Software vendors attempting to tap into the nascent clinical sequencing market are taking steps to ensure that their offerings toe the line set by federal agencies to protect the privacy and security of patient information.
One of those requirements is the Health Insurance Portability and Accountability Act (HIPAA), which was put in place in 1996 by the Clinton administration and includes a list of administrative, physical, and technical safeguards that govern access to and the use of protected health information.
Representatives from several informatics companies that have staked claims in the clinical analysis market told BioInform that they see HIPAA compliance as a fundamental requirement for their software. Most are taking steps to obtain appropriate certification and, in some cases, already have the documents in hand.
Last week, GenomeQuest announced that its GQ-Dx genomic decision support system, which generates clinical diagnostic reports based on next-generation sequencing data, is now HIPAA certified following the successful completion of an independent audit.
Similarly, NextBio announced this week that its NextBio Clinical software has passed an independent third party audit of its security controls and meets HIPAA requirements.
GenomeQuest’s CEO Richard Resnick said the compliance process required a “fundamental change in the culture of the company,” which has been around for 13 years but has recently shifted its focus from the research market toward the clinical setting.
“Research software companies are quick to move … There [are] lots of fast ideas and lots of changes to products and innovations that are driven by customers,” he told BioInform. “That’s great but it leads to all sorts of unpredictability. So what we … had to do was completely reengineer the culture, the policies, the procedures, and the software of the company so that we could pass the audits necessary to declare ourselves HIPAA compliant.”
In general, under HIPAA, “fewer people get to certain things and they get to do it at times that are well prescribed and documented,” he said. Specifically, this meant addressing things like password policies, change management control, software for remote wiping, as well as what kinds of devices are allowable for use, among other changes, he said.
Furthermore, the move eliminates a data de-identification step that clinical customers previously had to perform in order to use GenomeQuest’s platform in their hospitals and labs. Before the system was HIPAA compliant, users needed to de-identify their patient data before it could be put into GQ-Dx and analyzed, Resnick explained.
“As you move more and more from small panels where you are just looking at a few genes to exomes and genomes … there is a strong argument to be made that the genome itself is personally identifiable and so you can’t continue down that path as you scale because you can’t de-identify your genome,” he said.
Meanwhile, Satnam Alag, NextBio’s chief technology officer and vice president of engineering, said in a statement that NextBio has made “significant investments” in data security as part of its HIPAA certification process, adding features such as automated logging of access to patient information, encryption of log parameters, real-time administrator audit facilities, and encryption of electronic patient health information, or ePHI.
Other features include customized authorization of access to ePHI by client organizations; real-time ePHI access report generation so that clients can immediately review who accessed ePHI, what was accessed, and when; hosting of ePHI in data centers run by a provider that is SSAE16 certified; and more.
The company also invested in HIPAA training for its employees and engaged an external auditor for the certification process, Alag told BioInform.
Presently, NextBio Clinical is being used in a series of private projects — with the Cancer Care Institute, for instance (BI 6/29/2012) — ahead of a full launch at an undisclosed future date.
Meanwhile, Belgian clinical bioinformatics firm Cartagenia said it already offers HIPAA-compliant software tools.
CEO Herman Verrelst said the company has been compliant since 2010 and that it develops its products in accordance with a quality management system that is “fully” ISO13485 and ISO9001 certified.
“We believe this to be the true minimal requirements for software vendors and products in this space,” Verrelst told BioInform in an e-mail. “How could you do business with US labs and hospitals if you're not HIPAA compliant?”
He also said that the company has registered its Bench lab NGS software for clinical laboratories — launched last March (BI 3/30/2012) — as a class 1 exempt medical device with the US Food and Drug Administration.
Representatives from Knome, meantime, told BioInform that they consider regulatory compliance to be a “standard process” in developing software for clinical use.
“It’s really just good engineering practices that need to be incorporated because it makes a lot of sense and allows you to do things in a way that’s controllable,” Mark Rubenfield, Knome’s senior vice president of operations, told BioInform.
Knome is developing KnomeClinic, a software suite that medical researchers can use to interpret and annotate human genomes. This summer, the company launched an early-access program to give clinics a chance to test the suite ahead of a full release at an undisclosed date (BI 6/15/2012).
However, unlike GenomeQuest and NextBio, Knome doesn’t need to seek HIPAA compliance for its software since the product will be installed locally at customer sites rather than accessed through an offsite data center, Jonas Lee, Knome's chief marketing officer, told BioInform.
GenomeQuest’s customers access GQ-Dx on a hosted data center operated by the company although they can also install the system locally. The same is true for NextBio’s clinical product, which will be made available under a cloud-based model.
In Knome’s case, the clinics themselves need to be HIPAA compliant and “what our software needs to do is to make it easy at least for the institution to remain … compliant according to the security and privacy standards of HIPAA,” Lee said.
When KnomeClinic is launched it will have the necessary capabilities for that purpose, including features like access control, and will also meet other regulatory requirements such as the US Food and Drug Administration's Title 21 CFR Part 11 guidelines on electronic signatures, Knome’s Rubenfield said.
Taking HIPAA to Heart
Ensuring that clinical analysis software complies with federal regulations could make these tools more appealing to potential customers in hospitals, academic medical centers, and diagnostics labs who must work within regulatory constraints. Such customers are looking to invest in software that can guarantee that their patients’ health records and genomic information won’t be compromised.
GenomeQuest’s Resnick told BioInform that the company’s clinical customers “demanded” that its GQ-Dx be brought into compliance with HIPAA requirements.
“We couldn’t serve our growing market without being able to integrate into hospital information systems,” he said.
John Quackenbush, a professor of computational biology and bioinformatics at Dana-Farber and CEO of GenoSpace, one of the more recent entrants into the clinical arena (BI 6/29/2012), said that he would be “surprised” if informatics firms in this market choose not to ensure that their platforms are HIPAA compliant.
“It is a simple fact that ultra-high-throughput data presents fundamentally different challenges in data management and security than do other data types,” he told BioInform in an e-mail, adding that this holds true “regardless of the domain in which you intend to use it.”
In a conversation with BioInform, Alpana Verma-Alag, NextBio's head of clinical development, said meeting regulatory requirements is a “top priority” for her company.
“Not because we thought it would competitively distinguish us, even though I absolutely think it does, [but] because of the nature of the product we have and realizing that this would be a key need for our clients and give them … the level of security they need because they are also bound by processes and requirements on their end,” she said.
However, not all companies might see things in that light, she pointed out.
She noted that newer startups hoping to reap the benefits of early entry into the space might put investments in security and regulatory compliance on the back burner, choosing instead to focus on product development, since “there is no direct relationship [between regulatory compliance and] revenue.”
But the current crop of newcomers in the sector, several of which have sprung up within the last year (BI 12/22/2011), are taking these regulations to heart.
GenoSpace’s Quackenbush said that his company’s cloud-based system was designed “from the start” to protect genomic data and any associated clinical data.
GenoSpace provides what it says is a secure environment based on Amazon's cloud infrastructure for sharing and storing genomic data as well as bespoke research portals that enable clients to ask particular research questions.
“We recognized that, fundamentally, genomic data were identifiable and that, without proper encryption and data security protocols, we would not be positioned to deal with all of the issues associated with personalized medicine and genomic discovery,” he said.
Meanwhile, Cypher Genomics, which spun out from the Scripps Translational Science Institute, Scripps Health, and the Scripps Research Institute, is working toward making its system HIPAA compliant, Nicholas Schork, director of STSI's bioinformatics and biostatistics division and one of the company’s founders, told BioInform in an e-mail.