Abstract
Artificial intelligence (AI) is increasingly being developed and implemented in healthcare. This presents privacy issues since many AI systems are privately owned and rely on data sharing arrangements for mass quantities of patient health information. We investigated the Canadian legal and policy framework focusing on regulation relevant to the potential for inappropriate use or disclosure of personal health information by private AI companies. This included analysis of federal and provincial legislation, common law and research ethics policy. Our evaluation of the various regulatory frameworks found that together they require private AI companies and their partners in healthcare implementation to meet high standards of privacy protection that prioritize patient autonomy, with limited exceptions. We found that healthcare AI systems are required to be consistent with the rules and foundational ethical norms enshrined in law and research ethics, even if this poses challenges to implementation. Data sharing arrangements must focus on tight integration with high levels of data security, strong oversight and retention of patient control over data.
Keywords:
- health law,
- privacy,
- artificial intelligence,
- bioethics,
- legislation,
- Canada
Acknowledgements
Thanks to Ubaka Ogbogu and to Robyn Hyde-Lay for their helpful comments and suggestions. The authors would like to thank the Office of the Privacy Commissioner of Canada, Genome Alberta and Genome Canada for their generous support of the projects: “Privacy and Artificial Intelligence: Protecting Health Information in a New Era” and “Precision Medicine CanPREVENT AMR.”