instructs the patient how to use it. After a set period of observation, the patient returns the device to the laboratory, which downloads and analyzes the data stored on the device and conveys the results to the ordering physician. Everyone touching the data is in a health care relationship, bound by a web of general health care laws and norms that place those who handle people’s health information under duties of confidentiality.Footnote ⁹

These duties flow less from privacy law than from general health care laws and norms predating modern concerns about information privacy. For example, state licensing statutes for health care professionals focus mainly on their competence but also set norms of confidentiality, enforceable through disciplinary sanctions and the potential loss of licensure.Footnote ¹⁰ Professional ethics standards, such as those of the American Medical Association, amplify the legally enforceable duties of confidentiality.Footnote ¹¹ State medical records laws govern the collection, use, and retention of data from medical treatment encounters and specify procedures for sharing the records and disposing of or transferring them when a care relationship ends.Footnote ¹² State courts enforce common law duties for health care providers to protect the confidential information they hold.Footnote ¹³

Jack Balkin’s first law of fair governance in an algorithmic society is that those who deploy data-dependent algorithms should be “information fiduciaries” with respect to their clients, customers, and end-users.Footnote ¹⁴ Traditional health care providers meet this requirement. The same is not always (or perhaps ever) true of the new generation of digital tools used to diagnose and treat patients at home. The purveyors of these devices include many new players – such as medical device manufacturers, software developers and vendors, and app developers – not subject to the confidentiality duties that the law imposes on health care professionals, clinics, and hospitals.

The relationships consumers will forge with providers of digital home health tools are still evolving but seem unlikely to resemble the relationships of trust seen in traditional health care settings. Responsibility for protecting the data generated and collected by digital home health devices defaults, in many instances, to vendor-drafted privacy policies and terms of service. Scott Peppet’s survey of twenty popular consumer sensor devices found these privacy protections to be weak, inconsistent, and ambiguous.Footnote ¹⁵

Nor is the privacy of the home a helpful legal concept here. As conceived in American jurisprudence, the privacy of the home is a Fourth Amendment protection against governmental intrusion to gather evidence for criminal proceedings.Footnote ¹⁶ This has little relevance to a private-sector medical device manufacturer or software vendor offering home diagnostic tools that gather personal health data that could be repurposed for research or a variety of other commercial uses that threaten users’ privacy. The Fourth Amendment occasionally might be helpful – for example, if the government seeks data from a home diagnostic device to refute a user’s alibi that she was at home at the time she stands accused of a crime at a different location. Unfortunately, this misses the vast majority of privacy concerns with at-home medical monitoring: Could identifiable health data leak to employers, creditors, and friends in ways that might stigmatize or embarrass the individual? Might data be diverted to unauthorized commercial uses that exploit, offend, or outrage the person the data describe? The Fourth Amendment leaves us on our own to solve such problems.

The privacy of the home enters this discussion more as a cultural expectation than as a legal reality. The home as a site of retreat and unobserved, selfhood-enhancing pursuits is a fairly recent innovation, reflecting architectural innovations such as hallways, which became common in the eighteenth century and eliminated the need for every member of the household to traverse one’s bedroom to get to their own.Footnote ¹⁷ The displacement of servants by nongossiping electrical appliances bolstered domestic privacy, as did the great relocation of work from the home to offices and factories late in the nineteenth century.Footnote ¹⁸ The privacy of the home is historically contingent. It may be evolving in response to COVID-19-inspired work-from-home practices but, at least for now, the cultural expectation of privacy at home remains strong.

This strong expectation does not translate into a strong framework of legal protections. Private parties admitted to one’s home are generally unbound by informational fiduciary duties and are free to divulge whatever they learn while there. As if modeled on a Fourth Amendment “consent search,” the host consents at the point when observers enter the home but, once there, they are free to use and share information they collect without further consent. The privacy of the home, in practice, is protected mainly by choosing one’s friends carefully and disinviting the indiscreet. The question is whether this same “let-the-host-beware” privacy scheme should extend to private actors whose digital home health tools we invite into our homes.

III Privacy as Individual Control over Identifiable Information

Many privacy theorists reject spatial metaphors, such as the privacy of the home, in favor of a view that privacy is a personal right for individuals to control data about themselves.Footnote ¹⁹ After the 1970s, this “control-over-information” privacy theory became the “leading paradigm on the Internet and in the real, or off-line world.”Footnote ²⁰ It calls for people – without regard to where they or their information happen to be located – to receive notice of potential data uses and to be granted a right to approve or decline such uses.

This view is so widely held today that it enjoys a status resembling a religious belief or time-honored principle. Few people recall its surprisingly recent origin. In 1977, a Privacy Protection Study Commission formed under the Privacy Act of 1974 found that it was quite common to use people’s health data in biomedical research without consent and recommended that consent should be sought.Footnote ²¹ That recommendation was widely embraced by bioethicists and by the more recent Information Privacy Law Project on the ethics of data collection and use by retailers, lenders, and other nonmedical actors in modern “surveillance societies.”Footnote ²²

Control-over-information theory has its critics. An obvious concern is that consent may be ill-informed as consumers hastily click through the privacy policies and terms of use that stand between them and a desired software tool. In a recent survey, 97 percent Americans recalled having been asked to agree to a company’s privacy policy, but only 9 percent indicated that they always read the underlying policy to which they are agreeing (and, frankly, 9 percent sounds optimistic).Footnote ²³ Will people who consent to bring digital health devices into their homes carefully study the privacy policies to which they are consenting? It seems implausible.

A more damning critique is that consent, even when well-informed, does not actually protect privacy. A person who freely consents to broadcast a surgery or sexual encounter live over the Internet exercises control over their information but is foregoing what most people think of as privacy.Footnote ²⁴ Notice-and-consent privacy schemes can be likened to the “dummy thermostats” in American office skyscrapers – fake thermostats that foster workplace harmony by giving workers the illusion that they can control their office temperature, which, in fact, is set centrally, with as many as 90 percent of the installed thermostats lacking any connection to the heating and air-conditioning system.Footnote ²⁵ Consent norms foster societal harmony by giving people the illusion that they can control their privacy risks, but, in reality, consent rights are disconnected from privacy and, indeed, exercising consent rights relinquishes privacy.

