Personalized Medicine and PrivacyPairing Genetic Information, EHRs Raises Concerns
But this type of research raises significant privacy and security issues.
To address these concerns, pioneering medical centers are setting up systems to ensure that personalized medicine researchers only can access de-identified genetic and EHR information. Among the actions pioneers are taking are:
- Determining how best to gain patient permission to use DNA extracted from their discarded blood samples or tissues, as well as their electronic records, to support the research;
- Using one-way hashing algorithms to modify identification numbers for records and DNA samples so they cannot be linked back to a patient;
- Scrubbing EHRs of more than a dozen types of patient-identifier information before researchers can access the records.
Legislative ActionThe Genetic Information Nondiscrimination Act of 2008, which prohibits the use of genetic information to deny health insurance or as a basis for hiring decisions, laid the groundwork for patient privacy in personalized medicine, says consumer advocate Steve Findlay, senior health policy analyst at Consumers Union, Washington.
"It will be a critical foundation for future legislation and clarifications of privacy in this area," he says. "I don't see how we can avoid enacting more federal legislation in this arena to absolutely protect privacy and set penalties for releases of information on genetics that are harmful."
In addition, the HITECH Act, enacted last year as part of the economic stimulus package, sets tougher penalties for violations of the HIPAA privacy and security rules.
Some consumer advocates contend existing technologies and processes for de-identifying medical records are inadequate to support research, Findlay acknowledges. "But we believe that de-identification techniques are developing rapidly and should be sufficient to protect patient privacy," he adds.
If personalized medicine eventually advances to the point where certain genetic information is stored within individuals' EHRs, as many predict, that will create the need for even stricter privacy protections.
"That raises a lot of issues that need to be thought through very carefully," says Matt Tector, director of the biorepository for a personalized medicine project at Aurora Healthcare, Milwaukee.
Patient PermissionAt Aurora, 15,000 patients so far have volunteered to have their discarded blood samples and EHRs used for the ORBIT personalized medicine program, which began gathering information last year, Tector says.
The patients opted in using a consent form designed specifically for the project. Executives at Aurora, with the advice of ethics consultants, determined the opt-in approach was the most transparent, Tector says.
In contrast, Vanderbilt University Medical Center in Nashville takes an opt-out approach for its BioVu personalized medicine project. The project is now open only to outpatients, who are given the opportunity to opt out of the project when they receive various forms, says Bradley Malen, assistant professor of biomedical informatics.
Since launching the project in 2007, Vanderbilt has enrolled more than 85,000 participants and has begun some limited research studies, including one on early detection of risks for cardiac arrest.
A community oversight board that provides advice on the project approved the opt-out approach, says Malen, who oversees privacy issues for the project. And surveys of patients confirmed they understood how the opt-out option worked, he adds.
But Findlay argues that the opt-in approach is best. "We firmly support opt-in for this kind of program to proactively gain the consumer's permission to use their data," he says.
Multi-layered SecurityVanderbilt's project takes a series of steps designed to ensure the EHRs and DNA samples cannot be linked back to patients.
The medical center uses a one-way hashing algorithm to modify the identification numbers for the EHR and for the DNA sample, and then match them in "de-identified space," Malen explains. "At the end of the hashing, you can't exploit the resulting value to infer the original identifiers," he adds.
Vanderbilt also takes the following steps:
- Researchers' proposals most be approved by both an Institutional Review Board and the BioVu team;
- If a researcher's query yields a relatively small group of patient records, the researcher is automatically denied access because of the risk of pinpointing individual patients;
- Records that researchers access are first subjected to text scrubbing to remove all identifying information;
- As a fail-safe, researchers must sign an agreement that they will not attempt to identify or contact patients based on the data they receive. If they violate the agreement, they know they could be prosecuted, Malen says;
- BioVu organizers keep audit logs for all research to make sure the data researchers retrieve matches the study for which they were approved.
"We're trusting our investigators to do the right thing, plus we make it very hard for them to identify anyone," Malen contends.
Using 'Honest Brokers'Unlike Vanderbilt, which enables researchers to conduct queries themselves, Aurora Healthcare, will rely on "honest brokers" to retrieve the necessary information, Tector says.
Before turning over data to researchers, the brokers will strip all personal information from each record and assign a random research number to the record and the related DNA sample, he explains.
Aurora's ORBIT project is preparing to begin its initial research efforts in the coming weeks. "We are keeping the types of queries conducted simple," Tector explains. This will help minimize the risk of researchers obtaining any patient identifiers, he adds.
Aurora likely will investigate using one-way hashing as it ramps up its research, he adds. "But in the early stages, when we're doing limited queries, we can manage them well."
Need for Best PracticesPersonalized medicine researchers need to develop best practices for assuring patient privacy, stresses Findlay, the consumer advocate. But they must carefully balance the need to ensure privacy against the need to sustain the "momentum for important research," he contends.
Ten years from now, when at least some genetic information is likely to be included in many EHRs, maintaining the privacy of electronic records will be even more critical, he acknowledges.
Meanwhile, Vanderbilt already is in the "planning stages" of an effort that could eventually lead to posting certain limited genetic information in EHRs, says Dan Roden, M.D., assistant vice chancellor for personalized medicine. The medical center is considering taking extra steps to restrict who can access the portion of the record that contains the genetic information, he adds.