Genomics, HIPAA and Informed Consent
In 1968, Andy Warhol talked about the fifteen minutes of fame of the future, and the quote captured everyone’s attention, coming back again and again in a variety of forms and fashions. Those of us who work in health care and genomics can be just as captivated by the value of anonymity and privacy.
De-identification of data and safeguarding of Protected Health Information (PHI) are important to maintaining trust and security in the health care setting. HIPAA, or the Health Information Portability and Accountability Act, enacted by the United States Congress and signed by President Clinton in 1996, defines the policies, procedures and guidelines for maintaining this privacy and security. For most research purposes, de-identification of data is accomplished by stripping the data of 18 specific identifiers such as names, phone numbers, photographs, Social Security numbers, health insurance information, etc.
That this comprehensive process of de-identification is not sufficient for genomic data became painfully clear when Nils Homer and his colleagues published their landmark study in PLoS Genetics showing that it is possible to re-identify an individual's data in a large set of pooled genetic data. This publication led to the understanding that genomic data itself is an identifier, caused a significant shift in the approach to publicly available data, and called into question the anonymity of de-identified data. It also prompted the NIH as well as other institutions to change their data sharing policies.
As a physician, the informed consent process is a cornerstone of my clinical research and practice, whether the discussion is around end-of-life care issues with a cancer patient or around recruiting a patient for a clinical study. Consent for obtaining or using an individual’s genomic data is no different. It needs to be broad enough to further research and discovery while also allowing the individual to gather a good understanding of who would be able to access their data and for what purposes. Patient preferences on use of their genomic data should be elicited and complied with.
Having an informed consent process is, however, not enough. Meeting HIPAA requirements will add an additional layer of security, as de-identification is no longer sufficient to ensure anonymity. NextBio’s announcement of successfully passing an audit to meet HIPAA requirements is based on this new understanding that all systems that work with genomic data need to meet these higher security standards. Meeting these standards would infuse the era of genomic medicine with a higher level of trust and enable accelerated scientific and medical discovery.