. 2019 Feb 1;363(6426):448-450.

doi: 10.1126/science.aav5133.

Shadow health records meet new data privacy laws

W Nicholson Price 2nd^{1

2}, Margot E Kaminski^{3

4}, Timo Minssen^{2

5}, Kayte Spector-Bagdady^{6

7}

Affiliations

¹ University of Michigan Law School, Ann Arbor, MI, USA. wnp@umich.edu.
² Centre for Advanced Studies in Biomedical Innovation Law, Copenhagen, Denmark.
³ University of Colorado Law School, Boulder, CO, USA.
⁴ Silicon Flatirons Center, University of Colorado, Boulder, CO, USA.
⁵ University of Copenhagen Faculty of Law, Copenhagen, Denmark.
⁶ Department of Obstetrics and Gynecology, University of Michigan Medical School, Ann Arbor, MI, USA.
⁷ Center for Bioethics and Social Sciences in Medicine, University of Michigan Medical School, Ann Arbor, MI, USA.

PMID: 30705168
PMCID: PMC6417878
DOI: 10.1126/science.aav5133

Shadow health records meet new data privacy laws

W Nicholson Price 2nd et al. Science. 2019.

. 2019 Feb 1;363(6426):448-450.

doi: 10.1126/science.aav5133.

Authors

W Nicholson Price 2nd^{1

2}, Margot E Kaminski^{3

4}, Timo Minssen^{2

5}, Kayte Spector-Bagdady^{6

7}

Affiliations

¹ University of Michigan Law School, Ann Arbor, MI, USA. wnp@umich.edu.
² Centre for Advanced Studies in Biomedical Innovation Law, Copenhagen, Denmark.
³ University of Colorado Law School, Boulder, CO, USA.
⁴ Silicon Flatirons Center, University of Colorado, Boulder, CO, USA.
⁵ University of Copenhagen Faculty of Law, Copenhagen, Denmark.
⁶ Department of Obstetrics and Gynecology, University of Michigan Medical School, Ann Arbor, MI, USA.
⁷ Center for Bioethics and Social Sciences in Medicine, University of Michigan Medical School, Ann Arbor, MI, USA.

PMID: 30705168
PMCID: PMC6417878
DOI: 10.1126/science.aav5133

Abstract

Large sets of health data can enable innovation and quality measurement but can also create technical challenges and privacy risks. When entities such as health plans and health care providers handle personal health information, they are often subject to data privacy regulation. But amid a flood of new forms of health data, some third parties have figured out ways to avoid some data privacy laws, developing what we call “shadow health records”—collections of health data outside the health system that provide detailed pictures of individual health—that allow both innovative research and commercial targeting despite data privacy rules. Now that space for regulatory arbitrage is changing. The long arms of Europe’s new General Data Protection Regulation (GDPR) and California’s new Consumer Privacy Act (CCPA) will reach shadow health records in many companies. In this article, we lay out the contours of the GDPR’s and CCPA’s impact on shadow health records and health data more broadly, highlight critical remaining uncertainty, and call for increased clarity from lawmakers and industry on the use of such data for research.

PubMed Disclaimer

Cited by

Principles for Health Information Collection, Sharing, and Use: A Policy Statement From the American Heart Association.
Spector-Bagdady K, Armoundas AA, Arnaout R, Hall JL, Yeager McSwain B, Knowles JW, Price WN 2nd, Rawat DB, Riegel B, Wang TY, Wiley K Jr, Chung MK; American Heart Association Advocacy Coordinating Committee. Spector-Bagdady K, et al. Circulation. 2023 Sep 26;148(13):1061-1069. doi: 10.1161/CIR.0000000000001173. Epub 2023 Aug 30. Circulation. 2023. PMID: 37646159 Free PMC article. Review.
"My Research Is Their Business, but I'm Not Their Business": Patient and Clinician Perspectives on Commercialization of Precision Oncology Data.
Spector-Bagdady K, Krenz CD, Brummel C, Brenner JC, Bradford CR, Shuman AG. Spector-Bagdady K, et al. Oncologist. 2020 Jul;25(7):620-626. doi: 10.1634/theoncologist.2019-0863. Epub 2020 Mar 13. Oncologist. 2020. PMID: 32167617 Free PMC article.
Addressing Online Health Privacy Risks for Older Adults: A Perspective on Ethical Considerations and Recommendations.
Friedman AB, Pathmanabhan C, Glicksman A, Demiris G, Cappola AR, McCoy MS. Friedman AB, et al. Gerontol Geriatr Med. 2022 Apr 21;8:23337214221095705. doi: 10.1177/23337214221095705. eCollection 2022 Jan-Dec. Gerontol Geriatr Med. 2022. PMID: 35493968 Free PMC article.
Hospitals should act now to notify patients about research use of their data and biospecimens.
Spector-Bagdady K. Spector-Bagdady K. Nat Med. 2020 Mar;26(3):306-308. doi: 10.1038/s41591-020-0795-6. Nat Med. 2020. PMID: 32161402 Free PMC article.
Protecting Privacy When Genetic Databases Are Commercialized.
Prince AER, Spector-Bagdady K. Prince AER, et al. JAMA. 2025 Feb 25;333(8):665-666. doi: 10.1001/jama.2024.26279. JAMA. 2025. PMID: 39786753

See all "Cited by" articles

References

1. Gostin LO, Halabi SF, Wilson K, JAMA 320, 2334 (2018). - PubMed
1. Price WN II, Minn. Law Rev. 102, 101 (2018).
1. Spector-Bagdady K, Shuman AG, Otolaryngol. Head Neck Surg. 158, 405 (2018). - PubMed
1. Tanner A, Our Bodies, Our Data: How Companies Make Billions Selling our Medical Records (Beacon Press, 2017).
1. Molteni M, WIRED 3 August (2018); www.wired.com/story/23andme-glaxosmithklinepharma-deal.

Publication types

Actions

MeSH terms

Actions
Actions
Actions
Actions
Actions
Actions
Actions
Actions
Actions

Grants and funding

R01 CA214829/CA/NCI NIH HHS/United States

LinkOut - more resources

Full Text Sources
Medical
- MedlinePlus Health Information
Miscellaneous
- NCI CPTAC Assay Portal

Save citation to file

Email citation

Add to Collections

Add to My Bibliography

Your saved search

Create a file for external citation management software

Your RSS Feed

Shadow health records meet new data privacy laws

Affiliations

Shadow health records meet new data privacy laws

Authors

Affiliations

Abstract

Similar articles

Cited by

References

Publication types

MeSH terms

Grants and funding

LinkOut - more resources

Full Text Sources

Medical

Miscellaneous

Abstract

Similar articles

Cited by

References

Publication types

MeSH terms

Related information

Grants and funding

LinkOut - more resources

Full Text Sources

Medical

Miscellaneous