In honor of the occasion of the Fifth Anniversary of Bill of Health, this post reflects on the past five years of what’s generally known as “privacy” with respect to health information. The topic is really a giant topic area, covering a vast array of questions about the security and confidentiality of health information, the collection and use of health information for public health and research, commercialization and monetization of information, whether and why we care about health privacy, and much more. Interestingly, Bill of Health has no categorizations for core concepts in this area: privacy, confidentiality, security, health data, HIPAA, health information technology—the closest is a symposium on the re-identification of information, held in 2013. Yet arguably these issues may have a significant impact on patients’ willingness to access care, risks they may face from data theft or misuse, assessment of the quality of care they receive, and the ability of public health to detect emergencies.
Over the past five years, Bill of Health has kept up a steady stream of commentary on privacy and privacy-related topics. Here, I note just a few of the highlights (with apologies to those I might have missed—there were a lot!) There have been important symposia: a 2016 set of critical commentaries on the proposed revisions of the Common Rule governing research ethics and a 2013 symposium on re-identification attacks. There have been reports on the privacy implications of recent or proposed legislation: the 21st Century Cures Act, the 2015 proposal for a Consumer Privacy Bill of Rights, and the proposed Workplace Wellness Bill’s implications for genetic information privacy. Many comments have addressed big data in health care and the possible implications for privacy. Other comments have been highly speculative, such as scoping out the territory of what it might mean for Amazon to get into the health care business. There have also been reports of research about privacy attitudes, such as the survey of participants in instruments for sharing genomic data online. But there have been major gaps, too, such as a dearth of writing about the potential privacy implications of the precision medicine and million lives initiative and only a couple of short pieces about the problem of data security.
Here are a few quick sketches of the major current themes in health privacy and data use, that I hope writers and readers and researchers and most importantly policy makers will continue to monitor over the next five years (spoiler alert: I plan to keep writing about lots of them, and I hope others will too): Continue reading
Graham Cassidy § 105 would repeal the ACA “employer mandate”. Although its sponsors claim that the bill will give states a great deal of flexibility, it will do nothing to help states ensure that employers provide their employees with decent health insurance; quite the reverse. It will also give employers the freedom to ignore the popular ACA requirement that allows children up to age 26 to receive coverage through their parent’ plans, at least when their parents get health insurance from their employers. Here’s why.
The Affordable Care Act (ACA) was designed to foster and build on health insurance plans that employers in the US provide to their employees. With limited exceptions such as provisions about wellness plans, it left in place the Employee Retirement Income Security Act of 1974 (ERISA), the federal statute that governs benefits that employers offer their employees. Rather than amending ERISA to place new federal requirements on employer-provided plans, ACA imposed a tax penalty (called a “shared responsibility payment”) on employers (with at least 50 full-time equivalent employees) with employees who receive tax credits for purchasing insurance through the ACA exchanges. This is the ACA “employer mandate,” aimed to deter employers from dumping their existing health care plans. It is the ACA provision that supported the mantra: “you’ll get to keep the insurance you have.” This mandate is imposed through a tax and otherwise leaves in place the regulatory vacuum created by ERISA. Let me explain how.
ERISA, enacted in 1974, is the federal statute that governs employee “welfare” plans: benefits, including health benefits, that employers offer their employees. Although ERISA imposes quite substantial requirements on pension plans, it imposes only disclosure and fiduciary responsibilities on welfare plans. Employers must state clearly for their employees what they are given—but may also reserve the right to change plans, as long as they tell their employees that they might do this. Employers also must manage their plans as a good fiduciary would, but this does not mean that employers must offer minimum benefits to their employees, or indeed any benefits at all. Continue reading
It might come as a surprise to many in the United States that they may have no Fourth Amendment reasonable expectation of privacy in their physicians’ records when their physicians transfer these records to state agencies under state public health laws. Yet on July 27, the federal district court for the state of Utah said exactly this for records of controlled substance prescriptions—and perhaps for medical records more generally. (United States Department of Justice, Drug Enforcement Administration v. Utah Department of Commerce, 2017 WL 3189868 (D. Utah July 27)). Patients should know that their physicians are required by law to make reports of these prescriptions to state health departments, the court said. Because patients should know about these reports, they have no expectation of privacy in them as far as the Fourth Amendment is concerned. And, so, warrantless searches by the Drug Enforcement Administration (DEA) are constitutionally permissible at least so far as the district of Utah is concerned. Physicians are by law required to make many kinds of reports to state agencies: abuse, various infectious diseases, possible instances of bioterrorism, tumors, abortions, birth defects—and, in most states, controlled substance prescriptions. The Utah court’s reasoning potentially throws into question the extent to which any of these reports may receive Fourth Amendment protection.
