what Is The RESERVATORY AND WHAT are ITS GOALS?
The Reservatory is a registered 501(c)(3) nonprofit corporation (EIN 93-1958911) based in New York. It was formed for the purpose of advocating for individual self-agency regarding the collection of and access to one’s own health data.
We are currently seeking funding in order to: (1) explore the technical feasibility of secure personal health-data repositories, and (2) conduct structured interviews with multiple stakeholders to assess potential interest in the idea as well as potential regulatory roadblocks it may face and whether they may be mitigated or avoided. The Researvatory is not building a product. However, our ultimate goal is to form a company with the mission of building the technical infrastructure necessary for individual health repositories.
We are currently seeking funding in order to: (1) explore the technical feasibility of secure personal health-data repositories, and (2) conduct structured interviews with multiple stakeholders to assess potential interest in the idea as well as potential regulatory roadblocks it may face and whether they may be mitigated or avoided. The Researvatory is not building a product. However, our ultimate goal is to form a company with the mission of building the technical infrastructure necessary for individual health repositories.
isn't it dangerous to let people directly control access to their data?
Potentially, yes. It is certainly possible to envision scenarios in which people have agency over their data and this leads to negative outcomes. This is an inevitable possibility with any rights granted to individuals or to institutions. We belief the better questions concern the nature of the tradeoffs involved under current and proposed systems, and whether there is a strong case for maintaining the status quo.
What are the societal benefits of individual self-agency?
- The development of a personal health services economy.
- Competition in the health-data economy which may lead to lower prices for services and insurance.
- A new, and effective means of philanthropy - both private and public - becomes possible. For example, wealthy individuals, corporations or governments may sponsor programs aimed at building the personal repositories of members of undeserved communities. This increases the unrealized financial capital in these communities, and promotes their engagement with objective measures of health.
- The ability to specify what happens to ones data after death. Options may include the naming of data stewards or custodians (an individual or institution) with certain contractual rights. Our belief is that after death, there is a moral responsibility to allow ones data to benefit humanity, however, there may arise circumstances where this default position should be altered or delayed.
What are the harms associated with the current system
1. There is an overall lack of transparency regarding who can access and profit from one's own health data.
2. Patients do not have an active role in their health decisions. Agency over data is a first step towards this goal.
2. Patients do not have an active role in their health decisions. Agency over data is a first step towards this goal.
how does hipAa relate to individual self-agency?
HIPAA is nominally in alignment with the principles motivating the creation of the Reservatory, though it leaves a lot to be desired. HIPAA is not a law about health data per se. Instead, it is a law governing doctors, insurance companies, and their business associates. The end result is that our health data may be sold without our consent (without violating HIPAA), and even in some circumstances with personally identifying information included (potentially violating HIPAA). As an example of the latter, consider the recent case of Cedars-Sinai Medical Center selling patient data to advertisers including Meta and Google.
"The [HIPAA] Privacy Rule standards address the use and disclosure of individuals’ health information (known as protected health information or PHI) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.”
The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to make sure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare, and to protect the public’s health and well-being. The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing.
[...]
While the HIPAA Privacy Rule safeguards PHI, the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called electronic protected health information, or e-PHI. The Security Rule does not apply to PHI transmitted orally or in writing."
[source: https://www.cdc.gov/phlp/publications/topic/hipaa.html]
Importantly, HIPAA ensures that individuals can send - or have sent - their personal health data to a 3rd party. This is the ultimate legal foundation for personal health repositories.
[source: see Your Health Information, Your Rights! - PDF at https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html]
"The [HIPAA] Privacy Rule standards address the use and disclosure of individuals’ health information (known as protected health information or PHI) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.”
The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to make sure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare, and to protect the public’s health and well-being. The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing.
[...]
While the HIPAA Privacy Rule safeguards PHI, the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called electronic protected health information, or e-PHI. The Security Rule does not apply to PHI transmitted orally or in writing."
[source: https://www.cdc.gov/phlp/publications/topic/hipaa.html]
Importantly, HIPAA ensures that individuals can send - or have sent - their personal health data to a 3rd party. This is the ultimate legal foundation for personal health repositories.
[source: see Your Health Information, Your Rights! - PDF at https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html]
The incentives alignment problem in the health-tech ecosystem
The incentives alignment problem in healthcare refers to the fact that healthcare as a business and healthcare as a service do not equally align with the best interests (financial and medical) of the consumer.
The incentives alignment problem stems from multiple systemic factors. Some of these factors are distinctive to the healthcare industry, e.g., high levels of government subsidy and regulation combined with insurance payers that separate revenue from the consumer. Others exist more broadly, e.g., a lack of transparency and competition.
The incentives alignment problem stems from multiple systemic factors. Some of these factors are distinctive to the healthcare industry, e.g., high levels of government subsidy and regulation combined with insurance payers that separate revenue from the consumer. Others exist more broadly, e.g., a lack of transparency and competition.
Will the future envisioned by the reservatory be a wild west?
We believe the health-data economy in the United States is already a wild west, though it is one restricted to certain kinds of entity (i.e., hospitals, insurance, advertisers, biotech & pharma, government). By enabling individual self-agency, there is indeed the potential for unintended negative consequences. We at the Reservatory believe there exists a moral responsibility to establish ethical standards and guidelines which exceed the status quo. This cannot be merely by setting ethical "goals", but must consider the incentive structures that promote ethical behavior.
In our vision for the future, there may exist alternatives in the market - that is, competitors in the personalized health-data bank space - and individuals will be able to choose among them. Of course, a need for carefully considered regulation will arise to account for the fact that maximizing individual freedoms may conflict with the societal well-being.
In our vision for the future, there may exist alternatives in the market - that is, competitors in the personalized health-data bank space - and individuals will be able to choose among them. Of course, a need for carefully considered regulation will arise to account for the fact that maximizing individual freedoms may conflict with the societal well-being.