From base pairs to the bedside: medical confidentiality in a changing world

12 December 2012 by Rosalind English

This week David Cameron announced plans  to introduce whole genome mapping for cancer patients and those with rare diseases within the NHS. 

Single gene testing is already available across the NHS ranging from diagnosing cancers to assessing patients’ risk of suffering side effects from treatment, but this initiative will mean that the UK will be the first country in the world to introduce the technology within a mainstream health system, with up to 100,000 patients over three to five years having their whole genome – their personal DNA code –sequenced. According to Chief Medical Officer Professor Dame Sally Davies

The genome profile will give doctors a new, advanced understanding of a patient’s genetic make-up, condition and treatment needs, ensuring they have access to the right drugs and personalised care far quicker than ever before.

What will this mean for medical confidentiality?  The official announcement ends with the following declaration:

1. Genome sequencing is entirely voluntary. Patients will be able to opt out of having their genome sequenced without affecting their NHS care.

2.  Whole genome sequence data will be completely anonymised apart from when it is used for an individuals own care.

3. A number of ways to store this data will be investigated. The privacy and confidentiality of NHS patients will be paramount in this decision.

Which all sounds very well until one considers two factors: one, the huge potential of genomic data to provide information as our understanding of it develops, and two, the necessity to link genomic information with clinical data (the “phenotype”). This is crucial as the genetic data in themselves means little if a “function” or “effect” cannot be attributed to them.  For research to benefit more patients, genetic data must be matched with clinical data to discover what genetic variations might be linked to which disease and its prognosis, and which treatment regimens might be most effective. This makes the process of anonymisation more complicated.

The current position

Until recently, the privacy of patient’s records has been taken as a given – more or less. Although the information in a patient’s medical record is technically the property of the hospital or health care institution in question,  that individual has a right to expect that the public health authorities will not disclose or allow access to those records. Medical privacy, long supported by common law confidentiality and health legislation,  is also an established interest under Article 8 in Strasbourg jurisprudence, and approved by the House of Lords in Campbell v MGN Ltd [2004] UKHL 22.  The general view is that the professional obligation of the doctor is to maintain the medical confidences of the patient even after the patient’s death – this is supported by guidance from the GMC  and the Declaration of Geneva (see Lewis v Secretary of State for Health [2008]EWHC 2196 (QB).There have been exceptions of course, and sometimes records have had to be disclosed in the interest of bringing effective prosecutions against health professionals (see Adam’s post on the balancing of private and public interests here). But the baseline has always been that such information should be protected not only in the interests of the patient’s privacy but also to preserve his or her confidence in the medical profession and in the health services in general.

‘Without such protection, those in need of medical assistance may be deterred from revealing such information of a personal and intimate nature as may be necessary in order to receive appropriate treatment and, even, from seeking such assistance, thereby endangering their own health and, in the case of transmissible diseases, that of the community.’…now the balancing act has another, potentially weightier factor to put in the scales against the patient’s private interests: the right to health itself. (Baroness Hale in Campbell v MGN Ltd, para 95)

Processing of patient data is covered by the Data Protection Act 1998.  In addition, where disclosure is sought under the 2006 National Health Service Act, the scope of disclosure is strictly limited by the relevant Regulations made under the Act; no more confidential information may be accessed under these regulations “than is necessary to achieve the purpose” as defined in the licence, and no patient information may be processed unless the person requesting the information is “a health professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional”.

This means, in effect, that if the body seeking the information is not concerned with the management of health and social care services (as required by section 251(12) of the National Health Service Act 2006) then these regulatory hurdles have not been cleared and access is denied.

The challenge presented by Whole Genome Sequencing

But these common law, professional ethical and regulatory protections relate only to clinical data pertaining to patient, i.e. information arising when a patient is seen within an NHS context.  Recent developments in DNA sequencing have dramatically cut the cost and time required to sequence a human genome.  The sequencing of 100,000 patients’ genomes in centres capable of sequencing DNA at speed in the UK will create a huge databank of information which we do not yet have the tools to interpret fully. This in turn has opened the door on a new molecular pathology that will shed light on a potentially open-ended number of conditions relating not only to individuals but their families as well (the so called “cascade effect”).

