Joeky T. Senders, Nicole Maher,
Alexander F. C. Hulsbergen, Nayan Lamba,
Annelien L. Bredenoord, and Marike L. D. Broekman
Passive Data in Healthcare and Neurosurgery
In the past few years, there has been a dramatic increase in the use of portable electronic devices including smartphones, tablets, smartwatches, and other wearables [1–15]. Traditionally, phones were used for calling and texting only, but the number of applications has grown exponentially, as well as the number of daily interactions we have with these devices. Portable electronic devices now have the digital sensors, processing speed, and memory to collect, share, and analyze a vast amount of data to provide granular insight into human behavior. For example, spatial trajectories, motions, cognitive capacity, sociability, and sleep cycles can all be derived from GPS, accelerometers, metadata on text and call activity, and screen on/off status, respectively [16–18]. These data streams are referred to as passive data (PD) since they are generated without any active participation of the subject as opposed to active data (surveys, audio samples, etc.). By collecting and analyzing PD, it is possible to make a very granular profile based on the behavior of the individual, the so-called digital phenotype. Digital phenotyping refers to the moment-by-moment quantification of the in situ individual-level human phenotype, using data from smartphones and other personal devices.
Digital phenotyping may be particularly useful for numerous applications in the healthcare setting ranging from early symptom recognition to postoperative monitoring to the prediction of future trends. The PD used for digital phenotyping is a quantifiable, continuous source of longitudinal data and provides unique insight into the health and lifestyle of patients measured in their environment. Furthermore, PD is economically attractive, noninvasive, and scalable from individual patient care to clinical research, basic science, and the public health domain. In contrast, traditional ways of patient monitoring, such as surveys and routine hospital appointments, have always been subject to recall bias, subjective patient perception, variable physician interpretation, sporadic and episodic follow-up, and influence of the hospital environment in which outcomes are measured [19–21]. PD, by virtue of its objectivity, therefore has the potential to transform healthcare.
Although the collection and use of PD may be broadly applied across many domains of healthcare, neurosurgical patients in particular can benefit from digital phenotyping. Digital phenotyping denotes the quantification of behavior and functional outcome, and the human central nervous system is the biological machine underlying this. Pathological changes in the brain and spinal cord can result in functional and behavioral changes that can be captured by sensors in portable electronic devices. In fact, most digital phenotyping studies to date focus on psychiatric, neurological, or neurosurgical patients [4, 5, 13, 16, 17]. Additionally, neurosurgical interventions are temporally discrete, whereas neurologic and psychiatric interventions are often longitudinal, thereby allowing a distinct temporal assessment of the effect of surgery on functional outcome and behavior.
Commercial and academic institutions investigate numerous ways to improve health monitoring and effectively improve patient care; however, the sensitive nature of PD makes exploration of the field especially challenging. Given the rapid development of technologies that collect and analyze PD and the inevitable implementation in clinical practice, it is essential to have an overview of the ethical challenges that come along with it, as well as their potential solutions.
Ethics of Passive Data
Collection of PD
Informational privacy invasion is one of the leading concerns regarding the collection of PD [22–37]. Multiple factors can contribute to this loss of privacy. Due to its longitudinal and in situ nature, PD can be collected from a subject's home and record intimate, private moments [22–26]. Data can even be collected on specific social or mobile activities that the subject does not intend to share [27, 29]. For example, GPS data collected for monitoring of physical functioning after surgery could also provide insight into specific locations patients visit and the time they spend there. Another factor that contributes to privacy invasion is so-called function creep. This means that the technology can be used beyond the purpose it was initially intended for. For example, the initial purpose of collecting PD might be to monitor clinical outcomes in operated patients, such as movement after orthopedic surgery. However, the same technology could then also be used by clinicians to check if the patient adheres to lifestyle intervention and whether they carry out enough physical exercise as part of a health plan. Through this, clinicians obtain a surveillance role. On the other hand, analyzing PD can also enhance patient privacy by allowing them to receive treatment in their own homes versus in a hospital setting [30].
