American Journal of Human Genetics. 2018 Jan 4;102(1):5–10. doi: 10.1016/j.ajhg.2017.12.004

HIPAA’s Individual Right of Access to Genomic Data: Reconciling Safety and Civil Rights

Barbara J Evans
PMCID: PMC5777935  PMID: 29304376

Abstract

In 2014, the United States granted individuals a right of access to their own laboratory test results, including genomic data. Many observers feel that this right is in tension with regulatory and bioethical standards designed to protect the safety of people who undergo genomic testing. This commentary attributes this tension to growing pains within an expanding federal regulatory program for genetic and genomic testing. The Genetic Information Nondiscrimination Act of 2008 expanded the regulatory agenda to encompass civil rights and consumer safety. The individual access right, as it applies to genomic data, is best understood as a civil-rights regulation. Competing regulatory objectives—safety and civil rights—were not successfully integrated during the initial rollout of genomic civil-rights regulations after 2008. Federal law clarifies how to prioritize safety and civil rights when the two come into conflict, although with careful policy design, the two need not collide. This commentary opens a dialog about possible solutions to advance safety and civil rights together.

Main Text

Introduction

Amendments[1] to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[2] Privacy Rule[3] in 2014 generated ongoing controversy by granting people a legal right to obtain their test results directly from HIPAA-covered laboratories. This HIPAA access right[4] applies to many types of laboratory test results but has been especially controversial with respect to genomic data, the focus of this commentary. The access right potentially includes not just confirmed, clinically significant genomic test results but also uninterpreted variants and variants of uncertain significance.[5] With limited exceptions, it applies to data stored at HIPAA-covered facilities, potentially including some research laboratories.[6, 7, 8]

Placing genomic research results into laypeople’s hands leaves many bioethicists, physicians, and safety regulators uncomfortable, reflecting concerns that research data could be of subclinical quality in the sense of lacking analytic validity, clinical validity, and/or clinical actionability or being prone to “mix-ups” where one person’s test results are wrongly attributed to another person.[9, 10, 11] The National Academies recently launched a study that people hope might help clarify matters.[12]

The generally accepted consumer safety regulatory paradigm blocks consumers’ access to health-related data unless the data meet quality standards appropriate for clinical care. This paradigm informs how the Food and Drug Administration (FDA) oversees medical devices, how the Centers for Medicare and Medicaid Services (CMS) oversees clinical laboratories under the Clinical Laboratory Improvement Amendments of 1988 (CLIA),[13] and how many bioethicists view the return of incidental findings and individual research results.[9, 10, 11] Viewed through the lens of consumer safety regulation, the HIPAA access right seems strange and ill advised, but this commentary explains why that is not the correct lens through which to view it. This commentary positions the HIPAA right of access to genomic data as a federal civil-rights regulation issued in response to a mandate that Congress laid down in the Genetic Information Nondiscrimination Act of 2008 (GINA).[14] Civil rights enjoy special protection in the American system of law, but there are legally permissible pathways for addressing valid safety concerns that surround individual access to genomic test results.

The Development of Genomic Civil Rights

The passage of GINA expanded the United States’ federal regulatory program for genetic and genomic testing to include civil-rights and consumer safety regulations. GINA is best known for banning discrimination in employment and health insurance.[15] Its broader sweep as a civil-rights law is less well understood.

Section 102(a)(4) of GINA defines the “genetic information” that, in Congress’s view, places people’s civil rights at risk. This definition includes all information from genetic tests on a person or the person’s family members, as well as data on manifest disease in the family members.[16] That is far broader than the subset of test results that have a well-understood clinical or reproductive significance. Before GINA, bioethicists debated whether unconfirmed, subclinical-quality genetic test results were even genetic “information.”[17] Although there are a range of bioethical perspectives on this question, there is a fairly broad consensus within the bioethics community that laypeople can be harmed by access to subclinical-quality genomic data.[9, 10, 11]

The GINA statute recognizes that unconfirmed or uncertain genetic test results have a civil-rights significance, even when they lack clinical significance. People might suffer discrimination if results from another, sicker person are wrongly attributed to them by a laboratory mix-up. Law enforcement might link them to a crime if a research laboratory stores their forensic CODIS markers in its files, and the laboratory’s certificate of confidentiality would not always protect them.[18] Even if a laboratory never deliberately shares people’s data, its files could be hacked, making genomic information a rich tool for re-identifying data stored elsewhere in de-identified form.[19] A laboratory can, without asking people, release their data in de-identified form under the Common Rule and the HIPAA Privacy Rule. Once disclosed to a non-HIPAA-covered entity, there are no further HIPAA protections to prevent de-identified genomic data from being re-identified and redisclosed.[19] A large cast of third parties potentially has access to your whole genome, while ethicists debate whether it is “information”[17] you should have.

