NIH Issues Rules on Genomic Data Sharing
The types of research projects covered by the GDS Policy include genome-wide association studies (GWAS), single nucleotide polymorphisms (SNP) arrays, and genome sequence, transcriptomic, metagenomic, epigenomic, and gene expression data, regardless of NIH funding level and funding mechanism (e.g., grant, contract, cooperative agreement, or intramural support).
The GDS Policy sets forth NIH’s expectation that researchers will obtain the informed consent of study participants for the potential future use of their de-identified data for research and for broad sharing. NIH also expects that informed consent for future research use and broad data sharing will be obtained even if a study involves de-identified cell lines or clinical specimens.
The GDS Policy recognizes that for studies using data from specimens collected before the effective date of the Policy, there may be considerable variation in the extent to which future genomic research and broad sharing were addressed in the informed consent materials for the primary research. The GDS Policy notes that in these cases, an assessment by an IRB, privacy board, or equivalent body is needed to ensure that data submission is not inconsistent with the informed consent provided by the research participant.
The GDS Policy notes that NIH-designated data repositories need not be the exclusive source for facilitating the sharing of genomic data, and that investigators may also elect to submit data to non-NIH-designated data repositories in addition to NIH-designated data repositories. The Policy provides, however, that investigators should ensure that appropriate data security measures are in place at the non-NIH repository, and that confidentiality, privacy, and data use measures are consistent with the GDS Policy.
The Policy states that investigators should de-identify human genomic data in accordance with HHS “Common Rule” and HIPAA Privacy Rule standards, and suggests that investigators and institutions obtain a “Certificate of Confidentiality” as an additional precaution given the re-identifiability of genomic data. The GDS Policy also establishes a tiered model for access to human genomic data, where the informed consent under which the data was collected will determine whether the data should be available through unrestricted or controlled access. Researchers that obtain controlled-access data are expected to agree to an NIH Data Use Certification and to follow NIH guidance on security best practices (e.g., physical security measures and user training).
Although the GDS Policy is not directly applicable to research that is not funded by NIH, it will likely be influential and may be followed as a best practice by researchers that are not subject to its requirements.