Dr. Maurer, to what extent should patients have control over who has access to their health data, and are there ethical limits to this control?
In principle, patients have the right to be informed about the collection and use of their data. Depending on whether the data is only collected for medical treatment (for example, a blood test is carried out to determine a patient‘s iron level and the corresponding data such as laboratory parameters, diagnosis and possibly the appropriate medication is stored in the hospital information system) or whether this data is also used for research purposes – in which case other ethical and legal questions arise. Stricter protection mechanisms are in place to ensure that the data is only used under clear conditions.
How much trust do patients have in research?
Julia Maurer: Interestingly, many patients are willing to share their routine data for research as long as the data is stored securely and used in a controlled manner. The trust of the population shows that patients consciously give their consent to research, often with the desire to contribute to the advancement of medicine. This will should be respected, even if it is often questioned in research whether patients fully understand all the risks. Since they often have neither the time nor the capacity to deal with all the details, it is all the more important that clear and reliable safety measures are in place.
Incidentally, I personally consider the risk of misuse or a data breach in research to be low, but it can never be completely ruled out. A great deal is done to prevent misuse: contracts, guidelines, agreements, secure data usage environments. But when 15 parties work together on a research project, the risk of a data breach at the institutions often appears so great that some projects are significantly delayed or ultimately do not come to fruition at all.
How could the electronic patient record (EPR) contribute to a solution?
Julia Maurer: When it comes to an individual‘s control over their medical data, we should take a look at the current discussions on the electronic patient record (EPR). Suppose an oncologist needs an imaging examination, for example a CT scan. The patient remembers that she recently had a CT scan at the hospital. The oncologist could request the image from the hospital, provided that the patient has consented to the data being passed on for treatment purposes. In addition, the data must be available in reliable quality, otherwise the recording would have to be repeated. This makes such processes cumbersome and slow. The EPR could provide a remedy here and avoid redundancies in the healthcare system such as multiple examinations or overtreatment, as well as security gaps in data transmission.
However, the patient cannot view the CT data on her cell phone or computer – she does not have the right software for this. The most she can do is check who has general access. She is not yet able to see directly whether the data has been recorded correctly.
In Switzerland, it is therefore important to deepen communication with citizens and honestly address existing fears, i,e, to transparently explain where there are risks and where there are not.
I think that patients do not primarily need to have control over their data, they must above all be well and comprehensively informed – for example by introducing a right of objection, as with the collection of data on cancer, so that the population feels included and taken into account.
However, when it comes to controlling patients‘ personal data, we must also consider purpose limitation: what is the purpose of the data collection and use? If the use serves a public good, it may be appropriate that the individual has no say over the use of their data or that only the right to object is applicable – for example, when reporting certain cancer data to the relevant registry, the right to object may be applied.
Do other countries handle health data for research differently?
The attitude towards data use and the interest in dealing with the issues seem to be different in Switzerland than in some other countries. In Denmark, for example, data is seen as a common good. Data sharing is supported by the majority of citizens. The Central Person Register (CPR) number, which has been available to all registered citizens for 50 years, enables individual linkage regardless of the data sources. The Danish healthcare system is fully digitized and offers opportunities to analyze health data in a secure remote environment.
In Switzerland, we are not yet at that stage, partly because we have a slightly different legal basis. For example, the business approach of many medical start-ups that require a large amount of data may be easier to implement in the USA or the Nordic countries than here in Switzerland.
How can ethically sound handling of health data be designed to strengthen patient trust in digital healthcare?
Just think about how often we consent to the use of our data in a different context in everyday life: when installing a new app, for example, sometimes sensitive personal data is shared. And very few of us find out how the app manufacturer stores and uses our data.
On one hand, we can see that citizens and patients are open to sharing their data, including sensitive data, under certain conditions. On the other hand, however, we see that data-providing institutions are currently very cautious about sharing patients‘ data with public or private partners in large consortium projects. In principle, this is to be welcomed. However, to ensure that Switzerland remains competitive and attractive for national and international data-driven projects, we must be open to a more effective use of healthcare data. This does not mean that data protection or data security will suffer as a result.