By Leslie Francis
Persistent differences in participation in clinical trials by race and ethnicity are well known; for example, the 2015 Report of the Working Group on Precision Medicine (PMI) relies on statistics that only 5% of clinical trial participants are African-American and only 1% are Hispanic. A recently-launched website of the FDA, “Drug Trials Snapshots,” confirms this dismal picture.
Designed to “make demographic data more available and transparent,” and to “highlight whether there were any differences in the benefits and side effects among sex, race and age groups,” the website reveals instead an impressive lack of information. Reported on the website are 70 new drug approvals for 78 different indications. These data report only evidence about differences by the census categories for race (White, Black or African-American, Asian, American Indian or Alaska Native, Native Hawaiian or Other Pacific Islander, and Unknown). In nine of the reported trials data were considered sufficient to report detected differences in efficacy or side-effects in all racial categories, in two data were considered sufficient to report these differences for African-Americans and Asians, in seven data were considered sufficient to report these differences for Asians, and in two data were considered sufficient to report these differences only for African-Americans. No data are reported about ethnicity, socioeconomic status, disability, or other categories that might be important to the PMI and the benefits data about the planned cohort might bring. Continue reading
By Leslie Francis
On July 30, the White House announced the updated 2020 HIV/AIDS strategy. The admirable vision of the strategy is that “The United States will become a place where new HIV infections are rare, and when they do occur, every person, regardless of age, gender, race/ethnicity, sexual orientation, gender identity, or socio-economic circumstance, will have unfettered access to high quality, life-extending care, free from stigma and discrimination.”
This said, the strategy reflects continuing concerns about the numbers of people who do not know their HIV status, who do not have access to effective treatment, and who do not take advantage of preventive strategies. Demographic groups especially at risk include men having sex with men, African American men and women, Latino men and women, people who inject drugs, youth age 13-24, people in the Southern United States, and transgender women. The strategy emphasizes care coordination, coordination between health care and other social services such as housing, treatment as prevention, and pre-exposure prophylaxis. Notable initiatives since the 2010 HIV/AIDS strategy include interagency efforts to address the intersection of HIV and violence against women, a DOJ and CDC collaboration to publish a comprehensive examination and best practices guide on the intersection between HIV and criminal laws, and demonstration projects funded through the HHS Minority AIDS Initiative Fund. Continue reading
By Leslie Francis
[Cross-posted at HealthLawProfs blog.]
