CALL FOR ABSTRACTS! 2017 Annual Conference, “Transparency in Health & Health Care: Legal & Ethical Possibilities & Limits”

The Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School is pleased to announce plans for our 2017 annual conference, entitled: Transparency in Health and Health Care: Legal and Ethical Possibilities and Limits.

Transparency is a relatively new concept to the world of health and health care, considering that just a few short decades ago we were still in the throes of a “doctor-knows-best” model. Today, however, transparency is found on almost every short list of solutions to a variety of health policy problems, ranging from conflicts of interest to rising drug costs to promoting efficient use of health care resources, and more. Doctors are now expected to be transparent about patient diagnoses and treatment options, hospitals are expected to be transparent about error rates, insurers about policy limitations, companies about prices, researchers about data, and policymakers about priorities and rationales for health policy intervention. But a number of important legal and ethical questions remain. For example, what exactly does transparency mean in the context of health, who has a responsibility to be transparent and to whom, what legal mechanisms are there to promote transparency, and what legal protections are needed for things like privacy, intellectual property, and the like?  More specifically, when can transparency improve health and health care, and when is it likely to be nothing more than platitude?

This conference, and anticipated edited volume, will aim to: (1) identify the various thematic roles transparency has been called on to play in American health policy, and why it has emerged in these spaces; (2) understand when, where, how, and why transparency may be a useful policy tool in relation to health and health care, what it can realistically be expected to achieve, and when it is unlikely to be successful, including limits on how patients and consumers utilize information even when we have transparency; (3) assess the legal and ethical issues raised by transparency in health and health care, including obstacles and opportunities; (4) learn from comparative examples of transparency, both in other sectors and outside the United States.  In sum, we hope to reach better understandings of this health policy buzzword so that transparency can be utilized as a solution to pressing health policy issues where appropriate, while recognizing its true limitations.

Call for Abstracts

We welcome submissions on both the broad conceptual questions described above and more specific policy issues, including:

Social Media Use in Research Recruitment: A New Guidance Document from Petrie-Flom and Harvard Catalyst

Imagine this scenario: you are a researcher conducting a clinical trial on a promising treatment for a rare but serious heart condition. Unfortunately, you are struggling to locate and enroll enough eligible participants and your study is at risk of not completing. Then you discover a Facebook support group for precisely the condition you are studying. The group is open: you do not need to be invited or to suffer from the condition to become a member—anyone can join. Here are the eligible participants you have been looking for!

But what are your obligations in approaching members of this group for recruitment? Would such recruitment be ethically advisable? Under what conditions? And what ethical norms apply when approaching sick and potentially vulnerable people for recruitment over social media? How should you (and the IRB) evaluate this type of activity from an ethical perspective?

FitBits Be Free: General Wellness Products Are Not (Generally) Medical Devices

By Nicolas Terry

The FDA has issued a final guidance on low risk wellness devices, and it is refreshingly clear. Rather than applying regulatory discretion as we have seen in the medical app space, the agency has made a broader decision (all usual caveats about non-binding guidances aside) not to even examine large swathes of wellness products to determine whether they are Section 201(h) devices. As such, this guidance more closely resembles the 2013 guidance that declared Personal Sound Amplification Products (PSAPs) not to be medical devices (aka hearing aids).

The FDA approach to defining excluded products breaks no new ground. First, they must be intended for only general wellness use and, second, present a low risk. As to the former, FDA has evolved its approach to referencing specific diseases or conditions. Make no such reference and your product will sail through as a general wellness product. Thus, claims to promote relaxation, to boost self-esteem, to manage sleep patterns, etc., are clearly exempt. On the other hand, the agency will clearly regulate products that claim to treat or diagnose specific conditions.

Use of Estimated Data Should Require Informed Consent

Guest post by Donna M. Gitter, Zichlin School of Business, Baruch College, based on Professor Gitter’s presentation at the Petrie-Flom Center’s 2016 Annual Conference, “Big Data, Health Law, and Bioethics,” held May 6, 2016, at Harvard Law School.

