Who Owns the Digital Patient? Data Sovereignty in Health AI

Who Owns the Digital Patient? Data Sovereignty in Health AI

Share

Who Owns the Digital Patient? Data Sovereignty in Health AI

In 2017, the UK Information Commissioner's Office ruled that the Royal Free London NHS Foundation Trust had failed to comply with data protection law when it shared 1.6 million patient records with Google DeepMind. The data was used to develop Streams, a kidney injury detection app. Patients were not told. They did not consent. The legal basis the Trust cited, "direct care," was found to be inappropriate for the scope of data shared.

The ruling was significant, but the practice it addressed is common. Health data moves from clinical encounters into commercial AI training sets with a regularity that most patients would find surprising.

The Legal Patchwork

Three regulatory frameworks govern health data in the jurisdictions we work in, and they disagree on fundamental questions.

PIPEDA, Canada's federal privacy law, requires "meaningful consent" for the collection and use of personal information. In practice, consent is bundled into intake forms patients sign without reading. Provincial acts like Ontario's PHIPA add layers, but secondary use of de-identified data for AI training falls into grey zones the Privacy Commissioner has acknowledged without resolving.

HIPAA in the United States permits de-identified health data to be used without patient consent. The Safe Harbor method requires removing 18 specific identifiers. But research has shown that de-identified data can be re-identified with surprising accuracy. A 2019 Nature Communications study demonstrated that 99.98% of Americans could be re-identified using 15 demographic attributes. The Safe Harbor standard is a legal fiction.

The GDPR takes the strongest position, granting data subjects rights to access, erasure, and portability. But even the GDPR struggles with AI. Once patient data has trained a model, the data is encoded in the model's parameters. You cannot delete it in any conventional sense. The right to erasure collides with the technical reality of machine learning.

The Tempus Problem

Tempus Labs has built one of the largest clinical datasets in oncology, drawn from partnerships with US hospitals. Patients at partner institutions have their pathology data, genomic sequencing, and clinical outcomes incorporated into Tempus's platform. That platform is sold to pharmaceutical companies and other health systems.

The patients whose data built the platform receive no compensation and often no notification. Their consent, if it exists, is buried in admission paperwork authorizing data use for "quality improvement" and "research purposes."

We think this raises a straightforward question: if your health data trained a commercial AI model, do you have any claim on the value that model generates?

Data Sovereignty as a Framework

The concept of data sovereignty, borrowed from indigenous data governance movements, offers a useful frame. The CARE Principles for Indigenous Data Governance (Collective Benefit, Authority to Control, Responsibility, Ethics) were developed for a different context, but the core insight transfers. Data about a person should remain, in some meaningful sense, under that person's authority.

Applied to health AI, this would mean several things. Patients should know what AI systems their data has trained. Consent for AI training should be separate from consent for treatment; bundling them is coercive. And when health data generates commercial value, patients should benefit. The mechanism matters less than the principle: value extraction without reciprocity is exploitation.

A Practical Position

We are both physicians who use AI tools in clinical contexts. We are not opposed to the use of health data for model development. Better diagnostic models and improved decision support depend on large, representative datasets.

But the current system treats patient data as raw material. The patient is the source. They are rarely the beneficiary. The question of who owns the digital patient does not have a simple legal answer yet. But it has a clear ethical one. The patient does. Our laws need to reflect that.


Related Reading