Laura Sandor, fellow, Datasphere Initiative
Introduction
The use and storage of personal health information has become an increasingly important topic around the world, especially following the events of COVID-19. With developments in technology, including wearables, healthcare providers and organizations can collect and store more data than ever before. However, with this, increased access comes the duty to protect sensitive information, especially when it comes to personal health data.
Countries around the world have put into place various levels of localization laws and policies to regulate the collection, storage, and sharing of personal health information. These norms influence how healthcare providers and organizations handle sensitive health-related data within and between countries.
However, they are generally not consistent across countries – meaning, localization norms appear in various different flavors – and many lack clarity and guidance on – or even allow in first place for – cross-border flow. The consequences may be dire, from the emergence of an even more siloed datasphere to greater barriers to solve public challenges that demand big and interdisciplinary data.
For example, health-related data is vital in understanding public health trends such as the evolution of pandemics, and at the more individual level, the development of treatments, the advancement of personalized medicine, and diagnosis, etc. This lack of uniformity across nations can result in increased costs, reduced efficiency as well as potential legal implications for governments and organizations. On an individual level, the lack of consistency in regulation can additionally create unclearness which ultimately leads to less trust and hesitation in sharing personal health data.
In this blog post, I will examine health-related localization regulations in some countries, shedding light on how health data is managed. Additionally, I will explore the concept of standardization of regulation around sharing data as a possible solution to promote responsible data flows between countries, aiming to enhance overall public health.
This blog builds on my previous post and further supports my research focused on the identification and impact of data localization norms.
Countries & Health Data Localization Laws
In this section, I briefly identify the norms in certain countries and regions that pertain to the localization and flow of health personal data. The aim of identifying these different laws is to highlight the many approaches to localization grounded on diverse justifications.¹ This grounding first step will then support my discussion on the need for better legal standardization and for interoperability frameworks. A brief description of each country is followed by a table, at the end of this post, with the resources of specific legal language.
United States (US):
In 1996 the United States established the Health Insurance Portability and Accountability Act (HIPPA), a federal law that allowed for the development of nationwide protocols for safeguarding confidential patient health information from being disclosed without the patient’s explicit consent and awareness. The HIPPA Privacy Rule describes standards for the use and disclosure of individuals’ protected health information by covered entities, such as healthcare providers, health plans, healthcare clearinghouses, and business associates. In addition, it implements guidelines for individuals’ rights to understand and control how their health information is used. Even though HIPPA requires informed consent from individuals before revealing this sensitive information, it does not demand for consent to store data or store data within the borders of the United States, allowing for sensitive information to cross borders freely.
European Union (EU):
Differently from the USA, the EU does not have a specific and all-encompassing regulation focused exclusively on health data. Thus, the protection of health data falls within the General Data Protection Regulation (GDPR). The GDPR was implemented in 2018 and provided a comprehensive framework for the protection of personal data, including personal health information. The GDPR requires organizations to gain explicit consent from individuals before collecting, using, or disclosing their personal data. With regard to health data, specific measures and interpretations of the regulations have been established to provide comprehensive and effective protection. Additionally, according to the GDPR, data storage is required to be within the EU or in a jurisdiction that provides an appropriate level of data protection that meets the standards of those of the EU.
Australia:
In Australia, data localization measures are included in the Australian Privacy Principles (APPs). Overall, it is strictly forbidden for data sourced from “My Health Records”, a platform that stores personal health information for patients and any other related health data to be held, taken, processed, or handled outside Australian borders. This includes any backups or copied information. Moreover, some Australian regions have additional localization regulations that restrict the disclosure of health records outside that territory, unless presented with specific conditions such as consent from individuals to transfer data, if there is a contract between an individual and an organization, etc.
China:
China enacted in 2021 its data protection law called The China Personal Information Protection Law (PIPL). China’s localization policies can be divided into two sections: general requirements and special data localization provisions. Important data is considered under the second section of special data localization provisions and is specifically defined as “data that may endanger national security, economic operation, social stability, public health, and safety once it is tampered with, destroyed, leaked, or illegally obtained or used.” Health-related data falls under this category and is also regulated by Article 10 of the Measures for the Administration of Population Health Information, which further determines that population health data is prohibited from being stored outside the borders of China.
Russia:
Russia does not have a specific regulation regarding health-related data. However, health data is considered ‘personal data’ which falls under the Federal Law on Personal Data. The Federal Law on Personal Data requires that all companies, both domestic and foreign, that collect personal data of Russian citizens must use databases that are located within the country for recording, storing, and systemizing purposes.
India:
In 2022, India’s government introduced the Digital Personal Protection Bill, which provided increased protection for personal data, including health data. This created a platform for increased reliability, trustworthiness, and safety in the digital sphere and emphasized efficient data use and informed consent. In addition, this bill allows for cross-border data transfer which was previously more regulated through localization practices in the Personal Data Protection Bill (2019).
Standardization of Regulation
The differences noted in my previous post, above and also elsewhere (see Schwalbe N et al., 2020) generate high barriers to data flow and health research collaboration. Thus, for countries that are in the process of developing their privacy and data protection norms, standard norms, and interoperability by design should be considered. And for those where norms are already in place, developing interoperability frameworks could support responsible data sharing that benefits all.
