While the systematic review and meta-analysis published in Nature Communications provided a broad overview of cloud-based personal health records—focusing on aspects such as data security, privacy, sharing, and cost—this new article is distinct. During the original publication, we identified several important ethical and legislative issues that required deeper exploration, which could not be addressed within the scope of the initial review. ¹

The present article focuses exclusively on these ethical, legislative, and human rights aspects. Additionally, a small narrative component has been incorporated into this work. There is no overlap between the two publications, ensuring the integrity of both.

Hence, this study is built upon the recently published Systematic review and meta-analysis for a Global Patient co-Owned Cloud (GPOC). ¹ For the original methods, we refer entirely to this article. However, below is a succinct overview of the methods used, since it is relevant for the understanding of the present article and its methods. The meta-analysis part of the systematic review was not included in this study. For a complete search strategy, see the original article. ¹ For validity and bias, see the PRISMA checklist of the same article. ¹

The initial PRISMA-guided review of multiplatform databases was registered with PROSPERO (CRD42022342597) 1 July 2022. ¹ The search utilised thematic keywords across several databases, identical for both studies. The scope included SCOPUS, CINAHL, Ovid Medline, PubMed, EMBASE, the Cochrane Library, the Web of Science, and Engineering Village (Knovel and Inspec). ¹ The main topics initially explored included global, cloud-based, decentralised, patient co-ownership, and PHR platforms. ¹ However, keyword terms for the present study encompassed a focus on ethical aspects of co-ownership, rights of patients, integration of artificial intelligence, ethical considerations, relevant economic and legislative factors, and the clinically relevant outcomes for patients. For keywords from the original review, only ethical aspects were considered, e.g., ethical aspects of co-ownership. The included period of the systematic review and the present study stretched from 1946 to 2022. ¹

The referencing software EndNote (Programmer: The EndNote Team, Year: 2013, Title: EndNote, Place Published: Philadelphia, PA, Publisher: Clarivate, Version: EndNote 20, Type: 64 bit) imported all the articles. ¹ They were then deduplicated and exported to Rayyan (Harvard, USA). ¹ Both studies have identical screening procedures, i.e., the latter is built upon of the former.

Primary articles that addressed the themes of global distribution, patient rights, co-ownership, electronic health records (EHRs), and personal health records (PHRs) were selected. They encompassed aspects such as co-ownership, with legal and ethical considerations, the economics of PHRs, patient contribution and participance, clinical decision and results in relation to the PHR integrity. Included in this review were randomized controlled trials if they were centred around PHR usage per se. Inclusions were permitted if the articles, e.g., addressed cloud-storage PHRs with shared ownership between patients and healthcare providers. In contrast, abstracts, reviews, conference papers, articles lacking references to PHR platform, or with ambiguous conclusions were not considered. Moreover, articles that did not refer to or discuss patient co-ownership, irrespective of whether they involved cloud-based infrastructures were not included. ¹

While the original article focused on technical measurements, security, privacy and encryption, this current article extracted the keywords deemed relevant for an ethics overview, namely, ethics, legislation, regulation, regulatory, ethical aspects of co-ownership, patient rights and artificial intelligence, health economics, human rights, patient access, sharing, integration, interaction, interfaces, and PHR costs. Through the thus retrieved articles, we included a handful of articles (ca. 10) for a complete picture, i.e., there is a minor narrative review component in this study. This provides a fuller picture of the recent PHR global market, AI integration and human rights aspects, which are not fully covered by the previous study. For an overview of the global latticework of legislation, we received senior expert input; see Acknowledgements.

We assessed the risk of bias (ROB) using seven domains (D1-D7) from the online ROBINS-I and RobVis tools. We designed the abovementioned criteria for the present study as rigorous as in the original inclusion and exclusion. This to avoid any bias. We solved search strategy disparities collaboratively. Publication bias was evaluated using Egger’s test, with no adjustments deemed necessary. The original review adhered to a PRISMA-guided protocol and was registered with PROSPERO. All inclusions in the present study were checked manually to evaluate any of the risk of bias.

