Healthcare Data Security in the Age of Precision Medicine
Pharmacogenomics, or the study of the human genome's response to drugs, originated in the late 1990s. It has continued to grow and culminated in what we call today precision medicine. Precision medicine includes the in-depth analysis of the genomic data and DNA sequencing files of an individual and his/her lineage for generations. This genetic information is used to select personalized treatment options.
The fact that one file contains an entire family line's detailed protected health information (PHI) increases the data's sensitivity and makes governments and the healthcare industry more wary of its need for advanced protection. Such privacy and security concerns have long hindered the growth of precision medicine.
The Obama administration paved the way for precision medicine through its $200 million initiative which encouraged the participation of one million volunteers in a long-term study. The participants' medical and genetic information was placed in a large database that is open to researchers. To protect PHI and comply with HIPAA, researchers de-identify the data as anonymous PHI is not covered by the Privacy Rule.
However, Johns Hopkins Hospital and Health System Senior Counsel, Jennifer Kulynych, said that even though HIPAA does not cover de-identified data, re-identification is always a possible risk. Consequently, patients and any research participants should be made aware of that possibility rather than be kept in the dark under the pretense that their anonymous data can never be re-identified by malicious actors.
Like everything else in healthcare, the growth of precision medicine should not come at the expense of data security. In response to growing security concerns, federal agencies are coming to terms with potential threats. The Office of the National Coordinator (ONC) released the Precision Medicine Initiative (PMI) Data Security Principles Implementation Guide. This was done in association with the Office for Civil Rights (OCR) and the National Institute of Standards Technology (NIST).
The guide aims to provide a framework and a set of best practices that organizations can leverage to maintain the privacy and security of data in their quest for understanding precision medicine. Adopting this framework not only makes data sharing related to precision medicine safer, but it also helps standardize security agreements, processes and breach notification procedures.
Though the guide is a great first step, it does not guarantee HIPAA compliance. Covered entities should continue to perform risk assessments and implement security measures to safeguard against breaches. Moreover, because this area of research is relatively new, experts recommend that more clear-cut guidelines be put in place, including detailed incident response plans and a clear identification of systems that should be monitored.