Cross-posted from the Hastings Center’s Bioethics Forum.

The Icelandic biotech firm deCODE Genetics has pioneered a means of determining an individual’s susceptibility to various medical conditions with 99 percent accuracy by gathering information about that person’s relatives, including their medical and genealogical records. Of course, inferences have long been made about a person’s health by observing and gathering information about her relatives. What is unique about deCODE’s approach in Iceland is that the company uses the detailed genealogical records available in that country in order to estimate genotypes of close relatives of individuals who volunteered to participate in research, and extrapolates this information in order to make inferences about hundreds of thousands of living and deceased Icelanders who have not consented to participate in deCODE’s studies. DeCODE’s technique is particularly effective in Iceland, a small island nation that, due to its largely consanguineous population and detailed genealogical records, lends itself particularly well to genetic research.

While Iceland’s detailed genealogical records enable the widespread use of estimated data in Iceland, a large enough U.S. database could be used to make similar inferences about individuals here. While the U.S. lacks a national database similar to Iceland’s, private companies such as 23andme and have created rough gene maps of several million people, and the National Institutes of Health plans to spend millions of dollars in the coming years sequencing full genome data on tens of thousands of people. These databases could allow the development of estimated data on countless U.S. citizens.

DeCODE plans to use its estimated data for an even bolder new study in Iceland. Having imputed the genotypes of close relatives of volunteers whose DNA had been fully catalogued, deCODE intends to collaborate with Iceland’s National Hospital to link these relatives, without their informed consent, to some of their hospital records, such as surgery codes and prescriptions. When the Icelandic Data Protection Authority (DPA) nixed deCODE’s initial plan, deCODE agreed that it will generate for only a brief period a genetic imputation for those who have not consented, and then delete that imputation from the database. The only accessible data would be statistical results, which would not be traceable to individuals.

Are the individuals from whom estimated data is gathered entitled to informed consent, given that their data will be used for research, even if the data is putatively unidentifiable? In the U.S., consideration of this question must take into account not only the need for privacy enshrined in the federal law of informed consent, but also the right of autonomy, which empowers individuals to decline to participate in research. Although estimated DNA sequences, unlike directly measured sequences, are not very accurate at the individual level, but rather at the group level, individuals may nevertheless object to research participation for moral, ethical, and other reasons. A competing principle, however, is beneficence, and any impediment to deCODE using its estimated data can represent a lost opportunity for the complex disease genetics community.

Legal Dimensions of Big Data in the Health and Life Sciences

Please find below my welcome speech at last week’s mini-symposium on “Legal Dimensions of Big Data in the Health and Life Sciences – From Intellectual Property Rights and Global Pandemics to Privacy and Ethics” at the University of Copenhagen (UCPH). The event was organized by our Global Genes – Local Concerns project, with support from the UCPH Excellence Programme for Interdisciplinary Research.

The symposium, which was inspired by the wonderful recent PFC & Berkman Center Big Data conference, featured enlightening speeches by former PFC fellows Nicholson Price on incentives for the development of black box personalized medicine and Jeff Skopek on privacy issues. In addition, we were lucky to have Peter Yu speaking on “Big Data, Intellectual Property and Global Pandemics” and Michael J. Madison on “Big Data and Commons Challenges”. The presentations and recordings of the session will soon be made available on our Center’s webpage.

Thanks everybody for your dedication, inspiration, great presentations and an exciting panel discussion.

“Legal Dimensions of Big Data in the Health and Life Sciences – From Intellectual Property Rights and Global Pandemics to Privacy and Ethics”

Data Mining and Pregnancy Prediction

By Katherine Kwong

Our private health decisions may not be as private as we’d like to think. A recent article in the Wall Street Journal revealed a potentially uncomfortable situation: employers using health care analytics companies to mine employees’ health data to determine which employees may be about to make certain health decisions.

