
February 18, 2026


Patient Data Is an Asset and a Liability—Here’s How to Avoid Costly Missteps

Cure, Google Gemini

Overview

For biotech startups, patient data is both a competitive edge and a legal risk. Experts explain how to collect, store, and use it responsibly without slowing growth.

When you’re forming a new biotech or life sciences company, the patient data you gather is one of your company’s greatest assets. When collected thoughtfully, it can shape the direction of your company. But gathering patient data also comes with immense responsibility. If your company mishandles the data you collect, it not only creates distrust among the very people you want to help, it can also create regulatory risk later. For this reason, your goal from the beginning should be to become good stewards of the patient data you collect.

That means not allowing limited resources, the goal of progress, or the pressure to operate at a quick pace to affect the care and concern needed for protecting and honoring patient data. Shortcuts or sloppy safeguards can set your company up for challenges down the road and ultimately impact your organization’s success. Instead, prioritize ethical data collection and use at the start by designing well-thought-out ways to collect, store, and share data.

As you begin, make the focus your patient, not the dataset. Be transparent and explain how the data will be used and why you’re collecting it, said Eileen Anderson, PhD, director of the Inamori International Center for Ethics and Excellence and the Inamori Professor in Ethics at Case Western Reserve University. Also think through how the data will be accessed, who can view it, how it will be anonymized, and what is needed to safeguard against re-identification, and establish clearly defined rules about data sharing and ownership from the start, she said.

When patient data is handled well, it can become a competitive advantage down the road. Not only are you building trust with patients, clinicians, and investors, you’re also minimizing risk as your company scales. Here, patient data experts like Anderson delve into the ethical use and collection of sensitive patient data and share their insights so that you can learn how to handle patient data responsibly while still being innovative and building a product that can benefit others.

What Counts as Patient Data, and Why Early Teams Often Underestimate Its Sensitivity

In the beginning, it’s easy to underestimate how easily different types of data can be traced back to individuals. That’s why it’s important to understand what truly qualifies as patient data and build your plan from there. Recognizing early everything that could possibly be considered patient data is your first step in being responsible with the patient data you have access to, said Anderson.

“Oftentimes people think patient data is only the most obvious things like electronic health records or direct identifiers like name, email, phone address, date of birth, and medical record number,” said Anderson. “But it includes other kinds of direct and indirect indicators of health and care [such as] data around diagnoses, meds, labs, symptoms, diagnostic images, medical notes, device readings, claims, and things of that nature.”

Patient data can also include digital traces that say something about a patient’s behavior, she said. “So that could be something like location data that an app tracks, search data, search history, and survey answers. This data is much more indirect, but it’s still patient data. And then there’s also different kinds of outputs like a risk score that was assigned to someone or different features of a patient model that also have to be considered.”

Anything that is derived from an individual patient should be considered sensitive patient data and handled accordingly, said Anderson. Not doing so could create issues for your biotech or life sciences company down the road, such as eroding patient trust or prompting regulators or investors to question your practices.

Benefits of Strong, Ethical Data Handling

When you treat patient data with care and respect from the start, it not only builds trust with your patients, clinicians, and research partners, it can also improve data quality, strengthen long-term collaborations, and lay the groundwork for sustainable growth. Keep in mind that meaningful clinical innovation doesn’t exist without your patients, and it doesn’t move forward without trust, said Irina Babina, PhD, CEO of the predictive oncology platform Concr, a techbio company that uses astrophysics-derived algorithms to tailor cancer treatments.

“Even if ethics alone weren’t reason enough, [appropriate data handling] is often the make-or-break factor for adoption, traction, and scale, as decision-makers need confidence that innovation is responsible and can realistically integrate into existing workflows,” said Babina.

A clean and traceable “chain of data custody” also makes the regulatory process smoother, she added. “By integrating…ethics standards into [your] architecture early, [you] not only build trust and boost recruitment, but also avoid the massive costs of re-engineering [your] systems if a new legislation were passed.”

If you have collected, stored, and used patient data responsibly from the beginning, Anderson said, this also gives your biotech a competitive edge. “Partner companies and investors know they can rest assured that there’s not going to be an ethical breach that leads to some kind of liability or explosion. [Plus,] patients are also going to continue to interact with you . . . Most people are hungry for reliable innovation in the health space. So if there is a trustworthiness that’s never questioned from the inception, that’s a huge differential down the road.”

How to Explain Data Collection to Patients Clearly and Directly

If you want to earn and maintain patient trust from the start, you need to be clear about your data collection process. Patients will be more willing to share information when they understand what is being collected, why it matters, and how it will be used.

The key is using plain language and explaining your data practices in a straightforward way that helps patients make informed decisions, rather than simply signing consent forms, said Stephanie Devaney, PhD, Chief Operating Officer, All of Us Research Program at the National Institutes of Health. Thoughtful explanations can reduce misunderstandings and set the tone for the patient-biotech relationship from the very beginning.

“Clearly explain, in plain language, what data is being collected and how it will be used,” Devaney said. This includes being specific about what data is collected (e.g., blood samples, survey responses, genetic data, electronic health records), why the data is needed, and how the data will support the biotech’s goals, she said.

Devaney also suggested spelling out:

  • How privacy is protected. Describe privacy and security safeguards, such as deidentification, limits on downloading data, and secure systems.

  • Who can access the data. Identify who will have access, for what purposes, and under what rules or conditions.

  • Whether data is shared. Clearly state whether data will be sold, shared commercially, or shared with international organizations or researchers.

  • What patients or participants receive in return. Explain any return of value, such as individual results, aggregate findings, or other benefits over the life of the study.

  • How information is communicated. Use short sentences, clear headings, and plain language at approximately a seventh-grade reading level.

  • What is not yet known. Be transparent about uncertainties, how studies or operations may evolve, and how patients will be contacted about future opportunities or changes.

The best consent practices balance ethical considerations with operational realities. Heavy, overly complex consent processes can overwhelm patients and slow progress, while minimal approaches can undermine trust and leave your company exposed.

A lightweight consent practice prioritizes clarity and relevance while respecting patient autonomy, said Anderson. The goal is to make it easier for patients to understand their choices and feel confident in their participation. Patients also need to know how they can withdraw if they choose to, she said.

“It can also be helpful to have a human being doing a verbal consent alongside a piece of paper that somebody’s going to sign or click on if it’s electronic,” said Anderson. “They are there to answer questions or to explain things. This also might be a time to bring in a consultant, so that your hands are clean and people don’t feel coerced, which would be a horrible ethical breach. Hiring an external consultant just to do the consent process can be a low-cost, high-yield way to get it done.”

Consent processes should also prioritize understanding, accessibility, and usability, not just formal signatures, said Devaney. Here are some key practices she suggested:

  • Making consent materials readable, mobile-friendly, and easy to navigate

  • Using embedded comprehension checks or short quizzes to confirm understanding

  • Focusing on genuine participant comprehension rather than form completion

  • Testing consent language and format with prospective participants before finalizing

  • Using plain language and avoiding long, legalistic, multi-page PDFs

  • Documenting consent in formats participants can easily access and reference later

Best Practices for Storing, Sharing, and Securing Patient Data, Even With Limited Resources

Storing, sharing, and securing patient data can feel especially daunting for early biotech teams with limited budgets and lean infrastructure, said Anderson. But these challenges don’t eliminate the ethical and legal responsibility to protect sensitive information.

One way early teams put themselves at risk is by unknowingly adopting informal sharing habits, said Anderson. Instead, establish clear guidelines early and conduct internal audits. This helps prevent costly mistakes and strengthens overall data integrity.

“Sometimes just having another set of eyes on it also will help you identify something is amiss,” she said. “You can omit somebody’s demographic details, but describe a patient case, and it’s easily discoverable. The way we correct for this occurs in aggregate de-identified data.”

To avoid that, establish clear, documented rules that apply to both internal and external data use, added Devaney. Best practices can include:

  • Establishing guiding principles for why and how data may be accessed and used

  • Implementing role-based access controls from the start

  • Documenting who has access to which data and the justification for that access

  • Reviewing and verifying access permissions on a regular basis (e.g., quarterly)

  • Requiring formal approval and documentation for new access requests

  • Revoking access immediately when team members leave or change roles

  • Appointing a data steward, and a backup, to manage access decisions

  • Training all team members on why data protection matters

  • Developing clear data use rules, explaining their purpose, consequences for misuse, and requiring all users to formally agree to them
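
The access practices above can be checked mechanically once grants are recorded in one place. The following is an added example, not part of the original article: a small audit that flags grants belonging to departed staff or falling outside a user's current role, grants with no documented justification or approval, and grants not reviewed within the quarter. The record layout, user names, roles, dataset names, and the 92-day review window are all assumptions made for illustration.

```python
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=92)  # assumed reading of "quarterly"

# Constructed sample records; every name, role and dataset is hypothetical.
ACTIVE_STAFF = {"avery": "clinical_ops", "blake": "data_science"}
ROLE_DATASETS = {
    "clinical_ops": {"consent_forms", "ehr_extract"},
    "data_science": {"deidentified_labs"},
}
GRANTS = [
    {"user": "avery", "dataset": "ehr_extract", "justification": "site monitoring",
     "approved_by": "steward", "last_reviewed": date(2026, 1, 10)},
    {"user": "blake", "dataset": "ehr_extract", "justification": "",
     "approved_by": None, "last_reviewed": date(2026, 1, 10)},
    {"user": "casey", "dataset": "deidentified_labs", "justification": "model QA",
     "approved_by": "steward", "last_reviewed": date(2025, 9, 1)},
]


def audit_grants(grants, staff, role_datasets, today):
    """Return {(user, dataset): [findings]} for every grant that breaks a rule."""
    report = {}
    for g in grants:
        findings = []
        role = staff.get(g["user"])
        if role is None:
            # Access must be revoked when a team member leaves.
            findings.append("revoke: user no longer on staff")
        elif g["dataset"] not in role_datasets.get(role, set()):
            # Role change: the grant no longer matches the role-based policy.
            findings.append("revoke: dataset outside current role")
        if not (g["justification"] or "").strip():
            findings.append("missing justification")
        if not g["approved_by"]:
            findings.append("missing approval")
        if today - g["last_reviewed"] > REVIEW_INTERVAL:
            findings.append("review overdue")
        if findings:
            report[(g["user"], g["dataset"])] = findings
    return report


if __name__ == "__main__":
    result = audit_grants(GRANTS, ACTIVE_STAFF, ROLE_DATASETS, date(2026, 2, 18))
    for grant, findings in result.items():
        print(grant, findings)
```

A data steward can run a check like this on a schedule and treat any non-empty report as an open item for the next access review.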

Why You Should Incorporate Patient Feedback Into Data Practices

Incorporating patient feedback into your data practices helps ensure you’re making the most of your relationship with patients. They often have perspectives that can reveal gaps you may not have considered. Look for ways to involve them, such as focus groups and patient advisory boards, so that they become more than data sources.

“The earlier people integrate patient feedback, the stronger their infrastructure is going to be going forward,” said Anderson. “[Also] be really vigilant at the early stages to stay in contact with patients and collect their feedback. There are a number of effective ways to do that but frankly, the best practice is almost always multimodal. Give patients lots of different ways to provide feedback, from very hands off to communicating with an actual human being.”

Biotech teams often have good intentions and can think they’ve captured patient input, then interpret it in a way that’s different from what patients meant, she said. “It helps to use key informants, where you make sure that your interpretation of your patient feedback is actually what they meant, and that’s exactly where a patient advisory board would be invaluable.”

How to Avoid Common Ethical Missteps Startups May Face

Many pitfalls in startups trace back to the same underlying constraints, time and capital, which often translate into limited attention because teams are pulled in many directions at once, said Babina. “The risk emerges when it spills into regulated activities, whether involving public or private data, where legal and contractual obligations mean serious failures can threaten the survival of companies of any size.”

Even with good intentions and thoughtful planning, companies can still run into ethical challenges, said Anderson. Most often, that happens because of insufficient consent, unclear data use policies, and inadequate protection against re-identification.

Founders also need to be mindful of secondary use. That can include over-sharing with partners, including data in pitch decks, and unclear retention policies. Teams should return to the underlying spirit of why these protections exist and keep that goal front of mind as they collect, store, and use data, she said.

Ethical data collection is also a low-cost, high-impact opportunity. It doesn’t take much investment to do it well from the beginning, Anderson said, and it shouldn’t become an afterthought. “There are so many examples where one thing that wasn’t even intentional accumulates momentum and negatively affects a company.”

It’s not worth taking those risks or being haphazard with patient data, she said. When patient data is handled well, everyone wins. Patient privacy is protected, and companies can still learn from meaningful information that may help change outcomes over time.