Under HIPAA, patients’ spouses and other family members have certain rights to access health information. In an important guidance document in the wake of United States v. Windsor, the Office for Civil Rights (OCR) at HHS has clarified that “spouse” under HIPAA refers to legally married same-sex spouses, even if the individual is receiving services in a jurisdiction not recognizing same-sex marriage. Continue reading
By Leslie Francis
Like the recent Supreme Court decision in Hobby Lobby, the D.C. Circuit’s ruling earlier this week in Halbig v. Burwell is being hailed by conservatives and bemoaned by liberals as a death knell for Obamacare. Unlike the decision in Hobby Lobby, however the D.C. Circuit’s ruling is not the end of the matter, and many liberals are finding hope in the ruling of the 4th Circuit the same day, the probability of an en banc hearing in the D.C. Circuit, and the ultimate possibility of a favorable Supreme Court decision. In an earlier post in HealthLawProf, I decided to take seriously the possibility of damage control from a limited reading of Hobby Lobby. It is pretty much universally agreed—and I believe correctly—that it is not possible to do similar damage control by giving a limited reading to Halbig v. Burwell. If the ruling stands, that tax subsidies are not available to people purchasing coverage through the exchanges in the states that are letting the federal government do the work, many important other provisions of the ACA will be untenable, including the penalties for large employers not offering insurance whose employees receive subsidies and likely the individual mandate itself. But I think it is possible to undermine Halbig in a way not generally recognized by the liberal critics who argue (correctly) that the statutory provision at issue is ambiguous: argue that the jurisprudence of the majority opinion in Halbig is internally inconsistent. Here’s how. Continue reading
By Leslie Francis
Cross-post from HealthLawProf Blog
The President’s Council of Advisors on Science and Technology (PCAST) has issued a report intended to be a technological complement to the recent White House report on big data. This PCAST report, however, is far more than a technological analysis—although as a description of technological developments it is wonderfully accessible, clear and informative. It also contains policy recommendations of sweeping significance about how technology should be used and developed. PCAST’s recommendations carry the imprimatur of scientific expertise—and lawyers interested in health policy should be alert to the normative approach of PCAST to big data.
Here, in PCAST’s own words, is the basic approach: “In light of the continuing proliferation of ways to collect and use information about people, PCAST recommends that policy focus primarily on whether specific uses of information about people affect privacy adversely. It also recommends that policy focus on outcomes, on the “what” rather than the “how,” to avoid becoming obsolete as technology advances. The policy framework should accelerate the development and commercialization of technologies that can help to contain adverse impacts on privacy, including research into new technological options. By using technology more effectively, the Nation can lead internationally in making the most of big data’s benefits while limiting the concerns it poses for privacy. Finally, PCAST calls for efforts to assure that there is enough talent available with the expertise needed to develop and use big data in a privacy-sensitive way.” In other words: assume the importance of continuing to collect and analyze big data, identify potential harms and fixes on a case-by-case basis possibly after the fact, and enlist the help of the commercial sector to develop profitable privacy technologies. Continue reading
By Leslie Francis
At last year’s Petrie-Flom conference on the FDA in the 21st Century, I had an experience that I’ve never really had before in my academic career. I gave a paper (co-authored, actually) that was met with genuine ire. The paper dealt with labeling GMO foods. Several in the audience—including friends—heard me as going over to the dark side of anti-science, irrational skepticism, and downright immoral ignorance of important nutritional and commercial advantages. I wasn’t buying into such bad science, however. The written paper (concededly it’s always possible that a lengthy legal argument doesn’t come across in a nuanced way in a short presentation) argued three points: (1) the FDA has not acted to the full extent of its statutory labeling authority; (2) the present processes for granting market clearance for particular GMO products is highly deferential to industry submissions with respect to safety (the safety of a particular GMO product is a different question from the general question of GMO safety—the FDA’s own example is the unknown allergenic effects of adding peanut genes to other agricultural products); and (3) in a context in which scrutiny of safety is so industry-dependent, there is a case to be made for labeling so that consumers can make their own choices.
In a nutshell, the current FDA process for allowing a particular GMO product to be marketed is a variant of the process for allowing marketing of additives Generally Recognized as Safe (GRAS). Under the GRAS process, anyone can petition for a determination that an additive is GRAS; industry can also make its own GRAS determinations. The procedure for clearing GMO foods is a consultative process that is also voluntary and entirely reliant on information from industry. Unlike the GRAS process, however, it does not even require publication of the information relied on for consultations.
In an article published this week in JAMA Internal Medicine, Neitner et al. demonstrate the extent to which GRAS determinations are riddled with conflicts of interest. The authors conclude, “The lack of independent review in GRAS determinations raises concerns about the integrity of the process and whether it ensures the safety of the food supply, particularly in instances where the manufacturer does not notify the FDA of the determination. The FDA should address these concerns.” Given the parallels between the GRAS process and the process applied to GMO foods, one might hypothesize that conflicts of interest are similarly present in the latter. The FDA should address these concerns, too. This is not anti-science; it is respect for good science.
