It might come as a surprise to many in the United States that they may have no Fourth Amendment reasonable expectation of privacy in their physicians’ records when their physicians transfer these records to state agencies under state public health laws. Yet on July 27, the federal district court for the state of Utah said exactly this for records of controlled substance prescriptions—and perhaps for medical records more generally. (United States Department of Justice, Drug Enforcement Administration v. Utah Department of Commerce, 2017 WL 3189868 (D. Utah July 27)). Patients should know that their physicians are required by law to make reports of these prescriptions to state health departments, the court said. Because patients should know about these reports, they have no expectation of privacy in them as far as the Fourth Amendment is concerned. And, so, warrantless searches by the Drug Enforcement Administration (DEA) are constitutionally permissible at least so far as the district of Utah is concerned. Physicians are by law required to make many kinds of reports to state agencies: abuse, various infectious diseases, possible instances of bioterrorism, tumors, abortions, birth defects—and, in most states, controlled substance prescriptions. The Utah court’s reasoning potentially throws into question the extent to which any of these reports may receive Fourth Amendment protection.
The 21st Century Cures Act was passed with support from both sides of the aisle (imagine that!) and signed into law by then-President Obama late last year. This ambitious legislation drives action in areas as diverse as drug and device regulation and response to the opioid epidemic. It also tackles the issue of how to make data more broadly available for research use and clinical purposes. In our recently published GIM article, “Sharing data under the 21st Century Cures Act,” we examine the Act’s potential to facilitate data-sharing, in line with a recent position statement of the American College of Medical Genetics and Genomics. We highlight a number of provisions of the Act that either explicitly advance data-sharing or promote policy developments that have the potential to advance it. For example, Section 2014 of the Act authorizes the Director of National Institutes of Health to require award recipients to share data, and Section 4006 requires the Secretary of Health and Human Services to promote policies ensuring that patients have access to their electronic health information and are supported in sharing this information with others.
Just as relevant, the Act takes steps to reduce some major barriers to data sharing. An important feature of the Act, which has not been extensively publicized, is its incorporation of provisions from legislation originally proposed by Senators Elizabeth Warren and Mike Enzi to protect the identifiable, sensitive information of research subjects. Senator Warren, in particular, has been a vocal advocate of data sharing. Arguably, one of the biggest barriers to sharing is public concern about privacy. The relevant provisions address this concern chiefly via Certificates of Confidentiality. Among other things, the Act makes issuance of Certificates automatic for federally-funded research in which identifiable, sensitive information is collected and prohibits disclosure of identifiable, sensitive information by covered researchers, with only a few exceptions such as disclosure for purposes of other research. These protections became effective June 11, 2017. While NIH has signaled its awareness of the Act, it has not yet updated its Certificates of Confidentiality webpage. Continue reading
Ever wondered what happens to the biological material you leave behind when you check out of the hospital? Nothing much, is the usual answer. However, the little bits of blood, tissue, and urine are potentially valuable for medical research; miniscule amounts of it may already allow sophisticated analyses, including genetic ones. Thus, in an approach termed ‘healthcare-embedded biobanking’, healthcare providers have started collections of leftover patient materials to create resources for future research.
However, unlike traditional research, healthcare-embedded biobanking is not done with a clear research question in mind. The materials are simply left-overs from diagnosis or treatment and, at the time of collection, the scientific projects for which they may be used eventually are entirely unclear.
This approach leads to an ethical conundrum. Established research ethics frameworks found here and here require that patients be asked for their consent and that they are given all the information they need to make an informed decision about whether to donate their material (and its associated data) or not. This includes, in particular, the research goals as well as the potential benefits and risks. However, this provision of information is not possible in healthcare-embedded biobanking: the risks and benefits can only be described in very broad terms, and the goals and timing of future research are usually unknown. Indeed, the materials may even not be used at all. Continue reading
The legal status of medical marijuana in the United States is unique. On one hand, the Controlled Substance Act of 1970 classifies marijuana as a Schedule I drug with no acceptable medical use and high potential for abuse. On the other hand, as of February 1, 2017, 27 states and the District of Columbia have passed laws authorizing the use of medical marijuana. This discrepancy between federal and state regulation has led to a wide variation in the ways that medical marijuana is regulated on the state level.
In a study published today in Addiction, our team of researchers from the Temple University Center for Public Health Law Research and the RAND Drug Policy Research Center finds that state laws mimic some aspects of federal prescription drug and controlled substances laws, and regulatory strategies used for alcohol, tobacco and traditional medicines.
