Medical data has the potential to revolutionize healthcare by enabling more personalized and effective treatments, improving patient outcomes, and reducing healthcare costs.
For example, medical data can be analyzed to improve patient care, discover new treatments, and advance medical research. More specifically, by analyzing medical records, researchers can identify trends and patterns in patient outcomes, and healthcare providers can use this information to improve patient care and clinical decision-making.
However, there are also concerns about patient privacy and data security, as medical data often contains sensitive personal information. In this regard, the Act on the Protection of Personal Information (the “APPI”) imposes various restrictions on the utilization of medical data. For example, companies must not use personal information beyond the scope necessary to achieve purposes specified by such companies pursuant to the APPI without obtaining the prior consent of the subjects of such data. Also, in principle, companies are prohibited from disclosing personal data to third parties without obtaining the data subjects’ prior consents. Furthermore, the APPI imposes heavy restrictions on the use of sensitive personal information. For example, sensitive personal information cannot be provided to third parties by using an opt-out mechanism.
In order to utilize medical data, companies must address how to abide by the APPI’s restrictions on sharing such data with third parties. There are several ways to disclose personal data to third parties without obtaining the prior consent of the subjects thereof.
II. The “Public Hygiene” Exception
Companies can disclose personal data to third parties without obtaining the data subjects’ prior consents in cases where there is a special need to enhance public hygiene, or to promote fostering healthy children, in both cases where it is also difficult to obtain a data subject’s consent (the “Public Hygiene Exception”).
Last year, the Personal Information Protection Commission (the “Commission”) publicly represented their view on the Public Hygiene Exception in a Q&A regarding the Guidelines for the Act on the Protection of Personal Information. The Commission’s view was that (i) use of personal data for the purpose of observational study or improving medical technology meets the requirement of “a special need to enhance public hygiene” and (ii) not only cases where the companies do not have the contact information of the data subject, but also cases where there is a possibility that obtaining a data subject’s consent would interfere with the relevant studies in terms of time and cost, etc., satisfy the requirement of “difficulty in obtaining a data subject’s consent.”
The Public Hygiene Exception may be helpful in utilizing medical data at research phases; it may, however, not work for companies intending to provide outcomes generated from medical data to third parties for business purposes, as this use does not fall within the scope of public hygiene.
III. The “Academic Studies” Exception
Companies can disclose personal data to third parties without obtaining the prior consent of the data subjects in the following cases (each of which excludes cases in which there is a possibility of unreasonable infringement upon an individual’s rights or interests) (collectively, the “Academic Studies Exception”):
- Where the companies are academic research or similar institutions and there is a compelling interest in the provision of personal data for the publication or teaching of the results of academic research;
- Where the companies are academic research or similar institutions and there is a need to provide personal data for the purpose of academic research (limited to cases in which the companies and a third party jointly conduct academic research); or
- Where the companies are academic research or similar institutions and there is a need for the third party to deal with the personal data for the purpose of academic research (including where only a part of the purpose relates to such academic research).
The Academic Studies Exception is also attracting increased attention in the context of the utilization of medical data; like the Public Hygiene exception however, this exception may not work for companies intending to provide outcomes generated from medical data to third parties for business purposes, since such use would exceed the scope of this exception. In this regard, in the Commission’s public expression of its view on the Academic Studies Exception in the Guidelines for the Act on the Protection of Personal Information, it stated that if companies deal with personal information for the purposes of product development, such activities do not fall within this exception.
IV. Anonymized Information
“Anonymized Information” (tokumei kako joho) means information relating to an individual that can be prepared in such a way that it is not possible, by taking any of the measures prescribed in the APPI, to (i) identify a specific individual by use of such information, or (ii) restore such personal information. Companies can use Anonymized Information for any purposes (i.e., beyond the scope necessary to achieve specific purposes) or provide Anonymized Information to third parties without obtaining the prior consent of the data subjects, since Anonymized Information is considered to not fall within the scope of Personal information.
There are drawbacks to Anonymized Information as well, however. First, the anonymization of information in accordance with the techniques and processes for anonymization stipulated by the APPI is burdensome. Furthermore, since such information is anonymized in a way that makes it impossible to restore it to personal information, it is difficult to prove reliability by returning to the original medical information.
V. Anonymized Medical Information
The Next Generation Medical Infrastructure Law (the “NGMIL”), which is a special law of the APPI, defines “Anonymized Medical Information” (tokumei kako iryo joho) in a way similar to the APPI’s definition of Anonymized Information. Briefly, the NGMIL allows for the use and provision of Anonymized Medical Information without obtaining patients’ express consent. In other words, unless the patients expressly “opt-out”, their medical information may be anonymized and used for various purposes, including medical research.
Last year, the NGMIL Studying Working Group pointed out that Anonymized Medical Information cannot meet the on-site needs of medical studies as to (i) data provision on rare cases, (ii) continuous and developmental data provision regarding same target group and (iii) proving reliability by returning to the original data in order for authenticity verification, which is a requisite for pharmaceutical applications.
VI. Pseudonymized Medical Information
On March 3, 2023, a bill of amendments to the Act to Revise the Next Generation Medical Infrastructure Law (the “Bill of Amendments”) was introduced to the 211th ordinary session of the Diet. The Bill of Amendments intends to establish “Pseudonymized Medical Information” (kamei kako iryo joho) as a legal concept, covering medical information that is prepared in such a way that it cannot be used to identify a specific individual unless collated with other information.
As opposed to Anonymized Medical Information, the preparation of Pseudonymized Medical Information does not require deletion of singular values or data regarding rare diseases. Furthermore, companies can provide Pseudonymized Medical Information to the Pharmaceuticals and Medical Devices Agency (“PMDA”) (PMDA is in charge of pharmaceutical licenses, including marketing authorizations for pharmaceutical products). In cases where PMDA conducts examinations to judge whether licenses should be granted, companies which applied for certain licenses using Pseudonymized Medical Information can re-identify specific individuals. The Bill of Amendments also purports to make it possible to conduct interlinked analysis between Pseudonymized Medical Information and the National Database of Health Insurance Claims and Specific Health Checkups of Japan (NDB), one of the most exhaustive healthcare database in Japan which includes health insurance claims every month and specific health checkup data every year. The Bill of Amendments also intends to impose certain obligations on medical institutions to make efforts to cooperate with governmental requests for the provision of medical data, in order that sufficient information can be collected and valuable outcomes generated under the NGMIL. Both the preparation and the use of Pseudonymized Medical Information, however, require governmental certification; the use of Anonymized Medical Information, by contrast, does not. This certification framework, if operated strictly, could constitute a barrier to entry.
Although there are pros and cons for each framework, the utilization of medical data, which can lead to various nationwide benefits such as improved patient outcomes, more personalized medicine, new medical breakthroughs, cost savings, and better public health outcomes, is quite important. The government is therefore actively promoting the utilization of such data. Given that the medical data industry constantly undergoes radical improvement, it is important to remain open to the latest administrative and policy trends, and to keep up to date with emerging technologies and innovations.
Author: – Masato Kumeuchi
Original article: https://www.noandt.com/en/publications/publication20230324-1/