Implementing Regulatory Broad Consent Under the Revised Common Rule: Clarifying Key Points and the Need for Evidence.

The revised Common Rule includes a new option for the conduct of secondary research with identifiable data and biospecimens: regulatory broad consent. Motivated by concerns regarding autonomy and trust in the research enterprise, regulators had initially proposed broad consent in a manner that would have rendered it the exclusive approach to secondary research with all biospecimens, regardless of identifiability. Based on public comments from both researchers and patients concerned that this approach would hinder important medical advances, however, regulators decided to largely preserve the status quo approach to secondary research with biospecimens and data. The Final Rule therefore allows such research to proceed without specific informed consent in a number of circumstances, but it also offers regulatory broad consent as a new, optional pathway for secondary research with identifiable data and biospecimens. In this article, we describe the parameters of regulatory broad consent under the new rule, explain why researchers and research institutions are unlikely to utilize it, outline recommendations for regulatory broad consent issued by the Secretary's Advisory Committee on Human Research Protections (SACHRP), and sketch an empirical research agenda for the sorts of questions about regulatory broad consent that remain to be answered as the research community embarks on Final Rule implementation.

No exchange, same pain, no gain: Risk-reward of wearable healthcare disclosure of health personally identifiable information for enhanced pain treatment.

Wearable technologies have created fascinating opportunities for patients to treat chronic pain in a discreet, mobile fashion. However, many of these health wearables require patients to disclose sensitive information, including health information (e.g., heart rate, glucose levels) and personal information (location, email, name, etc.). Individuals using wearables for treatment of chronic pain may sacrifice social health elements, including their privacy, in exchange for better physical and mental health. Utilizing communication privacy management, a popular disclosure theory, this article explores the policy and ethical ramifications of patients disclosing sensitive health information in exchange for better health treatment and relief of chronic pain. The article identifies scenarios where a user must disclose information, and what factors motivate or dissuade disclosure, and ultimately the use of a health wearable. Practical implications of this conceptual article include an improved understanding of how and why consumers may disclose personal data to health wearables, and potential impacts for public policy and ethics regarding how wearables and their manufacturers entice disclosure of private health information.

United States: law and policy concerning transfer of genomic data to third countries.

This paper provides an overview of US laws and related guidance documents affecting transfer of genomic data to third countries, addressing the domains of consent, privacy, security, compatible processing/adequacy, and oversight. In general, US laws governing research and disclosure and use of data generated within the health care system do not impose different requirements on transfers to researchers and service providers based in third countries compared with US-based researchers or service providers. Of note, the US lacks a comprehensive data protection regime. Data protections are piecemeal, spread across bodies of law that target specific kinds of research or data generated or held by specific kinds of actors involved in the delivery of health care. Oversight is also distributed across a range of bodies, including institutional review boards and data access committees. The conclusion to this paper examines future directions in US law and policy, including proposals for more comprehensive protections for personal data.

United Kingdom: transfers of genomic data to third countries.

In the United Kingdom (UK), transfer of genomic data to third countries is regulated by data protection legislation. This is a composite of domestic and European Union (EU) law, with EU law to be adopted as domestic law when Brexit takes place. In this paper we consider the content of data protection legislation and the likely impact of Brexit on transfers of genomic data from the UK to other countries. We examine the advice by regulators not to rely upon consent as a lawful basis for processing under data protection law, at least not when personal data are used for research purposes, and consider some of the other ways in which the research context can qualify an individual's ability to exercise control over processing operations. We explain how the process of pseudonymization is to be understood in the context of transfer of genomic data to third parties, as well as how adequacy of data protection in a third country is to be determined in general terms. We conclude with reflections on the future direction of UK data protection law post Brexit with the reclassification of the UK itself as a third country.

China: concurring regulation of cross-border genomic data sharing for statist control and individual protection.

This paper reviews the major legal instruments and self-regulations that bear heavily on the cross-border sharing of genomic data in China. It first maps out three overlapping frameworks on genomic data and analyzes their underpinning policy goals. Subsequent sections examine the regulatory approaches with respect to five aspects of responsible use and sharing of genomic data, namely, consent, privacy, security, compatible processing, and oversight. It argues that substantial centralised control exerted by the state is, and would probably remain, the dominant feature of genomic data governance in China, though concerns of individual protection are gaining momentum. Rather than revolving around a simplistic antinomy between privacy preservation and open science, the regulatory landscape is mainly shaped by the tension between government desires for national security, state competitiveness, and public health benefits.

Canada: will privacy rules continue to favour open science?

Canada's regulatory frameworks governing privacy and research are generally permissive of genomic data sharing, though they may soon be tightened in response to public concerns over commercial data handling practices and the strengthening of influential European privacy laws. Regulation can seem complex and uncertain, in part because of the constitutional division of power between federal and provincial governments over both privacy and health care. Broad consent is commonly practiced in genomic research, but without explicit regulatory recognition, it is often scrutinized by research or privacy oversight bodies. Secondary use of health-care data is legally permissible under limited circumstances. A new federal law prohibits genetic discrimination, but is subject to a constitutional challenge. Privacy laws require security safeguards proportionate to the data sensitivity, including breach notification. Special categories of data are not defined a priori. With some exceptions, Canadian researchers are permitted to share personal information internationally but are held accountable for safeguarding the privacy and security of these data. Cloud computing to store and share large scale data sets is permitted, if shared responsibilities for access, responsible use, and security are carefully articulated. For the moment, Canada's commercial sector is recognized as "adequate" by Europe, facilitating import of European data. Maintaining adequacy status under the new European General Data Protection Regulation (GDPR) is a concern because of Canada's weaker individual rights, privacy protections, and regulatory enforcement. Researchers must stay attuned to shifting international and national regulations to ensure a sustainable future for responsible genomic data sharing.

Preventing Unintended Disclosure of Personally Identifiable Data Following Anonymisation.

Errors and anomalies during the capture and processing of health data have the potential to place personally identifiable values into attributes of a dataset that are expected to contain non-identifiable values. Anonymisation focuses on those attributes that have been judged to enable identification of individuals. Attributes that are judged to contain non-identifiable values are not considered, but may be included in datasets that are shared by organisations. Consequently, organisations are at risk of sharing datasets that unintendedly disclose personally identifiable values through these attributes. This would have ethical and legal implications for organisations and privacy implications for individuals whose personally identifiable values are disclosed. In this paper, we formulate the problem of unintended disclosure following anonymisation, describe the necessary steps to address this problem, and discuss some key challenges to applying these steps in practice.

Battle Hacks.

Federal, state, and private-product options exist to help practices stay in compliance with HIPAA privacy and security regulations while keeping patient information secure. The Texas Medical Association offers one such product, the Online HIPAA Security Manager, at a discounted rate for members.