Ethical Dimensions of Clinical Data Sharing by US Health Care Organizations for Purposes beyond Direct Patient Care: Interviews with Health Care Leaders

Objectives This study aimed to (1) empirically investigate current practices and analyze ethical dimensions of clinical data sharing by health care organizations for uses other than treatment, payment, and operations; and (2) make recommendations to inform research and policy for health care organizations to protect patients' privacy and autonomy when sharing data with unrelated third parties. Methods Semistructured interviews and surveys involving 24 informatics leaders from 22 U.S. health care organizations, accompanied by thematic and ethical analyses. Results We found considerable heterogeneity across organizations in policies and practices. Respondents understood "data sharing" and "research" in very different ways. Their interpretations of these terms ranged from making data available for academic and public health uses, and to health information exchanges; to selling data for corporate research; and to contracting with aggregators for future resale or use. The nine interview themes were that health care organizations: (1) share clinical data with many types of organizations, (2) have a variety of motivations for sharing data, (3) do not make data-sharing policies readily available, (4) have widely varying data-sharing approval processes, (5) most commonly rely on Health Insurance and Portability and Accountability Act (HIPAA) de-identification to protect privacy, (6) were concerned about clinical data use by electronic health record vendors, (7) lacked data-sharing transparency to the general public, (8) allowed individual patients little control over sharing of their data, and (9) had not yet changed data-sharing practices within the year following the U.S. Supreme Court 2022 decision denying rights to abortion. Conclusion Our analysis identified gaps between ethical principles and health care organizations' data-sharing policies and practices. To better align clinical data-sharing practices with patient expectations and biomedical ethical principles, we recommend updating HIPAA, including re-identification and upstream sharing restrictions in data-sharing contracts, better coordination across data-sharing approval processes, fuller transparency and opt-out options for patients, and accountability for data-sharing and consequent harms.