While it is true that specific projects are trying to develop such interoperability frameworks via contracts or governance protocols (e.g. WHO Pandemic Hub), better guidance issued directly by countries could facilitate more agile innovation and research.
In conclusion, the collection and sharing of health-related data has become a global issue, especially in light of the COVID-19 pandemic. Data protection laws with localization provisions are the new norm, but there is significant variability across nations. The standardization of health-related data localization norms and the addition of interoperability frameworks are essential in the promotion of innovation, and economic growth while establishing protective measures in terms of privacy and security. By establishing a uniform framework for health-related data, standardization can provide a solution for responsible cross-border data flows, enabling countries to share information that would positively impact overall public health.
Country | Regulation Name | Official Resource |
United States | Health Insurance Portability and Accountability Act (HIPPA) | National Archives – Code of Federal Regulations |
European Union | General Data Protection Regulation (GDPR) | Intersoft Consulting – General Data Protection Regulation (GDPR) Intersoft Consulting – Recital 35 – Health Data |
Australia | Australian Privacy Principles (APPs) | Australian Goverment – Australian Privacy Principles |
China | The China Personal Information Protection Law (PIPL) | DIGICHINA Stanford University – Translation: Personal Information Protection Law of the People’s Republic of China – Effective Nov. 1, 2021 *Unofficial translated document |
Russia | Federal Law on Personal Data | Federal Law NO. 242-FZ of July 21, 2014 *Unofficial translated document |
India | Digital Personal Protection Bill | The Digital Personal Data Protection Bill, 2022 |
¹ In my previous post How has COVID-19 influenced data localization measures?, governments are increasingly putting in place new localization measures when it comes to sharing data to (1) ensure individual rights and privacy are better protected, (2) to allow for the protection of sensitive information for national security purposes, (3) increase accessibility of information for regulatory processes and (4) increase domestic competences.
References
Andreeva, K., Kiseleva, A., Neskoromyuk, A., & Lewis, M. (2021). Data Localization Laws: Russian Federation, Practical Law Country Q&A w-024-3181 Data Localization Laws: Russian Federation. https://www.morganlewis.com/-/media/files/publication/outside-publication/article/2021/data-localization-laws-russian-federation.pdf
Australian Digital Health Agency. (2022). My Health Record. Www.digitalhealth.gov.au. https://www.digitalhealth.gov.au/initiatives-and-programs/my-health-record
Baker McKenzie. (n.d.). Data Localization/Residency | Australia | Global Data Privacy & Security Handbook | Baker McKenzie Resource Hub. Resourcehub.bakermckenzie.com. https://resourcehub.bakermckenzie.com/en/resources/data-privacy-security/asia-pacific/australia/topics/data-localizationresidency
Centers for Disease Control and Prevention. (2022). Health insurance portability and accountability act of 1996 (HIPAA). Centers for Disease Control and Prevention. https://www.cdc.gov/phlp/publications/topic/hipaa.html
EUROPEAN DATA PROTECTION SUPERVISOR. (2020). Health. European Data Protection Supervisor – European Data Protection Supervisor. https://edps.europa.eu/data-protection/our-work/subjects/health_en
InCountry . (n.d.). Data Residency for the healthcare industry. InCountry. Retrieved May 22, 2023, from https://incountry.com/lp/whitepaper/healthcare-industry-report/
Khanna, L. T. (2023, January 6). Digital Personal Data Protection Bill 2022 and its impact on India’s booming data centre industry. Times of India Blog. https://timesofindia.indiatimes.com/blogs/voices/digital-personal-data-protection-bill-2022-and-its-impact-on-indias-booming-data-centre-industry/
Sandor, L. (2023, January 31). How has COVID-19 influenced data localization measures? The Datasphere Initiative. https://www.thedatasphere.org//news/how-has-covid-19-influenced-data-localization-measures/
Sant, D. (2021, July 30). Is cloud storage GDPR compliant? Harper James. https://harperjames.co.uk/article/cloud-storage-and-gdpr/#:~:text=GDPR%20specifies%20that%20data%20must
Schwalbe, N., Wahl, B., Song, J., & Lehtimaki, S. (2020). Data Sharing and Global Public Health: Defining What We Mean by Data. Frontiers in Digital Health, 2(612339). https://doi.org/10.3389/fdgth.2020.612339
Sheng, J. (Jia), Xu, C., & Cai, W. (2023, March 22). Cross-Border Data Transfer Mechanisms and Requirements in China. Pillsbury Law. https://www.pillsburylaw.com/en/news-and-insights/cross-border-data-transfer-in-china.html
Wolford, B. (Ed.). (2023). What Is GDPR, the EU’s New Data Protection law? GDPR.eu; European Union. https://gdpr.eu/what-is-gdpr/Zhang, D. (2020, July 10). China: Data localisation requirements. DataGuidance. https://www.google.com/url?q=https://www.dataguidance.com/opinion/china-data-localisation-requirements&sa=D&source=docs&ust=1684790188794876&usg=AOvVaw3rKGm8gxWaUWj9RxNhIReg