The original search was employed across multiple databases with a wide time frame to include as comprehensively as possible. The inclusion and exclusion criteria were clearly defined to avoid selection bias. Standardised tools for extraction were utilised for each study, for in the review and the present study. Internal bias risk inside the studies were reported in the original systematic review and applies to the present study. PRIMSA guidelines were followed. The screening procedures were blinded. For this Rayyan was used in the original selection with two reviewers and a third arbitrator. Consensus decision applied. For details, see the RobVis figure which illustrates the risk-of-bias domains for each and every included study; refer to the original article. ¹

This study extends a prior systematic review, focusing on ethical and legislative aspects. Following PRISMA guidelines and PROSPERO registration, a refined search was conducted across major databases. Articles were screened using rigorous criteria, and data validity was ensured via ROBINS-I and Egger’s test. Expert input, along with a minor narrative component, enriched the findings, addressing AI integration and global human rights frameworks.

The GPOC systematic review of 9,362 articles retrieved 226 articles. It covered twelve facets relevant to the realisation of a GPOC. One-fifth of the articles dealt with ownership and data owners. ¹ However, only two mentioned multi-ownership, but mentioned it in a different context. ^{6, 7} To our knowledge, the exact term co-ownership does not appear in any published article. In the GPOC Survey and GPOC Summit we introduced this concept. In both, over 90% of respondents deemed it a human right to co-own PHRs. ^{2, 4}

Here, we present an overview of the initiatives of regulatory bodies, ethical considerations and clinical limitations. The global latticework of regulations is depicted in Table 1, and the global producers of PHRs are shown in Table 2.

In the original systematic review, one dozen core subjects were identified among the 226 articles targeted for retrieval. ¹ Among these articles, the three most prominent subjects were privacy and security, accounting for 65%, followed by sharing at 35%, and ownership at 21%. Thus, the current systematic review focuses on articles containing, e.g., ethics, sharing and ownership and other non-overlapping subjects mentioned below.

The results of the selected review extraction are presented for the twelve subentries (#1--12). Given the nature of the subjects, parts of the discussion will occur within these. Hence, the discussion entry summarises the overarching tendencies. To present the results in a collective manner and maintain an overview, we first present some relevant human rights declarations (#1) and ethical principles (#2). Thereafter, we delve into the ethics of the GPOC term of co-ownership (#3), privacy aspects (#4), and policy and guidelines (#5). GPOC has a special focus on patient-centricity (#6), and we also depict new technical solutions and ethics (#7). Several of the retrieved articles discuss initiatives by regulatory bodies and organisations (#8). The review presents articles from all around the globe and delves into various regulations. Hence, an overview of global regulations (#9) is necessary. Additionally, a brief overview of the global PHR market (#10) is relevant for understanding the settings. Finally, we collected the facts retrieved from AI Integration (#11). Finally, we summarise future challenges (#12) for GPOC.

#1: Relevant Human Rights Declarations

Active participation in personal development is a key human right according to the United Nations’ Sustainable Development Goals (SDGs) of 1986. ⁸ There are no UN declarations on PHRs. However, in 2019, the Declaration on Universal Health Coverage (UHC) was established. Hitherto, it has been the most wide-ranging attempt at universal health guarantees. ⁹

#2: Ethical Principles

The four ethical principles that are universal for healthcare are autonomy, justice, nonmaleficence and beneficence. ¹⁰ Sometimes, fidelity is added here. ¹⁰ These issues are constantly elaborated in ethical discussions to explore dilemmas and better understand conflicting issues. ¹⁰

