Two groups of health information technology experts began eating pieces of the elephant that is the Precision Medicine Initiative.
They suggest the massive PMI project will require the application of existing and new health information exchange standards and the creation of new privacy protections.
The PMI, proposed by President Barack Obama in 2015, would create a research cohort of 1 million patients and then make the data available to inform innovative treatments tailored to individuals.
A 21-member PMI Task Force this week reported its findings on the data exchange standards and specs needed to electronically enroll patients, let them donate their data (including, eventually, enormous caches of genomic data), and then make it searchable, and thus useful, to medical researchers.
“There are balloted standards for some of this and we have identified some gaps,” said Dr. Andrew Wiesenthal, a director with consulting firm Deloitte and the task force co-chair.
One standards gap, Wiesenthal said, is for a future use case—messaging back to patients from PMI data stewards and researchers about research results. “Most people are participating in these studies, myself included, out of pure altruism.”
His own patient data has been used in a number of longitudinal studies conducted by his former employer, Kaiser Permanente. Wiesenthal said patients should know their information is safe and useful.
The task force has recommended that the ONC add to its Interoperability Roadmap a new section on precision medicine, said co-chair Leslie Kelly Hall, senior vice president for policy at Healthwise, a Boise, Idaho-based developer of patient education content.
The road map is a guideline on where the federal government envisions healthcare information exchange will develop.
It should be updated to include a sense of federal direction around the issues of access and use of data, Hall said.
“It's still unknown what are the rules around use,” Hall said. “If I'm a provider enrolling that patient into the cohort, do I have a right to access that data later? Is it part of treatment or payment? (and thus would be covered by the Health Insurance Portability and Accountability Act and security rules).” She said the task force has asked for additional guidance.
Meanwhile, a team working under the auspices of the World Privacy Forum, a San Diego-based, not-for-profit privacy rights advocacy group, warned in a 23-page report that PMI planners ought to get cracking on patient privacy issues, putting policies and rules in place on the front end, before the start of patient data collection expected this year.
Work is already underway on a project to adapt consumer mobile health applications as tools to enroll patients in PMI.
“The goals of the initiative are laudable, but many core privacy questions remain unanswered,” and those “may undercut individuals' willingness to share their data and may create new problems for volunteers,” said the authors of “The Precision Medicine Initiative: Will Any Legal Protections Apply?”
For example, the chief federal health information privacy law, HIPAA, does not apply to the PMI and won't apply to most research activities conducted using information from the database, the privacy experts report. The broader 1974 federal Privacy Act will only apply if all of the data is hosted in a database run by a government entity, they said. According to Hall, due to the enormous volumes of data involved, planners are considering using multiple databases for the PMI.
“We didn't write this report thinking there was anything terrible going on here, anything sinister,” said Robert Gellman, a Washington, D.C., privacy lawyer and consultant, and co-author with the forum's founder, Pam Dixon. “We just wanted to wave the privacy flag and say, you have to address it, or it's going to blow up in your face,” Gellman said.
Hall said the project planners have indicated they'll base privacy policy for the PMI on the 1970s-era Fair Information Practice Principles, which require a person's consent for secondary uses of their data.
That's all well and good, said Gellman and Dixon, but none of that's firm yet in law or rule regarding PMI, so “an individual considering participation and privacy experts who advocate on their behalf cannot tell how the initiative will be structured, who will hold the data, and how or whether privacy concerns will be addressed adequately.”
Indianapolis privacy lawyer and task force member Stanley Crosley said it's appropriate to raise privacy concerns now, on the front end.
“It's never too early to start thinking about privacy and the architecture,” Crosley said. But neither is it a good idea to set privacy rules before the architecture is in place, and with the PMI, it's not too late to create both. “There's certainly enough time to make any changes.”