By passing GINA, Congress ended that debate. Section 105 of GINA orders the Department of Health and Human Services (HHS) to place genetic information—not just clinically significant health information, but all of it—under the HIPAA regulations by 2009. Earlier, HHS had delegated its HIPAA responsibilities to the Office for Civil Rights (OCR),[20] so this was a congressional mandate for the OCR to act as a federal regulator to protect genomic civil rights. Congress ordered the OCR to consult with other agencies, such as the Department of Labor, that have various GINA-related responsibilities, but section 105(b) states that the OCR “has the sole authority to promulgate such regulations.”

On the day Congress enacted GINA, the Privacy Rule already included an individual right of access to health data held by HIPAA-covered entities such as healthcare providers, so access seemingly was one of the HIPAA protections that Congress envisioned: how can you detect and correct another person’s disease variant that is wrongly in your file, and how can you assess your overall level of re-identification risk, if you cannot see the data that a laboratory stores about you? The HIPAA access right enables various other genomic civil rights, including some that enjoy constitutional protection. For example, the First Amendment protects people’s rights to assemble and to petition their government. Empowered by access to their data, people with rare variants of unknown significance can and do use social media to locate others with that same variant and assemble cohorts to help researchers clarify its significance.[21, 22] They can petition Congress to dedicate more resources to study their variant of interest.[22] Blocking people’s access to their genomic data has the potential to deprive them of these and other constitutional rights.

The HHS met Congress’s 2009 deadline to place genetic information under HIPAA’s basic privacy protections through a temporary policy until the Privacy Rule was formally revised in 2013 to reflect GINA’s definition of genetic information.[23] Implementing the access right took still longer, until 2014,[1] because of the state-law issues discussed in the next section. After the 2014 amendments, HIPAA’s access right applies to many types of laboratory test results. Insofar as it applies to genetic information, the OCR was implementing a congressional civil-rights mandate set out in GINA. That fact is sometimes misunderstood in the current debate.

Overcoming Barriers to Access

Creating a new civil right of access to genetic information presented a legal problem: states, rather than the federal government, regulate the practice of medicine, so state law has traditionally controlled whether laboratories should deliver results to physicians or directly to patients. The federal CLIA regulations look to the states to define who is an “authorized person”[24] to receive laboratory data, much as federal election law looks to the states to decide who is an eligible voter. As originally designed in 2000, HIPAA’s individual access right did not include access to laboratory data, lest HIPAA access conflict with state-law access restrictions.[1] Federal law was deferring to the states.

When the OCR surveyed the laws of 50 US states and five US territories, it found only nine that expressly allowed direct individual access.[1] To state regulators charged with ensuring patient safety, even clinical-quality laboratory results raise concerns about laypeople’s ability to understand the data: “analyses of health literacy indicate that, on average, US adults have limited health literacy.”[25] Laypeople’s health illiteracy, many fear, could lead them to make bad decisions that harm both themselves and society—for example, if people overreact and pursue needless medical treatments[17] or waste healthcare resources to clarify findings they misunderstand.[22]

A federal right of access to genomic data would need to displace state laws that block access on the basis of people’s perceived health illiteracy. This echoes past American civil-rights struggles. The Voting Rights Act of 1965[26] displaced state laws that required unreasonably difficult literacy tests for voter registration. States with such laws, which were common in the racially discriminatory south, had their voting laws placed under supervision of the US Department of Justice or the US District Court for the District of Columbia.[27] This federal intervention eliminated state laws blocking a civil right—the right to vote—on the basis of an entrenched elite’s view of everyone else’s “illiteracy.” Voter registration among African Americans rose from 19.3% to 51.6% over 30 months in Alabama and from 6.7% to 59.8% within 2 years in Mississippi.[27]

The 2014 HIPAA access regulation was a similar intervention. It eliminated the exception that previously blocked HIPAA access to laboratory data and made conforming changes to the CLIA regulation.[1] The general reporting rules of CLIA continue to look to state law to define who is authorized to receive laboratory data,[28] but the HHS emphasized that HIPAA displaces any state law that blocks people’s HIPAA access.[1] Like the right to vote, access to one’s own genomic data is a foundational civil right that empowers people to protect all their other civil rights, and HIPAA displaced states’ power to interfere with it.

The access right went into effect in October 2014. Over 3 years later, a large number of individuals—people whose genomes were sequenced at laboratories operating under the CLIA research exception[29]—continue to face access barriers. The CLIA research exception lets research laboratories avoid being regulated by CLIA as long as they do not report individual-specific results for clinical purposes. Some research laboratories hesitate to provide HIPAA access because they fear they might fall under the CLIA regulations if they do so. The CMS has suggested that research laboratories that provide HIPAA access need to comply with CLIA because the data “will or could be used”[30] for clinical purposes.

