Genomic Data Sharing Policies Must Protect Patient Privacy, Minimize Risk

By Michael Saito (Epic), Chair & Nam Nguyen (Allscripts), Vice Chair, EHRA Privacy & Security Workgroup

The National Institutes of Health’s (NIH) ongoing objective of sharing research data sets to facilitate additional study is something EHRA member companies wholly support – as long as it protects patient privacy, ensures patients can provide informed and meaningful consent for use of their data, and minimizes the risk that patients’ genomic and other health data can be re-identified or misused. 

To that end, we took advantage of the NIH’s recent Request for Information (RFI) on the proposed updates to and long-term considerations for its Genomic Data Sharing (GDS) Policy to provide feedback in the key areas of de-identification, potentially identifiable information, and data linkages.


The EHRA supports adding the Expert Determination method as an acceptable option for de-identification under the GDS Policy. However, when employing this method the person responsible for determining the level of re-identification risk should be made aware of the intention to submit the dataset to an NIH Repository, as well as that repository’s policies for access and re-disclosure of the dataset, which will inform the final determination of the risk of re-identification. 

It is also important for the NIH to work with the HHS Office of Civil Rights (OCR) to clarify expectations regarding the extent to which genomic data could be considered a biometric identifier. In addition to other identifiable information, HIPAA Safe Harbor de-identification (currently the only method of de-identification permitted by the GDS) requires the removal of all biometric identifiers from a dataset for it to be considered de-identified. However, it is unclear what types of genomic data are considered biometric identifiers for the purposes of meeting Safe Harbor requirements. This has created challenges for entities engaging in research activities.

Definitive guidance from OCR is essential to facilitate consistent interpretation and implementation and reduce the burden and risk to researchers. When creating the guidance, OCR should adopt a policy that considers the degree to which the genomic data could be used to identify a unique individual. If the genomic data could not, itself, be used to identify an individual, it should not be considered a biometric identifier.

Use of Potentially Identifiable Information

Robust privacy and security measures must be implemented by NIH Repositories before it would be appropriate for potentially identifiable information to be submitted under the GDS Policy. As such, when considering protections, we recommend employing expectations that at a minimum align with expectations in HIPAA’s privacy and security rules for the stewardship of protected health information. These require implementation of physical, administrative, and technical safeguards to prevent inappropriate access, use, or disclosure of identifiable information. 

Repositories should also be required to hold a Certificate of Confidentiality and should strictly enforce adherence to data use agreements for any individual or entity accessing potentially identifiable information. Data use agreements should prohibit entities with permission to access potentially identifiable data from attempting to re-identify individuals in the dataset. 

Data Linkages and Consent

We recommend that researchers who are combining or linking datasets be accountable for verifying that the resulting dataset remains de-identified or take remedial action to de-identify it. If that isn’t feasible, the dataset should not be re-disclosed without protections that would prohibit attempts to identify individuals and that would prevent the use or disclosure of the information for unauthorized purposes.

Although we appreciate the NIH’s objective of maintaining patient autonomy over the use of their data, we agree that there are challenges inherent in prospectively informing participants about potential data linkages. Given that consent for the use of information in secondary research studies is covered under current GDS patient consent expectations, we believe it would be unnecessary for researchers to collect additional specific consent for linking datasets – as long as due diligence is undertaken to verify that linked datasets continue to meet de-identification expectations. 

Finally, ensuring that consent is meaningful is an issue that is much larger than just this NIH request for comment. The EHRA recommends a separate request for comment on this topic. 

The full comment letter is available here
