Reminder: Do not include any PHI or PII in Confluence. If you require 508 accessibility assistance or any other support for this system, then please send an email to onc-jira-questions@healthit.gov
Please provide any feedback regarding this scenario in the comment form below or by clicking here. |
---|
Max Researcher at Non-Profit Research Company has a contract from the ACME Widget Company to conduct research evaluating their workplace wellness program. Employees that participate in the program receive HealthySensors that monitor physical activity (e.g., steps, heart rate, calories burned) and are eligible for a 10% reduction in their premium contributions if they succeed in their activity and weight goals. Max receives IRB approval to consent employees to release HealthySensor data for the NIH-funded Piggyback Research Study (unrelated to the workplace wellness program). Therefore, at the time of program enrollment, employees register their HealthySensors and authorize ACME Widget Company (a third party entity) to access HealthySensor’s data, and some employees authorize Max Researcher to use the sensor data for her NIH study.
HealthySensors has a policy that commercial entities (such as ACME) wishing to access batched data for activities such as wellness programs pay a per-member-per-month fee. ACME agrees to pay this fee in order to obtain data for the evaluation of their workplace wellness program conducted by Max. HealthySensors and ACME have a contract that transfers batch sensor data to ACME every 3 months, all of which Max can access for the wellness program evaluation, but only consented data is available for the Piggyback Study.
In accordance with her IRB protocol, Max obtains consent from participants for the Piggyback Study. With participant consent, Max can analyze the portion of the sensor data for the Piggyback study. She transfers the data subset into her research database, separated from the wellness evaluation data, to perform her analyses.
During Max’s Piggyback study, HealthySensors changes its privacy practices and terms of use. It starts a separate system using AppleResearchKit standards that allows HealthySensor users to provide and track consent, and release their data to third parties (this does not apply to data submitted before the AppleResearchKit standard), including researchers. The Piggyback study does not have funding to re-consent all of the participants and therefore loses a significant number of participants from its sample.
Questions:
- Are there any ethical or legal obligations for HealthySensors aside from those that apply to third party vendors collecting user data?
- Is “bundled consent” for the Piggyback study ethical, given the incentives for participation in the wellness program?
- What are consent best practices?
- Should the company broker consent? What if the company’s consent or privacy policies change during the course of the researcher’s study?
- Should the researcher obtain consent at the beginning of the study, independent of the company?
- The standards for PGHD-based consent are changing more quickly than research protocols. Are there any concerns for longitudinal studies that have not budgeted for changes in participant expectations for privacy, consent, and security?
- What other concerns should be raised about use of PGHD in research?
- Different private organizations have different mechanisms related to terms of use and how personal data will be governed (e.g. Withings and Sage have different policies). Would different standards for these agreements clarify restrictions for both users and researchers (e.g. the way that different open-source software license standards have different, but known and well understood, terms)?
- If participants submit additional data as part of their activity tracking (e.g., weight, exercise and meal regime, sleep patterns, mood), do concerns arise over the sensitivity or identifiability of this data? Should another consent be completed to cover the additional data collected from the individual?
- Is additional consent required for the study of this data vs. the data automatically recorded by the sensor?
- Are there any employer obligations for data collected under the wellness program under GINA or ADA?
- What privacy and consent consideration arise if the device platform includes functionalities such as voice recordings (e.g., goals, mood, responses to optional surveys)?
Title | Response |
Description | A study using PGHD data authorized through direct connections to commercial database |
Primary actor/participant | Participants, PGHD Company, Research Team, Employer |
Support actor/participant | PGHD Information Systems (Sensor company’s information system), Research Information Systems, Sensor devices |
Preconditions |
|
Post conditions |
|
Alternatives |
|
Considerations |
|
Data Elements Considered | Sensor Data |
Purpose of the Data Collection | Wellness Program, Fitness Tracking, Research |
Purpose of Data Use | Research and Program Evaluation |
Terms of Transfer to the Data Holders | Wellness Program, Fitness, Terms of Use by PGHD Vendor |
Terms of Transfer to Researchers | Employer-sponsored evaluation, separate IRB-approved research study with a subset of the data |