Improving Genomic Data Privacy

Commission Recommends Steps to Earn Patients' Trust

Declining prices for human genome sequencing are likely going to make such testing more common for medical research and clinical care. But first, privacy issues need to be adequately addressed, says Lisa M. Lee, who heads the Presidential Commission for the Study of Bioethical Issues.


The commission recently issued a report outlining recommendations for policies to better protect the privacy of genomic sequencing data.

The commission's research didn't turn up any serious breaches involving genomic data, Lee says in an interview with HealthcareInfoSecurity's Marianne Kolbasuk McGee (transcript below). However, she stresses that the fear of such breaches could stunt genetic-based research that could eventually lead to personalized medicine, which pinpoints treatment based on an individual's genetic makeup.

"Trust is key to amassing these huge numbers of genomic data sets needed in order to make these powerful and life-saving discoveries," Lee says. "So without the appropriate privacy protections, progress will be slowed."

In its report, the commission highlights the need to resolve discrepancies between privacy regulations that protect genomic data used in clinical settings and regulations governing research. It also highlights discrepancies in state laws. For example, only about half of the states have laws preventing surreptitious commercial genomic testing, she says.

"Given the patchwork of federal and state governance and protections, one of the most important recommendations of the commission was to urge federal and state governments to develop a process to ensure there's a consistent floor of protection covering whole genome sequencing data regardless of how they were obtained," she says.

In the interview, Lee discusses some of the commission's other key recommendations for protecting patient privacy, including those related to:

  • Guidelines for patient informed consent related to genomic sequencing;
  • Creating "a safe space" for people to access and share genomic data;
  • Integrating genomic data in electronic health records.

Before joining the commission, Lee had been with the Centers for Disease Control and Prevention, most recently serving as chief science officer in the office of surveillance, epidemiology, and laboratory sciences. She has a Ph.D. from Johns Hopkins and an M.S. in bioethics from Alden March Bioethics Institute at Albany Medical College.

Genomic Privacy

MARIANNE KOLBASUK MCGEE: Tell us briefly what your role is at the commission.

LISA M. LEE: I'm the executive director here and, in consultation with the chair of the commission, Dr. Amy Gutmann, I help to identify the bioethical issues as well as the conceptual and analytical approaches that we use to assess issues that warrant the attention of the commission. I also help identify, plan and prioritize our staff's activities in order to facilitate the work of the commission and sub-committees and other ad-hoc working groups.

MCGEE: Why did the commission decide to study the issue of privacy and genomic data?

LEE: The role of the commission really is to advise the president and the administration on the best way to ensure the country makes use of science and technology in an ethical way. This project is a forward-looking analysis of the anticipated privacy concerns that could impede progress toward the enormous public benefit of whole genomic sequencing. Soon, the cost of whole genomic sequencing will reach nearly a thousand dollars, well within the reach of other clinical tests currently, and its use in both research and the clinical setting is likely to increase. ... But individuals have to be willing to share their very personal genomic data. And ... they have to trust that the data will remain secure. The privacy is critical in order for us to make progress with the science and technology.

Public Policy Discrepancies

MCGEE: The report says that there are discrepancies in public policy regarding the privacy of genomic data. What are the biggest discrepancies?

LEE: Here's an example of failing to protect individuals fully. Let's say that your genomic sequence is at your doctor's office and ... these would be the same data that you would have as your genome sequence during research. However, the sequenced information collected in your doctor's office currently is protected by HIPAA, the Health Insurance Portability and Accountability Act. The sequence information collected during research is protected by what's known as the Common Rule, or IRB [Institutional Review Board] protections. Moreover, in many states in the U.S., someone could legally pick up your discarded coffee cup and send a sample of your saliva out and get it sequenced and could see if you have any predisposition to certain kinds of diseases. ...

The ... data, whether they're collected at your clinician's office, by a researcher or by someone you didn't even know, arguably are your most personal data. They're treated differently depending upon who took your sample and who sequenced your data.

These are just a few of the discrepancies and the kinds of policies that can create confusion and uncertainty when it comes to understanding how to protect some of our most personal data. This confusion and this uncertainty is a risk for trust, and we need trust in order for people to submit their data.

We looked at the current governance and oversight of genetic and genomic data across states and it varied dramatically. Protection from intrusion on these data varies from state to state, and some of the risks associated with sharing whole genome-sequence data concern people. Only about half of the states currently have protections against surreptitious commercial testing - that's testing without a person's informed consent.

Privacy Recommendations

MCGEE: What are the commission's key recommendations for how privacy of patients' data can be better protected?

LEE: Given the information that we discovered, the analysis and our look at the data that's there now, the commission crafted 12 recommendations that called for five areas. One is strong base-line protections for privacy while at the same time promoting data access and sharing. We need to have a safe space for people to share these data. We need a lot of data for these kinds of studies and for progress, and we have to ensure that in order for people to participate in these studies, they can be assured that their data are safe. So there are the strong base-line protections while promoting access in sharing.

