CommentaryPolicy

Reporting Actionable Research Results: Shared Secrets Can Save Lives

See allHide authors and affiliations

Science Translational Medicine  18 Jul 2012:
Vol. 4, Issue 143, pp. 143cm8
DOI: 10.1126/scitranslmed.3003958

Abstract

In this Commentary, we describe a cryptographic method for returning research results to individuals who participate in clinical studies. Controlled use of this method, which relaxes the typical anonymization guarantee, can ensure that clinically actionable results reach participants while also addressing most privacy concerns.

To protect privacy, the current regulatory framework for research on human subjects encourages the use of anonymization—a guarantee that a biological sample cannot be associated with the research participant who donated it. There are multiple approaches to anonymization used by biobanks—repositories for human biological samples—and many are based on the Health Insurance Portability and Accountability Act Privacy Rule (U.S. 65 FR 82462) as well as others (for example, the Vanderbilt Synthetic Derivative) (1). Although there are proposed alternatives to anonymization that provide more flexibility regarding return of information to participants (2), regulatory requirements associated with these frameworks drive most biobanks to choose anonymization. We propose a cryptographic mechanism that relaxes the anonymization guarantee under carefully controlled circumstances, addressing this harm at a modest cost to privacy.

A promise of anonymity is often a central aspect of the informed consent process (35). Although not its primary purpose, anonymity also prevents the return of research results to an individual participant; thus, a participant cannot be informed about any clinically actionable information obtained through the research. Only nonidentifiable aggregate results of a research study are typically made available through publications in scientific journals or other public media (6).

On occasion, a specific research result can suggest clinical action, either preventive or therapeutic, that could benefit a particular participant—action that would unlikely be taken without specific knowledge of the result. This work was motivated in part by the experience of a colleague who ran a large proteomics study intended to validate a predictive proteomic approach for early diagnosis of lung cancer (7). The study involved ~1400 people, some of whom had been diagnosed with lung cancer and others acting as controls who were heavy smokers thought to be cancer-free. In work preliminary to that study, when fewer participants had been recruited, mathematicians at SomaLogic created a high-performance classifier that distinguished (retrospectively) the participants with non–small cell lung cancer (NSCLC) from the controls.

The annual rate of diagnosis of lung cancer in heavy smokers, such as the controls, is ~1% (8); 1 of the 63 controls in this preliminary analysis scored in a range that suggested NSCLC. That is, one of the putative control participants displayed results that were different from the others and similar to those of the cancer patients. Taken together with other information about the participant, these results strongly suggested an undiagnosed NSCLC. If that diagnosis were confirmed, the participant’s life could be saved because early-stage surgical intervention has a high likelihood of success, whereas later-stage diagnoses have no effective therapy (9). There are a variety of other clinical conditions, such as ovarian cancer or sudden cardiac death, in which early detection is likely to have positive therapeutic consequences; in fact, much diagnostic research addresses such conditions.

This proposal regards findings that have clear, immediate clinical utility and are unlikely to be screened or tested for in standard routine medical care. Such results could include both the intended product of the research and unanticipated incidental findings (10). The clinical actionability of a research finding for a participant depends on four factors: the validity, utility, risk, and benefit of the finding. First, the validity of the research findings should be confirmed—for example, by a clinical laboratory. Second, clinical utility means the results are relevant to treatment decisions (4, 6, 11) or entail risks that have effective preventive interventions (12, 13). Last, consideration of the risks and potential benefits of transmitting the result must demonstrate a reasonable chance of improving well-being, reducing harm, or both for the participant. The clinical utility of research results—in particular, those from new and as yet unapproved procedures—must be evaluated carefully in the context of reporting the results to study participants.

Currently, there is no universally recognized authoritative policy that addresses the ethical duty or lack thereof to return individual research results to participants. Concerns about shortcomings of existing international norms are driving additional ethics research (14). However, recommendations that researchers have an ethical obligation to communicate actionable individual results to participants are growing in the literature (4, 6, 1519). In addition, international surveys are in progress (for example, http://www.genomethics.org/about_questionnaire.html) to assess public attitudes toward return of incidental findings.

