Legal Dimensions of Big Data in the Health and Life Sciences

Please find below my welcome speech at last week’s mini-symposium on “Legal Dimensions of Big Data in the Health and Life Sciences – From Intellectual Property Rights and Global Pandemics to Privacy and Ethics” at the University of Copenhagen (UCPH). The event was organized by our Global Genes – Local Concerns project, with support from the UCPH Excellence Programme for Interdisciplinary Research.

The symposium, which was inspired by the wonderful recent PFC & Berkman Center Big Data conference, featured enlightening speeches by former PFC fellows Nicholson Price on sufficient incentives for the development of personalized medicine and Jeff Skopek on privacy issues. In addition, we were lucky enough to have Peter Yu speaking on “Big Data, Intellectual Property and Global Pandemics” and Michael J. Madison on “Big Data and Commons”. The presentations and recordings of the session will soon be made available on our Center’s webpage.

Thanks everybody for your dedication, inspiration, great presentations and an exciting panel discussion.

“Legal Dimensions of Big Data in the Health and Life Sciences – From Intellectual Property Rights and Global Pandemics to Privacy and Ethics”

By PI Timo Minssen

“Our goal is to create a European Open Science Cloud to make science more efficient and productive and let millions of researchers share and analyze research data in a trusted environment across technologies, disciplines and borders”.

Carlos Moedas, EU Commissioner for Research, Science & Innovation

“The European Cloud Initiative will unlock the value of big data by providing world-class supercomputing capability, high-speed connectivity and leading-edge data and software services for science, industry and the public sector.”

– Günther H. Oettinger, Commissioner for the Digital Economy and Society

Data Mining and Pregnancy Prediction

By Katherine Kwong

Our private health decisions may not be as private as we’d like to think. A recent article in the Wall Street Journal revealed a potentially uncomfortable situation: employers using health care analytics companies to mine employees’ health data to determine which employees may be about to make certain health decisions.

While this type of data analytics can be used to predict a variety of health conditions (ranging from an increased risk of diabetes to back surgery to pregnancy), the most attention-grabbing example discussed was pregnancy. By obtaining permission to analyze employees’ medical information, companies such as Castlight are able to look at factors such as search queries and whether employees have been filling their birth control prescriptions to predict pregnancies. Some commentators expressed concerns that this type of information could be used by companies in improper ways.

EEOC Tries to Harmonize ACA’s Promotion of Employer Wellness Programs with GINA’s Ban Against Employer Access to Genetic Information of Employees and Employees’ Family Members

[Cross-posted from the Genomics Law Report blog]

The Equal Employment Opportunity Commission (EEOC) is responsible for enforcing Title II of the Genetic Information Nondiscrimination Act (GINA), which prohibits employers from requesting genetic information (defined broadly) from their prospective, current, or former employees. GINA contains only six limited exceptions to this prohibition, one of which is an exception for wellness programs in which the employee’s participation is voluntary.

On October 30, 2015, the EEOC issued a proposed rule to amend GINA regulations in an attempt to harmonize them with the Affordable Care Act’s promotion of employer wellness programs to lower health care costs. The proposed rule tries to clarify that employers are permitted to offer incentives for an employee’s spouse to participate in a voluntary wellness program (but not the employee’s other dependents). The permissible incentives are capped at 30% of the total cost of the plan in which the employee and dependents are enrolled. The EEOC’s expressed intent is to treat GINA’s Title I (health insurance) and Title II (employment) provisions similarly. The proposed rule would allow employers to request current and former health status information from an employee’s spouse as part of their participation in the employer-sponsored wellness program. And there’s the rub: the current or former health status of an employee’s spouse is the employee’s own “genetic information” as the term is statutorily defined in GINA. The EEOC has prepared a Q&A page to explain the proposed rule, and the Congressional Research Service issued a report (R44311) on the topic on December 17, 2015.

NPRM Symposium: How Should We Think About Whether To Donate Our Leftover, Non-Identified Tissue to Research?

Proposed changes to the federal Common Rule would ask patients for the first time to decide whether to allow their non-identified, leftover tissue to be used for research or thrown away. For that choice to be meaningful, the public needs to be aware of the nature, risks, and benefits of biospecimens research, and of what the proposed changes will—and will not—do. In my latest Forbes essay, “No, Donating Your Leftover Tissue To Research Is Not Like Letting Someone Rifle Through Your Phone,” I consider the power of analogies and other reflections on Rebecca Skloot’s recent New York Times op-ed on the NPRM.