A patient co-owned PHR means shared information and increased autonomy. The medical data in the PHR are based on both the medical history provided by the patient and on physical examinations and investigations. Both are patient-centric. Hence, it is a question of justice with patient access and co-ownership. Co-ownership could then lead to a revenue stream to the patient from anonymized research on PHR content. Healthcare providers informing the patient and being transparent in the PHR towards the patient demonstrate aspects of both beneficence and fidelity. With GPOC, healthcare should be more effective and not harmful, i.e., nonmaleficence. ^{4, 10}

A basic Kantian enlightenment concept is the categorical imperative—‘act so that your actions can be translated into universal law.’ ¹¹ Following this, then evidently patients should be informed about their health and co-own their PHRs. ⁴

However, in clinical care, not all information can be inserted into the PHR. For instance, if it causes risks to a third person. In studies of PHRs with patient access, this type of information may be kept in other parallel notes or verbally, which is not recommended. ¹² Moreover, a co-owned PHR may strengthen access rights. Hence, this may lead to more granular regulation. Currently, patients’ PHR access varies greatly geographically. ¹³ A global overview of the regulations is provided in Table 1.

#3: Co-Ownership Ethics

Co-ownership may encourage patients to actively contribute to the PHR. Some patients may have an interest in monitoring or ‘gatekeeping’ the access log of the PHR. Co-owning parties would be able to correct misunderstandings in medical history or faulty content. ⁴ Communication deficits are the most common cause of legal conflicts in healthcare. ¹⁴ Co-ownership would improve communication and overall connectivity. This may decrease mistakes due to inaccurate PHR information.

The patient’s freedom of expression in healthcare is essential. To date, the direct voice of the patient has been silent in the PHR. Co-ownership could emphasise the right to PHR contributions. Additionally, the rights to PHR migration and sharing with anyone deemed relevant. Hence, there are advantages in emergencies, travel and refugee situations. The GPOC concept embodies these as human rights principles. The ownership question is also highlighted with the outsourcing to cloud service providers and producers of PHR software; for an overview of the market, see Table 2.

Co-ownership may be a step in the evolution of medical ethics. There is an increase in the amount of information provided to patients about their health status. Until the 1950s, the Hippocratic concept of not informing was dominant. There has since been a global decrease in paternalism. ¹⁵ In the last thirty years of the information revolution, widespread smartphone use and patient PHR access have led to the democratisation of medicine. ¹⁶

There are concerns over data ownership for the cloud service providers and manufacturers of PHRs; see Table 2. Individuals and healthcare providers could lose control of highly sensitive data. ⁶ To address this issue, robust encryption protocols and secure data access mechanisms can be implemented. Additionally, strict regulatory frameworks and transparent data governance policies are essential for safeguarding patient privacy and data security. There are methods to achieve full decentralisation and link the specifications of open data platforms. These approaches enable patients to have genuine ownership of their data and provide them with fine-grained access control for sharing their personal health records (PHRs). ¹⁷ Here, it is crucial to not only consider but also actively address the potential risks posed by authoritarian regimes, which may seek to exploit personal health data for surveillance and control purposes.

#4: Privacy Aspects

The sources of big data, privacy concerns, trust issues in organisations and complex regulations may all hinder the progress of AI in healthcare. ³⁴ Cloud computing may have the strength of revolutionising healthcare, but progress has been slow. Strict regulations on patient information are hindrances. However, there are new cloud models with revised privacy issues generally associated with cloud service providers. These methods use fully homomorphic encryption (FHE), which enables computations of PHRs without seeing the underlying data. ¹⁸ Recently, a relevant European Commission call for cloud, data and artificial intelligence in the Digital Europe Programme (DIGITAL) was announced. ¹⁹

#5: Policy Guidelines

Timely international policy guidelines could facilitate the GPOC concept. These should cover end-user policies and regulations for identities and accesses. ^{1, 2, 4} However, network resilience, agreements, computational power, ‘big data’ mining capacities, privacy and security should also be considered. ³ There is such guidance for an ‘intelligent cloud-based electronic health record’ (ICEHR) in line with healthcare regulations. ^{1, 20} For an overview, see Table 2.

