Whitepaper | Data Governance & Analytics

Patient Data Consent Is Broken. AI Is About to Make It Worse

Data Governance Practice | 4 min read | 10 pages

Full report available: the complete 10-page version with full methodology, exhibits, and references.

The consent form a patient signs at admission was drafted for a different decade. It assumed that data would sit in clinical systems, that named clinicians would access it for treatment, and that secondary use would mean a study with an ethics committee, a sponsor, and a defined endpoint. AI training does not fit any of those assumptions cleanly. The training pipeline pulls from many sources, the model parameters carry the data forward in compressed form, and the deployment context can be anywhere the model is later sold or licensed. Most existing consent language does not name any of this.

In the UK, GDPR Article 9 treats health data as a special category, and Article 89 provides a research-purposes derogation that hospitals routinely lean on for secondary use [1]. The ICO's AI guidance, alongside the Data Protection Act 2018, then asks providers to identify a lawful basis, run a data protection impact assessment, and demonstrate fairness [2][3]. None of those instruments resolves the specific question of whether training a commercial foundation model counts as research, or whether a model trained at hospital A and deployed at hospital B implicates the consent of the patients whose data shaped its parameters. The 2017 Royal Free finding on the DeepMind Streams transfer of 1.6 million patient records remains the cleanest worked example of how easily this can go wrong [6].

In Nigeria, the 2023 Data Protection Act and the older NDPR set a higher bar than was widely assumed when both came into force, and the NITDA AI strategy adds direction without statutory weight [7][8][9]. South Africa's POPIA names health information as special category data with a tighter consent regime [10]. In the US, HIPAA still does most of the work, but the Washington My Health My Data Act and California's CCPA / CPRA have begun to capture health data outside HIPAA's scope, and they take a noticeably stricter line on consent [11][12][13]. The pattern across all of these regimes is that the model side has been the focus, and the consent side has been left for later.

The consent paperwork, in our reading of these statutes, is doing something it was not designed to do. A typical hospital admission form will say data may be used for "treatment, audit, and research consistent with applicable law." That language was workable when research meant a discrete study. It is not workable when research includes training a model that may be sold, fine-tuned in another jurisdiction, deployed in workflows the patient never consented to, and updated continuously after deployment. The FDA's 2024 final guidance on Predetermined Change Control Plans and the MHRA's Software and AI as a Medical Device roadmap acknowledge that AI systems change after release [14][15]. The consent infrastructure that fed those models has not caught up.

What we propose, as a recommendation rather than a deployed system, is a layered consent model. Layer one is treatment consent, unchanged. Layer two is audit and quality improvement consent, also largely unchanged. Layer three is a specific AI-related consent that distinguishes between in-institution model improvement, cross-institutional model training, and commercial AI products. Each layer can be opted out of independently. Patients receive an annual summary of what their data has been used for, by category. The shape of this proposal draws on the dynamic consent literature led by Effy Vayena and others, on Wellcome's Understanding Patient Data work on commercial access, and on the Ada Lovelace Institute's algorithmic impact assessment case study with the NHS [18][20][21]. The NHS national data opt-out [5] is in some sense an early version of layer three, applied at national rather than institutional scale.
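To make the layered model concrete as an enforcement mechanism rather than a paragraph on a form, the following is an added example written for this page; it is not code from the whitepaper or from Coderex, and the class names (`Purpose`, `ConsentRecord`, `ConsentLedger`), the `consumer` field, and the patient identifiers and dates are all assumptions constructed for illustration. It gates every secondary use on a per-purpose consent check, fails closed when no record exists, applies withdrawal forward in time, produces the annual per-category summary the proposal describes, and, for the withdrawal gap raised later in the article, at least enumerates which training runs already took the data.

```python
"""Layered consent enforcement (added illustration, not the whitepaper's own code)."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Purpose(str, Enum):
    # Layer one and layer two of the proposal, unchanged from today's forms.
    TREATMENT = "treatment"
    AUDIT_QI = "audit_quality_improvement"
    # Layer three: the three AI uses the proposal asks the form to distinguish.
    AI_IN_INSTITUTION = "ai_in_institution_improvement"
    AI_CROSS_INSTITUTION = "ai_cross_institution_training"
    AI_COMMERCIAL = "ai_commercial_product"


class ConsentDenied(Exception):
    """Raised when a use is attempted without a valid consent for that purpose."""


@dataclass
class ConsentRecord:
    """One patient's consent state; each purpose can be withdrawn independently."""
    patient_id: str
    # purpose -> date the patient withdrew consent for it (absent = never withdrawn)
    withdrawn_on: dict = field(default_factory=dict)

    def withdraw(self, purpose: Purpose, on: date) -> None:
        self.withdrawn_on[purpose] = on

    def permits(self, purpose: Purpose, on: date) -> bool:
        # Withdrawal is forward-looking: uses dated before it stay lawful,
        # uses on or after it are refused.
        withdrawn = self.withdrawn_on.get(purpose)
        return withdrawn is None or on < withdrawn


@dataclass
class UseEvent:
    patient_id: str
    purpose: Purpose
    on: date
    consumer: str      # assumed field: the system or training run that took the data
    permitted: bool


class ConsentLedger:
    """Gates every secondary use through the consent record and keeps an audit log."""

    def __init__(self) -> None:
        self.consents: dict = {}
        self.log: list = []

    def register(self, record: ConsentRecord) -> None:
        self.consents[record.patient_id] = record

    def use(self, patient_id: str, purpose: Purpose, on: date, consumer: str) -> None:
        record = self.consents.get(patient_id)
        # Fail closed: no record means no consent. Refusals are logged too.
        ok = record is not None and record.permits(purpose, on)
        self.log.append(UseEvent(patient_id, purpose, on, consumer, ok))
        if not ok:
            raise ConsentDenied(f"{patient_id}: {purpose.value} not permitted on {on}")

    def annual_summary(self, patient_id: str, year: int) -> dict:
        """Permitted uses per category in the year: the summary the proposal sends."""
        return dict(Counter(e.purpose.value for e in self.log
                            if e.patient_id == patient_id and e.on.year == year
                            and e.permitted))

    def affected_consumers(self, patient_id: str, purpose: Purpose) -> list:
        """Consumers that lawfully took the data under this purpose. A withdrawal
        cannot un-train them, but the ledger can at least name them."""
        return sorted({e.consumer for e in self.log
                       if e.patient_id == patient_id and e.purpose == purpose
                       and e.permitted})


def demo() -> dict:
    """Constructed scenario: one patient withdraws layer-three consent mid-year."""
    ledger = ConsentLedger()
    ledger.register(ConsentRecord("patient-0001"))  # constructed identifier
    ledger.use("patient-0001", Purpose.TREATMENT, date(2024, 2, 10), "ward-ehr")
    ledger.use("patient-0001", Purpose.AI_CROSS_INSTITUTION, date(2024, 3, 1), "training-run-A")
    ledger.consents["patient-0001"].withdraw(Purpose.AI_CROSS_INSTITUTION, date(2024, 6, 1))
    try:
        ledger.use("patient-0001", Purpose.AI_CROSS_INSTITUTION, date(2024, 7, 1), "training-run-B")
        refused = False
    except ConsentDenied:
        refused = True
    # Treatment consent (layer one) is untouched by the layer-three withdrawal.
    ledger.use("patient-0001", Purpose.TREATMENT, date(2024, 8, 1), "ward-ehr")
    try:
        ledger.use("patient-9999", Purpose.AUDIT_QI, date(2024, 1, 1), "audit-job")
        unknown_refused = False
    except ConsentDenied:
        unknown_refused = True
    return {
        "refused_after_withdrawal": refused,
        "unknown_patient_refused": unknown_refused,
        "summary_2024": ledger.annual_summary("patient-0001", 2024),
        "affected": ledger.affected_consumers("patient-0001", Purpose.AI_CROSS_INSTITUTION),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that refusals are written to the same log as permitted uses, so the annual summary and any regulator review can show both what was used and what was blocked, and that a withdrawal is dated rather than retroactive, which is exactly the boundary where the page's third gap (parameters that already reflect the data) begins.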

Three regulatory gaps are doing the most damage. Provenance disclosure: patients should be able to know what categories of data their care provider has used to train models that affect their care. Cross-institutional flow: there is no clear regime for what happens when a model trained at institution A is deployed at institution B. Withdrawal of consent: if a patient withdraws AI-training consent today, what happens to model parameters that already reflect their historical data? The WHO's 2021 ethics guidance and its 2024 large multi-modal models update both name these gaps without resolving them [16][17].

We are not arguing that AI in healthcare should slow down to wait for perfect frameworks. Where the clinical benefit is real, it is too important. We are arguing that the consent infrastructure is the weakest link in most healthcare AI programmes, and that quietly leaving it where it is invites either a regulator action or a public backlash that will be harder to repair from a defensive posture than to fix now from a credible one.

Coderex advises hospital systems, ministries of health, and AI developers on how to redesign clinical consent for the AI era, including the layered model proposed here, and on how to operationalise it without disrupting front-line clinical workflow.

Expect the first major regulator finding on consent for AI training to land in the UK or US within the next 18 months, before any of the African regimes have had a chance to litigate the question through their less-developed enforcement infrastructure. Expect the academic dynamic-consent literature to be picked up by at least one national health service in a published policy by 2028. Expect the gap between FDA-style lifecycle regulation (PCCP, post-market surveillance) and the consent paperwork patients actually sign to become the dominant policy story in healthcare AI through 2027.


Methodology note: This article reviews public regulatory texts, regulator guidance, peer-reviewed work, and published civil-society research. It does not describe any specific Coderex client deployment. The layered consent model is presented as a published recommendation, not as an operational system. Where claims rest on a specific source, that source is cited inline against the bibliography in sources.json.

References

22 sources, all verified at the time of writing

[1] European Parliament and Council of the European Union, 2016. Regulation (EU) 2016/679 (General Data Protection Regulation), with particular reference to Article 9 (special categories of data) and Article 89 (safeguards for processing for archiving, scientific or historical research and statistical purposes). Official Journal of the European Union. https://eur-lex.europa.eu/eli/reg/2016/679/oj.
[2] Information Commissioner's Office (UK), 2023. Guidance on AI and data protection. ICO. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/.
[3] United Kingdom Parliament, 2018. Data Protection Act 2018. UK Government. https://www.legislation.gov.uk/ukpga/2018/12/contents.
[4] NHS England, 2024. Data Security and Protection Toolkit. NHS England. https://www.dsptoolkit.nhs.uk/.
[5] NHS England, 2024. National data opt-out. NHS England. https://digital.nhs.uk/services/national-data-opt-out.
[6] Information Commissioner's Office (UK) and Royal Free London NHS Foundation Trust, 2017. Royal Free - Google DeepMind trial failed to comply with data protection law. ICO. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2017/07/royal-free-google-deepmind-trial-failed-to-comply-with-data-protection-law/.
[7] Federal Republic of Nigeria, 2023. Nigeria Data Protection Act 2023. Federal Government of Nigeria. https://ndpc.gov.ng/Files/Nigeria_Data_Protection_Act_2023.pdf.
[8] National Information Technology Development Agency (NITDA), 2019. Nigeria Data Protection Regulation (NDPR) 2019. NITDA, Federal Republic of Nigeria. https://nitda.gov.ng/wp-content/uploads/2020/01/NDPR-Implementation-Framework.pdf.
[9] National Information Technology Development Agency (NITDA), 2024. Nigeria National Artificial Intelligence Strategy. NITDA, Federal Republic of Nigeria. https://nitda.gov.ng/wp-content/uploads/2024/08/National-AI-Strategy_01082024-copy.pdf.
[10] Republic of South Africa, 2013. Protection of Personal Information Act, No. 4 of 2013 (POPIA). Government of South Africa. https://www.gov.za/sites/default/files/gcis_document/201409/3706726-11act4of2013protectionofpersonalinforcorrect.pdf.
[11] U.S. Department of Health and Human Services, Office for Civil Rights, 2024. HIPAA Privacy Rule and the use and disclosure of protected health information. HHS. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.
[12] Washington State Legislature, 2023. My Health My Data Act (RCW 19.373). Washington State. https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.
[13] California Privacy Protection Agency, 2023. California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA). California Office of the Attorney General. https://oag.ca.gov/privacy/ccpa.
[14] U.S. Food and Drug Administration, 2024. Marketing Submission Recommendations for a Predetermined Change Control Plan for AI-Enabled Device Software Functions. FDA. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/marketing-submission-recommendations-predetermined-change-control-plan-artificial-intelligence.
[15] Medicines and Healthcare products Regulatory Agency (UK), 2024. Software and AI as a Medical Device Change Programme - roadmap. MHRA. https://www.gov.uk/government/publications/software-and-ai-as-a-medical-device-change-programme/software-and-ai-as-a-medical-device-change-programme-roadmap.
[16] World Health Organization, 2021. Ethics and governance of artificial intelligence for health: WHO guidance. WHO. https://www.who.int/publications/i/item/9789240029200.
[17] World Health Organization, 2024. Ethics and governance of artificial intelligence for health: Guidance on large multi-modal models. WHO. https://www.who.int/publications/i/item/9789240084759.
[18] Vayena, E. et al., 2018. Machine learning in medicine: Addressing ethical challenges. PLOS Medicine. https://journals.plos.org/plosmedicine/article?id=10.1371/journal.pmed.1002689.
[19] Topol, E., 2019. The Topol Review: Preparing the healthcare workforce to deliver the digital future. NHS Health Education England. https://topol.hee.nhs.uk/the-topol-review/.
[20] Wellcome Trust and Ipsos MORI, 2020. Understanding Patient Data: The one-way mirror - public attitudes to commercial access to health data. Wellcome / Understanding Patient Data. https://understandingpatientdata.org.uk/news/one-way-mirror-public-attitudes-commercial-access-health-data.
[21] Ada Lovelace Institute, 2022. Algorithmic impact assessment: A case study in healthcare. Ada Lovelace Institute. https://www.adalovelaceinstitute.org/report/algorithmic-impact-assessment-case-study-healthcare/.
[22] Future of Privacy Forum, 2024. Best Practices for AI and Workforce Health and Wellness Technologies. Future of Privacy Forum. https://fpf.org/blog/fpf-publishes-best-practices-for-ai-and-workforce-health-and-wellness-technologies/.