Health data uses are on the rise. Increasingly, data are used for a variety of operational, diagnostic, and technical purposes, as in the Internet of Health Things. Never has quality data been more necessary: large data stores now power the most advanced artificial intelligence applications, applications that may enable early diagnosis of chronic diseases and personalized medical treatment. These data, both personally identifiable and de-identified, have the potential to dramatically improve the quality, effectiveness, and safety of artificial intelligence.

Existing privacy laws neither 1) effectively protect the privacy interests of individuals nor 2) provide the flexibility needed to support artificial intelligence applications. This paper identifies some of the key challenges with existing privacy laws, including the ineffectiveness of de-identification and data minimization protocols in practice and issues with notice and consent as they apply to artificial intelligence applications, then proposes an alternative privacy model. This model specifically rejects a notice and consent model in favor of legitimate interest analysis. This approach introduces a more restrictive application of health privacy law while adopting a flexible, interest-balancing approach to permit additional data uses that primarily benefit individuals and communities.