GDPR, Informed Consent and the Opportunity to Overreach
The General Data Protection Regulation (GDPR) from the European Union is upon us. I won’t go into the motivation and minutiae of the regulation, but will concentrate on what we’ve seen before around the release of information necessary to carry out lifesaving clinical trials: overreach.
More than ten years ago, when AG Mednet pioneered the electronic collection and quality control of medical images in support of clinical trials, we began to wrestle with the question of what needed to be de-identified to meet US and European patient privacy rules. We needed to consider a number of technical constraints. While simply obliterating every element of image metadata would eliminate the possibility that some protected health information (PHI) would escape, this approach would also guarantee that the medical images could not be rendered by the software required to view them. We also encountered those who argued that any set of medical images containing a head scan of the patient had to be redacted in a way that would prevent a reconstruction of the subject’s actual face. This of course would guarantee that most of the time, MRI or CT scans of the head would be rendered useless.
Eventually rational minds prevailed, enabling an orderly approach to de-identification. For image metadata we released functionality based on blacklisting those tags that the industry and our users deemed either to contain, or to be at risk of containing, PHI. We also released pixel-level de-identification functionality to redact PHI that could be burned into the images themselves. To date, these features have been used in nearly 800 different clinical trials, across tens of millions of images.
With GDPR, we can see how the same rational minds have again become uneasy, and are instinctively gravitating back to a philosophy of “too much is always enough.” There is a sense that somehow the new regulations have changed something that was already binary. You were either using your best efforts to avoid PHI escapes, or you were not, independent of the punitive consequences. To help those who feel there are more t’s to cross and i’s to dot, we are releasing a whitelist de-identification capability for DICOM private tags that enables our clients to remove all private tags except those they deem necessary for image rendering.
No action, however, will guarantee that in 100% of cases, 100% of images will be impossible to re-identify. This is not a technical limitation, but rather the result of human behavior. For instance, a de-identification scheme can fully implement the DICOM working group’s suggested metadata clearing process, but there is nothing preventing a hospital or imaging center from recording patient health information in a random tag.
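The two filtering policies described above, side by side, as an added example that is not AG Mednet's code. It assumes the DICOM header is already parsed into a dictionary; the sample values, the vendor name and both tag lists are constructed for illustration.

```python
# Constructed sample header: (group, element) -> value. Not from a real study.
SAMPLE = {
    (0x0010, 0x0010): "DOE^JANE",          # PatientName (standard tag)
    (0x0010, 0x0030): "19700101",          # PatientBirthDate (standard tag)
    (0x0028, 0x0010): 512,                 # Rows, needed to render the image
    (0x0028, 0x0011): 512,                 # Columns, needed to render the image
    (0x0029, 0x0010): "EXAMPLE VENDOR",    # private creator, reserves block 0x10
    (0x0029, 0x1001): "LUT-7",             # private, assumed needed for rendering
    (0x0029, 0x1002): "Jane Doe, ward 4",  # private free text carrying PHI
}

# Hypothetical policy lists. Private tags are whitelisted by
# (group, creator, low byte) because the block number can differ per file.
BLACKLIST = {(0x0010, 0x0010), (0x0010, 0x0030)}
PRIVATE_WHITELIST = {(0x0029, "EXAMPLE VENDOR", 0x01)}

def is_private(tag):
    """DICOM private tags are the ones with an odd group number."""
    return tag[0] % 2 == 1

def blacklist_deid(header, blacklist=BLACKLIST):
    """Drop only the tags known to hold PHI; everything else passes."""
    return {t: v for t, v in header.items() if t not in blacklist}

def whitelist_private(header, whitelist=PRIVATE_WHITELIST):
    """Keep standard tags; keep a private tag only if it is whitelisted."""
    kept, creators = {}, set()
    for (group, elem), value in header.items():
        if not is_private((group, elem)):
            kept[(group, elem)] = value
            continue
        if elem <= 0xFF:
            continue  # creator slots are re-added below only if still needed
        block = elem >> 8  # high byte points at the creator element
        creator = header.get((group, block))
        if (group, creator, elem & 0xFF) in whitelist:
            kept[(group, elem)] = value
            creators.add((group, block))
    for tag in creators:  # a kept private tag is meaningless without its creator
        kept[tag] = header[tag]
    return dict(sorted(kept.items()))

def deidentify(header):
    """Blacklist on standard tags, then whitelist on private tags."""
    return whitelist_private(blacklist_deid(header))
```

A free-text value written into a standard tag that is not on the blacklist passes through both filters, which is the residual risk the paragraph above describes.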
This brings me to the issue of “informed consent.” This agreement, signed by every patient wishing to become a clinical trial subject, provides them with a detailed and well-defined description of how their data will be used in the project. It provides the best opportunity to describe in plain language how their data will be safeguarded by the parties defining and running the trial in which they wish to participate. This document explains that their data is what makes the clinical trial possible. By signing it, they agree to have that data shared. Through the same agreement, those responsible for the safekeeping of that data agree to protect it.
As an industry, we must focus on providing that protection, and indeed the regulation rightly demands it. Every bit of data being used in a clinical trial is, by definition, personal health information, not just a simple name or a birthday. Focusing on single atomic elements of the patient’s data produces nothing but an illusion of compliance. Someone’s genome is unique. Someone’s bone structure is unique as well. Both can lead to patient identification.
We therefore cannot avoid sharing personal health information. Our duty as an industry should not be stubbornly focused on avoiding sharing data that the subject has already agreed to share. Our duty is to protect all the data at all times because, no matter what, either it represents the subject, or it is useless for the drug discovery process.
As a company, we continue to provide and add capabilities to the most advanced data de-identification solutions in the industry, and our customers remain compliant with the most stringent anonymization schemes. Our platform is in line with GDPR by enabling not only state-of-the-art anonymization, but strict protection mechanisms that both safeguard patient data and enable the smooth execution of clinical trials.