Public Comments: May 2012 – WPF Asks Presidential Commission to Protect Genetic Privacy

 

Background:

WPF filed comments with the Presidential Commission for the Study of Bioethics today urging the Commission to recognize the need for enhanced genetic privacy protections in a digital world. WPF noted that “The increasing identifiability of genetic data presents major privacy issues for research activities that must be acknowledged and addressed.” WPF suggested four key ways that Certificate of Confidentiality programs could be enhanced for privacy protection, and urged the Commission to speak out about the importance of protecting patient privacy in research activities involving genetic information. “The Commission should advocate providing patients with reasonable controls over research uses of their data as electronic records develop and spread throughout the health care system.” Public comments may be submitted to the Commission until May 25, 2012.

—–

Comments of the World Privacy Forum to the Presidential Commission for the Study of Bioethical Issues

Via email to: info@bioethics.gov

Public Commentary,
The Presidential Commission for the Study of Bioethical Issues,
1425 New York Ave. NW.,
Suite C–100,
Washington, DC 20005

May 15, 2012

 

The World Privacy Forum appreciates the opportunity to respond to request of the Presidential Commission for the Study of Bioethical Issues for comments on ethical issues raised by the ready availability of large-scale human genome sequence data, with regard to privacy and data access and the balancing of individual and societal interests. The notice appeared at 77 Federal Register 18247 (March 27, 2012). These comments mostly address privacy issues.

The World Privacy Forum is a 501(c)(3) non-partisan public interest research group based in California. Our funding is from foundation grants, cy pres awards, and individual donations. We focus on conducting in-depth research on emerging and contemporary privacy issues as well as on consumer education. A core area of our work is in health care privacy issues, among other topics. [1]

We offer broad comments on privacy issues that must be addressed in developing policies, rules, and law for the use of genetic information in research activities. We believe that genetic data is among the most sensitive of all health data and that genetic data requires some types of protection that, because of the nature of the data, may differ from the protection for other types of health data. However, we also believe that genetic information is at its heart just another type of health data and that we need to integrate genetic data into health care much in the same way that information from other technological developments (e.g., x-ray, laboratory tests, and computerized axial tomography) has been integrated into standard health care treatment and recordkeeping. Outside of health care, we need to protect individuals from discrimination based on their genetic profile.

Following please find our comments regarding identifiability, certificates of confidentiality, and choice and consent.

 

I. Identifiability

The increasing identifiability of genetic data presents major privacy issues for research activities that must be acknowledged and addressed. The World Privacy Forum strongly believes that genomic sequences must be treated as identifiable today. We recognize that there may be a limit on the identifiability of partial genetic sequences, but we do not have the technical expertise to know where to draw the line. Others will be more useful in making that judgment, and we are broadly aware of research activities focusing on the identifiability of limited genetic data.

Today, the most sophisticated health data identifiability standards are found in the HIPAA health privacy rule. [2] These standards are not specifically designed for genetic data, and the current identifiability standards are under review at HHS. Whatever HHS does to amend the standard will not likely solve genetic identifiability issues and may not address them at all. We certainly do not believe that the Commission can or should rely on existing HIPAA standards as the last word. We further observe that the HIPAA standards do not and will not apply to all researchers or all users of genetic sequence information. Regardless of what HHS does in the near term, standards for identifiability will change over time as technology changes and as more personal data is collected, compiled, and made available. The realm of truly de-identifiable data will continue to shrink over time, and there may be a distressingly small pool of truly de-identified data anywhere in the future.

The Commission should recognize that even if there are no databases today that allow for the ready identification of an entire genome or a significant part of a genome, these databases will exist in the near future. Further, these databases may not be in the control of researchers or of any part of the health care system. Law and policy must anticipate the creation of facilities that will expand the range of data that can be associated with a particular individual or family outside the health and research systems. There may well develop a dynamic commercial marketplace for genetic data that seeks to exploit the data for marketing and profiling purposes.

Even if we assume that genetic information is identifiable, that does not mean that appropriate research use of the information should be prohibited. The World Privacy Forum supports the use of patient data for research under appropriate conditions. We need procedures, controls, and legal limits that will allow socially beneficial research activities to proceed while protecting data subjects appropriately.

One way – and not the only way – to accomplish this broad goal is to through broader application and mandatory use of data use agreements to control the transfer of identifiable or potentially identifiable data or specimens. Data use agreements allow for the sharing of data in a way that imposes controls on the recipient and assigns responsibility to the recipient to use data appropriately. In particular, data use agreements can tell recipients that they cannot seek to add overt identifiers to data that comes without them and that they cannot allow others to do so.

One proposal for greater use of data use agreements can be found in a recent article. [3] The abstract offers a summary:

Deidentification is one method for protecting privacy while permitting other uses of personal information. However, deidentified data is often still capable of being reidentified. The main purpose of this article is to offer a legislative-based contractual solution for the sharing of deidentified personal information while providing protections for privacy. The legislative framework allows a data discloser and a data recipient to enter into a voluntary contract that defines responsibilities and offers remedies to aggrieved individuals.

While the article calls for legislation, some of the proposed goals could might accomplished in other ways. For example, an “industry” standards might treat data use agreements as a standard method for balancing the interests of individuals and the needs of researchers by allowing some transfers of data while establishing standards for the transfers and liability for those providing and receiving data.

