OtherBIOETHICS IN PRACTICE

Ethical Implications of Clinical Genomic Information, Records Research, and Informed Consent

Susannah W. Lee
Ochsner Journal September 2018, 18 (3) 196-198; DOI: https://doi.org/10.31486/toj.18.0052

The prevalent practice of using patients' medical records for chart review research, without consent from patients, does not engender much criticism when compared to biospecimen research, where worries surrounding genomic privacy inspired proposed revisions to the Federal Policy for Protection of Human Subjects, or the Common Rule, to require consent for such research.1 With the proliferation of electronic medical records (EMRs), an immense amount of patient data is now available for researchers to analyze and search for insights into factors that might influence and predict health outcomes.2 Further, these factors may be found in the genome, the encoded genetic representation of a person. As gene sequencing evolves from an expensive tool used by researchers to a more affordable and routine clinical screening test used in direct patient care, more patients are likely to have their genomes fully digitized, immeasurably growing the already impressive accumulation of electronic health data currently housed in EMRs.3

Because of the relative ease of acquiring a great deal of data, increasing numbers of genomic researchers will seek out EMRs as a low-cost source of populationwide genome data, thereby making patients unwitting subjects of genomic study. In this way, EMR-based records research will pose genetic privacy risks analogous to those of biospecimen research, yet current federal regulations still allow researchers to call gene sequence data de-identified, removing such data from the protection of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule4 and the Common Rule.5 Therefore, this chart review research will likely happen outside of patients' knowledge, much less their consent, in a research environment where the privacy risks are regularly minimized and security practices can be uncertain.3 For patients' privacy rights and expectations and for the research community, the ethical implications loom large.

Regulators have permitted the nonconsensual use of chart review research on the grounds of one essential assumption: stripping common identifiers such as names, social security numbers, and addresses from the data essentially removes the risk of harm. Once deemed anonymization, this method is presently called de-identification, a statement on the probability of identification.

While de-identification may protect other forms of health information by minimizing the risk of re-identification, a person's DNA sequence is a unique combination of coding for physical traits that could create a partially or fully identifying profile just from the gene sequence itself.6 Further, as geneticists learn more about the genome, the sensitivity of any particular genome and the re-identification risk from the gene information will grow. Similarly, as private and public genomic databases (or reference databases) continue to proliferate,7 the frequently discussed method of re-identification—comparing anonymous sequences with reference databases—will be an increasing risk.

Advocates of the current regulatory regime minimize the risk of re-identification by contending that the risks are overstated, or even if re-identifying genetic information is possible, the incentive to do so is less compared to other information stores such as financial data because genomic information is less meaningful, valuable, and damaging and thus less attractive as a target of attack.8 On the other side are scientists who demonstrate re-identification risks by continually re-identifying purportedly anonymous participants in research databases.9-11 Further, genomic information is indeed sensitive and potentially stigmatizing because knowledge about future disease risk, familial relationships and shared susceptibilities, and an uncertain amount of yet-to-be-discovered information about the relationship between genes and health is embedded in the genome.12 Certainly, not everyone's genome will constitute a “future diary”13 or contain sensitive and revealing information; still, many genomes will, and few if any individuals for whom that is true will have knowledge beforehand of that fact.

Genomic information is particularly, if not uniquely, sensitive health information with a high potential for re-identification, and some have maintained that it can never truly be anonymized.14 When reference genomic databases of identifiable data are burgeoning and forensic scientists are studying how to decrease the time it takes to sequence DNA onsite for use as a biometric identifier,15 the contention that a whole or partial gene sequence is not an identifier that could put connected demographic or health information at risk is becoming increasingly tenuous.16 Consequently, federal regulations should no longer allow HIPAA-covered entities to regard large genomic datasets as de-identified health information.

Irrespective of the risk of re-identification or whether genomic information should be considered an identifier in its own right, a significant question remains at the core of this problem: Is it ethically permissible for the research and provider communities to continue to ignore the amassing evidence from numerous studies that patients want and expect to be informed of and in control of if and how their genomic and health information is used in research?17,18 Because while it is clear to see why researchers value records-based research containing genomic data and the benefits that can accrue from these studies, in the absence of policy or a practice change that promotes disclosure, one day the general public will realize that sensitive information that was expected to be confidential and protected is in fact used widely in research that the subjects neither consented to nor were aware of.

