[License-review] 2nd resubmission of the new MGB 1.0 license

Barksdale, Marvin mbarksdale at mgb.org
Wed Mar 12 04:44:53 UTC 2025


> I don't understand the value of saying any of this:
>
> Licensor does not have any obligation under this License to provide
> any protected health information (hereinafter referred to as *"PHI"*),
> as defined in accordance with 45 CFR §160.103 of the Health Insurance
> Portability and Accountability Act (HIPAA), or other personal
> information, or to validate any data generated by the use of the Work.
> ... Licensor has attempted to delete all copies of such personal
> information in the data, and will undertake to ensure that the Work
> does not contain any data with personal information.

The Health Insurance Portability and Accountability Act (HIPAA) has been the cornerstone in safeguarding patient information at AMCs for three decades, costing AMCs an average of 10 million dollars in liability per breach leading to the unintended release of data. Many of these unfortunate incidents have proved that non-compliance with HIPAA can obliterate a healthcare business not only due to hefty fines but through damaged reputation. So, when we generally talk about the value of transparency regarding an AMC's stewardship obligations surrounding patient data, we think not only about the severe federal penalties, but about the AMC's licensor's reputation as an open source software distributor. As a member of one of the leading AMC tech transfer offices in the country, I can attest to the fact that this anti obligation / validation language is boilerplate across the entirety of our out-license portfolio. We care about the transparent exercise of our patent data stewardship that much.


We want readers, even non-legal readers, to not only understand, but to not misunderstand our patient data obligations, especially as it pertains to open source AI. As the Open Source AI Definition requires "sufficiently detailed information about the data used to train the system so that a skilled person can build a substantially equivalent system [which] in particular [must] include the complete description of all data used for training, including unshareable data", I believe it is reasonable for MGB to define what unsharable data is and the scope of their obligations to share said data. An organization's obligations for sharing w/in the Open Source AI Definition is one of the most controversial areas of debate, and this language is critical for managing the expectations of some in the industry that may expect to be provided the data exactly as it trained the model. The Open Source AI Definition manages the same expectation by mentioning unsharable data, similarly with language that "may be true, whether the OSI says it or not".



Also, industry practice for data that has been involved in double-blind clinical trials at MGB implies that data will be validated.



Ultimately, to utilize a license with the MGB acronym means that Licensors are taking a heightened responsibility to protect PI, as that's what we've seen the public expects from us and from similarly situated hospitals.  For us that is the value in this language and it is mission critical.



__________________
Marvin Barksdale, JD
Associate Director, Business Development and Digital Health, Innovation

Mass General Brigham
399 Revolution Drive, Suite 955, Somerville, MA 02145
Cell  347.217.8247
Innovation.partners.org