The 21st Century Cures Act was passed with support from both sides of the aisle (imagine that!) and signed into law by then-President Obama late last year. This ambitious legislation drives action in areas as diverse as drug and device regulation and response to the opioid epidemic. It also tackles the issue of how to make data more broadly available for research use and clinical purposes. In our recently published GIM article, “Sharing data under the 21st Century Cures Act,” we examine the Act’s potential to facilitate data-sharing, in line with a recent position statement of the American College of Medical Genetics and Genomics. We highlight a number of provisions of the Act that either explicitly advance data-sharing or promote policy developments that have the potential to advance it. For example, Section 2014 of the Act authorizes the Director of National Institutes of Health to require award recipients to share data, and Section 4006 requires the Secretary of Health and Human Services to promote policies ensuring that patients have access to their electronic health information and are supported in sharing this information with others.
Just as relevant, the Act takes steps to reduce some major barriers to data sharing. An important feature of the Act, which has not been extensively publicized, is its incorporation of provisions from legislation originally proposed by Senators Elizabeth Warren and Mike Enzi to protect the identifiable, sensitive information of research subjects. Senator Warren, in particular, has been a vocal advocate of data sharing. Arguably, one of the biggest barriers to sharing is public concern about privacy. The relevant provisions address this concern chiefly via Certificates of Confidentiality. Among other things, the Act makes issuance of Certificates automatic for federally-funded research in which identifiable, sensitive information is collected and prohibits disclosure of identifiable, sensitive information by covered researchers, with only a few exceptions such as disclosure for purposes of other research. These protections became effective June 11, 2017. While NIH has signaled its awareness of the Act, it has not yet updated its Certificates of Confidentiality webpage.
Unfortunately – or perhaps fortunately for policy commentators and scholars – the Act does not resolve all of the policy issues related to data sharing. One major loose end is the confusion that comes with defining “identifiable” (with identifiability serving as a trigger for privacy and other protections for information or biospecimens) and the implications of proof-of-concept work on re-identification of genomic datasets for a range of policies related to data sharing. We only touch on this issue in the article, and we certainly cannot resolve it here. We can say that the current situation, with at least four different definitions at the federal level alone (21st Century Cures aggravated the problem by introducing the fourth), is a recipe for legal confusion. Further, we can add that it is well past time for policy makers to build on existing studies and support more extensive engagement with the general public and research participants regarding the trade-off between maximizing privacy protections for data and maximizing the utility of data for research, clinical, public health, and other legitimate uses.
The cited work was funded by the National Institutes of Health National Human Genome Research Institute grant R01 HG008918. More information on our research is available at: Center for Medical Ethics and Health Policy at Baylor College of Medicine and the Consortium for Science, Policy and Outcomes at Arizona State University.