Privacy and Confidentiality Protections
Biospecimen research depends on protecting the privacy of individuals who contribute biospecimens and on maintaining the confidentiality of associated clinical data and information [97]. Applying the highest possible ethical standards is necessary to ensure the support and participation of human research participants, physicians, researchers, and others in biospecimen resource activities. With the recent advances in genomic and proteomic technology, the sequencing of the human genome, and the increasing reliance of biospecimen resources on electronic and Web-based databases for data tracking, it is even more crucial to address the risk of breaches in privacy. The unintended release or disclosure of sensitive information can place individuals at risk for discrimination and related groups at risk for stigmatization although the frequency of these types of harms is unknown.
C.3.1. Federal Regulations Pertaining to Privacy
The DHHS-issued regulation titled “Standards for Privacy of Individually Identifiable Health Information,” commonly known as the HIPAA Privacy Rule (see 45 CFR Part 164 [98] and Subparts A and E of Part 160 [99]), was created to protect the privacy of health information that identifies an individual while still allowing other activities of benefit to society, such as research. While the HIPAA Privacy Rule does not apply to biospecimens directly, it may affect biospecimen resources that are considered covered entities, or business associates of covered entities, in that human specimens often are accompanied by identifiable protected health information (PHI). For more information on the application of the HIPAA Privacy Rule to research repositories and databases, see [100]. If the biospecimen resource is considered a covered entity under HIPAA, compliance with the regulation titled “Security Standards for the Protection of Electronic Protected Health Information,” commonly known as the Security Rule, is required to ensure appropriate security of electronic PHI (see 45 CFR Part 160 and Part 164 Subparts A and C [98, 99]). Detailed information on the HIPAA Security Rule is available at [101].
In January of 2013 the US Department of Health and Human Services issued an Omnibus Final Rule implementing amendments to HIPAA enacted under legislation known as HITECH (Health Information Technology for Economic and Clinical Health). The HITECH amendments to HIPAA contain several provisions affecting research involving biospecimens and the creation of biospecimen resources for future research. The rule was published in the Federal Register and is available at [102].
Under the NIH Genome Data Sharing (GDS) Policy [69], any restrictions on participant consent for future research uses of data must be captured in the data use limitations that accompany the data when it is submitted to an NIH-designated repository, via the institutional certification process [103] [see also below].
C.3.2. NCI Recommendations Pertaining to Privacy
and Confidentiality
C.3.2.1.
Biospecimen resources should establish clear policies for protecting the confidentiality of identifiable information. These policies may include data encryption, coding, establishing limited access or varying levels of access to data by biospecimen resource employees, and use of nondisclosure agreements. An honest broker-guided procedure, if appropriate, should be considered for sharing of samples and data to protect research participants’ privacy [104, 105]. The informatics system and not necessarily an individual can function as the honest broker.
C.3.2.2.
Biospecimen resources may apply for “certificates of confidentiality” to protect identifiable research information from forced disclosure. Under section 301(d) of the Public Health Service Act [106](42 USC 241(d)), the NIH may issue certificates of confidentiality to authorize persons engaged in biomedical, behavioral, clinical, or other research to refuse to disclose identifying information about human research participants in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding. Certificates of confidentiality should be considered by the biospecimen resource and/or the recipient investigator depending on the nature and sensitivity of the identifiable data associated with the biospecimen. Certificates of confidentiality may not be appropriate for all biospecimen resources. If a certificate of confidentiality is obtained, this should be explicitly stated in the informed consent document. Further information about certificates of confidentiality may be found at [107].
C.3.2.3.
Biospecimen resources should document their policies for maintaining the privacy of human research participants and the confidentiality of associated clinical data, including descriptions of mechanisms for auditing effectiveness, enforcement measures, agreements not to release code keys or not to attempt re-identification of individuals from de-identified data (see database of Genotypes and Phenotypes (dbGaP) Code of Conduct [108]).
The level of security should be appropriate to the type of biospecimen resource and the sensitivity of the data it houses. Genetic data, in particular, may involve additional risks such as discrimination and/or stigmatization, and these concerns may have an impact on research participants’ families or broader population groups. De-identification of research data cannot completely guarantee privacy given the growth in publically available and electronically shared databases, as well as evolving technologies for linking different types and sources of data [109-111]. Respect for research participants requires transparency about the tradeoffs between limiting access to individual medical data and facilitating the greatest utility of such data in research.
C.3.2.4.
Biospecimen resources should comply with all applicable State and local statutes and regulations pertaining to privacy. Biospecimen resources that collect, store and/or distribute large scale human or non-human genomic data derived from NIH-funded research should comply with the relevant mandates of the NIH Genome Data Sharing Policy [69].
C.3.2.5.
Biospecimen resources should use a system of data access with defined levels of access privileges for biospecimen resource staff in order to protect the confidentiality of human research participants’ data, if necessitated by data type and sensitivity.
- Access levels for biospecimen resource staff should be described in the protocol for operation of the biospecimen resource and approved by an IRB and/or a bioethics/scientific advisory board, as appropriate.
- Access to human research participants’ identities and medical, genetic, social, and personal histories should be restricted to only those biospecimen resource staff members who need to access such records as part of their assigned duties or to those persons permitted access by law.
- The number of personnel allowed to access links and reidentify information should be kept to a minimum, and access should be appropriately monitored to ensure compliance.
C.3.2.6.
Data submitted to an NIH-designated repository under the GDS Policy [69] must be de-identified according to standards set forth under the regulations for the protection of human subjects at 45 CFR 46, as well as the requirements of the HIPAA Privacy Rule. In addition, NIH has obtained a Certificate of Confidentiality for dbGaP as an additional precaution because genomic data can be re-identified.
These GDS Policy elements should be discussed in the informed consent, consistent with NCI recommendations that the informed consent disclose whether biospecimens may at some point be de-identified [see C.2.2.5], and that if a certificate of confidentiality is obtained, this should be explicitly stated in the informed consent document [see C.3.2.2].