“That Belongs To Me!”: NGS Data and Security Part 2

In the first part of this article, we revisited progress in genetic testing, from mid-20th century blood-typing through to personalized medicine. The huge increase in personal health and genome data drags along security and ethical questions which, in some cases, lag behind the technology. Genomic data obtained in a clinical setting are largely subject to the same regulations and confidentiality concerns as other types of patient medical information. In the United States, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates privacy of all patient information collected in a clinical setting.

No peeking

In addition, the U.S. Genetic Information Nondiscrimination Act of 2008 (GINA) protects individuals from discrimination based on genotype from insurance companies and employers alike. A patchwork of regulatory guidelines also mandates security standards for records and test results, including software used for electronic medical records. Similar requirements exist or are being implemented across Europe, Canada, Australia, and New Zealand, where wrinkles and hiccups are generally fewer due to more centralized health care networks.

And now fill in the gaps

Thorough as these measures might seem on paper, they were not designed to deal with the length and breadth of genomic data. NGS output files differ by platform and downstream analysis. Encryption protocols vary by security level and implementation. While security is present (HIPAA), it is far from standardized, leaving many to fret that patient information may slip through the cracks. A panel of American scientists recently (http://bioethics.gov/node/764) recommended tweaks to HIPAA and GINA that should tighten privacy laws (including prohibition against NGS of samples obtained by clandestine means), standardize security and encryption procedures, and provide adequate HIPAA-based training to the computer scientists who will handle NGS clinical data. If implemented, these changes could serve as a model to other countries facing similar headaches.

Oversight shmoversight

We are right to wring our hands over patient privacy concerns, especially since NGS will likely play an ever greater role in medicine over the coming decades. However, most of the rules and regulations across North America and Europe do not cover NGS data gathered in a non-clinical research setting. In these cases, ad hoc security and encryption methods theoretically protect patient anonymity, but oversight varies by institution and jurisdiction. In addition, the degree of consent subjects give for use of their NGS data varies wildly, creating confusion as to how and when these data can be shared among scientists. In the United States, measures to bring some degree of standardized security and consent have been proposed, but not implemented at the federal level. European Union countries face a similar mess!

The long arm of the law

As servers across the globe are being rapidly filled with NGS data, some of the largest repositories of genetic and genomic information belong to law enforcement agencies. DNA and tissue samples, as well as genetic (and now genomic) tests conducted as part of criminal investigations, sit in storerooms, in freezers, and on hard drives. Law enforcement officials, prosecutors, and magistrates often have discretionary powers to use these data in future investigations and share them with other government entities. Civil liberties advocates are particularly sweating over vast and poorly-managed repositories in the United States and United Kingdom, among the largest in the world. Governments have yet to address these concerns with coherent policies which preserve individual liberties without impeding criminal investigations or threatening national security. The role of NGS in law enforcement remains a ‘sleeping giant’. Another apt metaphor would characterize this issue as a ‘political hot potato’, long overlooked by both the general public and elected officials.

A work in progress

Most laws on the books don’t anticipate the power and pitfalls of the genomic era. Although Western democracies defer to the confidentiality of patient information, the challenge now is to integrate those values into the security procedures for NGS data. Standards and some minor oversight could also protect research subjects who donate DNA for non-clinical NGS studies. Much could be done, but we must take care that fixes to ensure confidentiality do not tie up researchers in red tape. The devil, as always, is in the details. The same could be said about the human genome.

