Clinical data sharing combined with deep learning, and soon quantum computing, has the potential to radically accelerate research, improve health care, and lower costs. Unfortunately, those tools also make it much easier to use the data in ways that can harm patients. These competing forces are creating a perilous time for clinical data sharing. Future generations will judge informatics and data science by how we balance those forces.¹

The term “clinical data sharing” has many potential interpretations. This article focuses on the sharing of clinical data for research, rather than to support clinical care or for public health. However, we will draw from incidents that include clinical care to illuminate the challenges and potential pitfalls involved in data sharing in this sector. This article also focuses on sharing data during “normal times” rather than during a public health emergency.² Further, we exclude mandatory data reporting to accrediting or governmental programs,³ and considerations about knowledge sharing (such as pay-to-publish and open access journals).

The Human Rights Watch has declared data privacy a human right,⁴ as has the United Nations High Commissioner for Human Rights.⁵ The ethical mandate for health information privacy traces back at least to Hippocrates.⁶ Researchers are ethically bound to respect and protect the privacy rights of research participants.⁷ Unfortunately, as we will discuss later, data, including clinical data, are frequently used for reasons beyond their original purpose, potentially violating privacy rights. We propose that open clinical data sharing — data that is freely available to any and all users without authentication or repercussions⁸ — cannot adequately protect the privacy rights of research participants. We further propose that clinical data sharing for research should limit sharing to known and trusted entities, with severe penalties for data misuse. Doing less risks losing the trust of patients and research subjects.

In 1999, the chief executive of Sun Microsystems, Scott McNealy, famously declared, “You have zero privacy anyway. Get over it.”⁹ While possibly hyperbolic two decades ago, his statement becomes truer with each passing year. Unlike many other countries, including Canada, Japan, and those in the European Union, the United States (US) has no overarching law that protects personal information.¹⁰ Instead, there are specific laws that cover specific data types, including driver’s licenses,¹¹ educational records,¹² credit reports,¹³ video rental records,¹⁴ and data produced by covered health care entities.¹⁵ The US regulates privacy based on the entity creating the data rather than the content of the data. For comparison, web search data on the term “diabetes” would be protected in Canada as health information, but not in the US because it was not generated by a covered entity.¹⁵

Few patients or research subjects understand this nuanced distinction between source and content. Many incorrectly assume that sensitive data about their health is automatically protected. An analogy to how the US regulates data would be if chemicals were regulated based on the company that produced them. Under this approach, a chemical produced under the auspices of a pharmaceutical company would be regulated as a drug, but the same chemical produced under the auspices of a food company would not (eg, the cocaine produced as a byproduct of Coca-Cola production¹⁶ would be unregulated). This is not how we regulate chemicals. It should not be the way we regulate data.

Also underappreciated is the vast amount of unregulated data, including medical data, that is collected on every individual. Data brokers — companies that collect, aggregate, and resell vast amounts of personal and sensitive data — are virtually unregulated. Justin Sherman, co-founder of Ethical Tech,¹⁷ in testimony to the US Senate noted:

In Our Bodies, Our Selves,¹⁹ Adam Tanner profiles the multibillion dollar business of selling medical records. He observes, “medical data miners cross-reference anonymized patient dossiers with named consumer profiles from data brokers,” noting that one can easily purchase a fully identified list (ie, name, address, phone number, etc.) of people with a given disease, such as, “clinical depression, irritable bowel syndrome, erectile disfunction, even HIV.”¹⁹

What data brokers do is legal. Even when behavior is clearly illegal, penalties are slight. Cambridge Analytica, a British consulting company, collected personal data on millions of Facebook users without their consent and used the data for political advertising to support the 2016 Trump presidential campaign.²⁰ While the company was prosecuted and went bankrupt, the punishments for individuals involved were minimal. The CEO was banned from serving as a corporate director for seven years; no one was incarcerated.²¹ Although Facebook (Meta) was given a $5 billion fine by the Federal Trade Comission,²⁰ this was less than 6% of its revenue and Meta’s stock price did not fall, which suggests that the stock market viewed this as “business as usual.”

Many assume incorrectly that the Health Insurance Portability and Accountability Act (HIPAA) protects all clinical data. Data brokers have found ways around HIPAA.¹⁹ Moreover, most clinical data sharing for research does not involve HIPAA-regulated data. Data transferred to researchers are no longer regulated under HIPAA. Even so, most research-related sharing involves removal of the 18 HIPAA-designated identifiers.²² This is thought by some to render the data “safe” and freely sharable without restriction. Some institutions do not even consider HIPAA de-identified data to be human subject data.