To avoid the ethical consequences and the subsequent loss of trust in research and science if the public finds out about widespread genomic research without patient consent, the research community should reform current standards and norms surrounding records-based genomic research. Patients should be given meaningful notice of medical records review research occurring at organizations. This notice could take the form of an electronic database listing studies, investigators, and their contact information, thus allowing patients and institutions to hold investigators accountable for data security and privacy.

When offering genetic diagnostic testing, providers should inform patients that records-based research is a common and important avenue for discovering new associations between genes and health and that the resulting knowledge improves the quality and cost-effectiveness of care. However, providers should also make clear that acquiring consent for records-based research is not possible in every instance. For example, a provider cannot retroactively follow a patient's preferences if the patient's genomic information is no longer under the control of the provider's institution.

If the research community stops asserting that it is reasonable to consider genomic data to be anonymous, de-identified, or not readily identifiable,19 then the protections of the Privacy Rule and Common Rule would apply, requiring researchers to acquire patients' consent or an institutional review board (IRB) waiver of consent to proceed with research.20 Currently, records-based research that contains identifiable information has these consent requirements, and IRBs often waive consent on the grounds that contacting thousands of patients to obtain consent is impracticable and the biases between those who consent and those who do not would undermine the validity of the study.21 With the advent of EMR patient portals, where providers and patients exchange secure and encrypted messages and information, communicating with patients is much easier. Institutions use these portals to allow patients to respond to satisfaction surveys, indicate preferences for care, and input demographic data.22 The portal could be used to educate patients about genomic research and to give patients a way to provide broad consent or to opt out. Because the portal and medical record are housed in the same system, researchers looking at medical records could easily identify the patients who did not consent to medical records review research, thus giving patients more control over the use of their data and the ability to consent to records-based research.

Records-based research is not going anywhere, but the time has come for the research community to stop treating large genomic datasets as de-identified information. Patients expect that this information is kept in confidence, and when it is revealed that this genomic data is commonly studied, at some risk, in records-based research, the fallout will be immense. To avoid this occurrence, transparency and disclosure should improve in the research environment, and providers should give patients notice before releasing clinical genomic data for research, allowing, where possible, some degree of choice and control.

