There’s anotice of a proposed rulemaking from the US Department of Health and Human Services that deals with the way that HIPAA “common rule” protections for individual human data conflict with the growing reality of networks and clinical studies. I can’t summarize it any better than Dan Vorhaus:
  1. Level of review does not match level of risk, particularly for non-invasive research;
  2. Multi-site IRB review is inefficient and ineffective (nobody takes responsibility);
  3. The informed consent process is broken and serves to protect institutions, not individuals;
  4. Increasing use of genetic information changes the nature of risks from physical to informational, privacy-based (and HIPAA is not adequate protection);
  5. There is no effective mechanism in place to determine whether the current system is/is not effective at protecting individuals;
  6. The current system does not reach all individuals, particularly those in research which is not federally funded and thus (generally) not subject to the Common Rule; and
  7. Overlapping & inconsistent regulatory requirements (HIPAA vs. Common Rule, in particular) make compliance painful, variable and sometimes simply impossible.
\tightlist
What he said.
This seems as good a time as any to tell the world that this is the problem I want to work on now. It seems insane to me that the consent process isn’t something that I can control as an individual, at least as an opt-in.
I’m building out a project as part of my involvement at Sage Bionetworks, with help from some awesome people like Dan, to create a system of “portable” informed consent that builds on open consent models like those at the Personal Genome Project, but more modular and untethered from a specific project. If you get consented, that consent will travel with you.
More to come soon. This is a project that has been consuming my nights and weekends for a while now, and doesn’t show any signs of stopping. If you’re interested, drop me a line.