In our experience, not only do many researchers not fully understand the “HIPAA 18” identifiers and fail to correctly remove them, but also “HIPAA 18” censoring does not make clinical data unidentifiable. Under HIPAA, “The covered entity also must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual.”²² Sherman noted that the sheer volume of data now available makes re-identification quite easy.¹⁸ For example, the spacing of days between individual data entries (no actual dates) in a clinical data warehouse of over six million patients contained patterns of spacings that were unique for many patients (including author JS). Since care for JS occurred at specific locations, a cross-reference to cellphone location data could easily re-identify JS’s data: the same way January 6 rioters have been identified.²³

Since Latanya Sweeney re-identified the medical data of Governor Weld of Massachusetts,²⁴ a string of papers has illustrated the ability to re-identify individuals from supposedly anonymized data sets.^25,26 There is a veritable arms race between developers of anonymization algorithms and developers of re-identification algorithms. It is reasonable to assume that any individual-level data can be re-identified, if not today, then soon.

On top of increased cyberattacks that have targeted health care data,²⁷ recent political events have accelerated the need to protect patient and research subject privacy.²⁸ Open data are not only available to researchers, they are also available to corporations and to the government. Police use public genetic databases to search for suspected criminals,²⁹ and can subpoena newborn genetic screening results.³⁰ Concerns about governmental access to clinical records are increasingly acute, following the Supreme Court’s Dobbs v. Jackson Women’s Health decision.³¹ Some state Attorneys General are already attempting to subpoena privileged medical records, as has occurred in Indiana.³² This behavior is not new. In 2004, after Congress passed the Partial-Birth Abortion Ban Act, Attorney General John Ashcroft subpoenaed medical records from multiple hospitals, including New York Presbyterian (NYP), and Northwestern Memorial Hospital (NMH). In the case of NYP, the hospital refused; the judge ruled against the hospital and later found the hospital in contempt. In the case of NMH, the hospital successfully blocked the subpoena, but the government appealed. The government later dropped the subpoenas when it became clear that NYP and the other hospitals were ready and willing to fight this all the way to the Supreme Court.³³

These examples are relevant to clinical data sharing for research for several reasons. First, the government is legally allowed to obtain data from third parties that it cannot obtain directly. For example, the US government can bulk purchase data that it is legally forbidden to collect directly without a warrant, such as cellphone location data.³⁴ A government attorney, like Ashcroft, looking for evidence of a crime, could analyze openly shared clinical data and would only need to re-identify a fraction of the individuals to argue that a crime had been committed. Second, the Indiana case reinforces that this risk is not merely hypothetical. The International Classification of Diseases 10th Revision (ICD10-CM) contains many reproductive health codes (Table 1) that indicate activities considered “crimes” in certain states. Similarly, the Systematized Nomenclature of Human Medicine (SNOMED)³⁵ contains roughly 100 codes related to elective or attempted abortions. Normally, researchers do not purge reproductive health codes from shared data sets.

The new NIH Data Sharing Policy³⁶ incorporates many of the concerns described above. It instructs, “Researchers should consider whether access to scientific data derived from humans, even if de-identified and lacking explicit limitations on subsequent use, should be controlled.” The U.S. Department of Health and Human Services Secretary’s Advisory Committee on Human Research Protections (SACHRP) states these concerns even more forcefully, declaring, “Increasingly, the protections afforded by removing the eighteen identifying data elements cited in HIPAA have become out of date, as technological advances and the combining of data sets increase the risk of re-identification.”³⁷ The SACHRP further states, “Genomic data are also particularly susceptible to re-identification.” The SACHRP makes several recommendations including controlled access for data from human participants, and stronger measures to deter misuse.

The approaches to protecting privacy in shared research data can be divided into three broad categories: distributed computing, data-centric, and process-centric. With distributed computing, the data are not actually shared. Instead, each site typically creates identical data structures. Queries and algorithms are then run locally against those structures, and the results are aggregated. The Observational Health Data Sciences and Informatics (OHDSI) network is one of the largest examples of distributed computing.³⁸ While very useful for simple queries, this approach can be limiting for machine learning because of the necessity for every site to support the correct computer environment for the algorithm.

The data-centric approach is to create data that “can defend itself”.³⁹ The goal is to modify or “harden” the data to the point that they can be shared without restrictions because there is a sufficiently low risk of reidentification. Many approaches have been used, which include: removing certain data types, such as the 18 HIPAA identifiers; censoring cells when the number of subjects is below a certain threshold; and censoring extreme values. As we now know, these approaches reduce, but do not eliminate, reidentification risk.

