Legal and Ethical Issues Module 5
Disclosure
The following information has been developed with assistance and input from Rebecca Spence, JD, MPH – Associate Counsel for Ethics, American Society of Clinical Oncology (ASCO).
This information does not constitute an endorsement by ASCO.
Ethical Issues of Big Data
Thinking back to the conversation about the CASE STUDY, discuss:
- What ethical issues such as privacy and consent might arise from using big data?
- How would this impact patients?
- What happens when you share information about yourself that becomes part of big data?
Ethical Issues of Big Data
Remember:
- Data can lose anonymity because of details (e.g. as found in a very rare disease)
- Data that becomes part of big data is no longer “owned” by the patient and can be used for things completely unrelated to patients’ interests or original consent
- Patients do not consent explicitly for some uses of data (e.g. FDA reporting)
Privacy and Consent
Privacy refers to the right to control access to ourselves and to our personal information. It means that we have the right to control the degree, the timing, and the conditions for sharing our bodies, thoughts, and experiences with others. Privacy must be protected before and during the recruitment of subjects, the consent process, and participation in the research activity. Methods to protect subject privacy include conducting research activities in a private setting or ensuring that data are not collected without the individual’s knowledge and consent.
- Collaborative Institutional Training Initiative, Human Subjects Research Training
Informed Consent
Informed consent is given by a person or proxy (e.g. parent) for:
- Treatment
- Research
after being informed of the purpose, methods, procedures, benefits, and risks.
Standards for informed consent for treatment differ by state; research standards are much more regulated.
What makes consent informed?
- Knowledge and comprehension
- Freely given without duress or undue influence
- Can be withdrawn at any time
Source: Informed consent. (n.d.) Farlex Partner Medical Dictionary. (2012). Retrieved August 10 2016 from http://medical-dictionary.thefreedictionary.com/informed+consent
Privacy Laws
Which federal laws are relevant to big data, patients’ health data, and privacy?
- HIPAA – Health Insurance Portability and Accountability Act
- GINA – Genetic Information Nondiscrimination Act
- Common Rule – the baseline standard of ethics
How do these laws impact patients and big data?
HIPAA
- Sets rules for healthcare information privacy and healthcare data records standards.
- Defines who can and cannot view or handle healthcare records, and the confidentiality of communications and records.
- Requires informing patients about privacy.
- Sets data security requirements for healthcare records and information.
Remember: HIPAA is not a law that covers everyone who ever sees your health information.
Source: https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
HIPAA
HIPAA applies ONLY to covered entities and business associates…
- Healthcare providers – doctors, dentists, chiropractors, pharmacies, etc.
- Health plans – health insurers, HMOs, Medicare & Medicaid, etc.
- Health care clearinghouse – processes health information
- Business associates – a third party that helps covered entities with their work (e.g. insurance claims processor, pharmacy benefits manager)
…NOT to individuals, advocacy groups, etc.
HIPAA
Non-covered entities can choose to comply with HIPAA regulations if they want:
- Advocacy organizations
- Disease/condition information-sharing websites
- Loyalty programs (e.g. CVS, Harris Teeter)
There are no guidelines for what these groups can do with stored information.
There are no legal privacy and security standards for this collected data.
HIPAA
HIPAA allows for covered entities to share information (a “Permitted Use”) for:
- Treatment – sharing information between hospital and physician’s office or specialist about lab reports, X-rays, pathology reports, diagnoses, etc.
- Payment – sharing diagnoses and procedures with health plans to ensure appropriate reimbursement
- Healthcare operations – developing clinical guidelines, evaluating provider performance, conducting training programs, etc.
Per HIPAA, once data has been de-identified it can be used for research purposes; if not de-identified it can’t be used for research.
Source: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/permitted-uses/index.html
GINA
- Prohibits the use of genetic information in health insurance and employment
  - But nothing else – not life, long-term care, or disability insurance
- Specifically prohibits the use of genetic information in hiring, firing, job placement, or promotion decisions
- Specifically prohibits the use of genetic information to deny healthcare coverage or set healthcare premiums
  - But just genetic information, not already manifested genetic disease
GINA
Genetic information includes information about an individual’s genetic tests and the genetic tests of an individual’s family members, as well as information about the manifestation of a disease or disorder in an individual’s family members (i.e. family medical history). Family medical history is often used to determine whether someone has an increased risk of getting a disease, disorder, or condition in the future.
Genetic information can also include:
- An individual's request for, or receipt of, genetic services
- Participation in clinical research that includes genetic services by the individual or a family member
- The genetic information of a fetus carried by an individual who is a family member of the individual
- The genetic information of any embryo legally held by the individual or family member using an assisted reproductive technology
Source: Rebecca Spence, JD, MPH – American Society of Clinical Oncology (ASCO)
Common Rule: Health Information from Research
- Baseline standard of ethics that all government-funded and most academic research must adhere to – safeguards individuals who participate in research.
  - Including research collected in a clinical setting.
  - Most research organizations voluntarily comply.
- Regulated by Internal Review Board for all human subject research.
- Has specific provisions for vulnerable populations, including minors, prisoners, and pregnant women.
- Allows biological samples to be stored and used for research indefinitely as long as the sample is de-identified.
- Significant changes to the Common Rule were made in January 2017 pursuant to public input. **Most provisions will go into effect in 2018**
Source: http://wayback.archive-it.org/3926/20170127095200/https://www.hhs.gov/about/news/2017/01/18/final-rule-enhances-protections-research-participants-modernizes-oversight-system.html
Common Rule Changes - 2017
- Consent forms have to include information about the project’s risks and benefits (for informed consent)
- Requirements to use a single IRB for multi-institutional research studies
- Use of broad consent for future research (for studies on stored identifiable data or biospecimens), rather than seeking IRB approval for a consent waiver
- New “exempt” categories for research – e.g. “secondary research involving identifiable private information if the research is regulated by and participants protected under HIPAA”
- Public posting of consent forms for certain federally-funded clinical trials
Research vs. Non-research Uses of Data
Research
- Developing generalizable knowledge
- Often published or publicly available
- Can be observational, experimental, simulation, compiled, or reference
- Can include documents, surveys, data files, models, field notes, etc.
Source: https://www.bu.edu/datamanagement/background/whatisdata/
Non-research
- Internal business/operational development
- In healthcare, services/programs to improve overall public health and services
- Can contribute to general knowledge
**Data may not be initially collected for the purpose of generalizable knowledge – instead for clinical care**
Laws: What is Covered?
Common Rule
- Standard of ethics for government-funded and academic research
- Safeguard for individuals who participate in research
- Biological samples can be used for research indefinitely as long as de-identified
HIPAA
- Sets rules for information privacy and data records standards
- Covered entities
- Sets data security requirements
Everything Else
Impact of Policy on Big Data
How do these policies affect you?
- Data security and privacy – all those handling patients’ records must meet applicable privacy and security rules
- Only certain people can view patient records
- Disclosure of genetic information cannot be used against people for healthcare insurance or employment decisions
- Almost everyone in the US will/does have insurance records
Discussion/For Your Consideration
- How might these laws (HIPAA, GINA, Common Rule) impact uses of big data?
- What more is required from an ethical perspective?
Consent: Opt-in vs. Opt-out
- With Opt-in, by default you must give affirmative consent
- With Opt-out, by default you are a participant unless you revoke your consent
  - Most applicable to research that isn’t federally-funded
  - You can’t only opt-out of part of the research; you must opt-out of everything
Discussion/For Your Consideration:
- Why might opt-in vs. opt-out consent be an issue for patients/advocates?
- How might it impact patients/advocates?
- Could one type of consent be more beneficial to research?
Data Privacy: When Are Data No Longer Anonymous?
Enough data can be collected so that a patient is no longer anonymous. For example:
- Some diseases only affect a very small population
- With enough information, people may be identified (via demographics, hospital/doctor location, food preferences, children, education, diseases, genetics, exercise activity, etc.)
- Some diseases or even just genetics (e.g. carrier status) can have social or ethical implications
  - Hormone therapy for individuals who are transgender
  - Oral contraception for certain religious groups
  - Abortion status
  - HIV status
Re-identification & Privacy
With enough information, anonymized records can be used to identify people. For example:
- From genetic information: you can get racial background, genetic diseases, mitochondrial DNA (which indicates mother), and basic characteristics such as eye and hair color
- From insurance information: you can get age, weight, height, diseases, pregnancies, surgeries, current medication, and location of healthcare provider
- From pharmacy records and prescription insurance: you can get current medications, which can indicate diseases, psychological diseases, and can indicate if someone is on hormone therapy
- From self-reported data: activity, location, weight, height, age, major medical conditions, sleep patterns, etc.
Re-identification Example 1
- Dr. Latanya Sweeney was able to link de-identified patient-specific medical data to a voter registration list to re-identify patients by name.
- She showed that 87% of the US population can be uniquely identified by three data points: date of birth, gender, 5-digit ZIP code.
  - 216 million of the 248 million people in the United States could be uniquely identified.
- Dr. Sweeney later showed similar identifiability in data sources such as pharmacy records, clinical trial data, and tax, public health, and criminal registries.
Source: http://latanyasweeney.org/work/identifiability.html
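A data custodian can measure this risk before releasing a dataset. The following is an added example, not part of the original slides: it counts how many records are unique on date of birth, gender and ZIP code, then shows the effect of coarsening those fields and suppressing the remaining outliers. The records, field names and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample of a "de-identified" release: names are removed, but the
# three data points from the slide (date of birth, gender, ZIP) remain.
RECORDS = [
    {"dob": "1961-03-14", "sex": "F", "zip": "27514", "dx": "C50.9"},
    {"dob": "1961-08-02", "sex": "F", "zip": "27516", "dx": "E11.9"},
    {"dob": "1961-11-23", "sex": "F", "zip": "27517", "dx": "I10"},
    {"dob": "1975-01-09", "sex": "M", "zip": "27701", "dx": "J45.9"},
    {"dob": "1975-06-30", "sex": "M", "zip": "27703", "dx": "C61"},
    {"dob": "1975-06-30", "sex": "M", "zip": "27703", "dx": "K21.9"},
    {"dob": "1988-12-01", "sex": "F", "zip": "27601", "dx": "B20"},
]
QUASI_IDENTIFIERS = ("dob", "sex", "zip")

def class_sizes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[k] for k in keys) for r in records)

def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Size of the smallest group; k == 1 means at least one person is unique."""
    return min(class_sizes(records, keys).values())

def unique_fraction(records, keys=QUASI_IDENTIFIERS):
    """Share of records whose quasi-identifier combination appears only once."""
    sizes = class_sizes(records, keys)
    singles = sum(1 for r in records if sizes[tuple(r[k] for k in keys)] == 1)
    return singles / len(records)

def generalize(record):
    """Coarsen a record: keep only the birth year and the first 3 ZIP digits."""
    out = dict(record)
    out["dob"] = record["dob"][:4]
    out["zip"] = record["zip"][:3] + "**"
    return out

def suppress_small_classes(records, k, keys=QUASI_IDENTIFIERS):
    """Withhold records that still sit in a group smaller than k."""
    sizes = class_sizes(records, keys)
    return [r for r in records if sizes[tuple(r[key] for key in keys)] >= k]

if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    released = suppress_small_classes(coarse, k=2)
    print("raw:     k =", k_anonymity(RECORDS), "unique =", unique_fraction(RECORDS))
    print("coarse:  k =", k_anonymity(coarse), "unique =", unique_fraction(coarse))
    print("release: k =", k_anonymity(released), "records =", len(released))
```

Coarsening alone leaves one record unique in this sample, which is the rare-case problem the earlier slides describe; only after that record is withheld does every remaining record share its three data points with at least two others.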
Re-identification Example 2
- It can be possible to identify participants in genetic research studies by cross-referencing data with publicly available information.
- A 2013 paper showed that a completely anonymous DNA donor could be identified.
  - Researchers used a computer program (lobSTR) to analyze anonymous data obtained from the 1000 Genomes Project.
  - The participants’ ages and family information were available on the research website.
  - The researchers were able to cross-reference the analyzed results with the research website and other publicly available information.
  - Almost 50 participants were identified.
- The study showed that participants in research could be identified by linking their genetic data to information readily available online.
Source: http://www.nature.com/news/privacy-protections-the-genome-hacker-1.12940#/b1
Discussion/For Your Consideration
Questions to consider:
- What do these re-identification examples have in common?
- What questions should a participant ask about data sharing?
- Can a participant fairly expect complete privacy in the “Internet Age”?
- Can you think of a scenario where re-identification or privacy would be an issue that you might encounter as a patient advocate?
- What are some implications of publicly available data used in unexpected ways to potentially allow re-identification?