The loss of privacy is systemic in modern information economies: It is built into the way the economy and society work, and there is little an individual can do. Privacy is interdependent, and other people’s autonomous decisions to share information about themselves can reveal facts about you.Footnote ²⁶ Bioethicists recognize this interdependency in a number of specific contexts. For example, genomic data can reveal a disease-risk status that is shared with one’s family members,Footnote ²⁷ and, for Indigenous people, individual consent to research can implicate the tribal community as a whole by enabling statistical inferences affecting all members.Footnote ²⁸

Less well recognized is the fact that, in a world of large-scale, generalizable data analytics, privacy interdependency is not unique to genetically related families and tribal populations. It potentially affects everyone. When results are generalizable, you do not necessarily need to be reflected in the input data in order for a system to discover facts about you.Footnote ²⁹ If people like you consent to be studied, a study can reveal facts about you, even if you opted out.

Biomedical science aims for generalizability and strives to reduce biases that cause scientific results not to be valid for everyone. These are worthy goals, but they carry a side effect: Greater generalizability boosts systemic privacy loss and weakens the power of consent as a shield against unwanted outside access to personal facts. Whether you consent or refuse to share whatever scraps of personal data you still control, others can know things about you because you live in a society that pursues large-scale data analytics and strives to make the results ever-more generalizable, including to you. Just as antibiotics cease to work over time as microbes evolve and grow smarter at eluding them, so consent inexorably loses its ability to protect privacy as algorithms grow smarter, less biased, and more clever at surmising your missing data.

There is another concern with notice-and-consent privacy schemes in biomedical contexts, where the problem of bias has been empirically studied more than in some other sectors. Selection bias occurs when the people included in a study fail to reflect the entire population that, ultimately, will rely on results from that study.Footnote ³⁰ Consent norms can produce selection bias if some demographic groups – for example, older white males – consent more eagerly than other groups do. People’s willingness to consent to secondary data uses of their health data varies among racial, ethnic, and other demographic groups.Footnote ³¹ If digital home health tools are trained using data acquired with consent, those tools may be biased in ways that cause them to deliver unreliable results and health care recommendations for members of historically underrepresented population subgroups, such as women and the less affluent.Footnote ³² Consent norms can fuel health care disparities. Admittedly, this is only one of many equity concerns with digital home health tools. The more salient concern, obviously, is whether these tools will be available to nonprivileged members of society at all. Many of these tools are commercially sold on a self-pay basis with no safety net to ensure access by those who cannot pay.

In October 2022, the White House published its Blueprint for an AI Bill of Rights, recommending a notice-and-consent privacy scheme in which “designers, developers, and deployers of automated systems” must “seek your permission” to use data in an artificial intelligence (AI) system.Footnote ³³ It simultaneously calls for AI tools to be “used and designed in an equitable way” that avoids disparities in how the tools perform for different population subgroups.Footnote ³⁴ In domains where selection bias is well-documented,Footnote ³⁵ as in health care, these two goals may clash.

IV Medical Privacy Law

One possibility for regulating AI/machine learning (ML) home health tools would be to place them under the same medical privacy regulations – for example, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule,Footnote ³⁶ a major US medical privacy framework – used for data generated in clinical health care settings. This section argues against doing so.

Medical privacy law rejects control-over-information theory in favor of “privacy’s other path” – confidentiality law,Footnote ³⁷ a duty-based approach that places health care providers under duties to handle data carefully.Footnote ³⁸ The HIPAA Privacy Rule does not itself impose any confidentiality duties. It does not need to do so, because it regulates one specific context – clinical health care – where most of the “covered entities”Footnote ³⁹ it regulates have confidentiality duties under state law.Footnote ⁴⁰

The Privacy Rule is best modeled as what Helen Nissenbaum refers to as a contextual privacy scheme.Footnote ⁴¹ It states a set of “informational norms” – data-sharing practices that have been deemed permissible in and around clinical health care.Footnote ⁴² The Privacy Rule allows protected health information (PHI) to be disclosed after de-identification or individual authorization (HIPAA’s name for consent).Footnote ⁴³ This leads casual observers to think that it is a notice-and-consent privacy scheme, but it then goes on to state twenty-three additional rules allowing disclosure of PHI, often in identifiable formats, without consent but subject to various alternative privacy protections that, at times, are not as strong as one might wish.Footnote ⁴⁴

Where medical privacy is concerned, the European Union (EU)’s General Data Protection Regulation (GDPR) is more like the HIPAA Privacy Rule than most Americans realize. It grants leeway for the twenty-seven EU member states, when regulating data privacy in clinical health care settings, to go higher or lower than the GDPR’s baseline consent standard.Footnote ⁴⁵ A 2021 report for the European Commission summarized member state medical privacy laws, which replicate many of the same unconsented data flows that the HIPAA Privacy Rule allows.Footnote ⁴⁶

The bottom line is that when you enter the clinical health care setting – whether in the United States or elsewhere – you will only have limited control over your information. A certain amount of data sharing is necessary to support the contextual goals of health care: For example, saving the life of a patient whose symptoms resemble yours by sharing your data with their physician; conducting medical staff peer review to rout out bad doctors; tracking epidemics; detecting child abuse; enabling the dignified burial of the deceased; and monitoring the safety of FDA-approved medical products. Your data can be used, with or without your consent, to do these and many other things considered essential for the proper functioning of the health care system and of society.

Notably, the HIPAA Privacy Rule takes no position on individual data ownership, so state medical records laws that vest the ownership of medical records in health care providers are not “less stringent” than HIPAA and, thus, are not preempted.Footnote ⁴⁷ In many states, providers legally own their medical records, subject to various patient interests (such as confidentiality and patient access rights) in the data contained in those records.Footnote ⁴⁸ Some states clarify provider ownership in their state medical records acts; others reach this conclusion through case law.Footnote ⁴⁹ Only New Hampshire deems the medical information in medical records to be the property of the patient,Footnote ⁵⁰ and a handful of states provide for individuals to own their genetic information.Footnote ⁵¹

What could go wrong if purveyors of digital home health devices were added to the list of covered entities governed by the HIPAA Privacy Rule? The Privacy Rule relies on an underlying framework of state laws to place its covered entities under duties of confidentiality.Footnote ⁵² Many sellers of home health devices are not bound by those laws. Without those laws, the Privacy Rule’s liberal norms of data sharing could allow too much unauthorized data sharing.

Similar problems arose after 2013, when “business associates” were added to the list of HIPAA-covered entities.Footnote ⁵³ Many business associates – such as software service providers offering contract data-processing services to hospitals – fall outside the scope of the state health laws that place health care providers under duties of confidentiality. The amended Privacy Rule did not address this problem adequately, leaving an ongoing privacy gap.Footnote ⁵⁴

Placing business associates – or, by analogy, digital home health care providers – under strong duties of confidentiality seemingly requires legal reforms at the state level. Federal solutions, such as HIPAA reforms or the proposed AI Bill of Rights, are not, by themselves, sufficient.

