A national network of university medicine
The Federal Ministry of Education and Research (BMBF) is funding a national network of university medicine (NUM) to support COVID-19 and pandemic research at national level. Within the NUM project “COVID-19 Data Exchange Platform” (CODEX), as one of several funded projects of NUM, a nationwide standardised infrastructure is to be established that supports the storage and provision of COVID-19 research datasets in a data protection-compliant manner [1].
For this purpose, the structured COVID-19 data of the participating 34 university hospitals (NUM sites), which include clinical data, image data and data on biospecimens [2], are to be pseudonymously transferred in the form of the German Corona Consensus data set (GECCO83) [3] in the central platform CODEX. The assessment of patient related data, the transfer to a comprehensive, standardised data repository, and the use & access procedure, that will allow researchers to analyse the data to answer urgent scientific questions, are all based on an individual informed consent.
The infrastructure required for multicentre data exchange must meet the requirements of research ethics and the EU General Data Protection Regulation (GDPR). The planned processing of a patient's health data at the NUM site and the standardised transfer to the central platform CODEX for research purposes requires, according to the GDPR Art. 6 (1) lit. a) [4], the consent of the patient.
In a complex interaction of centralised and decentralised infrastructure components, the transfer of appropriately consented health data at the NUM sites to the central platform is only indirect. Each individual site has a data integration centre (DIC) and a local Trusted Third Party (TTP) including a local consent management. The NUM sites ensure that only consented data is transferred to the central research repository CODEX. Central infrastructure components, such as the federated Trusted Third Party (fTTP), ensure, that patients can be uniquely identified across sites based on a privacy preserving record linkage (PPRL) [5]. Uniformly generated pseudonyms are provided by the fTTP. The GECCO Transfer Hub (GTH) transfers the pseudonymised research data to the central platform CODEX using the HiGHmed Data Sharing Framework (DSF) [6]. The exchange of person-identifying information (PII), health data and consent data are carried out in NUM by means of the Health Level 7 (HL7®) standard Fast Healthcare Interoperable Resources (FHIR®).
A broad consent promotes broad research
In the Medical Informatics Initiative (MII) the BMBF funded the four consortia, MIRACUM [7], HiGHmed [8], SMITH [9] and DIFUTURE [10]. The aim of the MII, which started before NUM, is, among others, “to improve medical research and patient care with innovative data architectures and software solutions” [11]. This project is primarily based on decentralised infrastructures and is not limited to COVID-19 or pandemic research, but shall support a very broad approach of medical research based on patient data from diagnostic and therapeutic clinical routine in all University Hospitals in Germany, and their cooperation partners.
In order to solve MII-wide challenges in a uniform manner, a number of corresponding working groups and task forces were set up. Particularly, the working group consent (WG Consent) has designed a uniform and modular consent document: the MII Broad Consent (version 1.6d) [12]. Moreover, the WG Consent has successfully coordinated this broad consent, which was approved by all the data protection authorities at both all federated states and the national level in Germany. It shall “be used over all sites in the four consortia” [11].
In close cooperation between WG Consent and the Technology, Methods, and Infrastructure for Networked Medical Research e.V. (TMF), the already approved MII Broad Consent (MII BC) was extended for NUM by a NUM-specific consent module (version 1.6f) [13]. This supplementary module (called Z-module) grants patients the opportunity to decide on their own responsibility (1) whether their data may be transmitted to the central platform CODEX for the purpose of COVID-19 and pandemic research, in order to then be used for research in conformity with the GDPR, and (2) may even be transferred to countries in which the European Commission did not explicitly confirm a suitable level of data protection, yet (“unsecure third countries” [14]).
Ideally, the NUM-specific version of the MII Broad Consent (v.1.6f) is to be used at all NUM sites as a uniform basis for the data protection-compliant collection and transfer of the GECCO83 data set to the central platform CODEX.