In the light of these developments, the doctor/patient basis for confidentiality has been rendered far more complicated. Even the confidentiality of research data – currently dealt with by the anonymisation system – is open to question when the speed of analysis promises to overtake de-identifying techniques.  For example, the direct-to-customer  US sequencing company 23andMe has just announced that it has raised fifty million dollars in new financing as part of a concerted effort to grow its genetic database to one million customers. The use of the word “customers” (or “customers qua research participants”) underscores the very different approach in the private sector to those who supply raw genetic, phenotypic and other material for these companies’ expanding databases.  The legal framework is not keeping pace with these developments.

Confidentiality is just one of the many “ethical, legal and social implications” of this explosion in molecular knowledge (“ELSI”) exercising the experts in this field. Organisations like the Foundation for Genomics and Popular Health are trying to anticipate some of the problems created by establishing the role of genomics in mainstream medicine by undertaking what they call “rigorous conceptual and ethico-legal analysis” of the issues raised.  At the PHG conference in Cambridge last week, speakers explored the way in which policy makers can make the best use of these biomedical innovations, particularly when the cheaper and faster “next generation sequencing” (NGS) is eventually used in health services:

the scale of genetic information generated by NGS technologies will dwarf that currently provided by existing diagnostic techniques. One of the principle concerns is what we do with that information, particularly incidental, unsolicited findings from test results. We simply do not know what ethical, legal, social and practical issues will arise when NGS is introduced into the clinical setting.

As one of the speakers remarked, one of the advantages of genomic data (at the moment) is that it represents “low legal involvement”. It is global, open and shared between many laboratories all over the world. Clinical data, on the other hand, is closed and surrounded by a “high level of legislation”. So the idea of having global resources of individual genomic data is problematic. How do we use the clinical data to help us interpret all this open genomic/molecular data? To be more specific, how do we classify variants in the genome whose function is not yet fully understood?  One of the presentations discussed this “incidentalome” – the massive amount of data that we don’t yet fully understand, but may prove vital in future treatment development (the Myriad saga shows how important these single point mutations without a known function can be in the context of breast cancer therapy). This challenge will only be met if personal data is made available for storage and research.

The government has decreed that the Clinical Practice Research Database might be the process by which access happens, but the devil will lie in the detail.  Should all this new science lead to a root and branch review of our old rules on privacy of clinical data? Some speakers – not entirely surprisingly – regarded law as too reactionary a force. Bartha Koppers, professor of law and medicine at McGill University, suggested that policymaking in this area will be caught “by the advent of internationalisation of research”. More stringent legal and ethical privacy requirements are not the way ahead, she stressed.   What we need is a “better, complex and adaptive system to guide policy” in this area.  If we are to step up to this challenge we should move towards an “anticipatory ethics” which is less a protection against the “presumed” dangers of science but a better dialogue, avoiding regulations and laws the prevent science from developing and helping the patient. Policy in this area

should be used not as a hammer or a wall but a filter that responds to science and public needs… the alliance of total confidentiality and efficiency [within the NHS] is no longer sustainable. It’s a matter of stopping protecting patients from themselves. Records should be easily transferable and shareable.

The Department of Health set up a working party, the Human Genetics Strategy Group, to tackle some of these questions in their report of January 2012. One of the Group’s recommendations was a national central genomic data storage facility, as this week’s Downing Street announcement suggests. But it is difficult to see how this fits in with the current array of biodatabases freely exchanging information across the globe. The general view at this conference was that centralisation was not the answer, that it would get in the way of the spirit of cooperation and transparency that is vital to the translation of genomic technology into medicine.

Postscript:  While we wait for the great strides in genomic knowledge to be made manifest in clinical medicine, some may be encouraged by a fascinating story reported in the New York Times of  a young genomics researcher at Washington University in St. Louis who got cancer, had access to detailed information about his tumors, and—after some wrestling with his insurance company—ended up getting a targeted drug nobody would have thought to prescribe without that information. Also, see this interesting article on the “goldmine of DNA” for marketers by Canadian journalist Carolyn Abrahams, who observes that “a six-billion-unit code brimming with nothing but personal data” will be irresistable-

 pointing out people at risk of obesity, or cancers and high cholesterol, or even those with dead-straight hair, making the carriers of these gene variants prime targets to receive tailored ads for, say, discount gym memberships, weight-loss programs, antioxidants, cholesterol-lowering drugs or even home perms.