V Content-Based Privacy Protection

A uniform scheme of content-based privacy regulations stratifies the level of privacy protection based on inherent data characteristics (e.g., data about health) without regard to where in the overall economy the data are held. The fact that Sally is pregnant receives the same protection whether it came from a home pregnancy test, a clinical diagnostic test, or a Target™ store’s AI marketing algorithm.Footnote ⁵⁵ This reasoning has strong superficial appeal, but there may be good reasons to distinguish health-related inferences drawn within and outside the clinical care context.

Some factors justify stronger privacy protections for digital home health data than for clinical health data. In clinical settings, most (not all) unconsented HIPAA data disclosures go to information fiduciaries, such as health care professionals, courts, and governmental agencies subject to the federal Privacy Act. In home care settings, the baseline assumption is that the users and recipients of people’s digital health data are not information fiduciaries, which strengthens the case for strong individual control over data disclosures.

There can be important differences in data quality. Data generated in clinical settings is subject to regulatory and professional standards aimed at ensuring data quality and accuracy. Data generated by home health devices does not always meet these same quality standards. Digital home health data might be inaccurate, so that its release is not only stigmatizing but defamatory (false). Again, this counsels in favor of strong consent norms. Other factors might cut the other way.

The EU’s GDPR and the California Consumer Privacy Act are sometimes cited as consistent, content-based privacy schemes.Footnote ⁵⁶ Such schemes could offer consistency in a home care system where licensed professionals, nonmedical caregivers, and commercial device companies are all differently regulated. Yet these laws are inferior to the HIPAA Privacy Rule in various respects. An important example is the treatment of inferential knowledge. Under the GDPR, people have access to their raw personal input data but can have trouble accessing inferences drawn from those data.Footnote ⁵⁷ Wachter and Mittelstadt note that “individuals are granted little control or oversight over how their personal data is used to draw inferences about them” and their “rights to know about (Articles 13–15), rectify (Article 16), delete (Article 17), object to (Article 21), or port (Article 20) personal data are significantly curtailed for inferences.”Footnote ⁵⁸

The GDPR recognizes the legitimacy of competing claims to inferential knowledge. Inferences are not just a product of the input data from which they were derived, so that an inference “belongs” to the person it describes. Data handlers invest their own effort, skills, and expertise to draw inferences. They, too, have legitimate claims to control the inference. In contrast, the HIPAA Privacy Rule grants individuals a right to inspect, to obtain a copy of, and to request correction of not only their raw personal data (e.g., medical images and test results), but also the medical opinions and inferences drawn from those data.Footnote ⁵⁹ This is the only informational norm in the HIPAA Privacy Rule that is mandatory: Covered entities must provide people with such access if they request it. The point of this example is that fact-specific analysis is needed before jumping to policy conclusions about which framework is better or worse for digital home health care.

VI Conclusion

This chapter ends where it began, with Solove’s insight that “[n]ot all privacy problems are the same.” The modern generation of digital home health devices raises novel privacy concerns. Reaching for solutions devised for other contexts – such as expanding the HIPAA Privacy Rule to cover digital home health providers or cloning the GDPR – may yield suboptimal policies. Consent norms, increasingly, are understood to afford weak data-privacy protections. That is especially true in digital home health care, where consent rights are not reliably backstopped by fiduciary duties limiting what data handlers can do with health data collected in people’s homes. State legislation to set fiduciary duties for digital home health providers may, ultimately, be a better place to focus than on new federal privacy policies. Medical privacy law reminds us that achieving quality health care – in any context – requires an openness to responsible data sharing. Will those needed data flows exist in a world of privately sponsored digital home health tools whose sellers hoard data as a private commercial asset? The goal of a home health privacy framework is not merely to protect individual privacy; it also must enable the data flows needed to ensure high-quality care in the home health setting. At the same time, the “wild west” environment of digital home health might justify a greater degree of individual control over information than has been customary in traditional clinical care settings. Forging a workable consensus will require hard work, and the work has only just begun.

I Introduction

The connected at-home health care device industry is booming.Footnote ¹ Wearable health trackers alone constituted a $21 billion market in 2020, anticipated to grow to $195 billion by 2027.Footnote ² At-home devices now purportedly make it possible to diagnose and monitor health conditions, such as sleep apnea, diabetes, and fertility, automatically, immediately, and discreetly. By design, these devices produce a wealth of data that can inform patients of their health status and potentially even recommend life-saving actions.Footnote ³

But patients and their health care providers often lack access to this data.Footnote ⁴ Manufacturers typically design connected at-home devices to store data in cloud services run by the manufacturers themselves, requiring device owners to register accounts and accept the terms of use and limitations that the manufacturers impose. A recent survey of 222 mobile “app families” associated with wellness devices found that 64.4 percent “did not report sharing any data” with other apps or services.Footnote ⁵ A parent testified in Congress as to how a lack of data access impaired his daughter’s ability to manage Type I diabetes,Footnote ⁶ and patients with sleep apnea have had to circumvent technological device locks to extract data on their own sleep.Footnote ⁷ Many medical and wellness devices that patients use for in-home diagnosis and monitoring – which we simply call “health devices” – lock patients into manufacturers’ ecosystems. This limits patients’, and society’s, ability to tap into the full value of the data, despite the extensive individual and social benefits that access could provide.

The problem here is not solely technical; it is also legal. Existing law in the United States provides patients with no guarantee of access to their data when it is generated and stored outside the traditional health care system. The Health Insurance Portability and Accountability Act (HIPAA) provides patients a legally enforceable right of access to copies of their electronic health records (EHRs), and, in recent years, the Department of Health and Human Services (HHS) has moved to make this right enforceable and meaningful.Footnote ⁸ But as HHS itself has observed about health devices and other “mHealth” technologies used outside the EHR ecosystem, manufacturers “are not obligated by a statute or regulation to provide individuals with access to data about themselves,” so patients with data on such devices “may not have the ability to later obtain a copy.”Footnote ⁹

This chapter begins by identifying the individual and societal benefits of patient access to health device data. It then addresses the arguments for restricting such access, especially those based on intellectual property laws and policies. We conclude that such arguments are ultimately doctrinally and normatively unconvincing, such that they should not dissuade legislatures and federal agencies from legislating or regulating rights of access. We then consider what can and should be done to create a robust, administrable right of patients to access health device data that protects all stakeholders’ interests, and we offer a nascent framework that draws from other regimes for patient and consumer access to personal information. We hope the framework will guide legislatures and regulators as they begin to address this important issue.