#6: Patient-Centricity

There are PHRs allowing patients to collect and share content securely in a cloud. These few platforms allow for doctoral referrals and also sharing with a medical research intent. ²¹ Though, patients’ information remains private. Such platforms facilitate sharing across borders. Notably, with different regulations in various countries. ²¹ For an overview, see Table 2. To our knowledge, none of the large systems mentioned in this table allow fully encrypted sharing with research intent.

Large amounts of data are generated by PHR clouds. However, the most common drawback of these techniques may be the combination of their patient-centric nature and the lack of sufficient security with fine-grained access control. This is crucial to comply with regulatory requirements. ²²

In the construction of PHR infrastructures, cloud-based ecosystems are ubiquitously used. A GPOC must have an impenetrably safe cloud using a distributed blockchain. Therefore, international engagement at various fora between regulators and stakeholders may provide insights into shaping the most applicable technologies. ^{1, 4, 22}

#7: New Technical Solutions and Ethics

Technical solutions exist to achieve the GPOC concept. For example, there is co-ownership issue with abundant medical images. To increase the degree of clinical practicality, single modality images can be fused to obtain clear multimodal images. The spread of these fused medical images raises new issues related to authentication and ownership. ²³

The privacy-preserving and secure service-oriented architecture (SOA) can integrate PHRs. Herein, patients could be “partly owners” and share or edit their PHRs. SOA enables full ownership of integrated PHRs. Owners may decide to share with healthcare providers or even insurance companies. ^{24, 25}

Co-owners of the PHR would be the patients, together with their managers, who are the doctors and nurses and their respective hospitals and clinics. These three owners are likely the only relevant ones. There are concerns that a broader division of the ownership of PHRs could potentially lead to sensitive data leaks if stored in a cloud environment. ²⁶

Currently, healthcare organisations are the sole PHR owners. Now, patients only have limited information about the content and only receive discharge summaries or specific report letters. This was an evident problem during the COVID-19 pandemic. The need for patient control became more accentuated. ²⁷

#8: Initiatives by Regulatory Bodies and Organisations

The 2021 Food & Drug Administration (FDA) industry guidance aims at accelerating medical product development and creating innovations more quickly so that patients can benefit earlier. It focuses on electronic PHRs for clinical trials that may impact regulatory decision making. ²⁸ A total of 78% of the series’ participants noted that in their state or organisations, there were ongoing or planned initiatives that strived to improve PHR integration. ⁴

However, not all PHRs are electronic yet. For example, in the UK, the Medicines and Healthcare Products Regulatory Agency (MHRA) leads a nationwide NHS initiative to replace all physical (paper) records with digital (electronic) PHRs. At the centre are ethical and practical considerations for research, clinical trials, and best clinical practice. MHRA, the Health Research Authority (HRA) and the Information Commissioner’s Office (ICO), have presented guidance for medical research processed on PHRs. It is recommended to be read alongside the Data Protection Impact Assessments (DPIAs). ²⁹

The World Health Organisation (WHO) carried out the Third Global Survey on eHealth in 2015 (GOE_Q144), which investigates PHRs globally. It collected data from 125 countries, with the then largest ever survey. ³⁰ The WHO has produced a manual for developing countries on the implementation of PHRs. Here, the requirements for the introduction, maintenance, content, staffing, ethics, and other regulatory considerations are presented, aiming at, e.g., staff of health ministries. ³¹ The WHO has no global PHR project under way, and GPOC entails a larger and wider concept. ^{1– 4}

In the USA, the Office of the National Coordinator for Health Information Technology (ONC) works under the authority of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Department of Health has established improvement programs for healthcare quality and safety, including health IT and PHRs. ³²

The Red Cross (ICRC) employs the Red Cross Health Information System (RCHIS) as the platform for emergency response, which is tailored for humanitarian situations. Here, medical personnel can manage patient information in the field. The ICRC has also developed several apps for first aid and emergencies, etc. Its main app RedSafe is a digital humanitarian platform that provides safe and secure services for people affected by conflict, migration and other crises. RedSafe also helps the ICRC reach out to more people, in compliance with their own ICRC data protection standards. ³³

