Planned research by the U.S. National Institutes of Health on autism still poses other data privacy concerns even after the federal agency backed away from a planned national registry for diagnosed individuals, said attorneys Ariana Aboulafia and Andrew Crawford of the Center for Democracy and Technology.
NIH last week disclosed that it would collect records from government and commercial databases – including private sector electronic health records, pharmacy data, wearable devices and other sources – to study autism and build a database to identify autism patients.
Days following the announcement, NIH appeared to backpedal on its plans for a registry, amid an outburst of pushback from patient and privacy advocates.
But even if autism research – a top priority for Robert F. Kennedy, secretary of the U.S. Department of Health and Human Services’ – no longer includes plans for a national registry, the effort still presents a host of other potential data privacy concerns, said Aboulafia and Crawford in an interview with Information Security Media Group.
That includes who will have access to the data that is amassed and whether the sensitive information has secondary uses.
“Who’s really going to have access to that data, how many third-parties, how many additional researchers will see it – and what will this data they’re hoping to compile eventually be used for,” asked Aboulafia.
Even with NIH stepping away from a registry, “those are still questions we don’t have answers for,” she said.
The project poses uncertainties for the patients who are subjects of that data, said Crawford. “It’s one thing when you exchange information with your doctor – you do that for development of a diagnosis, for treatment,” he said.
“But when that data is used for secondary purposes … you as the patient or consumer might be a lot more hesitant than you were previously to trust your personal information, your health information, your biometrics with your doctor, with your health provider, with your IoT device, with the app on your phone,” he said.
“That has several harms in and of itself – that loss of trust,” he said.
NIH did not immediately respond to ISMG’s requests for comment and additional details about its autism research plans.
In the interview (see audio link below photo), Aboulifia and Crawford also discussed:
- Issues involving consent, including potential concerns around the use of minors’ data for research;
- Potential HIPAA and other privacy regulatory concerns involving health research, including the NIH project;
- Risks involving the use of de-identified or anonymized data in research projects;
- Top privacy concerns involving the recent bankruptcy of genetics and ancestry DNA testing firm 23andMe;
- Other emerging privacy matters involving health data.
Aboulafia is an attorney and project lead for CDT’s Disability Rights in Technology Policy, which focuses on advancing policy solutions that maximize the benefits and minimize the harms of AI, algorithmic systems and emerging technologies for people with disabilities. She previously served as a fellow to the Cyber Civil Rights Initiative. Aboulafia also previously worked as an assistant public defender in Miami-Dade County, Florida.
Crawford is a senior counsel with CDT’s Data and Privacy Project. He led the development of CDT’s Consumer Privacy Framework for Health Data. Prior to joining CDT, Crawford was counsel to U.S. Senator Chris Coons, D-Del. In this role, Crawford focused on Judiciary Committee matters, including, privacy, technology, law enforcement, nominations, immigration and telecommunications. Before that, Crawford worked in the Office of International Affairs within the U.S. Justice Department.