II Benefits of Patient Access

There are important individual and societal benefits when patients can access their own health data. Foremost for individuals is the fulfillment of patient autonomy and dignity. Health device data informs decisions about treatment, so a patient without access can neither make fully informed decisions about a course of care nor evaluate a provider’s recommendations.Footnote ¹⁰ Patients may also need access to health device data to “transport” their data to new health care providers for safekeeping,Footnote ¹¹ or to repair their devices.Footnote ¹² From a research perspective, patients can and do exploit health device data to useful ends, since their own health stands to benefit from insights and discoveries drawn from that data.Footnote ¹³ Many patients use health device data for “quantified self” or “n=1” research to discover how best to manage their own health.Footnote ¹⁴

Turning to broader societal benefits, a key starting point is the research that is enabled when patient data is aggregated.Footnote ¹⁵ For example, the National Institutes of Health (NIH)-run ClinVar database receives genetic variant data authorized for inclusion by individual patients and now contains over two million records representing 36,000 different genes, which public and private enterprises have used to advance research and create consumer products and services.Footnote ¹⁶ The ClinVar model of government-supported collaborative dataset-building is one starting point for the idealistic vision of “medical information commons” – the collective, shared governance of medical knowledge (rather than proprietary or authoritarian governance of the same)Footnote ¹⁷ – that researchers and regulators alike believe would be a tremendous boon to science.Footnote ¹⁸

Research on aggregated health data also allows patient groups and civil society watchdogs to verify manufacturers’ claims and ensure that health devices function as advertised – especially important given that those devices are only lightly regulated.Footnote ¹⁹ Aggregated health device data also promises to become a variety of the “real-world evidence” increasingly used to conduct public health research and validate the safety and efficacy of other products the same patients are using.Footnote ²⁰ But these potential benefits depend on patient data aggregated at a sufficient scale.Footnote ²¹

Societal spillover effects explain, at least in part, why market forces do not prompt manufacturers to satisfy patient demand for data access. Patient self-researchers tend to be consumer-innovators who share their insights and discoveries altruistically, at low or no cost, which may undercut the manufacturers.Footnote ²² And the value of aggregated patient data cannot easily be captured by a single entity. As a result, there is no straightforward way for patients and health device manufacturers to transact for data access.

Another economic disconnect arises from competition among device manufacturers. When patients can easily extract their data from one device and port it to a competing device, they avoid “lock-in,” which promotes patient choice and fosters competition.Footnote ²³ In an effort to avoid such competition, however, device manufacturers have incentives to limit patient data access. Indeed, some have implemented technical measures to keep even savvy patients from extracting data and asserted laws against the circumvention of those technological measures to further keep patients from their data.Footnote ²⁴

III Legality of Patient Access

To be sure, there are real concerns with giving patients access to health device data.Footnote ²⁵ Device manufacturers have pointed to these as reasons to limit such access. The main concerns fall into three categories.

First, there are costs associated with authenticating users, formatting data, and otherwise providing access to records. This problem can be solved by permitting reasonable, small charges for data access.Footnote ²⁶

Second, device manufacturers may be better stewards of sensitive health data than patients, in terms of privacy and cybersecurity.Footnote ²⁷ In theory, manufacturers enjoy economies of scale that enable them to protect health records from data breaches and other compromising disclosures, while individual patients may fail to secure their data or fall victim to privacy-invading scams. Yet, there are countervailing considerations: Manufacturers’ vast databases are themselves an attractive and recurring target for data malfeasance,Footnote ²⁸ and some manufacturers’ shady deals with privacy-intrusive data brokers suggest that companies holding volumes of lightly regulated personal data may not be better positioned than patients to protect data security and privacy.Footnote ²⁹

The third concern often raised as a reason to limit patient access is that the data is somehow proprietary to the device manufacturers. This intellectual property concern requires a bit of conceptual unpacking, as it operates on two different levels. First, it is a legal or doctrinal argument, in which the manufacturers assert specific intellectual property rights over the data. Second, it is a normative, policy-oriented argument that exclusive control over patient data is desirable to protect incentives to develop health devices and data ecosystems.

Evaluating these arguments requires distinguishing the types of health device data. First, there is the software code that the device manufacturer writes. Second, the device takes the raw measurements of the patient and stores them. Third, the device (or external software) may perform computations on the raw data to produce values intended to approximate a natural phenomenon, such as a pulse. Fourth, the device may compute data outputs of the manufacturer’s own invention. For example, a device might use pulse measurements across a night to produce a “sleep score,” indicating how well, in the manufacturer’s opinion, the patient slept, and offer recommendations on how to sleep better.Footnote ³⁰

Our focus is the second and third types of information – raw measurements and computed estimates of physiological properties – because they are likely to be of the most interest to patients. We therefore refer hereinafter to these two types of data together simply as “patient data.” With access to this patient data, patients likely will not need to view source code on the device to put the data to use. Manufacturer-specific computations and scores are likely not useful for cross-device interoperability, and the black-box nature of the algorithms often used to compute such scores limits their usefulness for care and research alike.Footnote ³¹

Two intellectual property regimes are most frequently raised to justify withholding patient data from patients: Copyright law and trade secret protection.Footnote ³² Yet neither provides a genuine doctrinal basis for “ownership” of patient data or barriers to patient access.