The European Union (EU) published a synopsis of the members’ PHR laws and their compatibility with open internal border policies. ³⁴ Under EU Law ‘Article 14 of Directive 2011/24/EU on the application of patients’ rights in cross-border healthcare,’ the eHealth Network aims at facilitating interactivity between European PHRs. It aims to present pan-European guidelines for future cross-border transferability of PHRs. These need to conform with the existing EU data protection rules, including the General Data Protection Regulation (GDPR). A European Commission action plan aims to remove obstacles for integration and ‘a fully mature and interoperable eHealth system in Europe’. Although 24 of the 30 surveyed states were not equipped for the EU vision of continental PHR interaction. ^{1, 2, 4, 35} If realised, then a data substrate of such size may spark the development of AI integrated into PHRs. ^{1, 4} Natural language processing and decision support systems would be woven into the fabric of AI-integrated PHRs. ³⁶

#9: An Overview of Global Regulations

The legislative, clinical and practical ramifications of co-ownership between the three involved parties (patients, clinicians and clinics), include the resolution of some legal entanglements in the patient-doctor-clinic relationship across the world.

For an overview of the global latticework of regulations, see Table 1. The mentioned Global Data GDPR protects all 27 EU member states. Several other countries have been inspired. For instance, in Nigeria the Nigerian Data Protection Regulation (NDPR) narrowly mirrors the GDPR. Globally, 66% of the UN states had data protection and privacy laws in 2021. Another 10% were drafting new legislation, in 19% legislation was absent, and for 5% of countries, there was no information. ³⁷ Figure 1 shows the current global distribution of data protection laws as of August 2024.

#10: The Global PHR Market

It is somewhat less clear which companies dominate this market. Table 2 provides an overview of the largest global PHR producers. Note the pronounced US dominance. However, the regulation of PHRs almost always comes from the country of implementation. An exception is when the PHR is part of a foreign aid program. Thus, the donor nation may influence the regulation. This can lead to legal imbalance or further dependency. There are also open-source solutions such as openEHR and Fast Healthcare Interoperability Resources (FHIR), which provide open standard specifications in health informatics.

However, the producer overview is not complete. There are also initiatives for nationwide platforms. For example, with the NHS in the UK, in the Nordics and in technically progressive Asian states, e.g., Japan, Singapore, and South Korea. These studies have demonstrated how clouds can be used to serve nationwide databases of PHRs to support both medical research and telemedicine. There are several such national cloud solutions for public health innovations relevant to a GPOC. ⁴⁰ These existing national cloud-based solutions and databases might provide a feasible foundation for a GPOC. ⁴

According to the 2023 global Newswire report, estimates indicate that the total world PHR market will expand from the 2021 value of $32 billion to $34 billion in one year. The growth rate is then anticipated to be 8% per annum. Projected global market growth will reach $44 billion by 2026, with an average annual growth rate (AAGR) of 7%. ⁴¹ In contrast, a report by Grand View Research forecasts the total market volume at $27 billion in 2021, with a lower AAGR of 4% anticipated from 2022 to 2030. ⁴²

#11: Artificial Intelligence (AI) Integration

How AI can be optimally implemented into a GPOC is currently a key policy conundrum. One component of this is how AI can use data and interact with GPOC to generate results. Another is how GPOC and its anonymised PHR data become a substrate for global machine learning development. A third is under what conditions for data protection, platform security management and product development. This will most likely depend on the users’ sharing and permissions. ^{1, 2} Here, we are faced with a novel online amenity paradigm that allows users to share their own health data. ⁴³

