For each of Duke Health’s hundreds of thousands of patients, the institution keeps an exhaustive record of valuable health data.
Every medication they’ve been prescribed, every blood pressure reading or temperature recorded, every diagnosis given, every doctor’s note and images from every MRI or X-ray are all cataloged in Duke’s electronic medical database.
Earlier this month, Duke partnered with a Massachusetts-based machine learning company, nference, to remove identifying information from this trove of patient data and ultimately build a library that is easy for researchers to analyze and search.
Nference has already begun marketing access to this database to pharmaceutical companies, which could generate revenue for Duke, said Dr. Jeffrey Ferranti, Duke Health’s chief digital officer, in an interview with the N&O.
Giving pharmaceutical companies access to this data could speed up medical discovery in the long run, by allowing industry researchers to quickly sift through hundreds of thousands of data points, rather than run costly and time-intensive studies on patients.
But several bioethicists interviewed by the N&O said Duke has not been transparent enough with patients about how they plan to use their de-identified data.
“There is useful research here, I’m not against it,” said Arthur Caplan, founding head of the Division of Medical Ethics at NYU Grossman School of Medicine. “You just want to make sure you don’t lose public trust in trying to pursue it.”
Building health care databases is a burgeoning industry
Typically, health information is tightly protected by HIPAA, which prevents health systems like Duke from sharing or selling the data.
But when health information is scrubbed of identifying information — like names, dates of care and ZIP codes — it is no longer protected by those laws and hospitals are legally free to share or sell the information.
A multibillion-dollar industry has emerged around the buying and selling of this data. In recent years, several major health care organizations — including the Mayo Clinic, HCA, and Novant Health — have joined this market.
In Duke Health’s partnership with nference, Ferranti said, both institutions will form a governance committee that will decide who gets access to the Duke data and what research questions they will use the data to answer.
Ferranti said the health system would prefer that a Duke researcher be involved when a life-science company conducts research using the database, but said nference could partner with a pharmaceutical company to access the data without a Duke collaborator.
“It’s not certain whether or not we’ll make any revenues from this,” he said. “But if we do, those monies would support our nonprofit mission to advance our scientific mission or clinical mission.”
Nference declined to grant an interview for this story about its relationship with Duke Health. A written statement released by the company says the goal is to “advance research and accelerate drug development.”
Ferranti said Duke Health is also open to creating a new company with nference based on technologies they develop using patient data.
The Mayo Clinic developed a spinoff with nference in 2021. It markets an algorithm, trained on Mayo patient data, that is designed to read electrocardiograms and detect heart diseases early in their progression. The company raised more than $25 million in an early round of funding, according to an article from Fierce Healthcare.
“How those develop at Duke or if those develop at Duke, I can’t say right now,” said Ferranti, Duke Health’s chief digital officer. “But it’s certainly possible.”
Duke Health will grant access to records, not ownership
Unlike many health care providers that have come under scrutiny for selling de-identified patient information, Duke Health will not relinquish ownership of its data to the companies it works with.
It will instead use “behind the glass” data-sharing, which allows companies to run analysis on Duke’s library of information without the data ever leaving the health system’s network. Privacy researchers say this data-sharing method dramatically reduces the risk that sensitive medical information will be connected back to the patients it belongs to.
Even so, when health systems give access to any health data, the best practice is to send a notice to patients before the deal is finalized. It should clearly explain what data would be shared, how third parties would use it, and clear instructions for opting out of the data sharing, said Mark Rothstein, founding director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine.
Instead, Duke Health issued a press release after the deal was finalized that made no mention of patient data or the fact that Duke Health would potentially generate revenue by granting access to it. The release emphasized that the partnership would “transform healthcare by making biomedical knowledge computable.”
“If you want this to be the kind of arrangement that patients in the health system know about, I’m not sure that a press release helps get out that information,” said Matthew McCoy, a medical ethics researcher at the University of Pennsylvania School of Medicine. “I don’t think patients are reading the business wire to see what’s going on.”
At the time of publication, Duke Health had not sent a notice to patients regarding its collaboration with nference. The deal comes just weeks after the health system came under fire from state leaders for sending patient data to Meta, Facebook parent’s company.
In response to questions from The News & Observer about how patients would be notified of this use of their data, Duke Health spokespeople said instructions for opting out of the program would be included in the hospital’s notice of privacy practices. This document is offered to people when they first become patients and is posted in waiting rooms at Duke clinics, spokespeople said.
McCoy said such notices are unlikely to reach patients.
“My sense is that approximately 0% of patients read notice of privacy practices,” McCoy said.
As of Jan. 30, the opt-out instructions had not yet been added to the virtual document. The instructions will be made available “well in advance of the platform launch,” a Duke spokesperson said.
When asked to respond to the ethicists’ concerns, Ferranti said he sees their point.
“I think that it’s all fair,” he said, adding: “We fully intend to engage the community and communicate what the program is and what it means.”
He said the health system would create a community governing board that would allow local patients to give input on how they would like the database to be used.
Ferranti said he believes this is a pivotal moment for academic medical centers: They can either embrace machine learning and data science as part of their research process, or get left behind by commercial entities that do.
“The question is, How do you do it in a way that is responsible?” Ferranti said. “And that’s the problem that we’re trying to solve.”
-------
