Patterns. 2023 Apr 5;4(4):100734. doi: 10.1016/j.patter.2023.100734

Doing it right: Caring for and protecting patient information for US organ donors and transplant recipients

Eric D Perakslis 1, Stuart J Knechtle 2, Brian McCourt 1, Raymond Lynch 3, Brianna L Doby 4
PMCID: PMC10140603  PMID: 37123437

Abstract

In the current US organ transplantation system, there are no regulations defining how organ procurement organizations must manage personal data and protect the privacy of donors and recipients. In response to the recent announcement of a major overhaul of the US transplantation system, we describe a practical approach to improving transplant data quality and protecting the autonomy of patients interacting with the system.


Main Text

In the US, when a patient in the hospital meets any number of clinical thresholds that indicate a grave prognosis, the hospital staff must make a call to a local federal contractor with one job: to evaluate the patient as a potential organ donor. These contractors are called organ procurement organizations (OPOs), and they are permitted to access any patient medical record, contact any family member, request information from any provider, and even perform examinations at the bedside of the patient to collect data and information for the purposes of possible organ donation. OPOs create and hold records for all patients who are referred to them—even if that patient does not become an organ donor—yet are not subject to any current regulatory regimes that protect patient privacy or autonomy.

OPOs are members of the national US transplant system, called the Organ Procurement and Transplantation Network (OPTN). Just weeks ago, the Health Resources and Services Administration (HRSA), which is charged with overseeing the OPTN, announced the Modernization of the Organ Procurement and Transplantation Network initiative. This demonstrates the scale of commitment to change that the public, the US Digital Service, and lawmakers have recommended and demanded due to wasted organs, poor patient safety, and obfuscated metrics and finances. Key elements are modernized information technology, pledges of transparency via data dashboards, and the intent to replace elements within the current single contract with multiple new partners to infuse innovation and change into the decades-old National Organ Transplant Act. It is essential that this opportunity includes better safety surveillance across the network and protection of the digital rights of patients cared for by OPOs, organ donors, transplant recipients, and patients awaiting transplants across the nation.

We have previously written that significant opportunities exist to modernize and improve the systems, but a critical gap remains: ensuring data quality, accuracy, availability and the privacy and security of organ donor participants [1]. This is essential given there are no information security standards for patient data collected by OPOs imposed upon the OPTN by the federal government, and much of the OPTN is exempt from federal health privacy law, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

This means that patients with data shared through and across the OPTN are the only patients within US healthcare that are not protected by federal privacy law or security standards of any kind. They are not protected by HIPAA. They are not subject to the protections afforded participants of clinical research. Moreover, the 56 geographically based OPOs, which carry out a wide healthcare mandate including the aggregation, storage, and management of the intimate health details of organ donor patients, are not HIPAA-covered entities.

Like many aspects of the OPTN dating back to its formation in the mid-1980s, the original justifications for exempting the OPTN from regulations like HIPAA made sense but have resulted in unintended and detrimental long-term consequences. For example, HIPAA allows the use and disclosure of personally identifiable health information (PHI) for clinical donation and transplantation purposes without authorization [2]. The intent here was clear: it is very difficult to clinically evaluate an imminently deceased patient and their medical history when time is of the essence, and it may not be possible to obtain documented permissions from next of kin or other parties. Unfortunately, the lack of regulation has resulted in poor-quality data management in addition to the complete absence of privacy or security protections for patients across the OPTN system.

This partial protection of information is clearly one root cause of the lack of quality and accountability in OPTN data. It can be done better and patients deserve better. For a sense of scale, medical information was transferred between a hospital and an OPO 1,073,084 times in 2018; in other words, in a single year, more than 1,000,000 American patients had health and demographic information transmitted to OPOs under a system that does not define protections, security, or interoperability for those data [3]. Less than 1% of those patients for whom the OPO collected data became deceased organ donors. Yet highly sensitive data such as Human Immunodeficiency Virus (HIV) status, toxicology screenings, and genetic testing results had already been shared within the OPTN.

While the data ecosystem is highly complex, the fixes must be clear and uncomplicated.

First, we would argue against including OPOs as HIPAA-covered entities. They are too diverse in size, quality processes, and technological capability to satisfy covered entity requirements, and, even if they could, the time and resources invested would most likely lead to an even further siloed and discontinuous technology and data environment. Instead, we would advocate for a national universal business associate agreement (BAA), a contract permitted under HHS rules to perform services on behalf of a covered entity where personal health information is utilized, that would standardize the security and privacy practices of the OPTN to the minimum standards of the HIPAA Privacy and Security Rules. The BAA would contain explicit language allowing the essential processes of transplantation, such as donor consent, but would still afford patients served by OPOs and transplant centers all reasonable protections.

Second, the implementation of the BAA should carry specific data quality, availability, and automated interface requirements for OPOs. Looking across the Senate Finance Committee findings and concerns, and the HRSA announcement, the most immediate opportunity to improve organ transplantation in the US is technology modernization. Currently, there are no required data or systems standards across the OPTN. Imagine air travel if each state had its own air traffic control system without Federal Aviation Administration (FAA) centralization or oversight. It would be chaos—and yet, that is the situation today across 56 OPOs. The ideal solution would be a single, federated, national technology platform for all aspects of organ donation and transplantation, but the next best thing would be universal data standards applied to a single technology interface that all OPOs would be required to use.

