Earlier this month, the Presidential Commission for the Study of Bioethical Issues introduced draft recommendations regarding policies addressing the privacy of human genome sequence data. Some of the recommendations may impact non-profit organizations that fund genomic research, such as research foundations, institutes and patient advocacy groups (“Research Organizations”) by requiring them to implement policies and procedures to protect genomic data.
Since January 2011, the Commission, an advisory panel comprised of leaders in medicine, science, ethics, religion, law, and engineering, has been studying the balance between individual privacy concerns related to whole genome sequencing in genetic research and clinical care and the need for broad information gathering to promote scientific and medical discovery. The Commission considered the balance between individual privacy concerns related to whole genome sequencing and the need for access to information to promote scientific and medical discovery. The draft recommendations generally involve the issues of informed consent to whole genome sequencing and oversight of the informed consent process.
Several draft recommendations suggested that funders of genomic research “maintain or establish strong policies for protection of genomic data” and require those who come in contact with genomic information to adhere to laws and regulations governing the use of genomic information, while protecting the policy of open data access and sharing of the information as permitted by the individual.
Research Organizations are typically not subject to the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) because they are not considered a covered entity, as that term is defined in HIPAA. However, these organizations often have access to study subjects’ PHI if they receive case report forms and/or study data from the institutions performing the research. In addition, it is possible for a Research Organization to engage in activities which could result in it being considered a covered entity.
We recommend that Research Organizations conduct a current analysis of their practices to ensure they are not considered a covered entity under HIPAA. Even if a Research Organization is not obligated to comply with HIPAA, it should consider utilizing a “best practices” approach by adopting and implementing policies and procedures which safeguard the access, use and disclosure of protected health information. This approach prepares the Research Organization for changes in the law and expands the types of activities in which the Research Organization can engage. This approach could also protect the Research Organization from reputational harm in the event PHI is misused.
Finally, if a Research Organization will receive PHI as a result of research it has funded, we recommend conducting a thorough review of the informed consent form to ensure that its anticipated uses of PHI are adequately disclosed to the research subject.