23andMe Releases Transparency Report About Law Enforcement Requests for Customers’ Data

By Katherine Kwong

The direct-to-consumer genetic testing company 23andMe was widely discussed in the news recently after it announced it would resume providing health information to customers. Less widely reported was another important announcement: for what appears to be the first time, 23andMe has released a public report about the number of requests it has received from law enforcement seeking its customers’ genetic information. According to the Transparency Report, 23andMe has received four requests for user data from law enforcement, with five different affected users.

Although 23andMe has thus far successfully fought off all of the law enforcement requests for its users’ data, there has long been concern about the potential release of 23andMe’s customers’ information to law enforcement. The 23andMe Privacy Statement states, “23andMe will preserve and disclose any and all information to law enforcement agencies” when it believes it is required to do so. Even though 23andMe has not yet disclosed any of its users’ information, the day may soon come when it is required to do so. That disclosure could have significant impacts for not only users who consented to the use of their data, but for users’ families, who may be implicated through familial DNA searches.

NPRM Summary from HHS

As Michelle noted, the Notice of Proposed Rule Making (NPRM) on human subjects research is out after a long delay. For my (and many Bill of Health bloggers’) view about its predecessor ANPRM, you can check out our 2014 book, Human Subjects Research Regulation: Perspectives on the Future.

Here is HHS’s own summary of what has changed and what it thinks is most important:

The U.S. Department of Health and Human Services and fifteen other Federal Departments and Agencies have announced proposed revisions to modernize, strengthen, and make more effective the Federal Policy for the Protection of Human Subjects that was promulgated as a Common Rule in 1991. A Notice of Proposed Rulemaking (NPRM) was put on public display on September 2, 2015 by the Office of the Federal Register. The NPRM seeks comment on proposals to better protect human subjects involved in research, while facilitating valuable research and reducing burden, delay, and ambiguity for investigators. It is expected that the NPRM will be published in the Federal Register on September 8, 2015. There are plans to release several webinars that will explain the changes proposed in the NPRM, and a town hall meeting is planned to be held in Washington, D.C. in October.

The 21st Century Cures Act, HIPAA, Big Data, and Medical Research

By Nicholson Price

The 21st Century Cures Act is a big deal; the House passed it handily, and we’re still waiting to see what the Senate does.  A lot has been written about what it does in terms of changing FDA review processes, and a fair bit about the lovely increase in funding for NIH (see Rachel Sachs’ blog posts here, here, and here).  These are tremendously important.

But another provision in the bill has been getting much less play: the way it changes HIPAA to enable large-scale research, which is also a big deal all by itself.

Should Health Lawyers Pay Attention To The Administration’s Privacy Bill?

By Nicolas Terry

Cross Posted from Health Affairs Blog

Health care lawyers justifiably ignored the 2012 Obama administration consumer privacy framework because it expressly and broadly exempted entities subject to HIPAA, stating “To avoid creating duplicative regulatory burdens, the Administration supports exempting companies from consumer data privacy legislation to the extent that their activities are subject to existing Federal data privacy laws.”

In contrast, the administration’s 2015 draft bill, the Consumer Privacy Bill of Rights Act, though based on that framework, substantially affects health care entities, including those subject to HIPAA, and so demands more attention in the health law community.

The “HIPAA clause” in the draft bill is subtly different (and noticeably narrower than its preemption of state law clause): “If a covered entity is subject to a provision of this Act and a comparable provision of a Federal privacy or security law [the list includes HIPAA] such provision of this Act shall not apply to such person to the extent that such provision of Federal privacy or security law applies to such person.”

Federal Newborn Screening Law Emphasizes Informed Consent

Allison M. Whelan, J.D.
Senior Fellow, Center for Bioethics and Global Health Policy, University of California, Irvine
Guest Blogger

On December 18, 2014, President Obama signed into law the Newborn Screening Saves Lives Reauthorization Act of 2014. The Act includes new timeliness and tracking measures to ensure newborn babies with deadly yet treatable disorders are diagnosed quickly. These changes responded to a Milwaukee Journal Sentinel investigation that found thousands of hospitals delayed sending babies’ blood samples to state labs.  A primary purpose of newborn screening is to detect disorders quickly, so any delays increase the risk of illness, disability, and even death.