A harmonised representation of the patient’s consent for technical interoperability
As each site of the four MII consortia is free to choose the technical implementation for managing consent information, such as Integrating the Healthcare Enterprise (IHE) Basic Patient Privacy Consents (BPPC) or FHIR® consent resources [15], the MII Task Force Consent Implementation (TFCI) has successfully faced the challenge of defining a technically interoperable solution [16]. The TFCI utilised globally unique object identifiers (OID) to develop a common representation of the MII Broad Consent [16].
This approach was extended with a concrete set of semantic statements for each consent module as selected by the patient (enforceable consent policies). Corresponding representations of questions, answers, modules and assigned policies of the MII Broad Consent were modelled in ART-DÉCOR [17] [18] after intensive coordination with WG Consent and TMF.
Since every NUM site is also a MII site, corresponding additions for the NUM-specific extension of the MII Broad Consent (version 1.6f) have already been considered. Despite considerable complexity, TFCI has paved the way for the technically independent exchange of semantic consent information in MII and NUM.
Each NUM site is responsible for the individual implementation of this interoperable but complex approach. This also includes ensuring that the content of the exchanged consent information is always semantically correct in order to prevent possible data protection violations (e.g. data transmissions to the central platform CODEX in the absence of a valid consent).
A reliable consent management is essential to ensure patient’s rights
The Independent Trusted Third-Party (TTP) of the University Medicine Greifswald has successfully supported the data protection-compliance of research projects since 2014 (e.g. NAKO Health Study, German Centre for Cardiovascular Research) [19]. The open source solutions gICS® (generic Informed Consent Service), gPAS® (generic Pseudonymisation Administration Service) and E-PIX® (Enterprise Master Person Index) form the basis for the implementation of the informational separation of powers [20]. These TTP tools are part of the MIRACOLIX Toolbox 2.0 [21] of the MII consortium MIRACUM.
The correct consideration and implementation of the patient's rights, in particular the handling of consents and the implementation of patient withdrawals, require a reliable consent management [11].
University Medicine Greifswald has already successfully implemented a completely digitally MII broad consent in mid of 2020 [22]. As part of the NUM-CODEX project, the University Medicine Greifswald supports the NUM sites to establish necessary local Trusted Third Parties and corresponding consent processes by providing the necessary decentral component gICS® for digital consent management.
Each NUM site decides individually whether to apply gICS® for local consent management. Also, efforts required to integrate gICS® into individual processes and infrastructures remain with the site. This typically includes not only technical aspects (e.g. network zones, authentication, various local IT-security measures), but also human resources for sufficient information of the patient, retrieval and documentation of consent, as well as for quality control of consent information.
gICS® supports digital- and paper-based consent processes and follows the principles of “privacy by design” [11]. Based on consent policies and consent modules gICS® allows to automatically determine and query the detailed consent status for each patient at any time. [15]
The web-based functionalities of gICS® have so far been provided to users exclusively via SOAP interface [23]. In the NUM-CODEX project, however, the exchange of consent information is intended solely in HL7® FHIR® format. Due to a lack of uniform specification, this has not yet been satisfactorily supported by any other software solution [15].
A standardised specification for FHIR® consent
In order to be able to implement the clear objective in the NUM-CODEX project for cross-site data exchange via FHIR® in the area of consents, current developments in the FHIR® community must be considered.
The HL7®working group on consent management (WGCM), with significant participation from University Medicine Greifswald, has fundamentally renovated the handling of FHIR® consent resources in collaboration with representatives from all four MII consortia. With regard to national characteristics in Germany, required profiles, vocabularies and extensions for the exchange of modular consent templates and contents were specified [24], considering applicable standards such as IHE BPPC and IHE APPC [25], and numerous examples were made available in the form of a uniform implementation guide [26]. This specification is publicly available and the balloting process started in April 2021, in order to introduce these new profiles as part of the official national HL7® FHIR® standard.
The examples provided by the WGCM consider the OID-based preliminary work of the TFCI. The challenge of the syntactically and semantically correct implementation of these complex FHIR® consent profiles, however, still exists and requires both extensive practical experience in the field of consent management and a comprehensive understanding of the designed FHIR® consent concepts.