Anonymization prevents any information derived from biological samples provided by the participant from ever being associated with the participant for any reason. So despite the apparently compelling reason to contact the participant in the NSCLC case, there is no way to reconnect the sample to a specific research participant. Alternative approaches for reaching this participant are problematic; for example, contacting all participants involved in the study and informing them of the finding would cause unjustified concern among the vast majority of participants, who are not the ones who had the actionable result (20). In addition, conveying that one person out of potentially many thousands of possible participants has an actionable problem might not be motivating enough to lead to action by the individual that could benefit from the knowledge. Furthermore, the NSCLC study described above was conducted under an exemption (anonymization) from investigational device regulation (21 CFR 812), making any attempt to provide results to a patient—no matter how indirect—a violation of U.S. law.

The very possibility of a guarantee of anonymity for genomic data has been called into question by recent technical advances. Genomic data itself is an indicator of identity and can be decoded, even when samples are provided anonymously. Individual participants have been identified from pooled genotypic data (21) and through the use of bioinformatics approaches (22). Current regulation of anonymized research samples and the communication about anonymization provided during the informed consent process probably overstate the guarantee of privacy protection and can lead to clinical or psychosocial harm. The failure to return clinically actionable information clearly harms research participants; we’ve been making this case above. There are other harms (which we find less compelling) that are covered in the citations. (23, 24).

CRYPTEX SECURITY

As a much-needed replacement for anonymization of biomedical research samples, we recommend a cryptographic approach that is based on the idea of “secret sharing,” which involves several parties, each of whom holds a share of a secret (25). The secret can be reconstructed only when a sufficient number of shares are combined. The individual shares are of no use in reconstructing the secret until the sufficient number is reached. By sharing the secret of a research participant’s identity among the researcher and other responsible parties, most advantages of anonymization can be retained while making possible the identification of participants who have clinically actionable results. Although there are previous proposals to use secret sharing in genomics (26), we are not aware of any biobanks implementing a secret-sharing approach for delivering research results to participants.

An illustrative scenario for the proposed approach is a case in which a research participant consents to donate a tissue sample to a biobank (Fig. 1). The informed consent process would ascertain whether a participant desires to be contacted in the unlikely event that a researcher discovers a result with actionable implications for the participant’s health. For participants who consent, the biobank would assign a random identifier to each donated sample and use secret sharing to encrypt the link between that random key and the donor’s identity. The sample or data from it would be distributed by the biobank using only the random identifier, but each researcher using it would also be given part of the shared secret for each participant’s identity. The data and safety monitoring board overseeing the experiment would also be given a share of the secret. The biobank would keep only its part of the shared secret and destroy any copies it has of the researcher’s and the board’s parts.

Fig. 1. Code read.

An illustrative scenario for the Cryptex security approach. Step 1. Codes created. Participant gives sample to biobank and consent to be contacted to report actionable results. Biobank deidentifies the participant’s record, creates shared secret codes, keeps one shared secret code (B), and destroys links to participant’s identity. Researcher gets a set of deidentified records and one part of the shared secret code (R); data and safety monitoring board gets one part of the shared secret code. Step 2. Actionable research result detected. Researcher detects an actionable research result for a participant and reports this to the biobank and monitoring board. Biobank confirms result and reports the confirming results to the monitoring board. Step 3. Agreement to share. All three groups agree that the result should be shared with participant. Secret codes are shared to reveal participant’s identity (B, biobank; R, researcher; M, monitoring board). Biobank contacts participant and his or her physician and delivers the result.

CREDIT: Y. HAMMOND/SCIENCE TRANSLATIONAL MEDICINE

In the event that a researcher believes a clinically actionable result has been found, a request is sent to the biobank to identify the participant, along with justifying documentation. The biobank then independently evaluates the result by, for example, sending the sample to a clinical laboratory for a confirmatory test. If the biobank concurs that the result is actionable, then the biobank sends the findings to the board for assessment. If all parties agree that the result is actionable and the rationale for contacting the participant is justified, then the combination of the three entities’ shares of the secret can reconstruct the identity of the participant and facilitate contact. The biobank would have the responsibility of contacting the participant, who would then be asked to designate a physician to receive the actionable information or decline. We propose to involve the patient’s physician because effective use of the actionable information requires that it be integrated into the patient’s care, which conforms to the traditional practices of delivering other sorts of clinically relevant information. As with any other sort of personally identifiable health information, all parties involved in the secret sharing have a clear obligation to protect that information by not sharing it with anyone except as authorized by law. Costs and other managerial challenges to implementing this approach are likely to be modest.

