Security for VA's Genomic ResearchA Project Leader Outlines Security Precautions
The Million Veteran Program, launched in January at one VA medical center, hopes to recruit 1 million volunteers nationally within five to seven years. The VA is now enrolling veterans in nine cities and will invite veterans elsewhere to participate over the course of the coming year (see: VA Launches Genomic Research).
The primary goal of the project is to develop a better understanding of the links between genetic variations and diseases and conditions, with a particular focus on veterans' issues, such as recovery from combat injuries, says Timothy O'Leary, M.D., deputy chief research and development officer at the Veterans Health Administration.
The human genome research effort is designed to enable more complex queries than other personalized medicine projects, O'Leary says. "This system is not being built to reach the low-hanging fruit; it's aimed as asking harder questions that require more information to be able to answer them."
Role of Bar CodesIn the voluntary program, veterans will provide blood samples from which DNA information will be gathered. The samples will be labeled with a bar code, which can be used, with a key, to link them to a veteran's de-identified electronic health records. "Only a very small number of staff have access to that key," O'Leary says.
Researchers using the genetic information and patient records will only be able to gain access to a narrow amount of information to support their pre-approved research, O'Leary notes. And they'll never have access to any veterans' identifiers, such as Social Security numbers, he says.
The VA is still ironing out all the details for the security provisions because it will take one to two year to gather enough genetic information to support research, O'Leary explains. But research queries likely will be conducted only by VA staff, who will use the VA's new secure GenISIS (Genomic Informatics System for Integrated Science) computing environment, which is still in the works, he adds.
"We would anticipate that data would be queried from someplace within the VA firewall ... based on a research proposal that has undergone peer review," O'Leary says. Eventually, some researchers may be able to access certain data directly to conduct limited queries, such as, for example, to determine if enough data on veterans who served in combat and have diabetes are available to support a study.
Administrative fields in the EHR that include patient identifiers will be scrubbed before researchers can access information within them, O'Leary explains. The VA is still working out the details of how it will use algorithms to remove any identifying information from the text portion of EHRs.
Veterans' information will not be gathered in one database for the research project; instead, it will be accessed from multiple databases as needed, each with separate access controls, he says.
Other Security Measures
Leaders of the MVP project have applied for a Certificate of Confidentiality from the National Institutes of Health. With this certificate, MVP researchers would be able to avoid being forced, even by a court subpoena, to disclose information that may identify the participants.
Researchers must have their projects approved by a VA oversight committee. They can use the information in the database only for studies of the causes and treatments of disease that meet all ethical, scientific and regulatory criteria established by the VA and other agencies. "A privacy and information security officer will review every VA research protocol," O'Leary notes. "They will look for things that might ... create a security hazard."