Eleven abstracts of the thousands accepted for publication at this year's annual meeting of the American Society of Clinical Oncology (ASCO), one of the largest cancer research conferences in the world, draw upon data collected through a nonprofit subsidiary of ASCO that in 4 years has brought together the electronic health records (EHRs) of 1.2 million patients.
The ASCO subsidiary — CancerLinQ — will have its own 1200 square foot booth in prime real estate at the entrance to the meeting's exhibit hall. It has received data from 48 healthcare institutions to help them improve care for patients and has compiled a treasure trove of data for researchers studying how expensive cancer drugs work for patients in the real world. But ethicists are concerned that CancerLinQ is allowing companies to sell access to the data after they have been stripped of patient identifiers, without asking for patients' permission.
"I think that the ethics of profiting off of someone else's information is dicey and at the very least the patient should go in with their eyes open, and that requires informing them," said Robert Field, PhD, MPH, JD, a professor of law and public health at Drexel University, Philadelphia, Pennsylvania.
None of the patients whose information is in the database formally consented to their records' inclusion and use for research. CancerLinQ's stated core functions are quality measurement and improvement and other healthcare operations, which means that under the Health Insurance Portability and Accountability Act (HIPAA), patients don't need to give their permission for their information to flow into the database.
CancerLinQ has also struck partnerships with two companies that turn the clinical records into searchable datasets for participating practices to see how they can care for patients better. The two companies, Tempus and Concerto HealthAI, pay CancerLinQ a royalty fee to be able to offer their own customers data and products derived from a deidentified database for research, CancerLinQ Discovery.
Although the setup complies with HIPAA, ethicists and health law experts say it raises questions about patients' data being monetized for research without informed consent.
"Just because something is legal doesn't mean it's ethical, and this case is a really good illustration of that," said Kadija Ferryman, PhD, a researcher at the nonprofit organization, Data and Society Research Institute, in New York City, which focuses on the impact of technology on society. "Even though they are acting within regulatory guidelines, something about this just doesn't feel right."
Partnerships to Support Technical, Financial Viability
On their websites, Tempus and Concerto HealthAI advertise their "exclusive" licenses to CancerLinQ Discovery data. Their customers can't use the data for marketing, according to ASCO's description of the license agreement, but the companies can sell data products if the customer's purpose is improving patient care and treatments. Pharmaceutical company AstraZeneca is a partner and has had access to CancerLinQ Discovery since 2016 to use the database and provide feedback to improve it.
In 2016, CancerLinQ grew quickly from 36 cancer care practices that had signed up in April to 58 practices with 1000 providers in June to 70 practices with 1500 oncologists by October, at which time the platform contained the records of one million patients. CancerLinQ had 100 practices signed up when it announced its agreement with Tempus and Concerto HealthAI (then called Precision HealthAI) in December 2017. As of April 2019, CancerLinQ had 1.2 million patient records from 48 active sites out of 100 total healthcare institutions that had signed up to participate.
In a statement provided to Medscape Medical News by a spokesperson, ASCO CEO Clifford Hudis, MD, said the licensing agreements with Tempus and Concerto were developed "to support the technical and financial viability of CancerLinQ." The nonprofit found that ingesting and curating the EHRs and addressing the challenges of siloed data, interoperability problems, and poor or missing data were more expensive than anticipated, and so it contracted with the companies to create searchable datasets from the clinical records.
"While concerns regarding privacy and autonomy will always need to be weighed and considered when it comes to medical data, CancerLinQ meets or exceeds the legal and ethical standards related to privacy, security, and use of data," Hudis said in the statement. "To meet our ethical obligations, including the need to develop insights that benefit patients as quickly and efficiently as possible, from the outset, we engaged ethicists and patient advocates to help guide our thinking and inform our decisions regarding CancerLinQ," Hudis said. CancerLinQ has policies and procedures to protect patient privacy.
CancerLinQ recently expanded the partnership with Tempus and Concerto HealthAI to include a project with the US Food and Drug Administration to analyze the data of patients who have been treated with the blockbuster immune checkpoint inhibitor cancer drugs. Five of the abstracts at ASCO's annual meeting this year came from this partnership.
For example, one of these abstracts compares outcomes for patients with and those without autoimmune disease who received immune checkpoint inhibitor treatment for advanced non–small cell lung cancer. Another late-breaking abstract analyzes the impact of broadening clinical trial eligibility criteria for advanced non–small cell lung cancer patients.