In the past, studies on medical marijuana laws have focused on the spillover effect of medical marijuana to recreational use and not on whether the laws are regulating marijuana effectively as a medicine. Using policy surveillance methods to analyze the state of medical marijuana laws and their variations across states, this study lays the groundwork for future research evaluating the implementation, impacts, and efficacy of these laws.
The study focuses on three domains of medical marijuana regulation that were in effect as of February 1, 2017: patient protections and requirements, product safety, and dispensary regulation.
Here’s some of what we found:
While the effort to repeal and replace the Affordable Care Act (ACA) has taken center stage, another health-related bill has been making its way through the House without nearly as much attention. On March 2, 2017, Representative Virginia Foxx (R-NC) introduced House Resolution (HR) 1313 on behalf of herself and Representative Tim Walberg (R-MI). The bill would lift current legal restrictions on access to genetic and other health-related information. Specifically, HR 1313 targets provisions of the Americans with Disabilities Act (ADA) that prohibit employers from conducting unnecessary medical examinations and inquiries that do not relate to job performance; the Genetic Information Nondiscrimination Act’s (GINA) provisions proscribing employers from requesting, requiring or purchasing the genetic information of their employees; and GINA’s prohibition on group health insurance plans acquiring genetic information for underwriting purposes and prior to enrollment. The bill passed through the Committee on Education and the Workforce last Wednesday along strict party lines with 22 Republicans supporting the proposed legislation and 17 Democrats opposing it.
Despite the public outcry against the bill, HR 1313 may not be as far-reaching as it initially appears. First, while advocates of genetic privacy fear the worst, both the ADA and GINA contain exceptions for wellness programs that already allow employers to access at least some employee health data. Second, even if HR 1313 passes, employees would still enjoy the ADA’s and GINA’s antidiscrimination protections. HR 1313 could well give employers additional access to genetic and other health-related information about their employees but it is not a license to then use that information to discriminate.
Guest Post by author Sharona Hoffman
I am pleased to post that my new book, “Electronic Health Records and Medical Big Data: Law and Policy” was recently published by Cambridge University Press. The book enables readers gain an in-depth understanding of electronic health record (EHR) systems, medical big data, and the regulations that govern them. It is useful both as a primer for students and as a resource for knowledgeable professionals.
The transition from paper medical records to electronic health record (EHR) systems has had a dramatic impact on clinical care. In addition, EHR systems enable the creation of “medical big data,” that is, very large electronic data resources that can be put to secondary, non-clinical uses, such as medical research, public health initiatives, quality improvement efforts, and other health-related endeavors. This book provides thorough, interdisciplinary analysis of EHR systems and medical big data, offering a multitude of technical and legal insights. Continue reading
By Seán Finan
Almost any test can return incidental results. An incidental result is something demonstrated by the test but not an answer to the test’s original question. Trying on a new pair of trousers, for example, can tell you whether or not they fit. It can also return the incidental result that the holiday feasting hadn’t been as kind to your waistline as you had hoped. Incidental results in genetic testing can be even more alarming. Whether done for clinical or research purposes, genetic tests can reveal a range of mutations, markers and predispositions far beyond the range being tested for. As technology advances, it expands the breadth of possible results.
Incidental results can often impart life changing information. Many can be a cause for dramatic but potentially life saving medical intervention: the presence of BRCA1 and BRCA2 variants that indicate an increased risk of breast cancer, for example.Where incidental results suggest that a patient might have an increased risk of developing a condition in the distant future, that information might allow them to act immediately to mitigate that risk. Genetic testing might also reveal inherited or inheritable mutations that could be crucial information for a patient’s entire family. Even outside the realm of disease, a genetic test might reveal something that could have huge psychological or social ramifications for a patient: for example, a test might reveal true paternity. However, the potentially life altering nature of some of these findings, in contexts where they are not being looked for or even expected, has led to questions about whether they should be revealed to the test subject at all.
April 28, 2017
Wasserstein Hall, Milstein East ABC (2036)
Harvard Law School, 1585 Massachusetts Ave., Cambridge, MA
The Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School is pleased to announce plans for our 2017 annual conference, entitled: “Transparency in Health and Health Care: Legal and Ethical Possibilities and Limits.”
