The White House released the Precision Medicine Initiative (PMI) Privacy and Trust Principles, aimed at building patient trust and protecting patient privacy for precision medicine-related activities last month, as the National Institutes of Health (NIH) announced the availability of $72 million in PMI-related funding opportunities for fiscal year 2016. A Security Policy Framework that will help ensure that security is built into the foundation of the PMI is in development.
The PMI, launched by the Obama administration in January 2015, is designed to advance developments in precision medicine, an innovative brand of health care that will enable the provision of customized healthcare that takes into account individual variations in genetics, environment, and lifestyle. As part of that initiative, the NIH is tasked with developing a voluntary national research cohort of one million or more individuals and obtaining genetic sequencing data from participants to identify genomic drivers of cancer, improve how next-generation sequencing-based tests are evaluated and marketed, and develop methods for managing and analyzing large patient data sets while protecting individual privacy.
Privacy is a key concern for PMI. Jocelyn Samuels (Director, Department of Health and Human Services (HHS), Office for Civil Rights (OCR)) noted during the eighth annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference, that the success of PMI will depend on the willingness of the public to participate and that given the sensitive nature of the personal information involved, including genetic and other highly sensitive data, such willingness may turn on the degree to which the public believes strong privacy and security protections are in place.
Seeking to make effective privacy practices a central part of the PMI, in March 2015 the administration convened an interagency PMI privacy working group including the White House Office of Science and Technology Policy, HHS OCR, and the National Institutes of Health. Leveraging a series of expert roundtables, bioethics literature, existing biobank and large research cohort privacy policies and frameworks, and more than 100 public comments received in response to the publication of draft principles in July 2015, the working group released these PMI Privacy and Trust Principles organized around six primary values:
- Governance. Stakeholders, including participants, researchers, health care providers, and the federal government, should develop mandatory rules and mechanisms to ensure:
- Responsible data management;
- Protection against unauthorized access, use, disclosure, or re-identification of PMI data; and
- Proper identification, management, and mitigation of breaches.
- Transparency. PMI participants should remain informed through all stages of participation. Communications to participants should be clear and conspicuous, and generally should disclose:
- How information will be collected and stored;
- How data will be used and shared;
- The goals, potential benefits, and risks of participation;
- The measures in place to protect participant data; and
- The ability to withdraw participation.
The transparency principle also calls for making public information about PMI data protections and use, as well as compliance with governance rules. It also contains substantive breach notification requirements, which generally align with those of state breach notification laws.
- Respecting Participant Preferences. Participant autonomy and trust should be promoted through “a dynamic and ongoing consent and information sharing process.” Participants should be able to withdraw consent for future use and sharing of PMI data at any time, and should be able to control the types and frequency of communications received.
- Participant Empowerment through Access to Information. Participants should be granted access to the medical information that they provide. In addition, accessible resources should be made available that enable participants to make informed choices and to access research data.
- Data Sharing, Access, and Use. The access, use, and sharing of PMI data should be permitted only for authorized purposes. Certain activities, including the sale or use of data for targeted advertising, unauthorized re-identification of data, and unauthorized re-contacting of PMI participants should be expressly prohibited. Access controls should include multiple tiers of access based on data type and use, and user qualifications.
- Data Quality and Integrity. Data quality and integrity should be kept at all times. Participants should be able to report inaccuracies and request that such inaccuracies be addressed.
As a general matter, commenters encouraged special considerations for engaging with the diverse populations that the PMI hopes to include. Specifically, commenters focused on the communications that participants would receive from the PMI and encouraged governance bodies to ensure that communications were appropriate, responsible, and inclusive of linguistic and cultural differences. The Principles were updated to reflect that suggestion and adhered to the concepts of diversity of inclusion as priorities throughout. Also in response to comments received, the PMI plans to release a Security Policy Framework that will help protect the confidentiality and integrity of PMI data and ensure that security is built into the foundation of the initiative. The framework will be informed by industry best practices and will undergo regular evaluation to keep pace with technological advances.
The $72 million in funding opportunities for PMI announced by NIH are designated for framework-establishing projects. This funding, contingent on Congress passing a federal budget, will help to establish several centers designed to manage different aspects of the initiative including: (1) a central coordinating center to manage the collection and use of PMI data, volunteer activities, and communications among participating organizations; (2) health care provider organization enrollment centers to recruit and enroll volunteers, foster study participation, gather data and specimens, ensure that the cohort population reflects the diversity of the U.S.; and (3) a cohort participant technologies center to supervise the use of mobile devices and sensor technologies.
Stakeholders wishing to contribute to PMI privacy and security rules and guidelines should monitor the PMI website and other federal government communications for opportunities to join the discussion.