Another frequently discussed concern regarding the collection of PD is informed consent [22, 24–27, 33, 38–43]. Many patients do not read or understand the consent forms. Instead, they automatically agree to terms and services [22, 25, 39, 41]. Due to the dynamic nature of PD collection and lack of insight into what knowledge can be derived from PD, patients may have less understanding and control over the data that is collected from them [24–27, 29, 33, 34, 36–38, 44–48]. Moreover, due to the rapid evolution of technology, the data that can be collected and the knowledge that can be derived from this data may prove to be different than at the time of consent.
Another issue identified is receiving informed consent from third parties or bystanders, such as family members or people living in the same household [26, 33, 38, 43]. Bystanders experience a loss of control over their data. Data can be unintentionally collected from them and sent to researchers without their knowledge or approval. Monitoring patients’ texting behavior for longitudinal, cognitive assessment is an example because online conversations always include two or more people.
There are a variety of solutions that can improve informed consent procedures and also help minimize the extent to which the collection of PD infringes on a subject’s privacy. Researchers could collect the simplest and minimum number of data elements necessary [26, 31–35]. Consent procedures could actively engage the individuals, thereby creating complete transparency in the data that is collected, the intent around the data acquisition, and the intentional and unintentional impact this may have on the patient [27, 33, 39, 40, 42]. This can be achieved through encouragement of an interactive dialogue, inclusion of visual aids, and stepwise verification of participant understanding, instead of a single episode explanation followed up by signing of the consent form [24, 33, 39, 40, 42]. Lastly, since the data is longitudinal and the technology is dynamic, it can be argued that the informed consent process should also be dynamic and flexible [22, 23, 26, 27, 29, 33, 36, 37, 43]. To help patients regain autonomy, it is suggested to give them as much control as possible over the technology and data [24, 25, 27, 33, 36–38, 45, 46, 49]. Privacy should be malleable to different contexts, and subjects should be able to change their personal privacy preferences at any time [22, 26, 29, 36, 37].
Use of PD to Improve Clinical Care
Care deliverers that collect and analyze PD are in a position to identify and act on health issues. Because healthcare interventions are highly reliant on the accuracy of this information, ethical concerns related to patient safety arise when PD directs clinical decision-making. For example, if a PD-based alarm system is responsible for detecting neurological deterioration after surgery, malfunctioning of this product can result in detrimental patient outcomes. Major themes include the regulation of devices, creating new safety systems, and ensuring safe PD-informed clinical decision-making [22, 24–27, 31, 33, 34, 36, 42, 43, 45, 47, 48, 50–52]. Currently, the evidence supporting the accuracy of apps processing PD is scarce, and there is no system in place to regulate their performance. Many healthcare apps are made directly available to the consumer through public app stores.
Digital phenotyping can reveal personal patient information that may lead to an increase in doctor biases. For example, a physician might notice that his or her patient is not adhering to prescribed lifestyle changes and as a result empathize less with the patient or underestimate the patient’s complaints. Data that would have otherwise remained private can, therefore, result in stigmatization [27, 34, 47].
Additionally, an increase of monitoring by digital devices can come at the cost of real-life doctor-patient contact, causing depersonalization of healthcare. Much can be lost if human interaction is replaced with technology in the treatment of patients [43, 48]. For example, in the treatment of elderly patients, human touch and direct communication can have a significant impact on the well-being of the patient. Many elderly patients are already isolated, and replacing traditional healthcare interactions with technology will further exacerbate this issue [29]. Furthermore, the psychological effects of continuous surveillance by healthcare providers remain to be elucidated [28].
Incidental findings, findings that are discovered unintentionally and not related to the indication for which the data was originally investigated, are bound to occur with PD. For example, an accelerometer that tracks patients recovering from orthopedic surgery might also pick up a tremor related to an underlying Parkinson’s disease.
