Before we get to that, a little explanation: Under the current US system, if there is no “easy way” to connect a research subject’s health information with her identity, then her deidentified health records are exempt from the rules that govern research with human subjects. Moreover, deidentified health records are not counted as “protected health information” and therefore are exempt from federal privacy protections.
For these reasons, the prospect of working with deidentified subjects can be highly attractive to researchers. The bureaucratic hurdles involved are orders of magnitude lower than they are if the people you’re studying are easily identifiable.
But if you’re a research subject and no one knows who you are, then you could lose out in some ways. Rothstein enumerates the very real risks to deidentified subjects. These include:
- Reidentification: Fail-safe deidentification is hard, if not impossible, especially if DNA data are involved.
- Group harms: I don’t need to know your identity in order to mess with you. If I know your race, gender, ethnicity, etc., I can still perpetuate ideas that your group is more prone to schizophrenia, alcoholism, lower intelligence, etc.
- Objectionable uses: “Thanks for participating in my project. You won’t mind if my research requires the slaughter of a few kittens, will you?”
- Commercial exploitation: “Guess what! Turns out that your tumor’s gene expression profile is just awesome! Big Pharma is ready to pay me a king’s ransom for your sample. I’d love to cut you in on the deal…Oh snap! I don’t know who you are.”
In Part II I will address why, in my opinion, offering further protections to deidentified subjects on an ad hoc, patchwork basis, while well-intentioned, is not the long-term solution to these problems.