Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Health Privacy/HIPAA

NIH Issues Rules on Genomic Data Sharing

On August 27, 2014, the National Institutes of Health (NIH) issued a new Genomic Data Sharing (GDS) Policy, which replaces the current genome-wide association study (GWAS) data policy that was instituted in 2007.  The GDS Policy applies to all NIH-funded research that generates large-scale human or non-human genomic data as well as the use of that data for subsequent research.   As discussed below, the Policy promotes the use of broad informed consent for future study and sharing.

The types of research projects covered by the GDS Policy include genome-wide association studies (GWAS), single nucleotide polymorphisms (SNP) arrays, and genome sequence, transcriptomic, metagenomic, epigenomic, and gene expression data, regardless of NIH funding level and funding mechanism (e.g., grant, contract, cooperative agreement, or intramural support).

The GDS Policy sets forth NIH’s expectation that researchers will obtain the informed consent of study participants for the potential future use of their de-identified data for research and for broad sharing.  NIH also expects that informed consent for future research use and broad data sharing will be obtained even if a study involves de-identified cell lines or clinical specimens.

The GDS Policy recognizes that for studies using data from specimens collected before the effective date of the Policy, there may be considerable variation in the extent to which future genomic research and broad sharing were addressed in the informed consent materials for the primary research.  The GDS Policy notes that in these cases, an assessment by an IRB, privacy board, or equivalent body is needed to ensure that data submission is not inconsistent with the informed consent provided by the research participant.

The GDS Policy notes that NIH-designated data repositories need not be the exclusive source for facilitating the sharing of genomic data, and that investigators may also elect to submit data to non-NIH-designated data repositories in addition to NIH-designated data repositories.  The Policy provides, however, that investigators should ensure that appropriate data security measures are in place at the non-NIH repository, and that confidentiality, privacy, and data use measures are consistent with the GDS Policy.

The Policy states that investigators should de-identify human genomic data in accordance with HHS “Common Rule” and HIPAA Privacy Rule standards, and suggests that investigators and institutions obtain a “Certificate of Confidentiality” as an additional precaution given the re-identifiability of genomic data.  The GDS Policy also establishes a tiered model for access to human genomic data, where the informed consent under which the data was collected will determine whether the data should be available through unrestricted or controlled access.  Researchers that obtain controlled-access data are expected to agree to an NIH Data Use Certification and to follow NIH guidance on security best practices (e.g., physical security measures and user training).

Although the GDS Policy is not directly applicable to research that is not funded by NIH, it will likely be influential and may be followed as a best practice by researchers that are not subject to its requirements.