While this type of data analytics can be used to predict a variety of health conditions (ranging from an increased risk of diabetes to back surgery to pregnancy), the most attention-grabbing example discussed was pregnancy. By obtaining permission to analyze employees’ medical information, companies such as Castlight are able to look at factors such as search queries and whether employees have been filling their birth control prescriptions to predict pregnancies. Some commentators expressed concerns that this type of information could be used by companies in improper ways.

EEOC Tries to Harmonize ACA’s Promotion of Employer Wellness Programs with GINA’s Ban Against Employer Access to Genetic Information of Employees and Employees’ Family Members

[Cross-posted from the Genomics Law Report blog]


The Equal Employment Opportunity Commission (EEOC) is responsible for enforcing Title II of the Genetic Information Nondiscrimination Act (GINA), which prohibits employers from requesting genetic information (defined broadly) from their prospective, current, or former employees. GINA contains only six limited exceptions to this prohibition, one of which is an exception for wellness programs in which the employee’s participation is voluntary.

On October 30, 2015 the EEOC issued a proposed rule to amend GINA regulations in an attempt to harmonize them with the Affordable Care Act’s promotion of employer wellness programs to lower health care costs. The proposed rule tries to clarify that employers are permitted to offer incentives for an employee’s spouse to participate in a voluntary wellness program (but not the employee’s other dependents). The permissible incentives are capped at 30% of the total cost of the plan in which the employee and dependents are enrolled. The EEOC’s expressed intent is to treat GINA’s Title I (health insurance) and Title II (employment) provisions similarly. The proposed rule would allow employers to request current and former health status information from an employee’s spouse as part of their participation in the employer-sponsored wellness program. And there’s the rub: the current or former health status of an employee’s spouse is the employee’s own “genetic information” as the term is statutorily defined in GINA. The EEOC has prepared a Q&A page to explain the proposed rule, and the Congressional Research Service issued a report (R44311) on the topic on December 17, 2015.

NPRM Symposium: How Should We Think About Whether To Donate Our Leftover, Non-Identified Tissue to Research?

Proposed changes to the federal Common Rule would ask patients for the first time to decide whether to allow their non-identified, leftover tissue to be used for research or thrown away. For that choice to be meaningful, the public needs to be aware of the nature, risks, and benefits of biospecimens research, and of what the proposed changes will—and will not—do. In my latest Forbes essay, “No, Donating Your Leftover Tissue To Research Is Not Like Letting Someone Rifle Through Your Phone,” I consider the power of analogies and other reflections on Rebecca Skloot’s recent New York Times op-ed on the NPRM.

23andMe Releases Transparency Report About Law Enforcement Requests for Customers’ Data

By Katherine Kwong

The direct-to-consumer genetic testing company 23andMe was widely discussed in the news recently after it announced it would resume providing health information to customers. Less widely reported was another important announcement: for what appears to be the first time, 23andMe has released a public report about the number of requests it has received from law enforcement seeking its customers’ genetic information. According to the Transparency Report, 23andMe has received four requests for user data from law enforcement, with five different affected users.

Although 23andMe has thus far successfully fought off all of the law enforcement requests for its users’ data, there has long been concern about the potential release of 23andMe’s customers’ information to law enforcement. The 23andMe Privacy Statement states, “23andMe will preserve and disclose any and all information to law enforcement agencies” when it believes it is required to do so. Even though 23andMe has not yet disclosed any of its users’ information, the day may soon come when it is required to do so. That disclosure could have significant impacts for not only users who consented to the use of their data, but for users’ families, who may be implicated through familial DNA searches.

NPRM Summary from HHS

As Michelle noted, the Notice of Proposed Rule Making (NPRM) on human subjects research is out after a long delay. For my (and many Bill of Health bloggers’) view about its predecessor ANPRM, you can check out our 2014 book, Human Subjects Research Regulation: Perspectives on the Future.