Secondly is improving data security and access to databases, ensuring that when people have access, that access is secured and there aren't holes in the security of the data. A fully informed consent process is critical so that people who participate and have their whole genome sequence actually know what it is they're doing and are aware of what whole genome sequencing is and isn't, are aware of what might be discovered and what that might or might not mean.

Another is to facilitate progress in whole genome sequencing through the support of integrating whole genome sequence data into health records. That means really allowing safe sharing between clinical information and research information. ...

Finally, an important piece is the justice piece which is ensuring that all citizens benefit from the medical advances that result from this technology and ensuring that people have an opportunity to participate in this kind of research so they can benefit equitably from the research.

MCGEE: What are the biggest hurdles in getting some of these recommendations enacted?

LEE: The commission is an advisory committee, as I stated earlier, and it doesn't have the authority to actually pass regulations or create new policies. However, the commission is committed to seeing its recommendations implemented and is in regular conversation with other federal agencies that do set regulations - for example the Department of Health and Human Services and the Office of Human Research Protections.

Patient Consequences

MCGEE: What are some of the possible consequences for patients if current public policies and laws regarding genomic data privacy are not addressed?

LEE: To realize the enormous promise that whole genome sequencing holds for advancing both clinical care as well as the greater public good, individual interest and privacy must be respected and secured. We're sure that in order for people to participate, they have to know that their privacy is being protected. Without such assurance in place, individuals are much less likely to voluntarily supply the data that we need in order to achieve the potential benefit of life-saving treatment for genetic diseases.

As I mentioned earlier, confusion and uncertainty tend to erode trust, and trust is really the key to amassing a large number of genomic data sets that we need in order to make these powerful life-saving discoveries. Without the appropriate privacy protections, progress will be slowed. We all stand to benefit and to gain immensely from our society taking the necessary steps to protect privacy in order to facilitate the enormous progress we'll see in this era of whole genome and large-scale sequencing.

Genomic Breaches?

MCGEE: Are there examples of genomic data breaches or misuse?

LEE: ... When we set out to look at this question, we looked to find a good example of an egregious [breach] or the confirmation of the horror stories, and actually the good news is we didn't find one. This is really a proactive report. ... In other words, the commission recognizes that given how quickly this field is developing and how quickly the cost of the whole genome sequencing is falling, we wanted to anticipate as much as we could what the problems would be and get ahead of them instead of waiting for one of these horror stories to happen. But we do recognize that the problems will be here sooner rather than later, so trying to get out ahead of them was the purpose here.

We did find examples though ... of how fear of breaches led [potential research] participants ... to make risk-averse decisions. ... Many people ... lack trust or have this fear that something bad is going to happen to them - a loss of insurance, a loss of a job, or a loss of standing in one's community. The fear of these things, whether real or perceived, will prevent us from realizing the benefits because it will prevent people from participating in the research.

For example, one of the stories that we have in the report is the story of Victoria Grove, a woman who had private genetic tests done to see if she had alpha-1 antitrypsin deficiency, which ran in her family. And even though she had tested positive for the mutation, she withheld this information from her own doctor for several years until she was in a very difficult medical crisis and felt she had no choice but to tell her physician; she was very worried about disclosing that information. ...

Protecting Genomic Data: Key Steps

MCGEE: Absent any changes to current privacy laws and regulations, what can healthcare providers do to protect patient genomic data, and what should patients be doing to make sure their genomic data is kept private?

LEE: The commission recommended a couple of things we could do right now. ... We must ensure that every person who deals with the data, from the person who collects the specimen all the way through the people who do data management, to people who manage the databases in the IT department - anyone who has access to the data - be aware of what their professional and personal responsibility is to protect the security and access to these databases. They must be held accountable to the current policies and laws if a breach should occur, whether it's intentional or not.

The [address your] question about what patients can do to protect the privacy of their own data is [they need to be] fully informed. [We need] to ensure that when [a patient] is facing the option of a whole genome sequence being run, [they] actually know what's going to happen, ask who's going to have access to this data for what purposes and [ask] how much control, if any, they would have over what's going to happen with the data in the future - where the data will be stored, who will have access and for what purposes. There are a couple of very concrete things providers, healthcare organizations, as well as individuals, could do right now.

Non-Discrimination

MCGEE: Insurers can't discriminate, can they? If someone has a bio-marker for some tendency to develop an illness, can they prevent coverage?

LEE: GINA, the Genetic Information Nondiscrimination Act, does protect people who have a genetic predisposition for something. ... It's a non-discrimination law, so it will protect people who are known to have a predisposition from employment and other kinds of discrimination. ... There are some gaps in the legislation and there are people who are very interested in having those gaps closed. However, there's some protection for folks. ...

There's another thing that I think is an important point, given the patchwork of federal and state governance and protections. One of the most important recommendations of the commission, specifically, was to urge federal and state governments to develop a process to ensure that there's a consistent floor of protections covering whole genome sequencing data, regardless of how they were obtained. As we discussed when we talked about what were the key recommendations and what the consequences are for patients, given that policies and laws are variable across states, [we need to] get the states and the federal government together and think about what kind of consistent floor of protections would cover these data, regardless of who obtained them and regardless of where a person resides.


About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.