REFERENCES

  1. 1.
    US Department of Health and Human Services. Proposed rules. Federal Register. Volume 76, Issue 143 (Tuesday, July 26, 2011). www.gpo.gov/fdsys/pkg/FR-2011-07-26/html/2011-18792.htm. Accessed April 14, 2018.
  2. 2.
    1. Lin J,
    2. Jiao T,
    3. Biskupiak JE,
    4. McAdam-Marx C
    . Application of electronic medical record data for health outcomes research: a review of recent literature. Expert Rev Pharmacoecon Outcomes Res. 2013 Apr;13(2):191-200. doi: 10.1586/erp.13.7.
    OpenUrlCrossRefPubMed
  3. 3.
    1. Hazin R,
    2. Brothers KB,
    3. Malin BA,
    4. et al.
    Ethical, legal, and social implications of incorporating genomic information into electronic health records. Genet Med. 2013 Oct;15(10):810-816. doi: 10.1038/gim.2013.117.
    OpenUrlCrossRefPubMed
  4. 4.
    US Department of Health and Human Services. Other requirements relating to uses and disclosures of protected health information. 45 CFR §164.514(b)(2). www.ecfr.gov/cgi-bin/text-idx?SID=e5b0f4d4196a2ff12cb6eff228d36ffb&mc=true&node=se45.1.164_1514&rgn=div8. Accessed April 14, 2018.
  5. 5.
    US Department of Health and Human Services. Protection of human subjects. 45 CFR §46. www.hhs.gov/ohrp/regulations-and-policy/regulations/45-cfr-46/index.html. Revised January 15, 2009. Effective July 14, 2009. Accessed April 14, 2018.
  6. 6.
    1. Claes P,
    2. Liberton DK,
    3. Daniels K,
    4. et al.
    Modeling 3D facial shape from DNA. PLoS Genet. 2014 Mar 20;10(3):e1004224. doi: 10.1371/journal.pgen.1004224.
    OpenUrlCrossRefPubMed
  7. 7.
    1. Heeney C,
    2. Hawkins N,
    3. de Vries J,
    4. Boddington P,
    5. Kaye J
    . Assessing the privacy risks of data sharing in genomics. Public Health Genomics. 2011;14(1):17-25. doi: 10.1159/000294150.
    OpenUrlCrossRefPubMed
  8. 8.
    1. Meyer M
    . No, donating your leftover tissue to research is not like letting someone rifle through your phone. Forbes Magazine. www.forbes.com/sites/michellemeyer/2015/12/31/no-donating-your-leftover-tissue-to-research-is-not-like-letting-someone-rifle-through-your-phone/. Published December 31, 2015. Accessed April 14, 2018.
  9. 9.
    1. Gymrek M,
    2. McGuire AL,
    3. Golan D,
    4. Halperin E,
    5. Erlich Y
    . Identifying personal genomes by surname inference. Science. 2013 Jan 18;339(6117):321-324. doi: 10.1126/science.1229566.
    OpenUrlAbstract/FREE Full Text
  10. 10.
    1. Sweeney L
    . k-anonymity: a model for protecting privacy. Int J Unc Fuzz Knowl Based Syst. 2002;10(5):557-570. doi: 10.1142/S0218488502001648.
    OpenUrlCrossRef
  11. 11.
    1. de Montjoye YA,
    2. Hidalgo CA,
    3. Verleysen M,
    4. Blondel VD
    . Unique in the crowd: the privacy bounds of human mobility. Sci Rep. 2013;3:1376. doi: 10.1038/srep01376.
    OpenUrlCrossRefPubMed
  12. 12.
    1. Schrodi SJ,
    2. Mukherjee S,
    3. Shan Y,
    4. et al.
    Genetic-based prediction of disease traits: prediction is very difficult, especially about the future. Front Genet. 2014 Jun 2;5:162. doi: 10.3389/fgene.2014.00162.
    OpenUrlCrossRefPubMed
  13. 13.
    1. Annas GJ
    . Privacy rules for DNA databanks. Protecting coded ‘future diaries'. JAMA. 1993 Nov 17;270(19):2346-2350.
    OpenUrlCrossRefPubMed
  14. 14.
    1. Rothstein MA
    . Is deidentification sufficient to protect health privacy in research? Am J Bioeth. 2010 Sep;10(9):3-11. doi: 10.1080/15265161.2010.494215.
    OpenUrlCrossRef
  15. 15.
    National Institute of Standards and Technology. DNA biometrics. www.nist.gov/programs-projects/dna-biometrics. Published March 11, 2010. Updated July 13, 2017. Accessed April 14, 2018.
  16. 16.
    1. Lunshof JE,
    2. Chadwick R,
    3. Vorhaus DB,
    4. Church GM
    . From genetic privacy to open consent. Nat Rev Genet. 2008 May;9(5):406-411. doi: 10.1038/nrg2360.
    OpenUrlCrossRefPubMed
  17. 17.
    1. Cho MK,
    2. Magnus D,
    3. Constantine M,
    4. et al.
    Attitudes toward risk and informed consent for research on medical practices: a cross-sectional survey. Ann Intern Med. 2015 May 19;162(10):690-696. doi: 10.7326/M15-0166.
    OpenUrlCrossRefPubMed
  18. 18.
    1. Tabor HK,
    2. Berkman BE,
    3. Hull SC,
    4. Bamshad MJ
    . Genomics really gets personal: how exome and whole genome sequencing challenge the ethical framework of human genetics research. Am J Med Genet A. 2011 Dec;155A(12):2916-2924. doi: 10.1002/ajmg.a.34357.
    OpenUrlCrossRef
  19. 19.
    US Department of Health and Human Services. To what does this policy apply? 45 CFR §46.101(b). www.hhs.gov/ohrp/regulations-and-policy/regulations/45-cfr-46/index.html. Accessed April 14, 2018.
  20. 20.
    US Department of Health and Human Services. General requirements for informed consent. 45 CFR §46.116. www.hhs.gov/ohrp/regulations-and-policy/regulations/45-cfr-46/index.html. Accessed April 14, 2018.
  21. 21.
    1. Miller FG
    . Research on medical records without informed consent. J Law Med Ethics. 2008 Fall;36(3):560-566. doi: 10.1111/j.1748-720X.2008.304.x.
    OpenUrlCrossRefPubMed
  22. 22.
    1. Irizarry T,
    2. DeVito Dabbs A,
    3. Curran CR
    . Patient portals and patient engagement: a state of the science review. J Med Internet Res. 2015 Jun 23;17(6):e148. doi: 10.2196/jmir.4255.
    OpenUrlCrossRefPubMed
Back to top

In this issue

Print
Download PDF
Email Article
Citation Tools

Jump to section