Confidentiality, privacy, and security of genetic and genomic

Preparing to load PDF file. please wait...

0 of 0
Confidentiality, privacy, and security of genetic and genomic

Transcript Of Confidentiality, privacy, and security of genetic and genomic

July 2008 ⅐ Vol. 10 ⅐ No. 7


Confidentiality, privacy, and security of genetic and genomic test information in electronic health records: points to consider
Amy L. McGuire, JD, PhD1, Rebecca Fisher, MLIS2, Paul Cusenza, MBA3, Kathy Hudson, PhD4, Mark A. Rothstein, JD5, Deven McGraw, JD, MPH6, Stephen Matteson, BS7, John Glaser, PhD8, and Douglas E. Henley, MD9
As clinical genetics evolves, and we embark down the path toward more personalized and effective health care, the amount, detail, and complexity of genetic/genomic test information within the electronic health record will increase. This information should be appropriately protected to secure the trust of patients and to support interoperable electronic health information exchange. This article discusses characteristics of genetic/genomic test information, including predictive capability, immutability, and uniqueness, which should be considered when developing policies about information protection. Issues related to “genetic exceptionalism”; i.e., whether genetic/ genomic test information should be treated differently from other medical information for purposes of data access and permissible use, are also considered. These discussions can help guide policy that will facilitate the biological and clinical resource development to support the introduction of this information into health care. Genet Med 2008:10(7):495– 499.
Key Words: Genetics, policy, ethics, electronic health record, privacy, confidentiality, security, genetic test

The clinical use of genetic/genomic information is becoming an increasingly important aspect of modern health care delivery. At the same time, the increasing role of health information technology platforms in organizing health information has led to the need to review the confidentiality, privacy, and security of electronic information.1,2 Electronic health records (EHRs) provide a useful way to manage complex medical information; as such, EHRs will become established in the future as the means to manage the large and complex datasets that accompany genetic/genomic tests and interpretations. The inclusion of genetic/genomic information in EHRs should inform the determination of disease risk, appropriate drug dosing to avoid adverse events, and the selection of effective
From the 1Center for Medical Ethics and Health Policy, Baylor College of Medicine, Houston, Texas; 2Patient advocate, Oakton, Virginia; 3Entrepreneur, McLean, Virginia; 4The Genetics and Public Policy Center, The Johns Hopkins University, Washington, DC; 5Institute for Bioethics, Health Policy and Law, University of Louisville, School of Medicine, Louisville, Kentucky; 6National Partnership for Women and Families, Washington, DC; 7Global Research and Development, Pfizer Inc, New York, New York; 8Partners Health Care, Boston, Massachusetts; and 9American Academy of Family Physicians, Leawood, Kansas.
Amy L. McGuire, JD, PhD, Center for Medical Ethics and Policy, Baylor College of Medicine, Room 310D, One Baylor Plaza, Houston, TX 77030. E-mail: [email protected]
The first three authors have contributed equally to this work.
Disclaimer: All of the authors on this manuscript are members of the Personalized Healthcare Workgroup for the American Health Information Community, Department of Health and Human Services. Paul Cusenza, MBA, was co-founder and co-president of 23andMe, Inc. and was formerly the SVP of Marketing and Alliances for Perlegen Sciences.
Disclosure: The authors declare no conflict of interest.
Submitted for publication March 4, 2008.
Accepted for publication April 4, 2008. DOI: 10.1097/GIM.0b013e31817a8aaa
Genetics IN Medicine

treatment.3–5 However, electronic health information is portable and mobile; the ease with which information can be disseminated through EHRs raises concern about the potential for unauthorized access to and use of this information. A major policy question, then, is whether special protections should be created for genetic/genomic information that is stored in the EHR.
The authors, who are all members of the Personalized Health Care Work Group of the American Health Information Community, created this consensus document to help aid discussions on this important topic. This document was created through a series of meetings, telephone conferences, and email exchanges. The goal was not to unequivocally answer the important and complex question of whether special protections should be created for genetic/genomic information in the EHR, but to provide reflection on some points to consider in developing policy for handling genetic/genomic test information.
Several laws, including the Americans with Disabilities Act (Public Law 101–336) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA; Public Law 104 –191), have been enacted to protect the rights of individuals with regard to the access and use of sensitive personal information and to reform group health insurance, respectively. Regulations such as the Privacy Rule6 and the Security Rule7 have been promulgated pursuant to HIPAA to address issues regarding shared health informa-