Here is HHS’s own summary of what has changed and what it thinks is most important:

The U.S. Department of Health and Human Services and fifteen other Federal Departments and Agencies have announced proposed revisions to modernize, strengthen, and make more effective the Federal Policy for the Protection of Human Subjects that was promulgated as a Common Rule in 1991.  A Notice of Proposed Rulemaking (NPRM) was put on public display on September 2, 2015 by the Office of the Federal Register.  The NPRM seeks comment on proposals to better protect human subjects involved in research, while facilitating valuable research and reducing burden, delay, and ambiguity for investigators. It is expected that the NPRM will be published in the Federal Register on September 8, 2015.  There are plans to release several webinars that will explain the changes proposed in the NPRM, and a town hall meeting is planned to be held in Washington, D.C. in October.

The 21st Century Cures Act, HIPAA, Big Data, and Medical Research

By Nicholson Price

The 21st Century Cures Act is a big deal; the House passed it handily, and we’re still waiting to see what the Senate does.  A lot has been written about what it does in terms of changing FDA review processes, and a fair bit about the lovely increase in funding for NIH (see Rachel Sachs’ blog posts here, here, and here).  These are tremendously important.

But another provision in the bill has been getting much less play: the way it changes HIPAA to enable large-scale research, which is also a big deal all by itself.

Should Health Lawyers Pay Attention To The Administration’s Privacy Bill?

By Nicolas Terry

Cross Posted from Health Affairs Blog

Health care lawyers justifiably ignored the 2012 Obama administration consumer privacy framework because it expressly and broadly exempted entities subject to HIPAA, stating “To avoid creating duplicative regulatory burdens, the Administration supports exempting companies from consumer data privacy legislation to the extent that their activities are subject to existing Federal data privacy laws.”

In contrast, the administration’s 2015 draft bill, the Consumer Privacy Bill of Rights Act, though based on that framework, substantially affects health care entities, including those subject to HIPAA, and so demands more attention in the health law community.

The “HIPAA clause” in the draft bill is subtly different (and noticeably narrower than its preemption of state law clause): “If a covered entity is subject to a provision of this Act and a comparable provision of a Federal privacy or security law [the list includes HIPAA] such provision of this Act shall not apply to such person to the extent that such provision of Federal privacy or security law applies to such person.”

Federal Newborn Screening Law Emphasizes Informed Consent

Allison M. Whelan, J.D.
Senior Fellow, Center for Bioethics and Global Health Policy, University of California, Irvine
Guest Blogger

On December 18, 2014, President Obama signed into law the Newborn Screening Saves Lives Reauthorization Act of 2014. The Act includes new timeliness and tracking measures to ensure newborn babies with deadly yet treatable disorders are diagnosed quickly. These changes responded to a Milwaukee Journal Sentinel investigation that found thousands of hospitals delayed sending babies’ blood samples to state labs.  A primary purpose of newborn screening is to detect disorders quickly, so any delays increase the risk of illness, disability, and even death.

Although a major reason for the Act’s amendments is to address these problematic delays, another important addition to the Act establishes a parental consent requirement before residual newborn blood spots (NBS) are used in federally-funded research. The Act directs the Department of Health and Human Services (HHS) to update the Federal Policy for the Protection of Human Subjects (the “Common Rule”) to recognize federally-funded research on NBS as “human subjects” research. It also eliminates the ability of an institutional review board to waive informed consent requirements for NBS research.

A Chief Privacy Officer’s Take on the Chanko Case

Earlier this month, Charles Ornstein explored a New York City family’s charge that their privacy was violated by a local hospital and a reality television show in ProPublica. More specifically, he details how the death of one Mr. Mark Chanko was filmed at NY Presbyterian Hospital without the family’s consent, and then nationally aired on ABC’s NY MED over a year later. Mr. Chanko’s face was blurred for viewers but he remained recognizable to family and friends who watched the show. Since the broadcast, the family has pursued legal action through several New York courts with little success thus far.

