Harmonizing regulatory regimes for the governance of patient-generated health data

Patient-generated health data (PGHD), created and captured from patients via wearable devices and mobile apps, are proliferating outside of clinical settings. Examples include sleep trackers, fitness trackers, continuous glucose monitors, and RFID-enabled implants, with many additional biometric or health surveillance applications in development or envisioned. These data are included in growing stockpiles of personal health data (PHI) being mined for insight by health economists, policy analysts, researchers, and health system organizations. Dominant narratives position these highly personal data as valuable resources to transform healthcare, stimulate innovation in medical research, and engage individuals in their health and healthcare. Large tech companies are also increasingly implicated in these areas, through mobile health application sales and data acquisitions. Given the many possible uses and users for PGHD, ensuring privacy, security, and equity of benefits from PGHD will be challenging. This is due in part to disparate regulatory policies and practices across technology firms, health system organizations, and health researchers. Rapid developments with PGHD technologies and the lack of harmonization between regulatory regimes may render existing safeguards to preserve patient privacy and control over their PGHD ineffective, while also failing to guide PGHD-related innovation in socially desirable directions. Using a policy regime lens to explore these challenges, we examine three existing data protection regimes relevant to PGHD in the United States that are currently in tension with one another: federal and state health-sector laws, regulations on data use and reuse for research and innovation, and industry self-regulation of consumer privacy by large tech companies. We argue that harmonization of these regimes is necessary to meet the challenges of PGHD data governance. We next examine emerging governing instruments, identifying three types of structures (organizational, regulatory, technological/algorithmic), which synergistically could help enact needed regulatory oversight while limiting the friction and economic costs of regulation that may hinder innovation. This policy analysis provides a starting point for further discussions and negotiations among stakeholders and regulators to do so.