By Leslie Francis
At the University of Utah, our Center on Law and Biomedical Sciences was fortunate to be able to hold a recent symposium on the future of gene patenting. Our speakers included Ken Chahine and Amelia Rinehart, both faculty at the College of Law, presenting accounts of the science and patent law; Brian Dawson, co-director of the molecular genetics lab at the Mayo Clinic, and Elaine Lyon, co-director of pharmacogenomics at ARUP and incoming president of the Association of Molecular Pathologists, speaking from the perspectives of laboratory directors and the Association of Molecular Pathologists; John Meija, legal director of the ACLU of Utah, speaking on patients’ rights; Wendy Kohlmann, manager of genetic counseling at the Huntsman Cancer Center, considering the ethical dilemmas for genetic counselors confronted by intellectual property restrictions; and Benjamin Jackson, senior director of legal affairs at Myriad Genetics, speaking from the perspective of Myriad. A recording of the symposium can be found here.
For those wishing to follow ongoing developments in gene patenting, we have prepared a libguide with resources on the Myriad decision and ongoing gene patenting cases.
[This is a cross-post from the HealthLawProf blog.]
By Leslie Francis
Cross-posted from the HealthLawProfs blog.
Challenges designed to spur innovative uses of data are springing up frequently. These are contests, sponsored by a mix of government agencies, industry, foundations, a variety of not-for-profit groups, or even individuals. They offer prize money or other incentives for people or teams to come up with solutions to a wide range of problems. In addition to grand prizes, they often offer many smaller prizes or networking opportunities. The latest such challenge to come to my attention was announced August 19 by the Knight Foundation: $2 million for answers to the question “how can we harnass data and information for the health of communities?” Companion prizes, of up to $200,000, are also being offered by the Robert Wood Johnson Foundation and the California Healthcare Foundation.
Such challenges are also a favorite of the Obama administration. From promoting Obamacare among younger Americans (over 100 prizes of up to $30,000)–now entered by Karl Rove’s Crossroads group–to arms control and identification of sewer overflows, the federal government has gone in for challenges big time. Check out challenge.gov to see the impressive list. Use of information and technological innovation feature prominently in the challenges, but there is also a challenge for “innovative communications strategies to target individuals who experience high levels of involuntary breaks (“churn”) in health insurance coverage” (from SAMHSA), a challenge to design posters to educate kids about concussions (from CDC), a challenge to develop a robot that can retrieve samples (from NASA), and a challenge to use technology for atrocity prevention (from USAID and Humanity United). All in all, some 285 challenges sponsored by the federal government are currently active, although for some the submission period has closed. Continue reading
By Leslie Francis
A case from the employment discrimination world that might be of interest to health law folks is EEOC v. Houston Funding II, Ltd., 2013 U.S. App. LEXIS 10933 (May 30, 2013). The employee in the case, Donnicia Venters, was told that her position had been filled when she returned to work post partum and requested to use space in a back room to express milk. The issue in the case was whether firing Venters for expressing breast milk is sex discrimination under Title VII of the Civil Rights Act. The district court had concluded that it was not, as a matter of law, and the 5th Circuit reversed. Although at first glance this outcome is apparently a favorable one for women and children, it also reveals ongoing mismatches between anti-discrimination law in the US and the health needs of workers and their families.
The relevant detail of employment discrimination law is that the Pregnancy Discrimination Act (PDA) provides that discrimination “on the basis of” or “because of” sex includes discrimination on the basis of or because of “pregnancy, childbirth, or related medical conditions.” In holding that breastfeeding is a related medical condition of pregnancy, the 5th Circuit stated “Lactation is the physiological process of secreting milk from mammary glands and is directly caused by hormonal changes associated with pregnancy and childbirth.” Thus, on the 5th Circuit’s plain meaning interpretation of the statute, breastfeeding is within the PDA.