The piece has already been commented upon by several smart people, most recently Kay Lazar of the Boston Globe. Just one day after Ornstein’s piece went to press, the Dean of Harvard Medical School Jeffrey Flier (@jflier) tweeted “How could this be allowed to happen?” only to be informed by the Chair of Surgery at Boston Medical Center, Gerard Doherty, (@GerardDoherty4) that three Harvard-affiliated hospitals are in fact currently hosting camera crews for a similar series. The ensuing conversation reminded me just how limited a platform Twitter is for tricky conversations about health care law and ethics. So I did what any self-respecting millennial would do – I went home for the holidays and asked my mom to help me understand what the internet couldn’t.

The Constitutional Implications of Ebola: Civil Liberties and Civil Rights In Times of Health Crises

Join us for an important public forum:

Constitutional Implications of Ebola:
Civil Liberties & Civil Rights In Times of Health Crises

This public forum addresses the constitutional and public health implications of Ebola response in the United States.  According to state and federal laws, patient information is deemed private and is to be held in strict confidentiality.  However, in the wake of Ebola, well-established protocols to guard patient privacy have been neglected or suspended without public debate.  At this forum, a panel of experts raise questions not only about how to contain the disease, but also to what extent Americans value their healthcare privacy, civil liberties, and civil rights.  To what extent are Americans’ Ebola fears influenced by the origins of the disease?  What liberties are Americans willing to sacrifice to calm their fears?  How to balance the concern for public welfare with legal and ethical privacy principles?

Speakers: Reverend Jesse L. Jackson, Sr.;  Michele Goodwin, Chancellor’s Chair, UC Irvine School of Law;  Professor Andrew Noymer, UC Irvine School of Public Health; and Dr. George Woods, American Psychiatric Association.

This Forum intervenes in the current national and international discourse on Ebola by probing law’s role in addressing public health crises.  This forum is free and open to the public.

WHEN: Wednesday, November 19, 2014, 3.30pm-5.30pm

WHERE: University of California Irvine, School of Law; ROOM EDU 1111, 401 E Peltason Dr, Irvine, CA 92612

Ebola and Privacy

By Michele Goodwin

As the nation braces for possibly more Ebola cases, civil liberties should be considered, including patient privacy.  As news media feature headline-grabbing stories about quarantines,  let’s think about the laws governing privacy in healthcare. Despite federal laws enacted to protect patient privacy, the Ebola scare brings the vulnerability of individuals and the regulations intended to help them into sharp relief.

In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) to protect patient privacy.  Specifically, HIPAA’s Privacy Rule requires that healthcare providers and their business associates restrict access to patients’ health care information.  For many years, the law has been regarded as the strongest federal statement regarding patient privacy. But it may be tested in the wake of the Ebola scare with patients’ names, photographs, and even family information entering the public sphere.

Ebola hysteria raises questions not only about how to contain the disease, but also to what extent Americans value their healthcare privacy.  What liberties are Americans willing to sacrifice to calm their fears?  How to balance the concern for public welfare with legal and ethical privacy principles?  For example, will Americans tolerate profiling travelers based on their race or national origin as precautionary measures?  What type of reporting norms should govern Ebola cases?  Should reporting the existence of an Ebola case also include disclosing the name of the patient?  I don’t think so, but the jury appears out for many.