McGuire et al.
tion. The Privacy Rule was designed to ensure that individuals’ health information is properly protected without impeding the information flow necessary to provide high-quality health care. The Security Rule provides standards for the security of electronic personal health information.
The Privacy Rule defines and limits the circumstances in which an individual’s protected health information (e.g., information that could identify the individual, such as name, address, or Social Security Number) may be used or disclosed by “covered entities” such as health plans, covered health care providers, or health care clearinghouses. However, the broad networking capabilities enabled by the Internet can potentially extend the sphere of health information transfer beyond covered entities, and a Nationwide Health Information Network may expand the scope of information disclosed to include comprehensive health records from all of the patient’s health care providers over the course of the patient’s lifetime. This health information can be shared for a variety of “secondary uses,” some of which may violate state law, but may not be subject to coverage afforded by the Federal Privacy Rule.8
Further, as numerous health information databases and electronic record platforms become linked and interoperable, reidentifying individuals whose health information has been “de-identified” according to Privacy Rule standards becomes more plausible. The inclusion of genetic/genomic test information into the EHR increases the possibility that a person can be identified unequivocally on the basis of a few genetic variants.9–11
A diverse range of groups across the Federal Government are working to address the challenges and develop the policies necessary to facilitate the transition toward a more personalized approach to health care. To provide leadership for policy interventions that will enable the introduction of personalized medicine into commonly-used clinical practice, the U.S. Department of Health and Human Services has recently undertaken its Personalized Health Care Initiative.12 This Initiative has two guiding principles. The first of these is to support research that addresses individual aspects of disease and disease prevention with the ultimate goal of shaping preventive and diagnostic care to match each person’s unique genetic characteristics. The second principle is to create an infrastructure for health care data and information exchange that will help researchers establish patterns that identify molecular/genetic “fingerprints” of disease.13 Federal advisory groups such as the Secretary’s Advisory Committee on Genetics, Health, and Society,14 the National Committee on Vital and Health Statistics,15 and the American Health Information Community16,17 contribute further by considering issues that relate to the inclusion of genetic/genomic test information into the EHR. This article describes several pertinent topics that should be considered by these initiatives and advisory groups when policy is developed on this issue.
A growing number of different methods of clinical analyses of gene-based information are captured by the broad defini-

tion of a “genetic/genomic” test, and this discussion is intended to incorporate both “genetic” and “genomic” test information. A wide variety of genetic and genomic information and analyses can be derived from testing in humans, including but not limited to targeted diagnostics (e.g., BRCA1/2 tests that evaluate single genes or polymorphisms in at-risk populations), population-based screening tests for specific gene-related disorders (i.e., newborn screens), and large-scale platforms (e.g., microarray DNA technologies that evaluate multiple genes or polymorphisms). Tests considered to be “genetic/genomic” include analyses of human DNA, RNA, and chromosomes to detect heritable or acquired disease-related genotypes, mutations, phenotypes, or karyotypes for clinical purposes and analyses of human proteins and metabolites used predominantly to detect inborn errors of metabolism, heritable genotypes, or mutations for clinical purposes. Tests used primarily for other purposes but that may contribute to diagnosing a genetic/genomic disease (e.g., blood smear, certain serum chemistries) are not covered by this definition.18
The inclusion of genetic/genomic test information in the EHR has raised issues regarding “genetic exceptionalism”; i.e., whether the information should be treated differently from other health information for purposes of data access and permissible use.19–21 Genetic/genomic test information exhibits several characteristics that should be considered when determining the appropriate level of protection. It is important to note that any one of the characteristics listed below may not be unique to genetic/genomic information (i.e., exceptional) versus other health information. For example, low-density lipoprotein cholesterol level is predictive, and gender is generally considered immutable. However, these characteristics are relevant to consider holistically when determining appropriate protection of genetic/genomic test information. It should also be noted that this list is not intended to be interpreted as exhaustive or as prioritized; all characteristics should be considered, and importance may vary based on the context of discussion.
Excepting identical twins, each individual has a unique genetic/genomic code. Therefore, independently collected samples can be matched with relatively high confidence on the basis of a small number of genetic variants.10 Consolidated databases of genetic/genomic information could potentially be mined for individual identification purposes. Moreover, as scientific understanding of the relationship between genotype and phenotype increases, genetic/genomic information may be used more accurately to predict an individual’s physical characteristics from his/her DNA sequence information.11
Genetics IN Medicine

