WPF Report – The Precision Medicine Initiative and Privacy: Will Any Legal Protections Apply?

The report, The Precision Medicine Initative and Privacy: Will Any Legal Protections Apply? was published May 18, 2016. This report is a first edition, which has been updated by a second edition published March 16, 2017. Second edition report: (PDF, 39 pages).

Report Authors: Robert Gellman and Pam Dixon.

You are at the report main page, where you can download the report in PDF format.

First Edition Report Links:

Download Full Report (PDF, 27 pages).
Read the Report Brief Summary, Findings, and Recommendations, below

—-

Brief Summary of Report

This report reviews privacy law applicable to the Precision Medicine Initiative (PMI), and the large medical information and biospecimen database at its center. Precision medicine approaches to disease seek to incorporate individual variability in genes, environment, and lifestyle in research to eventually reach the goal of maximizing treatment effectiveness for individuals. The PMI will include a robust genetic research component. The HIPAA health privacy rule and its protections for individuals will not apply to PMI research activities. Other privacy laws may apply, such as the Privacy Act of 1974, but there is uncertainty regarding if or how this and other laws apply. The PMI offers a set of privacy guidelines, but the guidelines lack detail and fail to address underlying legal requirements and protections.

The key privacy concerns raised by the PMI are the lack of applicable law to govern its collection and use of individuals’ health data, the potential waiver of the patient-physician legal privilege that can shield data from disclosure through litigation, and the possibility of law enforcement access to patient records held in the PMI. Before it launches, the PMI needs to clarify the legal and administrative privacy protections that apply to its activities. People who volunteer their medical data and biospecimens must be told what specific legal protections apply and do not apply.

About the Authors

Robert Gellman is a privacy and information policy consultant in Washington DC. (www.bobgellman.com.) He has written extensively on health, de-identification, Fair Information Practices, and other privacy topics. Pam Dixon is the founder and Executive Director of the World Privacy Forum. She is the author of eight books, hundreds of articles, and numerous privacy studies, including her landmark Medical Identity Theft study. She has testified before Congress on consumer privacy issues as well as before federal agencies. Dixon and Gellman’s writing collaborations include the seminal report on predictive algorithms, The Scoring of America, and numerous well-regarded privacy-focused research, articles, and policy analyses. They co-authored a reference book on privacy, Online Privacy: A Reference Handbook, (ABC-CLIO 2011) and most recently a chapter on privacy regulation and law in Enforcing Privacy: Regulatory, Legal, and Technological Approaches, (Springer Nature, 2016.)

About the World Privacy Forum

The World Privacy Forum is a non-profit public interest research and consumer education group that focuses on the research and analysis of privacy-related issues. Founded in 2003, the Forum publishes significant privacy research and policy studies on health privacy, privacy self-regulation, financial privacy and identity issues, biometrics, and data broker privacy practices among other issues. www.worldprivacyforum.org.

Key Findings:

Medical record data and biospecimen data that consumers donate to the PMI are not covered by the core federal health privacy law while in the hands of the PMI. The health privacy rule issued under the authority of the Health Insurance Portability and Accountability Act (HIPAA) does not apply to the PMI and will not apply to most research activities conducted using information available from the PMI.

Consumers may have no formal legal right to obtain their own information from the PMI unless a US government agency administers the PMI, something that is not expected. The Privacy Act of 1974, which provides citizens with the ability to review data collected about them by a government agency, applies only if a federal agency operates the PMI. We do not yet know with certainty if a federal agency will operate any part of the PMI. However, if a federal agency operates the PMI, the Privacy Act’s disclosure provisions allow agencies considerable authority to disclose records subject to the Act and to define new categories of disclosures at any time through new rules. In particular, the Act allows many types of disclosure to foreign, national, state, and local law enforcement agencies with few procedural prerequisites. We do not yet know what disclosure authority will apply to PMI records or even if they are subject to the Privacy Act. (See Appendix C.)

Patients who share their health records and biospecimens with the PMI could lose the ability to claim a physician-patient privilege in unrelated judicial proceedings.

A limited amount of patient records shared with PMI may be protected from subsequent disclosure if 42 C.F.R. Part 2 (rules governing substance abuse records) applied to the records at their original source. If so, records disclosed to the PMI from health care providers subject to the substance abuse privacy rules would retain their confidentiality if disclosed to the PMI. This may be the only existing privacy law applicable to the PMI, although it would cover few of the health records in the PMI.

Certificates of confidentiality for research activities available through the Department of Health and Human Services may offer some legal protections for research records, but there are many uncertainties about the scope and value of the certificates. There are known limitations about the protections this would offer.

When volunteers enroll in the PMI, they donate a great deal of personal information in the form of medical records and biospecimens. However, cell phone data monitoring, social media monitoring, sensor monitoring and other real-time monitoring are under discussion. How the privacy of the real time systems will be handled is an unknown. Further administrative records about volunteers – as opposed to health information – may be extensive and presents their own privacy concerns. Administrative records may include contact information, identification numbers, employment and educational history, location data, and more.

Key Recommendations:

The PMI needs to detail its structure and organization with clarity so that the privacy protections or lack of privacy protections for its records can be assessed. The public needs to know what institutions will maintain information in the PMI and where they are located. The PMI must explain how privacy laws, if any, will apply to it. The privacy and security standards issued so far do not answer the questions about what legal protections will apply.

The PMI should not begin soliciting information or biospecimens from or about individuals until it clearly describes the applicable privacy protections. The description should include potential uses and disclosures of PMI information for law enforcement and national security purposes. The description of applicable privacy rules should cover health records, administrative records, and any real-time monitoring from mobile or other devices. Volunteers should be told expressly if HIPAA does not apply to the PMI.

The E-Government Act of 2002 requires federal agencies to conduct a Privacy Impact Assessment before they develop or procure information technology systems or projects that collect, maintain or disseminate information in identifiable form from or about members of the public.^{^[1]} We have not seen a PIA for the PMI. There is an immediate need for a PIA that includes an opportunity for public comment and debate.

If the Privacy Act of 1974 applies to PMI or any significant part of it, then the National Institutes of Health should publish a system of records notice and allow adequate time for public comment.

If the Privacy Act of 1974 does not apply to the PMI, then it is possible that no health privacy or other privacy law will apply to most data and biospecimens. As a result, patient data could be vulnerable to a host of unrelated public and private demands and activities. If so, then PMI may need its own privacy law in place before it starts.