Facebook Rumored To Be Planning Foray Into the Online Health Space

Reuters broke the story on Friday, citing anonymous sources:

The company is exploring creating online “support communities” that would connect Facebook users suffering from various ailments. . . . Recently, Facebook executives have come to realize that healthcare might work as a tool to increase engagement with the site. One catalyst: the unexpected success of Facebook’s “organ-donor status initiative,” introduced in 2012. The day that Facebook altered profile pages to allow members to specify their organ donor-status, 13,054 people registered to be organ donors online in the United States, a 21 fold increase over the daily average of 616 registrations . . . . Separately, Facebook product teams noticed that people with chronic ailments such as diabetes would search the social networking site for advice, said one former Facebook insider. In addition, the proliferation of patient networks such as PatientsLikeMe demonstrate that people are increasingly comfortable sharing symptoms and treatment experiences online. . . . Facebook may already have a few ideas to alleviate privacy concerns around its health initiatives. The company is considering rolling out its first health application quietly and under a different name, a source said.

I’m quoted in this International Business Times article about Facebook’s rumored plans. After the jump is the full statement I provided to the reporter (links added).

HHS Issues Guidance on Same Sex Spouses and HIPAA

[Cross-posted at HealthLawProfs blog.]

Under HIPAA, patients’ spouses and other family members have certain rights to access health information. In an important guidance document in the wake of United States v. Windsor, the Office for Civil Rights (OCR) at HHS has clarified that “spouse” under HIPAA refers to legally married same-sex spouses, even if the individual is receiving services in a jurisdiction not recognizing same-sex marriage.

Getting Granular with Apple’s mHealth Guidelines

By Nicolas Terry

In a post last week I compared Apple’s new mHealth App store rules with our classic regulatory models. I noted that the ‘Health’ data aggregation app and other apps using the ‘HealthKit’ API that collected, stored or processed health data would seldom be subject to the HIPAA Privacy and Security rules. There will be exceptions, for example, apps linked to EMR data held by covered entities. Equally, the FTC will patrol the space looking for violations of privacy policies and most EMR and PHR apps will be subject to federal notification of breach regulations.

Apple has now publicly released its app store review guidelines for HealthKit and they make for an interesting read. First, it is disappointing that Apple has taken its cue from our dysfunctional health privacy laws and concentrated its regulation on data use, rather than collection. A prohibition on collecting user data other than for the primary purpose of the app would have been welcome. Second, apps using the framework cannot store user data in iCloud (which does not offer a BAA), begging the question where it will be acceptable for such data to be stored. Amazon Web Services? Third, while last week’s leaks are confirmed and there is a strong prohibition on using HealthKit data for advertising or other data-mining purposes, the official text has a squirrelly coda; “other than improving health, medical, and fitness management, or for the purpose of medical research.” This needs to be clarified, as does the choice architecture.

Apple’s mHealth Rules Fear to Tread Where Our Privacy Laws Fall Short

By Nicolas Terry

On September 9 Apple is hosting its ‘Wish We Could Say More’ event. In the interim we will be deluged with usually uninformed speculation about the new iPhone, an iWatch wearable, and who knows what else. What we do know, because Apple announced it back in June, is that iOS 8, Apple’s mobile operating system will include an App called ‘Health’ (backed by a ‘HealthKit’ API) that will aggregate health and fitness data from the iPhone’s own internal sensors, 3rd party wearables, and EMRs.

What has been less than clear is how the privacy of this data is to be protected. There is some low hanging legal fruit. For example, when Apple partners with the Mayo Clinic or EMR manufacturers to make EMR data available from covered entities they are squarely within the HIPAA Privacy and Security Rules triggering the requirements for Business Associate Agreements, etc.

But what of the health data being collected by the Apple health data aggregator or other apps that lies outside of protected HIPAA space? Fitness and health data picked up by apps and stored on the phone or on an app developer’s analytic cloud fails the HIPAA applicability test, yet may be as sensitive as anything stored on a hospital server (as I have argued elsewhere). HIPAA may not apply but this is not a completely unregulated area. The FTC is more aggressively policing the health data space and is paying particular attention to deviance from stated privacy policies by app developers. The FTC also enforces a narrow and oft-forgotten part of HIPAA that applies a breach notification rule to non-covered entity PHR vendors, some of whom no doubt will be selling their wares on the app store.