Transparency is a relatively new concept to the world of health and health care, considering that just a few short decades ago we were still in the throes of a “doctor-knows-best” model. Today, however, transparency is found on almost every short list of solutions to a variety of health policy problems, ranging from conflicts of interest to rising drug costs to promoting efficient use of health care resources, and more. Doctors are now expected to be transparent about patient diagnoses and treatment options, hospitals are expected to be transparent about error rates, insurers about policy limitations, companies about prices, researchers about data, and policymakers about priorities and rationales for health policy intervention. But a number of important legal and ethical questions remain. For example, what exactly does transparency mean in the context of health, who has a responsibility to be transparent and to whom, what legal mechanisms are there to promote transparency, and what legal protections are needed for things like privacy, intellectual property, and the like? More specifically, when can transparency improve health and health care, and when is it likely to be nothing more than platitude?
This conference, and anticipated edited volume, will aim to: (1) identify the various thematic roles transparency has been called on to play in American health policy, and why it has emerged in these spaces; (2) understand when, where, how, and why transparency may be a useful policy tool in relation to health and health care, what it can realistically be expected to achieve, and when it is unlikely to be successful, including limits on how patients and consumers utilize information even when we have transparency; (3) assess the legal and ethical issues raised by transparency in health and health care, including obstacles and opportunities; (4) learn from comparative examples of transparency, both in other sectors and outside the United States. In sum, we hope to reach better understandings of this health policy buzzword so that transparency can be utilized as a solution to pressing health policy issues where appropriate, while recognizing its true limitations.
Call for Abstracts
We welcome submissions on both the broad conceptual questions described above and more specific policy issues, including: Continue reading
Imagine this scenario: you are a researcher conducting a clinical trial on a promising treatment for a rare but serious heart condition. Unfortunately, you are struggling to locate and enroll enough eligible participants and your study is at risk of not completing. Then you discover a Facebook support group for precisely the condition you are studying. The group is open: you do not need to be invited or to suffer from the condition to become a member—anyone can join. Here are the eligible participants you have been looking for!
But what are your obligations in approaching members of this group for recruitment? Would such recruitment be ethically advisable? Under what conditions? And what ethical norms apply when approaching sick and potentially vulnerable people for recruitment over social media? How should you (and the IRB) evaluate this type of activity from an ethical perspective?
The FDA has issued a final guidance on low risk wellness devices, and it is refreshingly clear. Rather than applying regulatory discretion as we have seen in the medical app space, the agency has made a broader decision (all usual caveats about non-binding guidances aside) not to even examine large swathes of wellness products to determine whether they are Section 201(h) devices. As such, this guidance more closely resembles the 2013 guidance that declared Personal Sound Amplification Products (PSAPs) not to be medical devices (aka hearing aids).
The FDA approach to defining excluded products breaks no new ground. First, they must be intended for only general wellness use and, second, present a low risk. As to the former, FDA has evolved its approach to referencing specific diseases or conditions. Make no such reference and your product will sail through as a general wellness product. Thus, claims to promote relaxation, to boost self-esteem, to manage sleep patterns, etc., are clearly exempt. On the other hand, the agency will clearly regulate products that claim to treat or diagnose specific conditions. Continue reading
Guest post by Donna M. Gitter, Zichlin School of Business, Baruch College, based on Professor Gitter’s presentation at the Petrie-Flom Center’s 2016 Annual Conference, “Big Data, Health Law, and Bioethics,” held May 6, 2016, at Harvard Law School.
Cross-posted from the Hastings Center’s Bioethics Forum.
The Icelandic biotech firm deCODE Genetics has pioneered a means of determining an individual’s susceptibility to various medical conditions with 99 percent accuracy by gathering information about that person’s relatives, including their medical and genealogical records. Of course, inferences have long been made about a person’s health by observing and gathering information about her relatives. What is unique about deCODE’s approach in Iceland is that the company uses the detailed genealogical records available in that country in order to estimate genotypes of close relatives of individuals who volunteered to participate in research, and extrapolates this information in order to make inferences about hundreds of thousands of living and deceased Icelanders who have not consented to participate in deCODE’s studies. DeCODE’s technique is particularly effective in Iceland, a small island nation that, due to its largely consanguineous population and detailed genealogical records, lends itself particularly well to genetic research.
While Iceland’s detailed genealogical records enable the widespread use of estimated data in Iceland, a large enough U.S. database could be used to make similar inferences about individuals here. While the U.S. lacks a national database similar to Iceland’s, private companies such as 23andme and Ancestry.com have created rough gene maps of several million people, and the National Institutes of Health plans to spend millions of dollars in the coming years sequencing full genome data on tens of thousands of people. These databases could allow the development of estimated data on countless U.S. citizens.