Copyright law, which protects creative works of authorship from unauthorized copying, almost certainly cannot justify withholding patient data. Raw physiological measurements and estimates of natural phenomena are facts, ineligible for protection under copyright.Footnote ³³ Furthermore, given the immense health benefits that patients can enjoy from their own data, data access likely qualifies as fair use, exempt from copyright infringement.Footnote ³⁴ Indeed, the US Copyright Office has consistently agreed since 2015 that patient access to medical device data is not copyright infringement, thus, permitting patients to circumvent the technological locks that interfere with their access to data on medical devices.Footnote ³⁵

Nor is patient data a trade secret. First, every legal definition of a trade secret requires the information in question be secret to qualify for protection.Footnote ³⁶ Patient data of all sorts is shared with patients, health care providers, and others and, thus, is not actually secret. Second, even if subsets of patient data are kept secret, they are not the sort of information that trade secrecy law protects. To qualify as a trade secret, information must derive “independent economic value” from its secrecy.Footnote ³⁷ As Hrdy has explained, “secret information whose value does not stem from secrecy cannot be a trade secret.”Footnote ³⁸ Unlike traditionally protectable information – manufacturing processes, precise recipes, and so on – patient data derives economic value from aggregation and sharing, not secrecy.Footnote ³⁹

To be sure, some (nonpatient data) aspects of devices’ software and mechanical designs may be deemed trade secrets.Footnote ⁴⁰ The European Medicines Agency (EMA) offers helpful guidance here, in its official view of the limits of trade secrecy protection of clinical trial data.Footnote ⁴¹ (Like the patient data that is the focus of this chapter, clinical trial data describes patients’ health and is enormously valuable to researchers and patients themselves.) EMA announced that a large majority of clinical trial data “should not be considered” proprietary.Footnote ⁴² In EMA’s view, only “innovative features” of the methods through which data is collected can constitute trade secrets.Footnote ⁴³ EMA expressly defines narrow categories of information it deems innovative and protectable.Footnote ⁴⁴ These focus on methods for gathering data more quickly or cheaply, such as immunogenicity assays.Footnote ⁴⁵ Notably, EMA’s categories do not permit proprietary claims to the outcome data that describes patients’ health (analogous to health devices’ patient data); EMA instead mandates that all outcome data be publicized.Footnote ⁴⁶

What remains of health device manufacturers’ intellectual property claims is a normative argument that data inaccessibility gives manufacturers incentives to innovate.Footnote ⁴⁷ Yet, there are serious defects to this normative argument. First, patients themselves have a countervailing incentive to innovate – their own health depends on it. Second, the “innovation” manufacturers wish to protect may not be beneficial at all: Secrecy can conceal safety problems, false claims of efficacy, racially biased outcomes, and other defects. Normatively and doctrinally, trade secrecy should not and does not protect this kind of secrecy.Footnote ⁴⁸ As the Supreme Court has stated, if the disclosure of secret information reveals “harmful side effects of the [trade secret holder’s] product and causes the [holder] to suffer a decline in the potential profits from sales of the product, that decline in profits stems from a decrease in the value of the [product] to consumers, rather than from the destruction of an edge the [holder] had over its competitors, and cannot constitute the taking of a trade secret.”Footnote ⁴⁹

IV Toward a Regulatory Framework

Although we have argued patients should have access to health device data as a legal and policy matter, the practical fact remains that manufacturers are currently free to build devices that deny such access at a technological level. There is, thus, a need for a legal framework to secure such access. No such framework currently exists: The existing regulations are generally limited to narrow classes of medical records or apply only to traditional health care providers and some of their business associates.

To develop an effective framework, it is useful to survey existing consumer data-access regimes both within the health care system and otherwise. We arrange them into three categories, roughly ranked by the strength of their mandates.

The most powerful regimes mandate patients’ right to data access. The HIPAA Privacy Rule provides patients with “a right of access to inspect and obtain a copy of protected health information” from health care providers.Footnote ⁵⁰ Similarly, European law and the laws of some states provide consumers with rights to retrieve data about themselves.Footnote ⁵¹ These laws employ a range of enforcement mechanisms, including civil actions by consumers, state attorney general investigations, and administrative monetary penalties. For example, the HHS’s Office for Civil Rights recently began penalizing HIPAA-covered health care providers that fail to supply patients’ protected health information upon request or charge excessive fees for them,Footnote ⁵² prompting improvement after years of subpar compliance.Footnote ⁵³

A second approach is softer financial incentives and disincentives – “carrots” and “sticks” – to encourage data holders to offer access. This was the primary approach used for the adoption of EHRs: The HITECH Act of 2004 both offered providers incentive payments for adopting certified EHR systems in their practices, and imposed a modest penalty on Medicare reimbursements for providers who did not.Footnote ⁵⁴ Today, after billions of dollars of investment by HHS, the vast majority of providers have adopted EHRs,Footnote ⁵⁵ and those systems largely comply with HHS’s voluntary certification standards because the financial benefits created sufficient demand.Footnote ⁵⁶ HHS’s ongoing ability to set certification standards has enabled the agency to require EHR systems to export data in standardized interoperability formats, to expose application programming interfaces for data access, and to stop companies’ “information blocking” practices that hamper patients’ ability to access their own health records.Footnote ⁵⁷

A third possibility is to build public infrastructure or subsidize private infrastructure that coordinates patient data access. With ClinVar, for example, genetic testing laboratories voluntarily submit annotated reports of genetic variants to an NIH-run database, with patient consent. They make these voluntary submissions because, among other reasons, foundations and publishers often require them as a condition of grants or publication.Footnote ⁵⁸ The presence of established, stable, government-supported infrastructure for data sharing makes such data submission requirements more common and more effective. In this way, legislatures and regulators can incentivize data sharing even without direct regulation.

We integrate aspects from these regimes into a nascent framework for patient access to at-home health care device data. Our framework-in-progress has three elements: A legal hook to induce device manufacturers to make patient data accessible to patients, a technical standard for data storage and access, and infrastructure for patients to deposit and use their data.

As to the first element, legislation or regulation to compel access, akin to HIPAA, would be most forceful and effective. For example, in 2019, Senators Klobuchar and Murkowski proposed creating a HIPAA-like statutory right of patients “to access, amend, and delete a copy of the personal health data that companies collect or use,”Footnote ⁵⁹ including data from all “cloud-based or mobile technologies that are designed to collect individuals’ personal health data.”Footnote ⁶⁰

US states also have substantial authority to legislate around HIPAA and could themselves create statutory patient-data access rights. Texas, for example, subjects some HIPAA-exempt entities, such as schools and public health researchers, to some of the obligations that HIPAA imposes.Footnote ⁶¹ The California Consumer Privacy Act (CCPA) arguably creates a right of access to health device data not covered by HIPAA, though this theory is so far untested.Footnote ⁶²

Federal regulators could also explore their existing legal authority to require device manufacturers to share data. For example, the Federal Trade Commission could apply its authority to police unfair and deceptive practices to health device makers that market patient access to data as a feature of their products and require that these companies meet their claims.Footnote ⁶³

Alternatively, following the example of the HITECH Act, Congress could provide financial incentives for health devices that meet data access standards, for example, making such devices reimbursable under Flexible Spending Account (FSA) plans or Medicare. A different, intriguing possibility could leverage the status quo of minimal regulation to create new financial incentives and disincentives. Current Food and Drug Administration (FDA) guidance exempts health devices from clearance and approval requirements only if they “present a low risk to the safety of users and other persons.”Footnote ⁶⁴ As noted above, patients’ data access can enable researchers to study the safety risks of devices, so it could be reasonable for the FDA to change its policies and extend a presumption of safety (and thus of exemption from regulation) only to those devices that make data accessible to patients – and perhaps to qualified researchers, too. Manufacturers that choose to withhold data would not be, per se, prohibited from marketing their products, but would be subject to stricter FDA oversight, which would come with new costs.