Modern PHR software allows patients or clinics to share or transfer content. PHRs can now be fortified with AI to forecast patients’ critical development, enabling earlier therapeutic interventions. Moreover, electronic PHRs are starting to be designed so that they may interact with other healthcare platforms. However, currently, most of them do not ( Table 2). With older populations and increasing health budgets for the rest of the century, this is needed. A GPOC, i.e., an AI empowered cloud-based PHR designed to minimise medical mistakes, may decrease costs by making healthcare more streamlined and qualitative. ²⁰

Here, it is also relevant to define what is meant by AI integration in relation to PHRs. In accordance with the legal definition established in the recently enacted EU Regulation on artificial intelligence ( Artificial Intelligence Act), an ‘artificial intelligence system’ (AI system) denotes ‘ software that is developed with one or more of the techniques and approaches … and can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing the environments they interact with’. ⁴⁴

Some aspects of a GPOC already exist in rare disease or oncological management. The creation of new oncological therapies is a global enterprise. The integration of patient experiences in clinical decision and planning procedures is the focus of international regulatory and health policy communities. Symptoms of both diseases and therapies and effects on functioning and quality of life are essential. International regulatory scientists have identified topics that integrate patient-reported outcome (PRO) measures into regulatory and legislative processes. For instance, a GPOC would allow adverse effects to be reported on a global scale. ⁴⁵

The risks of cloud computing for PHRs may decrease if cloud providers comply with audits. Thus, regulation obedience for securing cloud data would lead to backups to protect against data loss. This is crucial as healthcare becomes dependent on AI-integrated PHRs. ⁴⁶

#12: Future Challenges

Challenging key factors affecting adaptation to cloud PHR technologies in a Technology-Organisation-Environment (TOE) are reliability, privacy, security, organisational support, hospital capacity, competitive situations, and the regulatory environment. ⁴⁷

GPOC may play a role in future global TOE. Challenges include effective global regulatory engagement and the development of policies relevant to a GPOC. Though, this may follow as a consequence of market evolution. This may be affected by a GPOC providing a large and anonymised source for global AI development. Hence, a GPOC could be self-sufficient and with co-owning patients receiving revenue streams. Possibly a new microeconomy could arise. This may ignite the evolution of AI algorithms and the global need for responsible AI health applications. ⁴⁸

A potential risk of adverse implementations might be insurance companies demanding access to personalised information. Authoritarian leadership making decisions based on individual data.

In theory, a future market for patient PHR revenue reimbursements could emerge in a microflow of passive income to the co-owners. ⁴⁹ One part could be reimbursed to the patient and the other corporate component of co-ownership revenue could divert back to the maintenance of GPOC. ⁵⁰

The study may seem to point in many directions. Therefore, let us summarise the contours of a possible ethics framework relevant for GPOC.

A useful ethical framework for GPOC seems to take its origins from UN-defined human rights and basic ethical principles for medicine, as described by Lehmann. ¹⁰

The ongoing process of AI regulation and legislative initiatives at the EU level was investigated thoroughly by Salvatore. ⁴⁴ Thus, the European GDPR propels a global process in which the global landscape of AI legislation matures and inspires several other new acts in this field.

It is also essential to highlight concepts such as “Ethics by Design”, with ethical considerations in the development and deployment of AI systems. ⁵² Ethical challenges of big data in health -balancing innovation with ethical governance. ⁵³ Principles of beneficence, non-maleficence, autonomy, and justice, as outlined by Beauchamp and Childress. ⁵⁴

In essence, who is deemed legally liable, and within which limitations, would require a new collection of guidelines. Thus, the challenges in a partly novel ethical landscape can be mitigated. ⁵⁵ Here, the GPOC concept can also be regarded in a broader setting of scientific intricasy. ⁵⁶ Since the conditions of physics now permit a technical reification of a GPOC a new field of ‘social physics’ becomes a reality. ⁵⁷

While this study touches on the global latticework of legislative and ethics issues, a more nuanced analysis of country-specific barriers to GPOC implementation has been dedicated to an econometric GPOC article. ⁵⁸ Here 24 parameters, including Gini-score, GNP and other economic, infrastructural, regulatory and geopolitical entities, have been analysed to form a GPOC-coefficient. We developed this to measure GPOC readiness on country level. The preprint of this article included the GPOC Sandbox, which was eventually published in a separate atrticle. ³ Hence, the forthcoming article will solely focus on the country-specific situations.