Although a major reason for the Act’s amendments is to address these problematic delays, another important addition to the Act establishes a parental consent requirement before residual newborn blood spots (NBS) are used in federally-funded research. The Act directs the Department of Health and Human Services (HHS) to update the Federal Policy for the Protection of Human Subjects (the “Common Rule”) to recognize federally-funded research on NBS as “human subjects” research. It also eliminates the ability of an institutional review board to waive informed consent requirements for NBS research.

A Chief Privacy Officer’s Take on the Chanko Case

Earlier this month, Charles Ornstein explored a New York City family’s charge that their privacy was violated by a local hospital and a reality television show in ProPublica. More specifically, he details how the death of one Mr. Mark Chanko was filmed at NY Presbyterian Hospital without the family’s consent, and then nationally aired on ABC’s NY MED over a year later. Mr. Chanko’s face was blurred for viewers but he remained recognizable to family and friends who watched the show. Since the broadcast, the family has pursued legal action through several New York courts with little success thus far.

The piece has already been commented upon by several smart people, most recently Kay Lazar of the Boston Globe. Just one day after Ornstein’s piece went to press, the Dean of Harvard Medical School Jeffrey Flier (@jflier) tweeted “How could this be allowed to happen?” only to be informed by the Chair of Surgery at Boston Medical Center, Gerard Doherty, (@GerardDoherty4) that three Harvard-affiliated hospitals are in fact currently hosting camera crews for a similar series. The ensuing conversation reminded me just how limited a platform Twitter is for tricky conversations about health care law and ethics. So I did what any self-respecting millennial would do – I went home for the holidays and asked my mom to help me understand what the internet couldn’t.

The Constitutional Implications of Ebola: Civil Liberties and Civil Rights In Times of Health Crises

Join us for an important public forum:

Constitutional Implications of Ebola:
Civil Liberties & Civil Rights In Times of Health Crises

This public forum addresses the constitutional and public health implications of Ebola response in the United States.  According to state and federal laws, patient information is deemed private and is to be held in strict confidentiality.  However, in the wake of Ebola, well-established protocols to guard patient privacy have been neglected or suspended without public debate.  At this forum, a panel of experts raise questions not only about how to contain the disease, but also to what extent Americans value their healthcare privacy, civil liberties, and civil rights.  To what extent are Americans’ Ebola fears influenced by the origins of the disease?  What liberties are Americans willing to sacrifice to calm their fears?  How to balance the concern for public welfare with legal and ethical privacy principles?

Speakers: Reverend Jesse L. Jackson, Sr.;  Michele Goodwin, Chancellor’s Chair, UC Irvine School of Law;  Professor Andrew Noymer, UC Irvine School of Public Health; and Dr. George Woods, American Psychiatric Association.

This Forum intervenes in the current national and international discourse on Ebola by probing law’s role in addressing public health crises.  This forum is free and open to the public.

WHEN: Wednesday, November 19, 2014, 3.30pm-5.30pm

WHERE: University of California Irvine, School of Law; ROOM EDU 1111, 401 E Peltason Dr, Irvine, CA 92612

Ebola and Privacy

By Michele Goodwin

As the nation braces for possibly more Ebola cases, civil liberties should be considered, including patient privacy.  As news media feature headline-grabbing stories about quarantines,  let’s think about the laws governing privacy in healthcare. Despite federal laws enacted to protect patient privacy, the Ebola scare brings the vulnerability of individuals and the regulations intended to help them into sharp relief.

In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) to protect patient privacy.  Specifically, HIPAA’s Privacy Rule requires that healthcare providers and their business associates restrict access to patients’ health care information.  For many years, the law has been regarded as the strongest federal statement regarding patient privacy. But it may be tested in the wake of the Ebola scare with patients’ names, photographs, and even family information entering the public sphere.

Ebola hysteria raises questions not only about how to contain the disease, but also to what extent Americans value their healthcare privacy.  What liberties are Americans willing to sacrifice to calm their fears?  How to balance the concern for public welfare with legal and ethical privacy principles?  For example, will Americans tolerate profiling travelers based on their race or national origin as precautionary measures?  What type of reporting norms should govern Ebola cases?  Should reporting the existence of an Ebola case also include disclosing the name of the patient?  I don’t think so, but the jury appears out for many.