Predictive capability
Some genetic/genomic tests can predict the likelihood of developing a given disease or the response to a specific drug. The complex interrelationships within an individual’s genome and how it reacts to environmental conditions ultimately defines what may actually occur. The predictive nature of genetics is a critical yet complex consideration for developing policy regarding genetic/genomic test information. For example, while this information can inform preemptive action, it may also be used to discriminate based on predisposition. In addition, genetic/genomic test results could be used in the absence of other corroborating clinical signs or symptoms to inform health care management decisions.
Genetic information is also immutable; an individual’s germline/inherited information does not change throughout life. (Some cells in the body may have an alteration in DNA after conception, such as those introduced during DNA replication, for example. These mutations, referred to as somatic mutations, may cause cancer or other diseases. Inherited DNA does not otherwise change, and these somatic mutations can not be inherited or passed on). As such, public disclosure of personal genetic/genomic test information could create longlasting and unpredictable effects, given unforeseen technological and interpretive advances.
Requirement of testing
Many genetic markers, particularly those for disease predisposition and drug response, cannot be ascertained in the normal course of clinical care; they must be derived from a genetic/ genomic test. Although manifestations of some diseases (e.g., Huntington disease) imply the presence of certain genetic mutations, testing is usually required to inform an individual of a specific mutation that predisposes him or her to a specific condition.
Historical misuse
Genetic information has been misused to promote eugenics initiatives,22 discriminate in insurance and the workplace, and obtain information about individuals’ medical histories.23 As genetic research and medical applications advance, the ability to associate genetic predisposition for disease to factors such as gender, self-identified race, or population group will likely increase. Although population-based research informs epidemiologic inquiry, concerns abound that genetic/genomic test information could be used inappropriately to stereotype or stigmatize individuals.
Variability in public knowledge and perspectives
There is wide variability in individual understanding about the role of genetics in health and disease, personal sensitivity regarding genetic/genomic test information, and feelings about genetics (e.g., ontological considerations based on genetic reductionism).
July 2008 ⅐ Vol. 10 ⅐ No. 7

Electronic health records and genetic information
Impact on family
Genetic/genomic test information also has the potential to impact an individual’s family members, as germline mutations (i.e., mutations contained in the sperm or egg that may be passed to offspring) may reveal information about medical risks to blood-relatives. Thus, an individual’s decision to undergo a genetic/genomic test could reveal information that suggests risk to relations regarding the potential development of a chronic or debilitating disorder.
Societal perspectives and the ability to interpret genetic/ genomic test information will likely evolve over time, as will policies regarding the use of such information in health care decision-making. For example, a contemporary test that sequences a specific gene may yield insight into the risk of developing a particular disease. However, in time this sequence information may prove informative regarding different conditions and/or therapeutic responses. Given the exponential growth of the field of molecular diagnostics, the scope and ability to interpret test results will evolve rapidly. In parallel, increasing public awareness about the potential application of genetic/ genomic information to health care decisions will influence perspectives regarding how to oversee this information.
Ubiquity and ease of procurement
Genetic material is easy to procure. DNA can be obtained from saliva, blood, hair, and other tissues that are deposited on a surface. Thus, an individual’s genomic information can be readily obtained without his/her knowledge or permission.
The characteristics discussed here must be considered holistically when informing policy on the use of genetic/genomic test information in patient health records. Although a single characteristic may not support an argument for or against treating genetic/genomic test information as “exceptional,” the combined effect of these characteristics may influence matters of potential exceptionalism. An integrated framework should therefore be used to assess the full impact of policy alternatives.
This section addresses the issue of potential exceptionalism regarding access to genetic/genomic test information (e.g., the right to view the data) in the EHR. This discussion takes the view that if there is to be a system of limited access to certain sensitive data in the EHR, then genetic/genomic test information should be subject to the same limitations, at least for the immediate future. This will encourage genetic/genomic testing where it is medically indicated. It will necessarily require, however, discussions of the definition of “sensitive” information (e.g., any information that the patient views as sensitive or only certain data categories such as genetic/genomic information), technical implementation issues, transition processes to en-