The second element of the framework is a technical standard to govern how data is to be stored and accessed. Since health devices typically store data in manufacturers’ cloud servers, there is little sense in requiring less than electronic access via a network-connected application programming interface, akin to the requirements for EHR systems. Furthermore, both research and interoperability would benefit from greater standardization of data formats, in light of the profusion of health devices and manufacturers.Footnote ⁶⁵ HHS and its Office of the National Coordinator for Health Information Technology could play an important role here, as it did in the standardization of EHRs.

The third element is an institutional infrastructure for aggregating and sharing data. We propose a public, ClinVar-like repository of patient-authorized submissions of appropriately anonymized device data. Without such a repository, patient access and data interoperability will likely still enable new research and other benefits for patients, but they also could augment the power of firms that amass data and broker access. A government-run repository of patient data arguably has several benefits. As a focal point for data aggregation, it empowers all researchers, not just the largest firms. Also, firms that contribute to this central repository share a relationship with the government that could be leveraged to ensure data privacy and security. And a public repository enables the government and outside experts to think through and develop privacy practices that best protect patients, rather than leaving these questions, in the first instance, to profit-driven firms.

V Conclusion

In this chapter, we have argued for a legal right of patients to access their own health device data. We have begun to trace a legal framework for access, one that includes three key elements: A legal “hook” to coax or compel device manufacturers to share data with patients, a technical standard to govern how data is stored and accessed, and an institutional infrastructure for aggregating and sharing data. We intend to expand on this framework in future work.

I Introduction

Patients with complex diseases like Alzheimer’s or Parkinson’s often require round-the-clock care. Since caregivers may not always be able to be present, remote care technologies (RCTs) can supplement human caregiver intervention and provide the patient with better care. In the TeNDER project,Footnote ¹ we are building technology that will create an alert system for caregivers: For example, if the person falls, their relative or nurse receives a phone alert and can go and check up on them. Such technology relies on remote patient monitoring to detect anomalies in the person’s environment and combines data sources, including electronic health records (EHRs) and data from connected devices (e.g., wearables). The use of these technologies raises questions of data protection since especially sensitive data are involved.Footnote ²

Legal frameworks that govern the use of RCTs are, by their nature, abstract and high-level, meaning that their application might not take into account the specific type of technology or its use in a particular care situation, leaving developers and users in an unclear legal situation.Footnote ³

This chapter aims to bridge the gap between the high-level data protection framework and practical, micro-level application of RCTs by providing an overview of the challenges under European Union (EU) law when developing and using RCTs, exploring how initial results from the TeNDER project on resolving those challenges can help with the practical implementation of similar solutions, as well as examining gaps in the regulation itself. Using these technologies as a starting point, the chapter analyzes the obligations the General Data Protection Regulation (GDPR) lays upon developers in order to address the following research question: “What challenges does the GDPR pose for designers of remote patient care technologies (RCTs), and how can those questions be addressed in practice?”

To answer the research question, the chapter first introduces key legal concerns that data protection poses regarding the use of RCTs, focusing on their field of application and the key principles and obligations relevant to developers. At the same time, the work draws upon the preliminary results of the TeNDER project (2019–2023) to discuss any potential shortcomings in the regulation.

The RCTs discussed in this chapter are in-house, as they are specifically developed to be used remotely, and digital, including digital technologies such as wearables, smart devices, microphones etc. However, TeNDER is not designed to be a medical device and, thus, performs no diagnostics.

II Remote Care Technologies and the GDPR

RCTs are a type of technology that can help patients manage their illnesses better, as well as help elderly people live more independently. They can be used institutionally (e.g., in a care home or hospital) or in the home, where they can contribute to a better quality of life for the user. A variety of different technologies can be used – monitoring devices, smartphones, apps, social media, videoconferencing tools, etc.Footnote ⁴ RCT is distinct from telehealth or eHealth, which refer to the phenomenon of digital health care in general, while remote monitoring or remote care describes the technology (or technologies) being used. RCT is, thus, a specific technology that is used by health care providers, either in a telehealth or a classical health care setting.Footnote ⁵

The advent of 5G and the Internet of things, combined with the two years of pandemic, has led to a heightened uptake of telehealth solutions, including remote monitoring applications and wearables that help people age better.Footnote ⁶ The use of RCTs is especially beneficial for older adults with chronic conditions, for whom monitoring devices, communication tools, and follow-up phone calls enable the 24-hour availability of health management tools.Footnote ⁷

RCTs, like many other eHealth technologies, rely on advanced data processing techniques and different devices, both medical and general-purpose ones, to provide functionalities. The devices and technologies must, at the same time, meet the goals they were designed for and ensure patients’ privacy and safety.Footnote ⁸ In terms of data privacy, patients risk losing control over their health data – especially when it comes to their EHRsFootnote ⁹ – when remote monitoring devices, such as wearables, are used.Footnote ¹⁰ Elderly users may not have consented to the processing of their health data; they may consider monitoring devices as a form of spying upon their private lives.Footnote ¹¹

The GDPR,Footnote ¹² adopted in 2016, binds controllers and processors involved in the processing of health data to put in place appropriate technical and organizational mechanisms to ensure patients’ data protection and the confidentiality of medical information.

The first issue is determining the GDPR’s scope of application to RCTs. The regulation applies when personal data, defined as “any information relating to an identified or identifiable natural person (‘data subject’)” (art. 4(1) of the GDPR), are being processed, meaning “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring,” and so on (art. 4(2) of the GDPR). Data concerning health (also referred to as health data) are defined as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status” (art. 4(15) of the GDPR).