While incidental findings are inherent to medical tests, the added risk in PD lies in the fact that data is collected with such ease and in such large quantities that clinically relevant or irrelevant incidental findings are much more likely to surface at some point. Anticipating this is essential, both to prevent overtreatment and to avoid unwelcome situations of liability through negligence. Clarification is needed around whether and when to inform the patient and who is to inform the patient, especially regarding information that the patient may not have wanted to know in the first place [24, 25, 33, 52]. Lastly, disparities that exist can be made worse due to unequal access to technology for the collection and analysis of PD, resulting in an unequal benefit of PD-enhanced clinical care in society [22, 24, 27, 29, 33, 36, 41, 43–45, 53, 54]. New technology is often unaffordable and inaccessible to lower-income populations [24, 53, 54]. Other vulnerable patient groups can be people with physical, disease-related, and mental impairments who might lack the technological skills required to use and benefit from personalized health technology [24, 29, 33, 44, 45].
A regulation system should be put in place to evaluate the safety and effectiveness of technology that can collect and analyze PD to enhance patient care [24, 26, 31, 33, 51]. All products should have to pass through a review board process before being approved for clinical use [24, 33, 51]. Some even suggest that mHealth products should meet FDA standards and health informatics standards to obtain clinical approval [51]. The Consolidated Standards of Reporting Trials (CONSORT) eHealth checklist might be useful for this purpose [40]. This checklist is an extension of the CONSORT statement specified for web-based or mobile health interventions or applications. The extent to which clinical decision-making can depend on patterns found in PD can vary enormously between different mHealth products. PD can, for example, be used as supplementary information for the clinician but can also be considered as an indicator for hospitalization or treatment. The required empirical evidence for the safety and effectiveness of PD products should, therefore, be balanced against the clinical impact of its application [40]. Not only should the significance and accuracy of the information be regulated but protocols for how to appropriately respond and take actions regarding patterns found in PD streams should also be implemented [50]. Incorporating continuous monitoring and evaluation of products after approval for clinical use is essential for establishing early detection of malfunctioning products [31]. Additionally, subjects should decide whether or not they would like to be informed about incidental findings [40]. Lastly, when products collecting and analyzing PD are implemented and standardized in clinical care, it is of paramount importance to ensure equal access, by making devices and software products affordable and settings understandable [22, 24, 27, 29, 33, 36, 41, 43–45, 53, 54].
Storage of Passive Data
Issues surrounding ownership and security are closely related to the storage of PD [26, 32, 33, 39, 42]. Currently, there are mixed perceptions about who owns PD. Patients, researchers, companies, hospitals, and academic institutions could all have a claim to the data. These claims are based on the type and degree of contribution involved in the research endeavor. For example, the patient is the subject of the data, researchers and companies may be the parties that analyze and derive insights from this data, thereby increasing the “value” of this data, and hospitals and academic institutions might be the ones that generate, store, and secure the data.
Security is of paramount importance for the storage of highly sensitive PD [22–25, 27, 31, 33, 36, 37, 39, 42, 43, 51, 55–57]. Many believe true security is not possible due to either government authorities or the failure of de-identification methods [22–25, 27, 31–33, 36–39, 42, 43, 51, 55, 57, 58]. Dependent on the (stability of a) legal framework in countries, authorities can demand access to PD [22, 24, 25, 32, 33, 38, 58]. If illegal activity is recorded during PD collection, courts in some countries might request access, and the security of the data will not be protected [22–25, 33]. Insufficient de-identification can also contribute to the loss of security. PD may be so rich in personal detail that the de-identification and encryption methods fail. Even if de-identification systems are put in place, combining multiple data points might still reveal an individual’s identity. PD results in a large volume of data, and current data storage systems may be outdated and insufficient to store all of this information safely. Lastly, PD is collected through mobile applications and wearable technologies allowing less computational power for advanced encryption methods than desktop computers [22–25, 27, 31, 33, 36, 37, 39, 42, 43, 51, 55–57].
Several solutions may help combat the issues of ownership and security for stored PD. Clarifying the details of ownership and making this known to participants is an important first step [25, 33]. Due to the variety of claims, complete ownership by one party might not be feasible or desirable; however, patients should have control over their data [24, 25, 27, 33, 36–38, 45, 46, 49]. The possibility of shared ownership between different parties might also be considered [44]. Researchers must protect data at the point of collection and have secure ways of transmitting the data. Also, regulations are needed regarding the security of PD storage systems [42, 43, 52, 54, 57, 59, 60]. These regulations should encompass quality standards for encryption methods but also specifications on who is allowed to access the data.
