Sharing data within and across sectors requires the simultaneous protection of individual privacy and the latitude to make available information that can be used to improve individual and population health. During a recent webinar hosted by All In: Data for Community Health, speakers with deep consent expertise from various disciplines shared their unique perspectives, addressed questions, offered specific strategies, and suggested resources. Taken together, they suggest that consent is a thread that runs through many statutory and regulatory aspects of health and human service provision, and therefore represents an opportunity for data sharing. We’ve summarized some of their other key takeaways below.
1. Be specific about what you want to accomplish—now and in the future.
Before deciding whether obtaining consent is necessary, it’s important to clearly map out the various applications for the data, including current activities and any future data uses might naturally follow – especially if those subsequent uses generate significant value and are needed to support data infrastructure sustainability. Although initially you may be engaged in activities that don’t require consent, consider future activities as well. Jennifer Bernstein, Deputy Director at the Network for Public Health Law, explained:
“A lot of data sharing for public health activities falls under HIPPA exemptions, but often we decide to use data later on for other purposes, like for research or in primary care settings.”
If those use cases for the data are critical, then working through the consent process at the outset could save time in the long run. Also consider that the nature of your anticipated data uses will alter the consent policies and procedures. Be sure to articulate all the potential use cases of the data that may impact your legal analysis. Jane Thorpe, JD, Associate Professor at George Washington University, recommended:
“Think about what kind of organization you are, what data you will need, and what the data will be used for. Communities should also get feedback from consumers, providers, and compliance professionals on the front end to prevent challenges down the road.”
2. Don’t let “technical debt” prevent you from making needed changes.
The term “technical debt” refers to situation that arises when “shortcuts” taken in the development of new technologies results in systems and/or processes that are costly to fix or refine down the road. For example, if institutions running research studies have developed and stored IRB documents in PDF format for the past 10 years, investigators may be hesitant to use a new format because of the time required to re-assess and convert old files, even if these updates will make the process more efficient going forward. John Wilbanks, Chief Commons Officer at Sage Bionetworks, explained:
“The combined level of debt means that it’s hard to make even sensible changes that everyone agrees to in the informed consent process… Because the cost of abandoning the default process is so high, people stick with the current process, even though they know it’s broken.”
3. Internalize the fact that more data isn’t always better.
Collecting more data, particularly from additional sectors, often triggers consideration of additional federal and state privacy and security laws. This situation may make compliance costly and increase risk for exposing protected health information. Bernstein commented:
“Once data is obtained, you have to ensure that it’s being securely stored, the integrity is being maintained, and the information isn’t being impermissibly disclosed. That requires potentially considerable resources, including staff training, employing privacy officers to oversee compliance, investing in computer systems to meet security standards, and legal and security audits.”
Each branch of a data map has potential legal consequences, so Bernstein suggests a parsimonious strategy – essentially suggesting that projects determine the minimum data set required to meet their goals. She also noted the value of exploring different types of data, or alternate data sets, that do not require consent for use.
Carrie Hoff, Deputy Director with the County of San Diego’s Health and Human Services Agency, agreed that it’s not always about getting more data, but understanding what actions you’re trying to drive. Applying role-based, partitioned access to the data, limiting the type of data different individuals can view, helps to parse a specific set of actions that are needed in each specific situation. Hoff advised:
“Push yourself and your colleagues to question your assumptions about what gets bundled in a [data] package. Not every piece of information is governed in the same way. Data mapping can really help you unlock where there is flexibility.”
4. Empower consumers to understand how their information is being used.
Obtaining consent can be a great opportunity to get buy-in from consumers and stakeholders by engaging them in evaluating and improving the process at every step. Wilbanks advised:
“Do interviews and see what people care about and what their worries are. When you decide consent needs to be obtained, spend time thinking about how to make the process of informed consent more effective—both for the person who is providing informed consent and the person that is working to obtain it.”
Generally, individuals are more willing to provide data if they feel they have an informed choice and clearly understand the potential risks and benefits involved. Bernstein commented:
“Most people are very happy to share their personal health data if they see the benefit it will have to themselves or to the community at large.”