Third, a uniform approach to cybersecurity is essential across the network at a time when the number of medical records stolen in cyberattacks exceeds the annual number of inpatient hospitalizations [4]. There are multiple pathways, compliance regimes, and cybersecurity certifications for this. If they are required for patients and research subjects in federally funded programs, OPTN patients and donors deserve the same protections.

Lastly, the BAA and resulting technology transformations should be undertaken with the intent of satisfying the American Medical Association Code of Medical Ethics’ Opinions on Organ Transplantation [5]. The Achilles heel of all the above would be the types of differential implementation seen across the OPTN today. If rules are only followed by some, or if implementation is too heterogeneous, the disparity of performance and quality across the OPTN will remain unchanged.

We applaud these announcements by HRSA. It is time to protect all patients receiving care from members of the OPTN.

Acknowledgments

Declaration of interests

Brianna L. Doby reports consulting or advisory relationships with Arkansas Regional Organ Recovery Agency, LifeConnection of Ohio, and Organ Alliance, Inc. The remaining authors declare no competing interests.

Biographies

About the authors

Eric Perakslis, PhD, is the Chief Science and Digital Officer at the Duke Clinical Research Institute and Professor of Population Health Sciences at the Duke University School of Medicine, where he studies the benefits and risks of digital health technologies. Previously Eric was a Rubenstein Fellow at Duke, Senior Vice President and Head of the Takeda R&D Data Science Institute, Executive Director of the Center for Biomedical Informatics at Harvard Medical School, Chief Information Officer and Chief Scientist (Informatics) at the U.S. Food and Drug Administration, and Senior Vice President of R&D Information Technology at Johnson & Johnson Pharmaceuticals R&D.

Stuart J. Knechtle, M.D. is the William R. Kenan, Jr. Professor of Surgery at Duke University School of Medicine and serves as Executive Director of the Duke Transplant Center. He graduated from Princeton University and obtained his M.D. from Cornell University. He trained in surgery at Duke, in transplantation at University of Wisconsin, and became the Ray D. Owen Professor of Surgery at University of Wisconsin, and then Transplant Chief at Emory and Children’s Healthcare of Atlanta. He returned to Duke in 2015, and is committed to helping patients needing transplants to have equitable and timely access to transplantation.

Brian McCourt currently serves as Senior Director, Data and Knowledge Management at Duke Clinical Research Institute. He began his career as a study coordinator at Massachusetts General Hospital and has since held a variety of leadership roles at Duke. Notably, he initiated a clinical research informatics group, set the vision for and led the integration of disparate informatics, data management and technology functions, and set up an institutional data governance program. Brian has been an active contributor to professional societies and standards development organizations. Recently he’s been engaged in improvement efforts in the US transplant system.

Raymond J. Lynch is a professor in the departments of surgery and public health at the Penn State Health Milton S. Hershey Medical Center. He is a liver and kidney transplant surgeon with a strong interest in promoting equity in access to care for both organ donor and organ failure patients. Dr. Lynch is active in the development of national procurement and transplant policies and serves as the principal investigator on the NIH-funded VALOR grant in collaboration with the Veterans Health Administration and multiple organ procurement organizations.

Brianna Doby is a health services researcher, incoming CDC Public Health Law fellow (beginning May 2023), and consultant. Her research interests include modernization of the organ procurement system in the U.S., data collection and transparency related to organ procurement organizations, and equitable access to organ procurement clinical care for all patients. Currently, she is engaged on an NIH-funded study of a system-wide intervention to increase access to organ procurement care at Veterans Administration medical centers.

References

  • 1. Perakslis E., Knechtle S.J. Information design to support growth, quality, and equity of the US transplant system. Am. J. Transplant. 2023;23:5–10. doi: 10.1016/j.ajt.2022.10.005.
  • 2. Glazier A.K., Heffernan K.G., Rodrigue J.R. A framework for conducting deceased donor research in the United States. Transplantation. 2015;99:2252–2257. doi: 10.1097/TP.0000000000000841.
  • 3. Israni A.K., Zaun D., Hadley N., Rosendale J.D., Schaffhausen C., McKinney W., Snyder J.J., Kasiske B.L. OPTN/SRTR 2018 annual data report: deceased organ donation. Am. J. Transplant. 2020;20(Suppl s1):509–541. doi: 10.1111/ajt.15678.
  • 4. Perakslis E. Responding to the escalating cybersecurity threat to health care. N. Engl. J. Med. 2022;387:767–770. doi: 10.1056/NEJMp2205144.
  • 5. AMA Council on Ethical and Judicial Affairs. AMA Code of Medical Ethics' opinions on organ transplantation. AMA Journal of Ethics. 2012;14:204–214. doi: 10.1001/virtualmentor.2012.14.3.coet1-1203.

Articles from Patterns are provided here courtesy of Elsevier