Health data is a potential treasure trove of information. So-called ‘secondary use’, or reuse of patient data, whereby information collected for clinical care by health systems and hospitals is used for purposes other than medical record-keeping, offers myriad opportunities. These data can be used for feedback and to improve the health system, drive medical discoveries and enable data-driven solutions in life sciences and technology. However, patient data has also become a valuable commodity, whereby countries can build a health-data economy by entering into deals with commercial partners keen to grow their interests in the healthcare sector.

Several countries have recognized the potential of utilizing health data to its full potential. For example, France has created a Health Data Hub. In 2017, Australia invested more than AUS$317 million toward MyHealthData, a centralized digital health record. Health data is one of the core pillars of the UK’s ambitious life-sciences industrial strategy, and the UK has made a substantial political and financial investment to support the digital transformation of its National Health Service (NHS), with the creation of a dedicated department (NHSX) to set national policy for NHS technology and the creation of an NHS artificial intelligence lab.

However, in the past decade, patient trust in the safety of their health data has been shaken by a series of media storms. For example, in the UK, a controversial NHS information-sharing scheme, which collected anonymized data from doctors’ files to make them available for research called ‘care.data’, was closed in 2016 after more than a million patients opted out of the system over concerns that their medical data could be shared with commercial companies without explicit consent. Also in 2016, New Scientist reported that Google-owned DeepMind was given access to the NHS patient records of 1.6 million people as part of a trial to test an alert, diagnosis and detection system for acute kidney injury. It was later found by the UK Information Commissioner’s Office that Royal Free NHS Foundation Trust, which provided the information to Google DeepMind, had failed to comply with the UK’s Data Protection Act. More recently, in July 2019, in the USA, a lawsuit was filed alleging that the University of Chicago Medical Center shared data with Google without removing potentially identifying information. In November 2019, The Wall Street Journal reported that up to 50 million people’s health information, including names and birth dates, was shared as part of a collaboration between nonprofit hospital chain Ascension and Google. Ascension stated that all of Google’s work with Ascension was in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and is covered by a business associate agreement that governs protected health information. Nevertheless, this caused public outrage and the launch of a federal investigation into whether HIPAA was followed.

In this issue of Nature Medicine, Kayte Spector-Bagdady and colleagues discuss the complexity of the legal framework that regulates health data in the USA. They show how although the level of scrutiny of the regulation of health data is high when the data are collected from research participants, it is lacking for secondary use of patient data. The issue of informed consent is paramount in this conversation, as it would seem that under HIPAA, patient consent is much less clearly informed than it is under the Common Rule, which protect research participants.

Focusing on the UK, a white paper published in February 2020 by the Imperial College Institute of Global Health Innovation warns against the lack of a clear strategy for maximizing the impact of health data and the inconsistent and piecemeal involvement of the public in this strategy. Echoing the concerns expressed by Spector-Bagdady and colleagues, it finds that “the legal framework governing the use of personal data in health in healthcare remains complex and creates a number of legal and societal challenges.”

Patient trust is not inexhaustible; nor should it be taken for granted. Patients have the right to question whether these deals respect their rights, especially as the regulatory frameworks that govern patient data, in the UK and elsewhere, are struggling to keep up with the speed of technological advances. Other deals are underway. On 26 February 2020, STAT reported that the University of California, San Francisco, had stuck a deal with Google to “freely share deindentified patient data with Google,” although, in this instance, the media outlet reports that “UCSF has not been accused of sharing anything improper in the collaboration outlines in its 2016 agreement with Google. Nothing in the contract indicates otherwise.” The announcement in the UK life-sciences strategy that a National Centre of Expertise in NHSX will provide legal and commercial expertise to NHS organizations when they are negotiating data partnerships is welcome and could be replicated in other countries. Also, it is encouraging to see that a year after the publication of Eric Topol’s review on preparing the healthcare workforce to deliver the digital future, there has been visible progress and tangible engagement with its recommendations. However, this is not enough; patients should increasingly be seen by all stakeholders as partners in the research enterprise, and a national conversation that empowers patients to feel ownership over their health data is crucial.

Researchers do not have to wait for regulatory bodies to lead the charge. Spector-Bagdady and colleagues recommend that hospitals take the initiative in providing their patients with the same level of disclosure about secondary uses of health data as research participants are given. Resources are available to help researchers have open conversations with patients about their data, why data sharing is important and how investment in the digital transformation will be beneficial to their health. To preserve access to the data they need for their work, the research community should become the most fervent champions of dialog, transparency and regulation of the use of patient data.