CancerLinQ does instruct participating practices to inform patients as to how their data are being used (it supplies an informational brochure that mentions research but not commercial use) and allows patients to opt out of the program. ASCO is aware of only one patient who didn't want to participate and opted out.
CancerLinQ's practice of collecting patient data without consent for quality improvement initiatives isn't an issue, Ferryman said. She understands why the institutional review board (IRB) that was consulted regarding the regulatory framework published in 2014 deemed the project not to be research. But she questions whether the partnerships that later emerged to license the data fit the description of research as a secondary goal of the data collection.
"I'm not sure that licensing to a private company that has the potential to make millions of dollars is really what was in mind when this idea of secondary research was developed," Ferryman said. For her, it raises the question of whether research was always the motivation or whether operating a quality improvement initiative was a strategy to get the patient data.
Is HIPAA Compliance Enough?
Mark Rothstein, JD, the founding director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine in Kentucky, finds the setup "a little bit too clever," he told Medscape Medical News. "To say it's compliant with the HIPAA privacy rule and besides that some IRB said that it wasn't research doesn't really impress me a whole lot."
People with cancer are among the patients most willing and eager to participate in research, Rothstein said. "If it's so valuable, then take the time and spend the effort to get consent of patients. They will give it to you if you ask them."
Breast cancer survivor Casey Quinlan called ASCO and the goal of getting real-time information from health IT systems "awesome," but said the professional society and CancerLinQ "missed a step" regarding informed consent.
"If you ask a person who has or is undergoing cancer treatment, 'Would you like your information to improve care or treatment options for other people who end up in your situation?,' the answer will be a resounding, 'Yes,' " Quinlan told Medscape Medical News. "But in practice, the privacy and the purity of that wish has been screwed up."
While CancerLinQ was in development, researchers led by Reshma Jagsi, MD, DPhil, at the University of Michigan, surveyed 621 cancer patients about their views on the ethics of using medical records for research. Seventy-two percent said they thought it was critically important or very important to conduct this type of research, and nearly the same amount, 71%, believed that physicians should ask a patient for permission to use their medical records for research at least once. Thirty-five percent thought it was important for physicians to ask for permission each time their record would be used for research, "even if it means that a great deal of research will not be done," according to the article describing the findings.
That's a trade-off that worries bioethicists who don't see a problem with CancerLinQ's setup. "You would use all of your resources trying to track down people and get permission, with no time or money left to do the research," said Sharona Hoffman, JD, co-director of the Law-Medicine Center, Case Western Reserve University School of Law, Cleveland, Ohio.
Requiring informed consent would "undermine the project logistically and scientifically," said Steven Joffe, MD, MPH, pediatric oncologist and chief of the Division of Medical Ethics at the University of Pennsylvania Perelman School of Medicine, Philadelphia, who is also on ASCO's ethics committee. He thinks even having an opt-out option for patients is unnecessary, assuming that the data are deidentified and are properly secured, that CancerLinQ is transparent about who they work with and what they're doing, and that the data are used in a manner consistent with CancerLinQ's mission of improving care for patients. Working only with nonprofit or federally funded entities instead of industry would be "potentially leaving value for patients on the table, and that would be a shame," Joffe said.
"There's always a tension between asking individual people to sacrifice some measure of privacy for the benefit of future patients like them," said Kayte Spector-Bagdady, JD, MBE, a bioethicist at the University of Michigan in Ann Arbor, who has studied the ethics of so-called "learning healthcare systems" or "rapid learning systems," such as CancerLinQ, that blend research with the practice of medicine in an effort to use the data generated from patient care to improve quickly.
Such uses of EHRs are becoming more common. Besides CancerLinQ, Flatiron Health also compiles medical records from cancer patients without consent for quality improvement. The company uses deidentified data to conduct research with industry. In 2018, Flatiron Health was acquired by Roche, the Swiss pharmaceutical company that makes many cancer drugs, for $2 billion.
Data from EHRs "might provide insights into unrecognized toxicities, interactions, subtle outcome differences with therapies, and off-label use, especially in the old days when drugs were frequently given off-label," ASCO's Hudis told Medscape Medical News earlier this year. "The reason ASCO, your nonprofit professional society, is conducting this project is to improve quality of care."
Follow Ellie Kincaid on Twitter: @ellie_kincaid
Medscape Medical News © 2019
Cite this: Using ASCO's Clinical Database for Commercial Research Raises Questions, Ethicists Say - Medscape - May 31, 2019.