As cybersecurity threats continue to evolve and put PHI at risk, precision medicine guidelines need to be updated to account for new health data privacy threats, according to a recent opinion piece published by Oxford University Press.
The Johns Hopkins Hospital and Health System Senior Counsel Jennifer Kulynych, JD, PhD explained that data de-identification methods are not foolproof, since genomic data can be re-identified, and that it can be difficult to determine exactly how individuals’ genomes are being used.
“This realization is colliding with research norms that permit the relatively free exchange of patients’ medical information,” Kulynych wrote. “Research and medical privacy regulations, as currently interpreted, allow review boards to waive patient consent, and even allow researchers to call DNA sequences ‘de-identified’ data, a category without oversight or privacy protection. Newly announced changes to federal research regulations simply broaden the scope of these practices.”
Kulynych noted that HIPAA’s de-identification rules treat an individual’s fingerprint as an identifier that must be removed, but do not treat the genome the same way. Meanwhile, databases that pair genomes with medical histories are increasingly common.
“Unlike a medical record number or credit card number, genome sequences, unique and permanent, can’t be replaced when compromised, and sequence data are a wellspring of information about health risks, ancestry, and sometimes, unexpected parenthood,” Kulynych said.
Research participants also do not always know when their personal information is being shared, she explained.
“Data from these databases is shared with researchers world-wide, typically under a ‘data use agreement’ that offers no recourse to data subjects if their information is misused or compromised,” stated Kulynych. “We became interested in this issue when we realized that the biggest database of all – the increasingly networked EHRs of hospitals and physician practices nationwide – might one day include genomic data from everyone, as gene sequencing becomes common in healthcare.”
Re-identification is always a risk, she stressed. Researchers cannot let participants believe that their information will never be compromised.
Patients need to stay informed, and there must also be ethical research guidelines, Kulynych suggested.
“If patients remain unaware and regulators are reluctant to question the status quo, there’ll be few incentives for improvement,” she explained. “Unless we raise the bar on research data security, however, patients, though they may benefit from better care, will assume unreasonable and unnecessary privacy risks as their data is shared in the pursuit of precision medicine.”
Federal agencies are also taking note of potential data privacy and security concerns with precision medicine.
Earlier this month, the Office of the National Coordinator for Health IT (ONC) released the Precision Medicine Initiative (PMI) Security Principles Implementation Guide in conjunction with the HHS Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST).
The guide supports the final PMI Data Security Policy Principles and Framework, and will provide entities with “best practices in security and data management for precision medicine.”
“The Data Security Policy Principles provide a broad framework for protecting PMI participants’ data based on the NIST Cybersecurity Framework,” according to the document. “The PMI Data Security Principles Implementation Guide outlines how the Data Security Policy Principles would apply to an example PMI use case.”
The report’s authors noted, though, that adhering to the guidance does not by itself ensure HIPAA compliance, and covered entities should still perform their own security risk assessments.
This will “assess the risks to the confidentiality, integrity, and availability to PMI data processed, stored, or transmitted throughout their enterprises,” report authors explained. Organizations should also “implement security controls sufficient to reduce these risks to a reasonable and appropriate level.”
Covered entities must also revisit their security risk assessment regularly, the report stated, updating it to account for any environmental and operational changes that alter the risks to PMI data.