DeCODE plans to use its estimated data for an even bolder new study in Iceland. Having imputed the genotypes of close relatives of volunteers whose DNA had been fully catalogued, deCODE intends to collaborate with Iceland’s National Hospital to link these relatives, without their informed consent, to some of their hospital records, such a surgery codes and prescriptions. When the Icelandic Data Protection Authority (DPA) nixed deCODE’s initial plan, deCODE agreed that it will generate for only a brief period a genetic imputation for those who have not consented, and then delete that imputation from the database. The only accessible data would be statistical results, which would not be traceable to individuals.
Are the individuals from whom estimated data is gathered entitled to informed consent, given that their data will be used for research, even if the data is putatively unidentifiable? In the U.S., consideration of this question must take into account not only the need for privacy enshrined in the federal law of informed consent, but also the right of autonomy, which empowers individuals to decline to participate in research. Although estimated DNA sequences, unlike directly measured sequences, are not very accurate at the individual level, but rather at the group level, individuals may nevertheless object to research participation for moral, ethical, and other reasons. A competing principle, however, is beneficence, and any impediment to deCODE using its estimated data can represent a lost opportunity for the complex disease genetics community.
By Timo Minssen
Please find below my welcome speech at last-weeks mini-symposium on “Legal dimensions of Big Data in the Health and Life Sciences – From Intellectual Property Rights and Global Pandemics to Privacy and Ethics at the University of Copenhagen (UCPH). The event was organized by our Global Genes –Local Concerns project, with support from the UCPH Excellence Programme for Interdisciplinary Research.
The symposium, which was inspired by the wonderful recent PFC & Berkman Center Big Data conference, featured enlightening speeches by former PFC fellows Nicholson Price on incentives for the development of black box personalized medicine and Jeff Skopek on privacy issues. In addition we were lucky to have Peter Yu speaking on “Big Data, Intellectual Property and Global Pandemics” and Michael J. Madison on Big Data and Commons Challenges”. The presentations and recordings of the session will soon be made available on our Center’s webpage.
Thanks everybody for your dedication, inspiration, great presentations and an exciting panel discussion.
“Legal Dimensions of Big Data in the Health and Life Sciences – From Intellectual Property Rights and Global Pandemics to Privacy and Ethics”
Our private health decisions may not be as private as we’d like to think. A recent article in the Wall Street Journal revealed a potentially uncomfortable situation: employers using health care analytics companies to mine employees’ health data to determine which employees may be about to make certain health decisions.
While this type of data analytics can be used to predict a variety of health conditions (ranging from an increased risk of diabetes to back surgery to pregnancy), the most attention-grabbing example discussed was pregnancy. By obtaining permission to analyze employees’ medical information, companies such as Castlight are able to look at factors such as search queries and whether employees have been filling their birth control prescriptions to predict pregnancies. Some commentators expressed concerns that this type of information could be used by companies in improper ways. Continue reading
[Cross-posted from the Genomics Law Report blog]
The Equal Employment Opportunity Commission (EEOC) is responsible for enforcing Title II of the Genetic Information Nondiscrimination Act (GINA), which prohibits employers from requesting genetic information (defined broadly) from their prospective, current, or former employees. GINA contains only six limited exceptions to this prohibition, one of which is an exception for wellness programs in which the employee’s participation is voluntary.
On October 30, 2015 the EEOC issued a proposed ruleto amend GINA regulations in an attempt to harmonize them with the Affordable Care Act’s promotion of employer wellness programs to lower health care costs. The proposed rule tries to clarify that employers are permitted to offer incentives for an employee’s spouse to participate in a voluntary wellness program (but not the employee’s other dependents). The permissible incentives are capped at 30% of the total cost of the plan in which the employee and dependents are enrolled. The EEOC’s expressed intent is to treat GINA’s Title I (health insurance) and Title II (employment) provisions similarly. The proposed rule would allow employers to request current and former health status information from an employee’s spouse as part of their participation in the employer-sponsored wellness program. And there’s the rub: the current or former health status of an employee’s spouse is the employee’s own “genetic information” as the term is statutorily defined in GINA. The EEOC has prepared a Q&A page to explain the proposed rule, and the Congressional Research Service issued a report (R44311) on the topic on December 17, 2015. Continue reading
Proposed changes to the federal Common Rule would ask patients for the first time to decide whether to allow their non-identified, leftover tissue to be used for research or thrown away. For that choice to be meaningful, the public needs to be aware of the nature, risks, and benefits of biospecimens research, and of what the proposed changes will—and will not—do. In my latest Forbes essay, “No, Donating Your Leftover Tissue To Research Is Not Like Letting Someone Rifle Through Your Phone,” I consider the power of analogies and other reflections on Rebecca Skloot’s recent New York Times op-ed on the NPRM.