How can we determine what constitutes personal data in a remote care scenario? As per the definition of art. 4(1), as long as information can be linked to a data subject, it is considered personal data. Since the scenario deals with a health care setting, health data are very likely going to be processed. More specifically, the 2007 opinion of the Article 29 Working Party states that “all data contained in medical documentation, in electronic health records and in EHR systems should be considered to be ‘sensitive personal data.’”Footnote ¹³ However, data that cannot be linked to a data subject is not considered personal data, for example because it has been irreversibly anonymized.Footnote ¹⁴

The regime under the GDPR is centered on a data controller, a central entity in charge of the processing activity, which determines the purposes and means of the processing (art. 4(7) of the GDPR). In order to process data, a controller must comply with data quality principles, such as data minimization and accuracy (art. 5(3) and 5(4) of the GDPR, respectively), and ensure the existence of valid legal grounds, as per art. 6 of the GDPR. Controllers can engage processors to help them carry out the processing operation – art. 4(8) of the GDPR defines a processor as a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Since RCT relies on different technologies and different service providers, defining the controller and the processor may be difficult. Recent decisions of the Court of Justice of the EU, such as WirtschaftsakademieFootnote ¹⁵ and Fashion ID,Footnote ¹⁶ as well as advisory opinions,Footnote ¹⁷ point to an “essential means” test. Essential means are key elements which are closely linked to the purpose and the scope of the data processing, such as whose data will be processed, which data types, for how long, and who will have access to them. The entity that determines the essential means of processing is, therefore, the data controller.

Determining the controller is important for ensuring that the right party can demonstrate compliance with the applicable principles and obligations (“accountability” – art. 5(2) of the GDPR). Among them are the data quality principles of art. 5(1): Lawfulness, fairness, and transparency; purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. The controller is further responsible for implementing appropriate technical and organizational measures ensuring compliant processing (art. 24(1) of the GDPR) and for building privacy into the system by design and by default (art. 25(1)–(2) of the GDPR). Moreover, proactively implementing data protection during the development process helps eventual adopters in ensuring compliance, especially with the data protection by design approach.Footnote ¹⁸

III The TeNDER Approach

The TeNDER project, funded by the Horizon 2020 mechanism, seeks to empower patients with Alzheimer’s, Parkinson’s, and cardiovascular diseases, by helping them to monitor their health and manage their social environments, prescribed treatments, and medical appointments. It follows an integrated care model, linking both medical and social aspects, such as (mis)communication and the fragmentation of care. The development process combines existing technologies, such as smartphones, wearables, and sensors, in order to monitor vital signals or alert a caregiver in case of an accident or fall, always consulting with patients to account for their preferences.Footnote ¹⁹

As a research project, TeNDER crosses a number of different legal frameworks. Concerning the development process, we have focused on the requirements found in the GDPR, such as the legal basis for processing health data, privacy by design, and pseudonymization measures, and addressed the potential applicability of the Medical Devices Regulation. Once the results are finalized and marketed to health care organizations and caregivers, the preliminary legal findings, contained in several reports conducted through the lifecycle of the project, can serve as guidance to adopters.

In the project, we have adopted a three-step methodology to address the gaps in the regulation of eHealth technologies and to establish good practices for lawful and ethical implementation. First, a benchmark report identified applicable laws and ethical principles in abstracto and analyzed the initial concerns of the nexus between technology and applicable frameworks.Footnote ²⁰ Building upon its findings, the three follow-up impact assessments take into consideration privacy, data protection, ethical-societal aspects, and the regulation of medical devices.Footnote ²¹ The final legal report, released in April 2023, provided an evaluation from legal and ethical perspectives of the technologies developed during the project, as well as recommendations for future adopters.Footnote ²²

Since the development of eHealth products necessarily takes place in a controlled environment, with a limited number of participants and the roles of different providers known in advance, the legal requirements in a post-project, real-life setting may vary slightly. For example, if the pilots in the project are based on small patient groups, a data protection impact assessment (DPIA) is not always necessary as per art. 35 of the GDPR, while in a larger organizational context it may well be obligatory.Footnote ²³

IV Addressing Data Protection Challenges: Lessons Learned in TeNDER

V Conclusion

What do the findings of this chapter mean for the development of RCTs? I have taken a two-pronged approach and discussed the application of selected legal provisions to RCTs in general, against the application of the same provisions to specific technology developed as part of the TeNDER project. While it may not be possible to fully resolve the tension between particular technologies and abstract legal frameworks, in general, knowing how to interpret the law can bring us closer to bridging the gap.

Responding to the data protection challenges of developing RCTs involves both a technological and organizational angle, such as using different tools in appropriate contexts (e.g., cameras in the rehabilitation room rather than in patients’ homes), as well as legal solutions (e.g., applying additional safeguards to ensure the informed-ness of the patients’ consent). What is acceptable to patients who are receiving remote care in the privacy of their own home, rather than in health care organizations, as well as what kind of technological development is feasible, should be further explored by interdisciplinary, socio-technological-legal research. Nor are all the legal questions resolved, such as the lack of legal provisions under the GDPR that safeguard the consent of persons with cognitive decline. The same problem applies regarding the role of the terms of use of service providers in ensuring that the external processors will comply with the data protection rules.

The scope of this chapter is likewise limited by the scope of the project itself. Since the latter is largely concerned with development, this chapter explores the development process as well, rather than the eventual use of the products in health care organizations after the end of the project. Further, the project will be running for another year, and the results reported in this chapter are preliminary as of the spring of 2022. Legal findings will mature together with the technology, and some of the legal aspects concerning the future use of the TeNDER technologies will be clearer at the end of the development and testing phases.

I Introduction

At-home digital and diagnostic care has expanded in the wake of the COVID-19 pandemic. This change has set off a cascade of secondary effects including new pathways for information flows with an array of direct-to-consumer companies and products, alternative uses of information for health, and a renegotiation of space by shifting when, where, and how we interact with the health care system. This new landscape requires a reexamination of the implicit and explicit social contract between patients, clinicians, and the health delivery system. At-home digital care involves monitoring patients outside of the clinic walls and increased data sharing between traditional care providers and the private companies that build devices. For example, Cue Health offers testing for COVID-19, with the results sent to an app on a personal smartphone and to providers who can provide follow-up treatment.Footnote ¹ The expansion of at-home digital care raises a number of ethical and policy questions: How is health information shared and with whom? What is the appropriate role of commercial companies? Are people who continue to receive care in clinical settings subject to the new norms of at-home care with respect to remote patient monitoring or data sharing?