Secondary Use
PD has excellent potential for improving clinical care at the individual level, but on a larger scale, it can also provide valuable insight into disease development and progression in the scientific realm or public health domain. In the clinical realm, the trade-off between PD collection and improved patient care can be clear and transparent. In contrast, PD used for research or public health purposes is not directly beneficial for the individual patient who contributes their data.
In the scientific realm, it is suggested that the data collected be used solely for the purpose it was originally intended for [23, 25, 32, 58]. Upon conclusion of the study, the data must be deleted. If the data is to be used for a secondary purpose, informed consent must be received; however, this might be impossible in some cases since these patients might not be alive or within the scope of the hospital anymore [24, 33, 38]. It is harder to set boundaries for data access to governments and companies. Allowing for sharing of data between different institutions can promote the use of PD and increase the benefit we can derive from PD, but it is essential to clarify boundaries of access to data [23–25, 33, 58]. For example, data can be transmitted to technology companies to be analyzed by advanced quantitative methods; however, only the specific data elements that are crucial for performing the analysis should be shared.
The Big Picture
PD has the potential to make a tremendous impact on healthcare; however, this data is sensitive and personal, and many ethical challenges related to its collection, use, storage, and secondary use remain. Since this technology is rapidly and continuously improving, the increasing granularity of the collected data will push the ethical boundaries even further. Laying out a robust ethical framework will create an environment in which patients and their interests are protected, while still allowing for the benefits of PD to be harnessed for clinical, scientific, and public health goals.
Parallels with Ethical Concerns Outside the Realm of Passive Data
Despite the overall consensus on the ethical concerns surrounding PD, very few concerns are actually supported by empirical research. This lack of scientific evidence may be a practical consequence of the fact that PD has not yet been fully implemented in clinical practice. These ethical concerns are, however, closely related to those discussed in other domains. For example, the concepts of informed consent and patient privacy have already been explored since the early days of medical research, thereby providing valuable insight into the validity of the opinions, arguments, and suggested solutions reported in the ethical literature on PD.
One study reviewed the effectiveness of different consent procedures and found that the traditional consent procedure, which consists of a brief explanation by a physician or researcher followed by signing of the consent form, is often incomplete [61].
Furthermore, this study showed that patients often had difficulties with recalling and demonstrating an understanding of the information, as well as with discussing this information with their caregivers. This review also found that simplified supplemental written materials, decision aids, educational videos, and utilization of the “repeat back method,” in which patients repeat their understanding of what their caregiver has explained to them, were more effective communication tools [61].
Two other survey studies that investigated preferences related to informational privacy found that privacy concerns are neither static nor generalizable but differ between cultures [62] and are highly dynamic over time [60]. These cultural and temporal variations support the concerns regarding a single-time-point consent procedure and rigid, uniform privacy settings.
Ethical concerns related to PD also parallel those related to other data types. Similar to PD, genetic data contains information with a high degree of granularity and specificity, which can cause issues with data anonymity and security. Additionally, insurance companies can refuse to cover patients based on patterns found in both passive and genetic data. To anticipate these issues, the American Society of Human Genetics makes a clear distinction between different levels of identification of data [63]. The level required for studies depends on the source of the material, the purpose of the study, and the extent to which additional information is necessary. Additional information, such as demographics, diagnosis, and family history, is not stored with the sample if it is not necessary to achieve the goal of the research [63].
The ethical concerns of PD are also similar to those seen outside of the medical realm, such as those related to online behavior tracking by large companies such as Google, Facebook, and Verizon. Both PD and online behavior tracking have very low thresholds for generating and obtaining data, as they require neither invasive procedures nor active participation from subjects. Internet companies already collect data with tremendous ease, volume, and velocity, but this comes at the cost of transparency and informed consent. However, most people are unaware of the data that is collected from them [35, 38]. Lengthy and complex consent forms cause individuals to agree to terms that they do not read or understand.