What you should know about patient data after May 2018

When scientists don’t fight over funding they fight over data.

Having large amounts of data that competitors can’t access means having the upper hand when it comes to publishing and getting funding. Corporations operate the same way. Science is, after all, a knowledge economy, where data is knowledge and knowledge is power.

But in a world where data is seen as an asset, patient rights when it comes to accessing their own data and deciding what to do with it can be compromised. And they are, on a regular basis.

I am a vocal advocate for empowering patients (and individuals in general) by giving them access to their personal data files so that they can know what these contain and choose whom to share it with. I also know that not everybody feels the same way. I have had the opportunity to address data scientists twice, first in 2015 and more recently at a personalized medicine meeting in 2017, and both times I managed to divide the audience and offend some data scientists and clinicians. 

The good news is that this debate is becoming obsolete on May 25th 2018, when a new regulation protecting patients' right to access their data will enter into force.

The surprising news is that the solution didn’t come from a medical organization but from the EU Parliament, in the form of a General Data Protection Regulation. The key word here is “general”, because the new regulation was not written with patients or even with medical data in mind. It applies to anyone who collects other people’s data. From Google storing your preferences, to Facebook knowing your friends, to your aunt having a mailing list for her cooking blog. And patients are, surprisingly, a key collateral beneficiary of this regulation.

Let me review the current problems that patients face in accessing their own data and why the General Data Protection Regulation is so important.



Before 1973 your doctor didn’t need to tell you what he thought was your diagnosis, or to ask you to consent to the treatment he was prescribing. This would be unthinkable in today’s world, but it was grounded on the observation that the doctor, and not the patient, is the most knowledgeable person in the room when it comes to medicine. While this is generally true, it is also paternalistic and condescending, and in 1973 the American Hospital Association adopted the Patient’s Bill of Rights to put an end to this practice. After the Bill, patients were entitled to receive information about their disease and to make decisions about treatments (except in emergencies), among other important rights. Similar regulations were then adopted worldwide.

When I give presentations on this topic I like to use the slide below to illustrate the problem of scientists and healthcare providers not supporting the transfer of patient data from one study to another. It shows the example of a patient having to repeatedly give the same personal and medical information over and over to their hospital, a patient registry for their disease, to a couple of academic studies, and probably also to a clinical trial where the patient participates and that is also generating a separate patient registry. The burden on that individual patient is ridiculous, and this is not a made-up example. I know multiple cases of patients with rare diseases where they end up interacting with such a large number of data holders in an attempt to get the best medical care and to help advance the scientific understanding of their disease.

[Slide: a patient giving the same personal and medical information to a hospital, a patient registry, academic studies and a clinical trial]

There are two separate problems here:

1- Data holders refuse to share the patient data with other data holders.

The main argument is often that the informed consent didn’t consider sharing data with third parties, but in my experience even if the patient (or caregiver) offers to sign a new informed consent to support that transfer the original data holder refuses. As I see it they are not thinking of the patient’s best interest but looking at the data instead as an asset that they own.

2- They also often refuse to share the patient data with the patient himself.

If patients had access to their entire medical history and relevant studies in a way that can be easily transferred to other data holders, such as new registries and studies, the patient would choose who has it and who doesn’t. But they don’t have that choice when they don’t have their data files. The expressed reasons to not grant the patient access to his or her own data files often fall into two categories. One is the technical one, like in the real example: “we never designed our registry with an output format that could be useful to you”. The second is the same one that led to the 1973 Patient’s Bill of Rights, as in another real example: “no we can’t give you your whole exome sequence because you don’t understand genetics, interpreting sequences is hard and confusing, and you might make the wrong decisions based on uninterpretable data”.

The cry of patients for accessing their own genetic sequence data files is so loud that in 2015 the European Society of Human Genetics issued a press release with the following headline: “People want access to their own genomic data, even when uninterpretable”.

It wasn’t about patients having the knowledge to read a raw whole exome sequence file, but about being entitled to get a copy of such a file.

I personally thought it would have to be an organization like the European Society of Human Genetics or the American Hospital Association who would issue a new recommendation (or hopefully something more enforceable) to protect patients’ right to access their own medical data files. Surprisingly the regulation that would come to protect these patients’ rights was simply a new general regulation for personal data protection that was never developed thinking specifically of patients.




The General Data Protection Regulation (GDPR) was approved by the EU Parliament in 2016 and will enter into force in May this year. It doesn’t matter where the organization that collects personal data of data subjects (including medical data) is located. What matters is that if the data subject resides in the EU, the organization needs to be compliant or face heavy fines. Unless organizations are planning to follow separate Standard Operating Procedures for EU and non-EU residents, most will simply have to be compliant with the GDPR and the new regulation will also protect non-EU patients.


My favorite “data subject rights” are the following:

1- Right to Access. 

Under the GDPR the data holder will have to provide patients with a copy of their personal data, free of charge and in a machine-readable format. It won’t be ok to argue that the database wasn’t built for export functions or to be passive-aggressive and give the patient only a small summary in a PDF. The patients, and all data subjects in general, are now empowered to have a copy of their data files, to know how much data the data holder has collected from them, and to know what they are using it for.

2- Right to be Forgotten.

Under the GDPR the data subject can withdraw consent and request that their data be removed from the data holder’s files and no longer be used or disseminated. If you are a patient that gave data to a registry on the understanding that they would use it to further research in your disease, and you later become aware that they are refusing to share data with other research groups, you can now approach the registry and request your data to be removed.

3- Data Portability.

Under the GDPR the patient can request the data holder to provide them with a copy of their files in a machine-readable and usable format not only for their own records, but also to transfer them to another data holder. In my real example of a rare disease patient that has his data in multiple registries and studies, the patient can now get usable files from his hospital including proper gene sequencing files and then share these files with the other registries and studies. They won’t have to give the same data, and be subject to the same procedures, over and over as happens nowadays.




After May 2018 I will have to change my PowerPoint presentations. Patients will have the right to request access to their data files. They will have the right to withdraw their data from a database that is not being used in the way that the patient thought it would operate. And the patient has the right to obtain these files generated by a particular data holder, for example a gene testing lab, and get the usable file and share it with as many studies and registries as the patient wants.

In 2015 I offended some data scientists at a big data meeting with the following message:

Health data must be shared
In particular with the patient (even if they don’t understand it)
Because it is their data
And because they will share it

I wanted to shift the conversation on giving patients access to their own data from “the patients don’t understand the data” to “they need to have access so that they are able to share their data”. I guess we don’t need to debate this anymore. After May 2018 we just need to say that it is the new law!

Ana Mingorance PhD