Do FDA’s Proposed Security Requirements for Genetic Variant Databases Really Protect Privacy?

Editor’s Note: The FDA’s Draft Guidance for Stakeholders and Food and Drug Administration Staff on Use of Public Human Genetic Variant Databases to Support Clinical Validity for Next Generation Sequencing (NGS)-Based In Vitro Diagnostics places the burden for maintaining patient privacy on the database administrator, who is charged with determining what laws and regulations apply and then following them. The database administrator would also be required to “put in place adequate security measures to ensure the protection and privacy of patient and protected health information,” yet the guidance does not define what the agency means by “adequate.” Since, as the Harvard Business Review recently explained, “There’s No Such Thing as Anonymous Data,” the security section of the draft guidance appears to be more about marking the database administrator as the fall person in the event of a privacy breach than about actually protecting patient privacy.

From: FDA Draft Guidance for Stakeholders and Food and Drug Administration Staff on Use of Public Human Genetic Variant Databases to Support Clinical Validity for Next Generation Sequencing (NGS)-Based In Vitro Diagnostics

***

Security and Privacy: Genetic variant database operations must be in compliance with all applicable federal laws and regulations (e.g., the Health Insurance Portability and Accountability Act, the Genetic Information Nondiscrimination Act, the Privacy Act, the Federal Policy for the Protection of Human Subjects (“Common Rule”), etc.) regarding protected health information, patient privacy, research involving human subjects, and data security, as applicable. It is the responsibility of the genetic variant database administrator to identify the applicable laws and regulations and to assure that any requirements are addressed. Genetic variant database administrators should also put in place adequate security measures to ensure the protection and privacy of patient and protected health information and provide training for database staff on security and privacy protection.

Read Complete Draft Guidance
