The 2014 White House Big Data Report identified healthcare delivery as one of the areas of greatest potential in harnessing big data, as well as an area involving especially sensitive personal information. The Proposed Principles set forth core values and strategies to minimize the risks inherent in large-scale data collection, analysis and sharing. The issuance of this proposal reflects a view by the White House that the success of PMI will depend heavily on the ability of PMI to prioritize and protect the privacy and security of individually identifiable health information. This is a unique opportunity for stakeholders to weigh in on federal policy that has the dual objectives of advancing scientific research and ensuring the privacy and security of personal information. Comments are due on August 7, 2015.
Background on PMI
Precision medicine is an emerging approach to disease treatment and prevention that takes into account individual variability in genes, environment and lifestyle. While advances in precision medicine have been made for select cancers, the practice is not currently in use for most other diseases. The PMI objectives include the creation of a voluntary national research cohort of more than one million Americans, and a commitment to protecting privacy, among others. This PMI research cohort would contribute diverse sources of data, such as medical records, genomic data, metabolite and microorganism data, environmental and lifestyle data, patient-generated information, and personal device and sensor data, to further the research community’s understanding of health and disease and set the foundation for research through responsible data sharing.
The Proposed Privacy and Trust Principles
As part of its commitment to protect the privacy of the PMI research cohort, the White House convened an interagency working group to develop the data privacy principles for PMI. These Proposed Principles provide guidance on governance, transparency, reciprocity, respect for participant preferences, data sharing, access and use, data quality and integrity and security, as described further below. They reflect Fair Information Practice Principles (FIPPs) that have informed numerous U.S. privacy laws and government guidance.
The PMI cohort should be planned and conducted in partnership with the main stakeholders—participants, researchers, healthcare providers and the federal government. The central governance system should be dynamic and transparent so that there is continuous assessment of policies and practices to ensure scientific, technological and ethics-related developments remain current.
The Proposed Principles identify risks to both participants and their families and communities with participating in the PMI. Specifically, they state that the potential for research conducted using PMI cohort data to lead to stigmatization or other social harms should be identified and evaluated through meaningful and ongoing engagement with relevant communities.
To ensure participants remain adequately informed, information should be provided at the point of initial engagement and periodically thereafter. Such information should be communicated to participants clearly and conspicuously, and information concerning PMI cohort data use, protection and access should be publicly available. Participants should receive prompt notification in the event of a breach of their personal information. All data users would be expected to publish or post publicly their summary research findings, regardless of the outcomes, as a condition of data use.
The Proposed Principles provide that participants should be informed “generally” how their data will be used, accessed and shared, which could be read to suggest that broad, general consents will be permitted. However, they also state that a single consent at the time of enrollment will not be sufficient for building and maintaining an adequate level of public trust. Instead, the Proposed Principles contemplate a consent process that is dynamic and ongoing. This is likely to lead to additional notifications depending on the context.
The PMI cohort should facilitate participants’ access to the medical information they contribute to PMI, and innovative and responsible ways of sharing research data with participants should be explored, such as sharing aggregate research data and findings.
Respect for Participant Preferences
To insure the PMI cohort is broadly inclusive, an effort should be made to engage and recruit individuals and communities with varied preferences and risk tolerances concerning data collection, sharing and use. Participants should be able to withdraw their consent for future research use and data sharing at any time and for any reason. Participants would not be able to withdraw consent for use of data in aggregate data sets or used in past or ongoing studies.
Placing limitations on the ability of a participant to withdraw consent with respect to data that is aggregated with other data would be a significant limitation on the participants’ ability to control the use of their data. The Health Insurance Portability and Accountability Act (HIPAA) similarly limits the ability of a participant to withdraw authorization to use and disclose identifiable health information for research but does not go as far as the Proposed Principles. Under HIPAA, individuals may not withdraw authorization to the extent a covered entity has acted in reliance on that authorization, which in the research context permits covered entities to retain identifiable health information as necessary to ensure the integrity of a research study.
Data Sharing, Access and Use
Multiple tiers of data access based on data type, data use and user qualifications should be employed to ensure that privacy is safeguarded and public trust is maintained. Policies and mechanisms should be implemented to ensure the privacy and security of the data, such as data-sharing agreements and a prohibition on unauthorized re-identification or re-contacting of participants.
Data Quality and Integrity
The PMI governance structure should include mechanisms to ensure that the quality and integrity of PMI cohort data is maintained and is accurate, relevant, complete and appropriately up-to-date at all stages of access (collection, maintenance, use and dissemination).
A robust data security framework should be developed in consultation with experts in data science, security, health IT and ethics, and should be integrated into the architecture of the PMI cohort from the start. The security framework should identify state-of-the-art administrative, technical and physical safeguards to ensure the confidentiality and integrity of all PMI cohort specimens and data and to protect against threats to their security.
In light of the increasing frequency of computer hacking and the sensitive data that will be included in the cohort, ensuring the security of PMI data will be a critical and challenging task. It is unclear whether the government will be the sole entity to maintain PMI data or whether it will permit disclosure of data to third parties whose network and practices would also need to be secure.
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or
Sidley Healthcare Practice
Sidley Privacy, Data Security and Information Law Practice
To receive Sidley Updates, please subscribe at www.sidley.com/subscribe.
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.