McGuire et al.
sure adoption and adherence, adherence verification processes and penalties for potential noncompliance, and enabling patient control while ensuring that medical practitioners have appropriate access to needed information.
Genetic information generally does not require more protection than other information that patients may view as sensitive (e.g., HIV status, mental health, or drug abuse). Over time, social norms may evolve so that mental health or HIV status is no longer viewed as sensitive, and perspectives regarding genetic/genomic test information may likewise evolve. The issue therefore becomes one of policy regarding access to sensitive health information. Although some states have provisions that protect access to specific types of data in the EHR, and there are some narrowly tailored federal statutes that address this issue (e.g., in the context of substance abuse treatment records),24 there is currently no comprehensive Federal legislation that limits access to sensitive health data. Any efforts directed toward selective access to genetic/genomic test information should be combined with those for other sensitive data, creating a consistent policy that applies to all sensitive health information.
Data masking or controlled access provides a means for patients to control disclosure of select information within the EHR.11 Although genetic/genomic information is not intended to be treated uniquely with regard to data access policies, it should be considered as sensitive if the option for data masking of sensitive information becomes policy. Many countries that are establishing EHR systems, including the United Kingdom, Canada, Netherlands, and Denmark, are using or developing electronic methods for masking certain elements to prevent health care providers’ access to certain types of sensitive information. Controlled access benefits the patient by empowering him or her to designate which health care providers have access to the masked information.25 However, masking information may negatively impact patient care. Withholding important information from physicians could interfere with accurate diagnosis and may lead to bad treatment decisions. Therefore, it is important that the provider at least know that some information has been masked so that he or she can request the information for a medically-relevant reason.
Data masking could also be an important tool to protect elements of patient privacy in required disclosure requests. At least 25 million times per year, individuals are compelled to sign authorizations to release their health records as a condition of employment, life insurance, or other application processes.26 In a controlled-access environment of selective fields, it will require that electronic methods for contextual access criteria be devised and adopted that mask sensitive information that is deemed irrelevant to the purpose of the request. Otherwise, some individuals may be dissuaded from undergoing genetic/genomic testing and seeking medical consultation that may be of great importance to their health management.
In addition to concerns that a patient may choose to mask data that are significant to his/her health care providers or other medical professionals, pragmatic considerations regarding the technical implementation and management of the au-

thorization process must be addressed. For these reasons, there is currently no consensus regarding whether sensitive information should be permitted to be masked in the EHR. The debate on this issue should be one aspect of a broader discussion that encompasses all potentially sensitive information, including but not limited to genetic/genomic test information.
Genetic/genomic test information may also be exceptional with respect to permissible use (regardless of the right to access). Specific considerations should be made for protections: (1) against the misuse of genetic/genomic test data (e.g., discrimination), and (2) regarding the use of such data for research purposes (e.g., proper disclosure of the risk of personal identification and the need to prohibit data mining and aggregating techniques designed specifically to circumvent individual privacy protection).
When considering whether genetic/genomic test information can be used to discriminate in health insurance and employment decisions, the following characteristics of the information are most notable: it is predictive, immutable, historically misused, and normally requires testing to be carried out. A predisposition to develop a disease is distinct from the manifestation of a condition, yet the fear of discrimination has discouraged individuals from obtaining medically relevant and cost-effective predictive genetic/genomic tests. For these reasons, state and federal policies have been enacted to prevent discrimination based on genetic information.27,28
Large-scale genome analysis platforms have generated a wealth of data in the last 20 years, providing researchers with a greater quantity of genetic/genomic information than has been available at any point in history. However, given that an individual’s genetic marker profile is as unique as his/her fingerprint, appropriate informed consent practices should be required for researchers to obtain genetic/genomic test information. Genetic/genomic information is exceptional relative to other sensitive medical information in this regard; it is possible that one inconsequential sequence with attached identity could be used to link identity to genetic information that the individual does not wish to disclose. Proper disclosure and informed consent can make individuals aware of this reidentification possibility before granting access.29 In the future, centralized databases that assimilate large volumes of clinical and genome sequence information may require additional protections, as data mining techniques that can assemble information about a specific individual can theoretically be used to circumvent privacy and confidentiality protections. Although an individual’s medical genetic information may not in itself exhibit exceptional characteristics, given the ability to identify an individual using a limited number of markers, HIPAA privacy policies should be clarified to ensure that they protect genetic/genomic test information appropriately.
Genetics IN Medicine