Facebook Rumored To Be Planning Foray Into the Online Health Space

Reuters broke the story on Friday, citing anonymous sources:

The company is exploring creating online “support communities” that would connect Facebook users suffering from various ailments. . . . Recently, Facebook executives have come to realize that healthcare might work as a tool to increase engagement with the site. One catalyst: the unexpected success of Facebook’s “organ-donor status initiative,” introduced in 2012. The day that Facebook altered profile pages to allow members to specify their organ donor-status, 13,054 people registered to be organ donors online in the United States, a 21 fold increase over the daily average of 616 registrations . . . . Separately, Facebook product teams noticed that people with chronic ailments such as diabetes would search the social networking site for advice, said one former Facebook insider. In addition, the proliferation of patient networks such as PatientsLikeMe demonstrate that people are increasingly comfortable sharing symptoms and treatment experiences online. . . . Facebook may already have a few ideas to alleviate privacy concerns around its health initiatives. The company is considering rolling out its first health application quietly and under a different name, a source said.

I’m quoted in this International Business Times article about Facebook’s rumored plans. After the jump is the full statement I provided to the reporter (links added).

HHS Issues Guidance on Same Sex Spouses and HIPAA

[Cross-posted at HealthLawProfs blog.]

Under HIPAA, patients’ spouses and other family members have certain rights to access health information. In an important guidance document in the wake of United States v. Windsor, the Office for Civil Rights (OCR) at HHS has clarified that “spouse” under HIPAA refers to legally married same-sex spouses, even if the individual is receiving services in a jurisdiction not recognizing same-sex marriage.

Getting Granular with Apple’s mHealth Guidelines

By Nicolas Terry

In a post last week I compared Apple’s new mHealth App store rules with our classic regulatory models. I noted that the ‘Health’ data aggregation app and other apps using the ‘HealthKit’ API that collected, stored or processed health data would seldom be subject to the HIPAA Privacy and Security rules. There will be exceptions, for example, apps linked to EMR data held by covered entities. Equally, the FTC will patrol the space looking for violations of privacy policies and most EMR and PHR apps will be subject to federal notification of breach regulations.

Apple has now publicly released its app store review guidelines for HealthKit and they make for an interesting read. First, it is disappointing that Apple has taken its cue from our dysfunctional health privacy laws and concentrated its regulation on data use, rather than collection. A prohibition on collecting user data other than for the primary purpose of the app would have been welcome. Second, apps using the framework cannot store user data in iCloud (which does not offer a BAA), begging the question where it will be acceptable for such data to be stored. Amazon Web Services? Third, while last week’s leaks are confirmed and there is a strong prohibition on using HealthKit data for advertising or other data-mining purposes, the official text has a squirrelly coda; “other than improving health, medical, and fitness management, or for the purpose of medical research.” This needs to be clarified, as does the choice architecture.

Apple’s mHealth Rules Fear to Tread Where Our Privacy Laws Fall Short

By Nicolas Terry

On September 9 Apple is hosting its ‘Wish We Could Say More’ event. In the interim we will be deluged with usually uninformed speculation about the new iPhone, an iWatch wearable, and who knows what else. What we do know, because Apple announced it back in June, is that iOS 8, Apple’s mobile operating system will include an App called ‘Health’ (backed by a ‘HealthKit’ API) that will aggregate health and fitness data from the iPhone’s own internal sensors, 3rd party wearables, and EMRs.

What has been less than clear is how the privacy of this data is to be protected. There is some low hanging legal fruit. For example, when Apple partners with the Mayo Clinic or EMR manufacturers to make EMR data available from covered entities they are squarely within the HIPAA Privacy and Security Rules triggering the requirements for Business Associate Agreements, etc.

But what of the health data being collected by the Apple health data aggregator or other apps that lies outside of protected HIPAA space? Fitness and health data picked up by apps and stored on the phone or on an app developer’s analytic cloud fails the HIPAA applicability test, yet may be as sensitive as anything stored on a hospital server (as I have argued elsewhere). HIPAA may not apply but this is not a completely unregulated area. The FTC is more aggressively policing the health data space and is paying particular attention to deviance from stated privacy policies by app developers. The FTC also enforces a narrow and oft-forgotten part of HIPAA that applies a breach notification rule to non-covered entity PHR vendors, some of whom no doubt will be selling their wares on the app store.

