Privacy and Confidentiality of Data in the PharmGKB

PharmGKB has been created by Stanford University as part of a nationwide collaborative research effort funded by the United States National Institutes of Health (NIH) and is available to the public. It is a research tool and, in part, will be publicly available on the internet. The purpose of this project is to aid researchers in understanding how genetic variation among individuals contributes to their differences in responses to drugs.

This database contains genetic and clinical information about people who have participated in research studies at various medical centers throughout the United States. These research centers have agreed to send their data to the PharmGKB, which will be the central repository. Since some of the information obtained on individuals will be available on the internet, PharmGKB has established procedures to protect the privacy of the individuals. In order to protect the privacy and confidentiality of the patients and investigators who have contributed data to this database, the PharmGKB staff are adhering to the following procedures:

Procedures to Maintain Privacy and Confidentiality

The PharmGKB staff will comply with and follow the principles of the privacy of health information outlined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA - Public Law 104-191). That is, "individually identifiable health information" of individuals who contribute data to the database will be treated as follows:

• No identifying information about patients, such as name, address, phone number, hospital name, patient identification number or social security number will be transmitted to the PharmGKB, or accepted by the PharmGKB, from participating research centers;
• Any type of directly identifying information will not be in the database;
• The PharmGKB staff will assess the likelihood that certain data can be used to indirectly identify individuals, and will modify that data, if necessary to make the probability of identification of an individual to be very low; and
• The database will be monitored for suspicious or inappropriate use, and if such use is detected, the PharmGKB staff will immediately take all actions to terminate such use.

The PharmGKB protocol has been reviewed and approved the Stanford University Institution Review Board (IRB) which reviews research studies and determines that the studies adequately protect the rights, including privacy rights, and well-being of research subjects. Information included in the database is being obtained by participating research centers with the consent of the subjects participating in the research.

Security of the database will be maintained by the procedures outlined in HIPAA, which the PharmGKB has adopted for individual identifiable data. These same procedures will be applied voluntarily by the PharmGKB for data that are not individually identifiable. These procedures are as follows:

• Administrative procedures to guard data integrity, confidentiality and availability;
• Physical safeguards to guard data integrity, confidentiality and availability, including protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as intrusion. Physical safeguards also consist of the use of locks, keys and administrative measures used to control and/or limit access to computer systems and facilities;
• Technical security services to guard data integrity, confidentiality and availability including processes to protect, control and monitor information; and
• Technical security mechanisms to prevent unauthorized access to data transmitted over the communications network.