Many of these questions have been raised before. Technology and circumstance have often driven change in health care, with policy playing a formative role. The electronic medical record, for example, was rapidly adopted as the American Recovery and Reinvestment Act of 2009 and the Health Information Technology for Economic and Clinical Health Act (HITECH) were passed in response to the 2009 financial crisis in the USA. These acts of legislation led to the investment of billions of dollars in health information infrastructure, and the widespread adoption of the electronic medical record meant that data could be collected, stored, and (ideally) readily shared to support learning, health care systems,Footnote ² precision health,Footnote ³ and comparative effectiveness research.Footnote ⁴ Subsequent policies in the 21st Century Cures Act have continued this investment and commitment to incentivizing interoperability and data sharing.

In clinical research, the Human Genome Project similarly sparked innovation in research information infrastructure that enabled shared data and biospecimens, often in the context of biobanks. The number of large population biobanks housing millions of biological samples linked to individuals’ health data has increased over the past decades in response to demand for the scientific and economic efficiencies that multi-use biobanks offer.Footnote ⁵ Technological advances have made it simpler, safer, and more inexpensive to measure vast arrays of molecular data (e.g., genome-wide chips for DNA, RNA, and methylation), as well as to catalogue and store sensitive health information (e.g., barcoding, robotic retrieval, encryption, and firewalls). In the United States, biobank repositories have emerged primarily from large health systems (e.g., Kaiser Permanente, Marshfield Clinic, Veterans Administration) and research institutions (e.g., Vanderbilt University) as natural extensions of the data collection and research already underway therein.Footnote ⁶

The rapid adoption of new technologies impacts health care culture, care delivery pathways, payment, patient engagement, and, ultimately, the social contract between patients and the systems that care for them. In this chapter, we examine the emergence of the Michigan BioTrust for Health in 2009 as an instance of renegotiation of the social contract between stakeholders in response to new technologies and evolutionary changes in the scientific and health enterprises. Based on prior research on the ethical and policy implications for patients that were part of the legacy system (i.e., those being asked to make the change from old to new systems of care), we review the key findings on attitudes about informed consent, notification, and partnerships with commercial companies, and consider the implications for the governance of at-home digital health care.

II From Newborn Screening to the Michigan BioTrust for Health

With a century-long history of collecting, storing, and analyzing information for surveillance and monitoring community health, public health departments are potentially major contributors to the growing number of large population biobanks. For example, the residual newborn screening bloodspots that health departments collect and store are almost fully representative of a population, as they contain blood samples from ~99.9 percent of children born in a particular state. From an epidemiological perspective, this resource is the gold standard for population health assessment and research, given its completeness and lack of ascertainment bias. If made available or even marketed as public health biobanks, these repositories could contribute to robust population health studies when linked to a wide range of public health surveillance databases. And yet, the repurposing of newborn screening bloodspots to include research use challenges the expectations under which they were collected.

In 2009, the state of Michigan endeavored to pursue expanded uses of newborn screening bloodspots by opening the Michigan BioTrust for Health as a steward organization, tasked with navigating the data governance challenges inherent to the large-scale aggregation of medical information. Michigan’s BioTrust for Health holds bloodspot cards for over four million children born in the state of Michigan and is one of the largest biobanks in the USA. The BioTrust is run through a nonprofit organization, the Michigan Neonatal Biobank, providing health researchers with access to de-identified samples and information, contingent on scientific review, institutional review board (IRB) approval, and payment. The biobank comprises a retrospective (“legacy”) collection of approximately four million bloodspot cards stored from babies born in Michigan between July 1984 and April 2010 – before consent mechanisms were put in place – along with a prospective collection of dried bloodspots added to the biobank since its formal inception in Fall 2010, and included in the research pool only with a written consent.Footnote ⁷

III Consumer Preferences for the Use of Newborn Screening Bloodspots and Health Information: Implications for Digital Health at Home

Over the course of approximately five years (2009–2015), we conducted several empirical studies assessing consumer perspectives on the uses of newborn screening bloodspots, including preferences for consent and notification to understand. This work focused on the so-called “legacy collection” of bloodspots held by the Michigan Department of Community Health (MDCH) and collected prior to policies being put in place for obtaining consent for research uses. There were approximately four million people with bloodspots in the BioTrust who fell into this group. We held ten community meetings across the state of Michigan (n = 393),Footnote ⁸ met with college students at 20 campuses (n = 2,010),Footnote ⁹ and conducted an online deliberative jury (n = 67).Footnote ¹⁰ We also conducted surveys, including three cohorts of the State of the State Survey (n = 2,618) and a simulated dynamic consent process (n = 187).Footnote ¹¹ To try to reach a greater proportion of people in Michigan, we conducted a Facebook campaign that reached over 1.8 million people.Footnote ¹² In this section of the chapter, we draw on the published work in this area, as well as our own reflections on it nearly ten years later, to describe what we learned about three key issues that are likely to shape ethical and policy assessments for at-home digital care: (1) Preferences for consent and notification, (2) relationships with commercial companies, and (3) trust and governance.

IV Conclusion

The experience of biobanking residual newborn screening bloodspots matters not only because these repositories are vast, valuable, and politically volatile, but also because they are harbingers of the ethical and policy issues that will continue to arise in this new era of integrated health information technology and digital health at home. Learning from the public about data and biospecimen use in the context of the BioTrust suggests that the future of digital health at home would benefit from clear expectations and mechanisms for consent and notification. Those who prefer greater involvement in informed consent also see consent as an important sign of respect and may have less trust in the health system. Furthermore, demonstrating the benefits of sharing health information, and to whom they accrue, is a way of being accountable to the trust given to information systems – be they public or private – as being good stewards of information. Novel strategies for licensing data, for example, might be pursued to give consumers greater control over how their health information is used and how profits are shared to promote the use of data as a public good.

Both newborn screening and at-home digital health care are examples of data-generating activities that create information that is of potential value beyond its original intended use. For newborn screening, public health interests justified the original data collection, while research benefits justified the expanded use of those bloodspots. In the case of at-home digital health care, launching digital modalities involves a wider range of entities, including commercial consumer technology companies and a broad scope for data sharing. Public health biobanking has raised issues for consumers with respect to consent and notification, the role of commercial companies, and sustainable governance. Underlying these issues are questions of how to sufficiently notify consumers about the use of their data, how to negotiate the commercial interests in their data, and how to engage and empower the public as a key stakeholder. The issues raised around newborn screening biobanks presented in this chapter suggest that governance should include policies for access, conflicts of interest, and equity, while investing in outreach and education so that patients are informed and transparency is both meaningful and maintained. As a rapidly expanding area of health care, digital health at home has an opportunity to create new avenues for access and equity that may be honored first by assessing its guiding principles, and then by creating systems of governance and engagement that improve upon the current system of care.