Some lawyers believe that the position of the CMS is inconsistent with the CLIA statute, but the practical reality is that a federal regulatory agency’s position, whether or not it is correct, “still establishes the law for all those unwilling to pay the expense, or suffer the ill-will of challenging the agency in court.”[31] Moreover, it is not clear that research laboratories have any rational incentive to challenge the position of the CMS. Providing HIPAA access is troublesome and costly: the HHS estimated that laboratories nationwide will collectively incur costs of up to $63 million per year to respond to HIPAA access requests.[1] It is plausible that research laboratories that store genomic data could be hit with a disproportionate share of these access requests because people find genomic data intriguing. Laboratories operating under the CLIA research exception understandably might not wish to challenge the view that these amendments tie their hands with respect to HIPAA access. The position of the CMS has had the practical effect of making it harder for research participants to exercise their HIPAA access right. Research participants face an uphill battle, because the HIPAA and CLIA statutes both lack a so-called private right of action[32, 33] that lets citizens sue to protect their own civil rights, so they depend on regulators to protect them.

Reconciling Safety and Civil Rights

As the federal regulatory agenda expanded after GINA, competing safety and civil-rights regulatory objectives were not successfully integrated. These objectives point to different policies on specific issues, such as whether individual access to genomic data should be narrow or broad. When consumer safety and civil rights collide, safety regulators must carefully craft safety solutions that preserve people’s civil rights.

Section 242 of Title 18 of the US Code exemplifies the high priority that civil rights receive in the American system of law: state and federal regulators cannot take actions “under the color of any law” that would “willfully subject any person … to the deprivation of any rights … protected by the Constitution or laws of the United States.”[34] HIPAA access is the sort of right that section 242 aims to protect: it is a right protected by federal law, and it enables the exercise of various other civil rights, including some constitutional rights. The Department of Justice emphasizes that section 242 protects civil rights broadly and is not limited to traditional civil-rights abuses “motivated by animus toward the race, color, religion, sex, handicap, familial status or national origin of the victim.”[35] The civil rights that GINA and HIPAA protect are well within its scope. Actions under the color of law include acts that public officials perform lawfully, as well as acts “done while the official is purporting to or pretending to act in the performance of his or her official duties.”[35] This means that it is largely beside the point to debate whether the FDA and CMS have legal authority to block HIPAA access. Whether they do or do not, they are expected to fulfill their consumer safety responsibilities in a way that protects people’s civil rights, including people’s right to access their own data.

Suppose, hypothetically, that patients of Polynesian ancestry experience a high rate of serious drug-related injuries when prescribed a particular FDA-approved drug. The FDA has legal authority, at section 355-1(f)(3) of Title 21 of the US Code, to impose use restrictions on drugs. Should the FDA use this power to block physicians from prescribing the drug to patients of Polynesian ancestry? Of course not. Doing so would violate the patients’ civil rights, unless the FDA has proof that every single one of them will suffer the injury, and maybe not even then because they are autonomous agents with different preferences for benefits and risk. The FDA has other tools to address safety risks without blocking access: warnings in drug labeling, medication guides to inform patients directly, “Dear Doctor” letters for physicians, or postmarketing studies to clarify who is at risk. Federal law requires agencies to craft safety solutions that preserve civil rights.

This fact matters most with respect to data generated in the past at research laboratories operating under the CLIA research exception,[29] although it also affects the vast array of subclinical-quality findings that clinical laboratories generate as a byproduct of detecting the 200 or so variants that, under current scientific understanding, have a known clinical significance.[36] Some observers call for all research laboratories simply to comply with CLIA. Even if research laboratories complied with CLIA prospectively, however, this would not resolve problems with data generated in the past, which can never be made CLIA compliant. So long as old test results are stored and shared for secondary uses, they potentially affect people’s civil rights, and individuals need access. There are various civil-rights-respecting ways to address safety concerns, such as requiring laboratories to disclose problems with data quality or to warn consumers not to use research-quality data for medical decisions without confirmation. Regulators could send “Dear Doctor” letters instructing clinicians that low-quality HIPAA access data are in circulation and to resolve doubts about data provenance in favor of retesting. Regulators could use their public information power to publish reliability scores for the many available genomic interpretation services to help steer the public to good ones.

