Historically, research into rare diseases has been siloed and lacking in standardization. This has resulted in meaning overlaps, wasted time, and wasted resources, all of which delay potential breakthroughs for patients.
You can ensure the data in your registry actively supports new research, rather than hindering it, by employing a database platform that federates your data to find potential overlaps in outcomes for multiple diseases. For example, a registry for Duchenne muscular dystrophy may contain research that applies to Becker muscular dystrophy or similar diseases.
Let the tech work for you
Modern technology can let databases autonomously federate data and find potential points of research overlap, with little to no effort from you. Federated data usually contains fewer information points than traditional, aggregated systems, but it is also easier to search.
As more registries become federated, the ability to compare research and identify points of connection increases. This accelerates progress and brings new treatments and even cures closer for people living with rare diseases across the world. Federated data will put your registry at the forefront of research as an indispensable tool for scientists and researchers.
However, mechanizing data sharing also carries legal risks. It is vital that you and your technology provider know the laws governing the handling and management of patient data.
Responsible data processing
Collecting and storing data comes with a range of legal and ethical considerations. If you do not follow the associated laws, you risk tough sanctions and potential distrust from future contributors.
Around the world, different laws govern the use and management of data. You will likely encounter the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the General Data Protection Regulation (GDPR) in the European Union (EU) most frequently.
Both give enhanced protections for individuals but have different focuses, other than the obvious geographical one. Within the EU, GDPR focuses on the protection of personally identifiable information (PII). This includes any data that can positively identify an individual. In the US, HIPAA focuses purely on organizations that handle protected health information (PHI).
Also, GDPR has a broader scope than HIPAA, including “sensitive personal data” like race, ethnic origin, and religion under its protection. HIPAA, in contrast, covers PHI alone.
Registries and consent
You may ask why organizations in the US or Canada might concern themselves with the EU’s GDPR laws. However, GDPR offers protection for everyone in EU countries—even if an entity outside the EU collects their data. This means that you must collect their data in accordance with GDPR, even if your organization is not based within the EU.
There are several important differences between GDPR and HIPAA, particularly with regard to consent. While HIPAA allows for some degree of PHI disclosure without consent, GDPR does not. If you know that you need permission to share data from some patients but not others, you can reduce delays in information transfer by collecting consent early, especially if you need information quickly.
GDPR also gives people the “right to be forgotten”, while HIPAA does not. This means individuals can request that an organization erase their data, with certain exceptions. To carry out that request, an organization’s IT and security teams need complete visibility and control over where that patient’s data is stored—including on third-party platforms.
If your registry is cloud-based or on a third-party server, you must know what mechanisms are in place to fulfill the patient’s right to erasure. Your cloud vendor must provide the data you need and know the data’s location for complete erasure.
While this may seem complicated, Rare Central can help you build a federated and HIPAA/GDPR compliant registry. To find out how, visit www.pulseinfoframe.com or email our Head of Clinical Product Management, Nina (nliu@pulseinfoframe.com).