The direct-to-consumer genetic testing company 23andMe was widely discussed in the news recently after it announced it would resume providing health information to customers. Less widely reported was another important announcement: for what appears to be the first time, 23andMe has released a public report about the number of requests it has received from law enforcement seeking its customers’ genetic information. According to the Transparency Report, 23andMe has received four requests for user data from law enforcement, with five different affected users.
Although 23andMe has thus far successfully fought off all of the law enforcement requests for its users’ data, there has long been concern about the potential release of 23andMe’s customers’ information to law enforcement. The 23andMe Privacy Statement states, “23andMe will preserve and disclose any and all information to law enforcement agencies” when it believes it is required to do so. Even though 23andMe has not yet disclosed any of its users’ information, the day may soon come when it is required to do so. That disclosure could have significant impacts for not only users who consented to the use of their data, but for users’ families, who may be implicated through familial DNA searches.
As Michelle noted, the Notice of Proposed Rule Making (NPRM) on human subjects research is out after a long delay. For my (and many Bill of Health bloggers’) view about its predecessor ANPRM, you can check out our 2014 book, Human Subjects Research Regulation: Perspectives on the Future.
Here is HHS’s own summary of what has changed and what it thinks is most important:
The U.S. Department of Health and Human Services and fifteen other Federal Departments and Agencies have announced proposed revisions to modernize, strengthen, and make more effective the Federal Policy for the Protection of Human Subjects that was promulgated as a Common Rule in 1991. A Notice of Proposed Rulemaking (NPRM) was put on public display on September 2, 2015 by the Office of the Federal Register. The NPRM seeks comment on proposals to better protect human subjects involved in research, while facilitating valuable research and reducing burden, delay, and ambiguity for investigators. It is expected that the NPRM will be published in the Federal Register on September 8, 2015. There are plans to release several webinars that will explain the changes proposed in the NPRM, and a town hall meeting is planned to be held in Washington, D.C. in October. Continue reading
The 21st Century Cures Act is a big deal; the House passed it handily, and we’re still waiting to see what the Senate does. A lot has been written about what it does in terms of changing FDA review processes, and a fair bit about the lovely increase in funding for NIH (see Rachel Sachs’ blog posts here, here, and here). These are tremendously important.
But another provision in the bill has been getting much less play: the way it changes HIPAA to enable large-scale research, which is also a big deal all by itself. Continue reading
Cross Posted from Health Affairs Blog
Health care lawyers justifiably ignored the 2012 Obama administration consumer privacy framework because it expressly and broadly exempted entities subject to HIPAA, stating “To avoid creating duplicative regulatory burdens, the Administration supports exempting companies from consumer data privacy legislation to the extent that their activities are subject to existing Federal data privacy laws.”
In contrast, the administration’s 2015 draft bill, the Consumer Privacy Bill of Rights Act, though based on that framework, substantially affects health care entities, including those subject to HIPAA, and so demands more attention in the health law community.
The “HIPAA clause” in the draft bill is subtly different (and noticeably narrower than its preemption of state law clause): “If a covered entity is subject to a provision of this Act and a comparable provision of a Federal privacy or security law [the list includes HIPAA] such provision of this Act shall not apply to such person to the extent that such provision of Federal privacy or security law applies to such person.” Continue reading
By Allison M. Whelan (Guest Blogger)
On December 18, 2014, President Obama signed into law the Newborn Screening Saves Lives Reauthorization Act of 2014. The Act includes new timeliness and tracking measures to ensure newborn babies with deadly yet treatable disorders are diagnosed quickly. These changes responded to a Milwaukee Journal Sentinel investigation that found thousands of hospitals delayed sending babies’ blood samples to state labs. A primary purpose of newborn screening is to detect disorders quickly, so any delays increase the risk of illness, disability, and even death.
Although a major reason for the Act’s amendments is to address these problematic delays, another important addition to the Act establishes a parental consent requirement before residual newborn blood spots (NBS) are used in federally-funded research. The Act directs the Department of Health and Human Services (HHS) to update the Federal Policy for the Protection of Human Subjects (the “Common Rule”) to recognize federally-funded research on NBS as “human subjects” research. It also eliminates the ability of an institutional review board to waive informed consent requirements for NBS research.