The deeper problem with requiring all research laboratories to comply with CLIA is that CLIA would not resolve concerns about the quality of research data. Congress enacted the CLIA statute after problems with cervical cancer screening[37] and tailored the CLIA requirements to the context of commercial clinical testing. Thus, laboratories are required by CLIA to have a scientifically trained laboratory director as opposed to a business major who might pressure pathologists to interpret too many slides per hour. This same protection adds less value in research settings, where there is little risk that grant sponsors would fund studies led by scientifically unqualified investigators. The CLIA regulations require no proof of clinical validity or utility.[38] A laboratory’s analytical validation “is reviewed during its routine biennial survey—after the laboratory has already started testing.”[38] At clinical laboratories, this ensures that patients tested after a new test has been in service for at least 2 years will receive an analytically validated test. The CLIA biennial survey might not come in time to ensure the analytic validity of research tests used during limited-term research grants. Even if the proficiency-testing requirements of CLIA were vigorously enforced, which is not always the case,[39, 40] proficiency-testing materials do not yet exist for many genomic tests, and this might be especially true of novel tests used in genomic research.[41] As for mix-ups, the CLIA requirements for sample and record identification are surprisingly modest—they require just “two unique identifiers,”[41] and mix-ups sadly occur even at CLIA-regulated clinical laboratories.[40]

This is not to deny that the safety of clinical laboratory testing has improved after CLIA, but the research exception exists for good reason and should not be abandoned without careful, reality-based deliberation. This commentary’s reference to section 242 was simply to explain the priority that federal civil-rights laws enjoy in relation to other laws. It was not to suggest that any agency has violated it—yet. Section 242 addresses willful violations of people’s civil rights. Recent barriers to access appear to be the product of a well-intentioned misunderstanding about what the HIPAA access right is.

The Ethical Imperative of Individual Access

Discourse about HIPAA access sometimes conveys a tone of shocked indignation, as if the access right burst out of nowhere and took everybody by surprise. In fact, HIPAA access codifies long-standing ethical principles enunciated in analyses that Congress commissioned at the dawn of the information age in the 1970s[42] and again in the late 1990s.[43] In both cases, legislators were grappling with how to protect people’s rights in an age when storing, sharing, and using personal data offered important societal benefits, and both studies converged on two ethical principles. First, people cannot grant valid informed consent for their data to be used in research if they do not know what their records contain,[43] so individual access facilitates socially beneficial data access. Second, there is sometimes ethical justification for using people’s data without consent, but unconsented access implies the need for an individual access right so that people can at least understand and mitigate the resulting risks to their civil rights.[42] The Privacy Protection Study Commission’s 1977 report specifically examined access to research data and concluded that if research records cannot be “totally protected against the possibility that individually identifiable information in them will be disclosed for any other purpose, the individual's concern is obvious and his access right highly relevant.”[42]

If policy makers feel that the safety risks of HIPAA access to research data are unacceptable, they can block it prospectively by moving genomic research to non-HIPAA-covered laboratories. There is no access right there. This implies, however, that privacy and data-security policies for genomic research would need to become far stronger than the protections that HIPAA currently provides. HIPAA’s access right is a civil-rights safety net that helps people protect themselves in the face of various HIPAA provisions that leave their civil rights at risk: for example, unrestricted sharing of de-identified data, the lack of mandatory restrictions on downstream re-identification and redisclosure, and the use of institutional-review-board-approved waivers to effectuate research access to people’s data without their permission. These same HIPAA provisions enable socially beneficial uses of data and foster the creation of large-scale data commons to advance public health, precision medicine, and genomic research.[44, 45] Taking people’s access away would imply that they need tighter control over their data to protect their civil rights. Goodbye, genomic data commons.

Conclusion

HIPAA’s access right is a federal civil-rights law. As such, it merits special respect and care. In GINA, Congress authorized the OCR to make regulations to protect genomic civil rights. Federal law constrains how far other regulators can go to interfere with these rights. Debate about the access right should focus on crafting civil-rights-preserving strategies to address valid, evidence-backed safety concerns. Financial impacts on research laboratories also bear close monitoring. For research laboratories, HIPAA access is an ongoing, unfunded federal civil-rights mandate. Congress created genomic civil rights and might need to authorize funds to help—not just during research grants but also after grants end.

Americans who are old enough still recall the heated debate after Congress passed the 1965 Voting Rights Act. Respected civic and spiritual leaders and grandfathers we loved voiced deep ethical convictions that eliminating literacy tests would subject voters and society to ill-informed decisions and risks of harm. This author’s views are biased by having seen, before the age of 6, that highly ethical people can be wrong about civil rights.

Acknowledgments

This work received support from awards UO1HG006507, UO1HG007307, and R01HG008605 from the National Human Genome Research Institute and National Cancer Institute of the National Institutes of Health and additional support from R01HG008918 and from the University of Houston Law Foundation. The author received research assistance from Emily Lawson, J.D., a professional law librarian employed by the University of Houston Law Library. The International Committee of Medical Journal Editors disclosure form acknowledges sources of support for this and related research.

References


Articles from American Journal of Human Genetics are provided here courtesy of American Society of Human Genetics