The inclusion of genetic/genomic information in the EHR will greatly impact personalized health care by informing disease risk determination, appropriate drug dosing, and the selection of effective treatment or preventive action. To realize the full potential of personalized medicine, however, policies must be implemented to protect the confidentiality, privacy, and security of genetic/genomic test information appropriately with regard to access and use. Genetic/genomic information features a series of attributes that must be carefully considered in the aggregate with regard to policy development. Genetic/genomic data should be afforded the same provisions as other sensitive health information with regard to potential restricted access in the EHR. Protection against potential discrimination based on genetic/genomic information must be ensured, and proper disclosures must also be made for the use of such data for research purposes. Attention to the issues raised by these discussions will help policy developers and health care professionals ensure that confidentiality, privacy, and security are appropriately maintained for genetic/genomic information contained in the EHR.
1. Kluge EH. Security and privacy of EHR systems– ethical, social and legal requirements. Stud Health Technol Inform 2003;96:121–127.
2. Ray P, Wimalasiri J. The need for technical solutions for maintaining the privacy of EHR. Conf Proc IEEE Eng Med Biol Soc 2006;1:4686 – 4689.
3. Nusbaum R, Isaacs C. Management updates for women with BRCA1 or BRCA2 mutation. Mol Diagn Ther 2007;11:133–144.
4. Lynch T, Price A. The effect of cytochrome P450 metabolism on drug response, interactions, and adverse effects. Am Fam Physician 2007;76:391–396.
5. Viani GA, Afonso SL, Stefano EJ, de Fendi LI, Soares FV. Adjuvant trastuzumab in the treatment of her-2-positive early breast cancer: a meta-analysis of published randomized trials. BMC Cancer 2007;7:153.
6. Office for Civil Rights, United States Department of Health & Human Services. Standards for privacy of individually identifiable health information. Final rule. Fed Regist 2002;67:53181–53273.
7. Centers for Medicare & Medicaid Services, United States Department of Health & Human Services. Health insurance reform: security standards. Final rule. Fed Regist. 2003;68:8334 – 8381.
8. National Committee on Vital and Health Statistics. Report to the Secretary of the U.S. Department of Health and Human Services on enhanced protections for uses of health data: a stewardship framework for “secondary uses” of electronically collected and transmitted health data. Available at: 071031fr.htm. Accessed November 27, 2007.
9. Malin B, Sweeney L. Re-identification of DNA through an automated linkage process. Determining the identifiability of DNA database entries. Washington DC: Hanley & Belfus, 2001:423– 427.

Electronic health records and genetic information
10. Lin Z, Owen AB, Altman RB. Genomic research and human subject privacy. Science 2004;305:183.
11. Lowrance WW, Collins FS. Ethics. Identifiability in genomic research. Science 2007; 317:600 – 602.
12. United States Department of Health and Human Services. Personalized health care. Available at: Accessed November 5, 2007.
13. United States Department of Health and Human Services. Personalized health care: opportunities, pathways, resources. Available at: news/presonalized-healthcare9 –2007.html. Accessed November 4, 2007.
14. United States Department of Health & Human Services, Secretary’s Advisory Committee on Genetics Health and Society. U.S. system of oversight of genetic testing: a response to the charge of the Secretary of HHS, 2007. Available at: http:// Accessed November 20, 2007.
15. United States Department of Health & Human Services, National Committee on Vital and Health Statistics, 2007. Available at: Accessed November 19, 2007.
16. United States Department of Health and Human Services. Health Information Technology: American Health Information Community. Available at: http://www. Accessed November 5, 2007.
17. Glaser J, Henley DE, Brinner KM, et al. Advancing personalized health care through health information technology: an update from the American Health Information Community’s Personalized Health Care Workgroup. J Am Med Inform Assoc. In press.
18. Centers for Disease Control and Prevention, United States Department of Health and Human Services. Notice of intent: genetic testing under the Clinical Laboratory Improvement Amendments. Fed Regist 2000;65:25928 –25934.
19. Murray TH. Genetic exceptionalism and ‘future diaries’: is genetic information different from other medical information? In: Rothstein MA, editor. Genetic secrets: protecting privacy and confidentiality in the genetic era. New Haven, CT: Yale University Press, 1997.
20. Rothstein MA. Genetic exceptionalism and legislative pragmatism. J Law Med Ethics 2007;35:59 – 65.
21. Diergaarde B, Bowen DJ, Ludman EJ, Culver JO, Press N, Burke W. Genetic information: special or not? Responses from focus groups with members of a health maintenance organization. Am J Med Genet Part A 2007;143A:564 –569.
22. Pernick MS. Eugenics and public health in American history. Am J Public Health 1997;87:1767–1772.
23. Slaughter L. Slaughter testifies in support of GINA. Available at: http://www.louise.ϭcom_content&taskϭview&idϭ755. Accessed November 29, 2007.
24. Confidentiality of alcohol and drug abuse patient records. Code Fed Reg Title 42, Part 2, 2002.
25. National Committee on Vital and Health Statistics. Report to the Secretary of the U.S. Department of Health and Human Services on individual control of sensitive health information accessible via the Nationwide Health Information Network for purposes of treatment, 2008. Available at: Accessed March 31, 2008.
26. Rothstein MA, Talbott MK. Compelled authorizations for disclosure of health records: magnitude and implications. Am J Bioeth 2007;7:38 – 45.
27. Genetic Information Nondiscrimination Act, Pub L No. 110-233, 2008. 28. National Human Genome Research Institute. Policy and Legislation Database.
Available at: Accessed May 22, 2008. 29. McGuire AL, Gibbs RA. Genetics. No longer de-identified. Science 2006;312:370 – 371.

July 2008 ⅐ Vol. 10 ⅐ No. 7