EHRA: Genomic data sharing policies must protect privacy, minimize risk
The association provided feedback in response to NIH’s recent RFI on proposed updates to its ‘Genomic Data Sharing Policy.’
The HIMSS Electronic Health Records Association (EHRA), whose member companies sell EHR and other IT systems, supports the National Institutes of Health’s ongoing objective of sharing research data sets to facilitate additional study. But EHRA stresses the need to protect patient privacy, ensure patients can provide informed and meaningful consent for use of their data, and minimize the risk that patients’ genomic and other health data can be re-identified or misused.
EHRA provided feedback in response to NIH’s recent request for information on the proposed updates to and long-term considerations for its “Genomic Data Sharing Policy” in the areas of de-identification, potentially identifiable information and data linkages. Following is a summary of that feedback.
De-identification
The EHRA supports adding the “expert determination” method as an acceptable option for de-identification under the GDS Policy. However, when employing this method, the person responsible for determining the level of re-identification risk should be made aware of the intention to submit the data set to an NIH repository as well as that repository’s policies for access and re-disclosure of the data set, which will inform the final determination of the risk of re-identification.
Repositories should also be required to hold a “certificate of confidentiality” and should strictly enforce adherence to data use agreements.
EHRA also stresses that it’s important for the NIH to work with the HHS Office for Civil Rights to clarify expectations regarding the extent to which genomic data could be considered a biometric identifier. In addition to other identifiable information, HIPAA “safe harbor” de-identification (currently the only method of de-identification permitted by the GDS) requires the removal of all biometric identifiers from a data set for it to be considered de-identified. However, it’s unclear what types of genomic data are considered biometric identifiers for the purposes of meeting safe harbor requirements. This has created challenges for entities engaging in research activities.
Definitive guidance from OCR is essential to facilitate consistent interpretation and implementation and reduce the burden and risk to researchers. When creating the guidance, OCR should adopt a policy that considers the degree to which the genomic data could be used to identify a unique individual. If the genomic data could not, itself, be used to identify an individual, it should not be considered a biometric identifier.
Use of potentially identifiable information
Robust privacy and security measures must be implemented by NIH repositories before it would be appropriate for potentially identifiable information to be submitted under the GDS Policy. When considering protections, EHRA recommends employing expectations that at a minimum align with expectations in HIPAA’s privacy and security rules for the stewardship of protected health information. These require implementation of physical, administrative and technical safeguards to prevent inappropriate access, use or disclosure of identifiable information.
Repositories should also be required to hold a “certificate of confidentiality” and should strictly enforce adherence to data use agreements for any individual or entity accessing potentially identifiable information. Data use agreements should prohibit entities with permission to access potentially identifiable data from attempting to re-identify individuals in the data set.
Data linkages and consent
EHRA recommends that researchers who are combining or linking data sets be accountable for verifying that the resulting data set remains de-identified or take remedial action to de-identify it. If that isn’t feasible, the data set should not be re-disclosed without protections that would prohibit attempts to identify individuals and that would prevent the use or disclosure of the information for unauthorized purposes.
Although EHRA appreciates the NIH’s objective of maintaining patient autonomy over the use of their data, it acknowledges that there are challenges inherent in prospectively informing participants about potential data linkages.
Given that consent for the use of information in secondary research studies is covered under current GDS patient consent expectations, EHRA believes it would be unnecessary for researchers to collect additional specific consent for linking data sets – as long as due diligence is undertaken to verify that linked data sets continue to meet de-identification expectations.
Finally, ensuring that consent is meaningful is an issue that is much larger than just this NIH request for comment. The EHRA recommends a separate request for comment on this topic.
The full comment letter is available here.
Michael Saito is Chair and Nam Nguyen is Vice Chair, EHRA Privacy & Security Workgroup
This article originally appeared as a blog on the EHRA website.