Recently, there has been considerable interest in synthetic data as a way to truly anonymize data (that is, to make it never re-identifiable) while preserving its inferential scientific value. It is worth noting that synthetic data comes in two forms: fully synthetic and partially synthetic. Fully synthetic data are generated completely de novo — without relying on preexisting data — and are intended to provide data that looks like real data, but that may have little inferential value, and consequently little research value. The Medicare Claims Synthetic Public Use Files (SynPUFs) are examples of fully synthetic data.⁴⁰ Partially synthetic data are derived from real data with the intent of preserving the inferential value while reducing the reidentification risk.^41,42 Although some claim that synthetic data is immune from reidentification risk,⁴³ partially synthetic data is vulnerable to several risks, including membership inference,⁴⁴ which is when an adversary can infer that a target individual is in the data set, and can thereby infer other facts about the individual. Stadler, et al., evaluated five different algorithms for generating synthetic data from the All of Us data set and found that synthetic data did not provide a better tradeoff between privacy and utility than traditional deidentification techniques.⁴⁵ Stadler’s work suggests that synthetic data will not be a “magic bullet” that slays the reidentification monster.

Given this, should researchers simply stop sharing data, even though data sharing can accelerate research and save lives? No; which brings us to process-centric approaches. These approaches assume that the data can be reidentified and, instead, focus on process controls and contractual obligations to ensure that the data recipient will not attempt to reidentify individuals or use the data for other than intended uses, and impose penalties as a deterrent. Research institutions are very familiar with process-centric approaches in the form of Data Use Agreements (DUAs) and Material Transfer Agreements (MTAs). Typically, these are bilateral agreements between two organizations. There are 142 medical schools that receive NIH grants, bilateral agreements between each pair of these institutions would require slightly over ten thousand separate agreements and would likely involve massive duplication of research data. In addition, DUAs and MTAs are typically limited to a single project, potentially resulting in hundreds of thousands of separate agreements. To be efficient and to reduce infrastructure duplication, large-scale, multi-institution clinical data sharing for research typically involves consortia of multiple institutions and a single, shared technology infrastructure. We call this the “walled garden” approach.

Physics and astronomy provide examples of the walled garden approach. The Large Hadron Collider (LHC) project, held up as the archetypal big data sharing example, rapidly sends petabytes of data to collaborators globally.⁴⁶ However, this is not open data sharing. Data sharing occurs only within the consortium. The first release of open data was in 2021, roughly a decade after the data was originally collected.⁴⁷ The Laser Interferometer Gravitational-Wave Observatory (LIGO)⁴⁸ has a similar approach: there is extensive sharing within the consortium, with clear rules for data use and consequences for misuse, but little data release outside the walls. With a walled garden approach, data is shared only with known and trusted individuals and institutions that are held accountable if trust is misplaced. In the biomedical domain, the All of Us research project⁴⁹ and the National Covid Cohort Consortium (N3C)⁵⁰ are among the best known examples of walled gardens.

For walled gardens to succeed, several considerations must be addressed. First, developing and maintaining the garden will involve significant infrastructure investment. For the LHC, LIGO, All of Us, and N3C, the data management infrastructures were massive multi-year, multimillion dollar endeavors that required large development teams and ongoing multimillion dollar operations expenditures. Entities, such as the European Council for Nuclear Research (CERN), the NIH or the National Science Foundation have resources of that scope. Second, someone must build the walls. Access to the garden should be though national centralized identity management. Only a large, national entity, such as the NIH, has identity management systems of sufficient scale. Third, the governance of the garden must be trusted and trustworthy. There should be clearly articulated principles and allowed uses for the data. For example, will for-profit researchers be granted access? What are researchers’ obligations for disseminating results derived from the shared data? Whether the governance is appointed or democratic, public or private, the users of the garden must have confidence that data within the garden will only be used for appropriate purposes. Fourth, rules without punishment are not deterrents. The penalties for data misuse must, as SACHRP recommends, be severe enough to be an effective deterrent. Rule violations should be considered scientific misconduct and addressed accordingly. Scientific misconduct is much more common that we often like to admit.⁵¹ In physics or astronomy, getting thrown out of the LHC or LIGO consortia as a result of bad behavior could be career ending. Penalties should also anticipate that not all garden users will be traditional academics, and that purely academic penalties may not be sufficient. Each email that violates the CAN-SPAM Act⁵² can result in a penalty of $46,517 with no limit to the total fine. Clinical data privacy violations are generally considered more serious violations than spam email, and the penalties should reflect that. Finally, to maximize the scientific and societal benefit, entry to and use of the garden must be affordable. Some current gardens, such as All of Us, charge for cloud compute time above a basic allocation. User fees should never make access to the garden so onerous or expensive that only major corporations and elite universities can pass through the metaphorical gate.

Adequate general purpose walled gardens for potentially identifiable biomedical data are not widely available today. So, what can individuals and institutions do now?

In conclusion, we would suggest that Scott McNealy’s privacy nihilist view was half right.⁹ With everything happening today, we have close to zero privacy. But we do not need to “get over it” and give up. We can and should do better. The first step is to stop believing that we can truly anonymize data.