There are variations on the above scenario that might be appropriate in different circumstances. For example, when the researcher collects samples without a biobank as an intermediary, an independent data- and safety-monitoring panel and the researcher would hold shares of the secret and must agree to cooperate in order to establish a participant’s identity. In some cases, the research participants may be given a share of the secret; therefore, this approach may also be a suitable technology to support efforts to confer on research participants rights of ownership of their research results (27).

Our proposal is based on four balancing ethical principles: beneficence, justice, trust, and privacy. Beneficence entails the duty of researchers to act on behalf of the study participants’ welfare by maximizing the benefits and minimizing the harms of research. In the case of this proposal, the benefit is a meaningful improvement in health. Although the benefit is limited to the small number of people who participate in research and have an actionable result materialize, the number of people affected may grow with advances in proteomics and genomics research. There can conceivably be negative consequences to providing actionable results to research participants (28), including anxiety and the costs of further evaluation; these would be disclosed in the consent process. As with any other aspect of consent, a participant could opt out of the potential to be informed of actionable results at any time.

Moreover, this benefit provides a way to reward those who volunteer for biomedical research and increase the public trust in researchers and the scientific process. Because of the long-term nature of clinical and translational research, the benefits typically are reaped by society rather than by the study participants. Therefore, when the opportunity arises for the participants to obtain benefit from the research, the principle of justice is served (29). Likewise, research policies that place the health of volunteers as a paramount concern promote the trust that sustains the research enterprise (30).

The benefits in beneficence and justice are balanced by some cost to privacy. Individuals may have good reasons for not wanting to share personal health information with researchers. Genetic research may carry social risks to individuals or members of specific racial or ethnic groups (31). Furthermore, participants have not only a right to know but also a right not to know information about themselves (32).

However, there are degrees of invasion of privacy. For example, disclosure of private information to a small number of trusted people is different in degree from broad disclosure to the general public, and the potential disclosure of information about a single research participant is different in its effect on society from disclosure of information about a large number of research participants. Thus, our proposal carries a low degree of privacy invasion. Not even the monitoring board of a clinical study needs to know the identity of the research participant; the only disclosure of identifiable information is to a representative of the biobank for the purpose of contacting the participant and the designated physician. Studies indicate that most participants endorse the return of individual research results despite these possible negative implications (18, 33, 34).

The requirements of a shared secret decrease the likelihood that accidents or mistakes, such as lost disk drives or hacker break-ins, will cause the release of research participants’ identities. Furthermore, the risk of privacy loss accrues only to the person who benefits: the participant who receives actionable health information. If adopted by regulators, this proposal for cryptographic secret sharing would allow research participants to decide for themselves whether or not their actionable research results are returnable.

References and Notes

  1. Acknowledgments: A workshop on Privacy Risks on Data Sharing in Genomics held at the University of Colorado Anschutz Medical Campus in August 2010 started the discussions that led to this Commentary. We gratefully acknowledge M. Yarborough and K. Edwards, who helped organize the workshop, as well as all of the participants. During the workshop, L. Gold of SomaLogic expressed his alarm at not being able to contact a participant of the research, which sparked our approach. We thank J. Sakai, M. Yarborough, B. Blankenship, and S. Williams for close readings and helpful suggestions. Funding: M.E.C. and C.H. are supported in part by NIH grant 5R01DA029258002. M.E.C. is also supported in part by NIH grants UL1-RR025780 and 5P60DA011015-13. L.E.H. is supported in part by NIH grants 5R01LM000811-07 and 2R01LM009254-04. Competing interests: The authors declare that they have no competing interests.
View Abstract

Navigate This Article