The current patient privacy protection landscape is turning into a legal and regulatory patchwork that suffers from unnecessary complexities, security gaps, and vulnerabilities. It does a poor job protecting privacy and creates barriers to health, fitness, DNA and other data indispensable to AI research and development. One notable example is limited regulatory oversight of direct-to-consumer (DTC) DNA profiling. These services, which began shortly after the Human Genome Project announced in 2003 that sequencing was 99% complete, are exempt from most privacy laws and regulations, including HIPAA. Instead, profile storage, security, access, use, and ownership rely on contractual agreements between the companies and their customers. Recent financial woes at 23andMe, the second-largest company in the space with over 14 million stored DNA profiles are raising concerns about their future ownership and control if the company goes out of business or is acquired by parties from countries with limited privacy protections.

Wearable devices, such as the iWatch and Fitbit, present similar challenges. These devices collect and analyze growing panels of physiological data that overlap regulated private health information. Manufacturers use and often share their customers’ data with their partners and other third parties. For instance, Apple shared iWatch collected physiological and other data with institutions like Stanford, Harvard, and the National Institute of Environmental Health & Sciences, while Google, who owns the Fitbit, uses its data in researching and developing health and fitness applications. As with DTC DNA profiles, ownership, storage, and access are defined contractually between the companies and their customers.

On the other hand, innovation and advancements in AI based health, fitness, and clinical technologies will suffer without large representative data sets of health, fitness, and DNA data and information. Balancing these conflicting interests will require updating and reforming existing legal, regulatory, and technical frameworks to reassure the public and the research and development communities.