In Switzerland, we are thinking about how health data only needs to be collected once – but then in a quality that allows it to be combined with other data and kept available for multiple purposes. Collecting data in such a structured way that it meets research standards and regulatory requirements is time-consuming. Who is going to finance this? The money doesn‘t just fall from the sky! Even the federal government cannot finance it completely. Data users must be aware that the provision of high-quality interoperable data comes at a cost and that we need sustainable financing models for the data usage infrastructure in the medium term. This is why we are now talking about «data as a product» approaches. These are models in which the institution is financially compensated for the effort involved in providing the data – including private partners such as industry. Here too, of course, no compromises can be made in terms of data protection and security. The big question is: how much should such a data set cost and how can we maximize the value chain?
DigiSanté, the program initiated by the Federal Council to promote digital transformation in the Swiss healthcare system, plays an important role in the provision of interoperable healthcare data. DigiSanté aims to promote the creation of a digital healthcare system in which all relevant data can be seamlessly exchanged and read by all systems. It leads to higher quality, especially for patients, greater efficiency, more transparency and increased patient safety. Society and politics must also rethink in order to make such approaches possible.
What responsibility do healthcare organizations and IT companies have to ensure that health data is only shared within an ethical framework?
Julia Maurer: Healthcare organizations must clearly regulate their handling of data, for example through policies that define ethical values and principles. In addition, companies and institutions need representatives for these topics and contact persons to whom patients can turn with questions. They should ensure that the dialog is not just on paper, but is actually put into practice. Companies and institutions must establish an internal culture of responsible data handling. In Switzerland, the Swiss Personalized Health Network (SPHN) has developed standards that demand fairness, transparency and accountability in the handling of data. Projects supported by this network are obliged to comply with these standards – this creates trust.
What ethical challenges arise from the use of artificial intelligence based on large amounts of shared health data, particularly with regard to bias and discrimination?
This is an exciting topic! AI algorithms have to be fed with a lot of data. Where does this data come from? Often this is not «Swiss data» – because we don‘t have it in the required quantity! These AIs are brought to market abroad with other data. You have to be aware that this can lead to distortions in applicability. For example, the Swiss population has a different
exposure to heavy metals than perhaps the population in Sweden or the USA, or the impact of genetic characteristics on the effect of medicines is different, keyword «personalized medicine». This can have an impact on the diagnosis. In some cases, data used for research in Switzerland is «purchased» abroad because different regulations apply there, or existing models are re-trained, i,e, adapted, using Swiss data. However, some people in Switzerland find it very difficult to be remunerated for the provision and use of health data. That‘s a paradox, isn‘t it?
How can ethical standards be maintained when sharing health data across national borders, especially in countries with different data protection laws?
Take a close look! If data is exchanged with foreign countries as part of collaborations, contracts must be drawn up and the security measures for data protection must be clarified locally. Who has access to the data? Where is the data stored? The Swiss Data Protection Ordinance lists countries that guarantee adequate data protection and which security precautions should be taken when data is exchanged across borders. Other countries that have less stringent regulations must agree to comply with the strict Swiss rules.
Collaborations with the USA sometimes take place in which data from Switzerland is shared with institutions in the USA. Fortunately, this August saw a harmonization of the level of data protection through the Swiss-US DataPrivacy Framework. It gives certified US institutions the opportunity to be included in the list of trusted partners.
How can institutions ensure that patients are clearly informed about how their health data is used and shared?
Julia Maurer: To do this, we need technical solutions and tools to map information and data exchange, and make it accessible to patients under certain conditions. We have not yet efficiently implemented these options in Switzerland – neither for the treatment of patients nor for research. So far, there are still too few solutions for informing the patients involved about relevant developments or findings from research projects. Institutions are already striving to develop solutions here, but investments still need to be made. What is needed in research with routine data, for example, are consent management systems. These should make visible which consents have been given and which data is used for which projects based on this.
Dr. Julia Maurer is team leader for ethical, legal and social implications (ELSI) of the Swiss Personalized Health Network (SPHN) initiative, coordinated by the Swiss Academy of Medical Sciences and the Swiss Institute of Bioinformatics. In this role, she ensures, together with her team, that the Swiss research network establishes responsible health data sharing practices in multi-center, data-driven projects while complying with Swiss legal and ethical standards. Julia Maurer‘s professional background is characterized by her experience in clinical research and a deep understanding of ethical and legal issues related to health data. Her work consists of facilitating transparent discussions with national and international partners on the topic of data governance, with the aim of creating a Swiss consensus on these critical issues.
This website contains information on products which is targeted to a wide range of audiences and could contain product details or information otherwise not accessible or valid in your country. Please be aware that we do not take any responsibility for accessing such information which may not comply with any legal process, regulation, registration or usage in the country of your origin.