Other courts have reached conclusions less favorable to breastfeeding. The district court in Colorado wrote thus in deciding that a refusal to give breaks for breast feeding was not sex or disability discrimination: “A plaintiff could potentially succeed on a claim if she alleged and was able to prove that lactation was a medical condition related to pregnancy, and that this condition, and not a desire to breastfeed, was the reason for the discriminatory action(s) that she suffered.” Falk v. City of Glendale, 2012 U.S. Dist. LEXIS 87278 (D. Colo. 2012). Indeed, understaffing at the Glendale police department was so severe that no one was able to take breaks, even to use the restroom—so the court concluded that Falk’s problem was equal opportunity bad working conditions, not sex discrimination. Continue reading
By Leslie Francis
On May 29th, HHS issued the final rule governing wellness incentives in group health plans. While the incentives themselves are not a surprise, the scope they are given is worthy of ongoing attention. Wellness incentives have been controversial because of their potential for intrusion into individual choice, their subtle (or not so subtle) coerciveness, their valorization of a particularly model of health, and the possibility that they will impose differential burdens and costs on people with disabilities or other disfavored groups. The final rule attempts to meet these objections in several helpful ways.
Nonetheless, the final rule still will allow programs that are differentially burdensome as a result of factors other than health status. It will also allow programs under which it is more difficult for some than for others to obtain rewards because of their states of health. In programs that give rewards for health outcomes, alternatives must be available for those who do not meet targets—but the reasonableness standard for these alternatives permits requirements that may be differentially burdensome so if they are medically appropriate and follow the recommendations of the patient’s personal physician. HHS supports wellness programs as engaging individuals in their health, as encouraging them in healthy behaviors and discouraging them in unhealthy behaviors, and as incentivizing people to make use of recommended health care services such as screenings. Continue reading
By Leslie Francis
[this is a cross post from HealthLawProf]
Warning: some of this post is HIPAA-wonky. But read on: the punch line is that HIPAA does not protect the living or the dead from blanket release of medical records to their personal representatives—unless state law provides otherwise or patients have thought to specify in advance that they do not want anyone to see the record or parts of it and state law gives them this opportunity. This means that the default position is that personal representatives may see highly sensitive health information, including mental health records or sexual or reproductive histories: veritable skeletons in family medical closets.
In an important recent decision, the 11th Circuit has held that the federal Health Insurance Portability and Accountability Act (HIPAA) preempts a Florida statute that gave spouses and other enumerated parties the right to request the medical records of deceased nursing home residents. Opis Management Resources v. Secretary, Florida Agency for Health Care Administration, 2013 U.S. App. LEXIS 7194 (April 9, 2013). The nursing homes had refused to respond to requests for records made by spouses and attorneys-in-fact, arguing that these requesters were not “personal representatives” under Florida law. The requesters filed complaints with HHS’s Office for Civil Rights, which determined that the refusals were consistent with HIPAA. The Florida Agency for Health Care Administration issued citations against the homes for violating Florida law, and the homes went to court seeking a declaratory judgment that the Florida statute was preempted by HIPAA.
We’re pleased to introduce Leslie P. Francis as a regular contributor to Bill of Health.
Professor Francis holds joint appointments at the University of Utah as Alfred C. Emery distinguished professor of law and distinguished professor of philosophy, and adjunct appointments in Family and Preventive Medicine (in the Division of Public Health), Internal Medicine (in the Division of Medical Ethics), and Political Science. Since 2012, she has also served the College of Law as Associate Dean for Faculty Research and Development. Professor Francis received a B.A. from Wellesley College, where she graduated with high honors in philosophy and was a member of Phi Beta Kappa. She received a Ph.D. in philosophy (1974) from the University of Michigan. After joining Utah’s philosophy faculty, she received her J.D. from the University of Utah (1981) and served as a law clerk to Judge Abner Mikva on the United States Court of Appeals for the District of Columbia Circuit. Appointed to the law faculty in 1982, she teaches and writes extensively in the areas of health law, bioethics, and disability. Professor Francis currently serves as a member of the National Committee on Vital and Health Statistics, where she co-chairs the subcommittee on Privacy, Confidentiality, and Security; and as a member of the Executive Committee of the International Association for Philosophy of Law and Social Philosophy (IVR). Professor Francis also has been a member of the Medicare Coverage Advisory Committee and of the American Bar Association’s Commission on Law and Aging.