The ethical challenges around AI integration particularly include patient privacy and data security. Potential safeguards for ethical AI use within GPOC must be reinforced in parallel with medical quality, visibility, accessibility, and improved medical facilities. ⁵⁹ Here language services and privacy protection have been highlighted as prioritised improvements of international public hospitals. ⁵⁹ In a patient-centric approach, gender aspects must also be considered on several levels. ⁶⁰ At last, there is a need for a dedicated framework to integrate health equity and justice into the development of AI in medicine. ⁶¹

What ought also to be obvious is that this ethical landscape is profoundly affected by the latest techniques in the field of AI in medicine and personal health records. Techniques like federated learning allow for secure, decentralised data processing without compromising individual privacy, thereby aligning with ethical standards in sensitive healthcare contexts. This technique can also be used for energy load forecasting and decision making. ⁶² Additionally, dual watermarking and optimisation algorithms have emerged as powerful methods for enhancing security with robust transmisions of PHRs. ⁶³ During Covid-19 there was an increased urge for sharing PHRs over the open network and dual watermarking proved robust. ⁶⁴ Watermarking is also used on fused medical images to protect sensitive data against unauthorised access. ⁶⁵ Moreover, deep learning-based information hiding schemes continues to transform the analysis and security of PHRs, enabling predictive modelling and more accurate diagnostics within a secure framework, highly relevant to GPOC. ⁶⁶ Altogether, this showcases how novel technical solutions change the prerequisites in the ethical landscape of AI in medicine and thus for the optimal GPOC.

There is a wide range of technical, ethical, human rights, social, medical and scientific factors involved in finding the optimal balance for legislation within the one dozen fields of this systematic review. Here, a recent step towards international legislation in these widespread sectors of AI applications is the EU AI Act, which came into force on 1 ^st August 2024. ⁶⁷

For the future launch of the GPOC concept the patient-centric interoperable platform MediTrans is inspiring. ⁶⁸ It uses blockchain for secure access of cloud based PHRs and has shown promising performance. ⁶⁸ Also inspiring for GPOC’s global sharing concept is the blockchain-based PHR-integrated self-sovereign identity system, which was developed during the Covid-19 pandemic. ⁶⁹ The latter shows that when there is an immediate global need, the necessary means and capacities can be mustered to realise a global vision.

The emergence of synthetic data—AI-generated datasets that mimic real patient records—presents an alternative for privacy-preserving AI training. While synthetic data can mitigate privacy risks, it lacks the full complexity of real-world health patterns, which limits its applicability in precision medicine. However, a GPOC framework could provide a robust foundation for generating high-quality synthetic data, preserving privacy while ensuring AI training data remains clinically representative, bridging the gap between anonymisation and real-world usability.

The EU AI Act introduces critical distinctions between anonymised and pseudonymised health data, which directly impact AI-driven healthcare innovations. While anonymised data falls outside GDPR and is unrestricted, pseudonymised data remains subject to stringent regulatory oversight, limiting its cross-border usability. This divergence underscores the challenge for GPOC in navigating global regulatory frameworks while ensuring privacy-preserving, AI-driven medical advancements.