The $4 billion Medical Data Breach Case That Lost Its Way

By Nicolas Terry

Sutter Health v. Superior Court, 2014 WL 3589699 (Cal. App. 2014), is a medical data breach class action case that raises questions beyond the specifics of the Californian Confidentiality of Medical Information Act.

The stakes were high in Sutter — under the California statute medical data breach claims trigger (or should trigger!) nominal damages at $1000 per patient. Here four million records were stolen.

Plaintiffs first argued the defendant breached a section prohibiting unconsented-to disclosure. The not unreasonable response from the court was that this provision required an affirmative act of disclosure by the defendant which was not satisfied by a theft.

A second statutory provision argued by the plaintiffs looked like a winner. This section provided, “Every provider of health care … who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein.”

Art Caplan Says Vasectomy Has No Place in Plea Deal

Art Caplan has a new opinion piece on NBCNews on the controversy over the case of Jessie Herald, in which he was offered a plea bargain that involved sterilization for a reduced sentence. From the piece:

Jessie Lee Herald was facing five years or more in prison after a crash in which police and prosecutors said his 3-year-old son was bloodied but not seriously hurt. But Herald cut a deal. Or more accurately, the state agreed to reduce his sentence if he would agree to be cut. Shenandoah County assistant prosecutor Ilona White said she offered Herald, 27, of Edinburg, Virginia, the opportunity to get a drastically reduced sentence if he would agree to a vasectomy. It may not be immediately clear what a vasectomy has to do with driving dangerously and recklessly. It shouldn’t be. There is no connection.

Read the full article.

Chip and Fish: Inadvertent Spies

Art Caplan has authored a new opinion piece on Bioethics.net on the issue of “chipping” human beings. From the piece:

There has been a great deal of fingerpointing, second-guessing and recrimination over the decision by the President to exchange five former Taliban leaders for the American soldier, Bowe Bergdahl.  “You’ve just released five extremely dangerous people, who in my opinion … will rejoin the battlefield,” Senator Marco Rubio, R-Fla., and likely Presidential candidate told Fox News.  Senator John McCain, R-AZ, told ABC news and many other outlets that he would never have supported the swap if he’d known exactly which prisoners would be exchanged given their former high roles in battling the U.S. in Afghanistan.

Put aside for a second whether the five Taliban leaders that were flown to Qatar for Bergdahl are now too old and too long removed from Taliban affairs to resume anything close to their old roles.  Presume, instead, they will eagerly resume where they left off prior to their capture, attacking Americans and others they see as hindering Taliban goals for Afghanistan.  Is it possible that the U.S. did something to these men before letting them go in the swap—surreptitiously implanting them with microchips so that they could be tracked or traced?

Read the full article.

PCAST, Big Data, and Privacy

By Leslie Francis

Cross-post from HealthLawProf Blog

The President’s Council of Advisors on Science and Technology (PCAST) has issued a report intended to be a technological complement to the recent White House report on big data. This PCAST report, however, is far more than a technological analysis—although as a description of technological developments it is wonderfully accessible, clear and informative.  It also contains policy recommendations of sweeping significance about how technology should be used and developed.  PCAST’s recommendations carry the imprimatur of scientific expertise—and lawyers interested in health policy should be alert to the normative approach of PCAST to big data.

Here, in PCAST’s own words, is the basic approach: “In light of the continuing proliferation of ways to collect and use information about people, PCAST recommends that policy focus primarily on whether specific uses of information about people affect privacy adversely. It also recommends that policy focus on outcomes, on the “what” rather than the “how,” to avoid becoming obsolete as technology advances. The policy framework should accelerate the development and commercialization of technologies that can help to contain adverse impacts on privacy, including research into new technological options. By using technology more effectively, the Nation can lead internationally in making the most of big data’s benefits while limiting the concerns it poses for privacy. Finally, PCAST calls for efforts to assure that there is enough talent available with the expertise needed to develop and use big data in a privacy-sensitive way.” In other words: assume the importance of continuing to collect and analyze big data, identify potential harms and fixes on a case-by-case basis possibly after the fact, and enlist the help of the commercial sector to develop profitable privacy technologies.