 

II. Certificates of Confidentiality

The World Privacy Forum believes that certificate of confidentiality programs provide a degree of privacy protection for data subjects whose records are being use in research activities. [4] Certificates of confidentiality generally allow an executive agency to authorize persons engaged in “biomedical, behavioral, clinical, or other research” to protect the privacy of data subjects by withholding from persons not connected with the research the names or other identifying characteristics of subjects. Persons so authorized may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify subjects. Federal funding is not a prerequisite. The protection is given, upon application, on a project-by-project basis in the form of a certificate of confidentiality. NIH coordinates one certificate program, but there are others.

Many questions remain about the value and effectiveness of a certificate of confidentiality, but they remain a potentially significant privacy protection. We strongly recommend that any research project that involves genetic data should be required to obtain a certificate of confidentiality. The Commission should lend its voice in support of the protections offered by certificate programs and in support of addressing the deficiencies in current programs.

However, more needs to be done to enhance the promise of certificate programs. We suggest the following actions to move toward this goal.

  • First, anyone holding a certificate should be required to notify a research subject if the subject’s record is sought through legal process. Some exceptions to notice may be appropriate.
  • Second, anyone holding a certificate should be required to refuse to disclose records protected by a certificate.
  • Third, institutions sponsoring research should be required to bear the burden of challenging subpoenas in court. The Commission should support making these action mandatory, whether through regulatory changes or though legislation.
  • Fourth, any researcher with a certificate of confidentiality should be required to report to HHS or otherwise make public any disclosure request before responding to the request. Disclosure would be required both for compelled requests (e.g., subpoena) and non- compelled requests. Disclosure of both categories of requests would be valuable. For compelled requests, public reporting might well deter some requesters, would allow researchers to find assistance with legal and other responses, and make it more likely that researchers will rely upon the legal defense that they have a result of the certificate. For non-compelled requests, public reporting of the requests is even more essential. A researcher with a certificate of confidentiality may be tempted to avoid the expense of resisting a subpoena by making a voluntary disclosure. If public reporting of any proposed voluntary disclosure were required, a researcher would likely find it much more difficult to evade responsibility for protecting the privacy of research subjects. [5] Public reporting might also inhibit those seeking records from making requests that would only call attention to the abuse of research records that their requests entailed. Public reporting by researchers could be enforced by making failure to report a factor in making decisions about future grants.

The Commission should make a broad recommendation supporting the need for certificates in genetic research activities of all types. We do not single out genetic research in this regard. We support the use of certificates in all research activities involving identifiable or potentially identifiable data. We believe that all research projects subject to the Common Rule should be required to obtain a certificate of confidentiality if the project collects and maintains any PII. The risks faced by data subjects whose genetic information is used in research activities are at least at great as any other research data subjects.

 

III. Choice and Consent

The research community has, for the most part, yet to face the complexities of privacy. The Commission should speak out about the importance of protecting patient privacy in research activities involving genetic information. It is only a matter of time before a research project comes to broad public attention because it involves an area of research that is ethically, religiously, morally, or politically objectionable to a portion of the American public. The trigger for public attention will be the use of data or biospecimens without individual consent. When that happens, legislative controls will follow (whether at the national or state levels) that will mandate individual choice. [6] The Commission should anticipate this type of “horror story” and support providing more robust ways for individual preferences to be accommodated in an efficient manner.

How to carry out this difficult task? For health data at least, one way is to build the capability into the developing National Health Information Infrastructure. One of the stated purposes of the NHIN is to give individuals greater opportunities to participate in their own health care. Controlling the research use of their data is one way that people can participate. If choice were supported, the system could start with a default choice that allows for reasonable data use (under appropriate conditions) in recognition of the potential societal benefits of research. Those individuals with different requirements could change that default choice as they please. The Commission should advocate providing patients with reasonable controls over research uses of their data as electronic records develop and spread throughout the health care system.

Researchers will complain that any restrictions on full access will interfere with their scientific conclusions. Whether that is the case or not is more of an open question than researchers want to admit, but researchers are not the only ones with an interest here. Individuals who object to the use of their data have an interest that must be considered and accommodated in a reasonable way. The risk of not satisfying individual choice appropriately and in advance creates much higher risk for a horror story-based piece of legislation that will not likely produce a properly balanced approach.

Again, we thank you for the opportunity to submit these comments.

 

Respectfully submitted,

Pam Dixon
Executive Director,
World Privacy Forum

 

 

 

________________________________________

Endnotes:

[1] The World Privacy Forum website contains more information about our organization, our publications, and activities. See https://www.worldprivacyforum.org.

[2] See 45 C.F.R. § 164.514.

[3] Robert Gellman, The Deidentification Dilemma: A Legislative and Contractual Proposal, 21 Fordham Intellectual Property, Media & Entertainment Law Journal 33 (2010), at http://iplj.net/blog/wp- content/uploads/2010/11/C02_Gellman_010411_Final.pdf.

[4] See, e.g., 42 U.S.C. § 241(d).

[5] Public reporting should probably be limited to demands or requests for records about multiple individuals. Publicly disclosing a request for the records of a particular individual could negatively affect that individual’s privacy interest, and personal notice to the individual should be sufficient. Public reporting may also be unnecessary in some cases when a researcher refuses a request.

[6] The well-publicized example involving the Havasupai Indians offers a taste of the controversy that can arise. See, e.g., Amy Harmon, Indian Tribe Wins Fight to Limit Research of Its DNA, New York Times (April 21, 2010), at http://www.nytimes.com/2010/04/22/us/22dna.html.