In response to ongoing discourse on the ethics and implementation of the GPOC, this section synthesises insights from the GPOC Series and addresses key perspectives on regulatory, geopolitical, and ethical dimensions. The classification of PHRs as a critical national asset ⁷⁰ has led to debates on sovereignty and security. While political inclination often favours domestic data storage, the largest global survey on the topic—covering 100% of UN member states and key international health organisations—revealed a strong consensus in favour of patient co-ownership ( 89%) and the right to move and share personal health records internationally ( 84%). ² The Crown Question (Q27) of the survey confirmed that 84% of respondents supported global movement of PHRs, with only 3% opposing, reinforcing the fundamental principle of patient data autonomy. The findings from the subsequent GPOC Summit reinforced this, demonstrating unanimous support for co-ownership and the benefits of cross-border data exchange for public health, precision medicine, and global AI-driven healthcare. ⁴

Moreover, recent analyses underscore that cross-border health data governance is already being actively explored by several nations, ⁷¹ demonstrating that such frameworks are not only feasible but increasingly necessary. The integration of regulatory sandboxes in key Asian economies further exemplifies how adaptable, regional approaches can facilitate global interoperability, reinforcing the urgency for a structured, decentralised GPOC model.

Some argue that geopolitical imbalances in AI innovation and digital health infrastructures create an uneven playing field, favouring developed nations. ⁷¹ However, our systematic review ¹ and summit findings ⁴ highlight that a decentralised, international governance model—rather than state-centric control—mitigates such concerns, ensuring that all stakeholders, including developing nations, benefit from ethical data sharing frameworks. The ethical challenge of consent in marginalised communities has also been raised. ^{72 , 73} While disparities in digital literacy exist, our research confirms that assuming an inherent lack of agency among patients is flawed. Surveys among grassroots health organisations affirm that GPOC would empower individuals, particularly women, by fostering greater awareness and autonomy in health data management. ^{2 , 4} Furthermore, global policymakers themselves recognise co-ownership as an emerging human rights principle, aligning with broader ethical frameworks such as Beauchamp and Childress’ principles of biomedical ethics and GDPR regulations. ^{2 , 4}

From a technical perspective, concerns regarding security and privacy risks in a globally integrated PHR system have been addressed through extensive research. The GPOC Systematic Review and Meta-Analysis ¹ synthesised findings from 16,000 articles, demonstrating the feasibility of advanced security architectures. The GPOC Sandbox ³ validated the implementation of homomorphic encryption, zero-knowledge proofs, and blockchain-based access control, ensuring privacy-preserving interoperability. These innovations provide a safeguard against unauthorised data exploitation, a key concern raised in public discussions. ⁷⁴ Furthermore, while some argue that hospitals and commercial entities have economic incentives to withhold data, ⁷¹ our survey and summit findings indicate that legislative trends favour patient-centric governance, prioritising healthcare accessibility over institutional self-interest. ^{2 , 4}

A significant debate surrounds the ethical implications of monetising health data. ⁷⁵ Some contend that financial incentives may distort ethical consent, particularly among economically disadvantaged populations. ⁷¹ However, our survey findings indicate that policymakers globally, including in low-income regions, overwhelmingly support models where patients receive compensation for data sharing. The survey revealed that 90% of respondents opposed companies profiting from their health data without compensation, and 44%–47% expressed support for financial incentives for data use in clinical, pharmaceutical, and public health research. ² Notably, political leaders themselves indicated a preference for compensation when sharing their PHRs, reinforcing the ethical foundation of patient agency. Moreover, the sandbox initiative ³ has demonstrated how cryptographic techniques such as fully homomorphic encryption and federated learning can ensure secure, anonymised data transactions, mitigating privacy risks while enabling participation in research.

Thus, the GPOC Series presents a comprehensive, multidisciplinary exploration of ethical, technical, and regulatory considerations surrounding patient co-owned health data. The convergence of empirical data from the survey, summit, systematic review, and sandbox confirms that a decentralised, patient-centric model aligns with contemporary ethical and legislative trends. By addressing security concerns through encryption technologies and reaffirming the ethical and legal imperatives of co-ownership, GPOC represents a scalable and inclusive solution for global health data governance. Moving forward, continued interdisciplinary collaboration is essential to refine the framework and further advance equitable, AI-powered healthcare solutions worldwide.

No ethical approval or consent is required.