Author manuscript; available in PMC: 2019 Oct 7.
Published in final edited form as: Health Matrix Clevel. 2019;29(1):3.

The Web of Legal Protections for Participants in Genomic Research

Leslie E Wolf, Erin Fuse Brown, Ryan Kerr, Genevieve Razick, Gregory Tanner, Brett Duvall, Sakinah Jones, Jack Brackney, Tatiana Posada
PMCID: PMC6779301  NIHMSID: NIHMS1050896  PMID: 31592204

Abstract

The identification and arrest of the Golden State Killer using DNA uploaded to an ancestry database occurred shortly before recruitment for the National Institutes of Health’s (NIH) All of Us Study commenced, with a goal of enrolling and collecting DNA, health, and lifestyle information from one million Americans. It also highlighted the need to assure prospective research participants that their confidentiality will be protected and their materials used appropriately. But there are questions about how well current law protects against these privacy risks. This article is the first to consider comprehensively and simultaneously all the federal and state laws offering protections to participants in genomic research. The literature typically focuses on the federal laws in isolation, questioning the strengths of federal legal protections for genomic research participants provided in the Common Rule, the HIPAA Privacy Rule, or the Genetic Information Nondiscrimination Act. Nevertheless, we found significant numbers and surprising variety among state laws that provide greater protections than federal laws, often filling in federal gaps by broadening the applicability of privacy or nondiscrimination standards or by providing important remedies for individuals harmed by breaches. Identifying and explaining the protections these laws provide is significant both to allow prospective participants to accurately weigh the risks of enrolling in these studies and as models for how federal legal protections could be expanded to fill known gaps.

Introduction

GEDmatch, a DNA database and genealogical resource for “amateur and professional researchers and genealogists,”1 played a critical role in law enforcement’s arrest of the notorious “Golden State Killer,” who had eluded police for decades.2 Using DNA collected from crime scenes, police were able to identify relatives of the suspect that ultimately led to the suspect’s identification and arrest.3 In the months following the Golden State Killer arrest, law enforcement has begun to use this technique to identify suspects for other unsolved crimes.4

Despite the clear benefits to law enforcement and to families who have long sought answers to crimes committed years ago, law enforcement’s use of these genealogy databases has raised concerns.5 After all, the people who uploaded their DNA did not do so for this purpose. The publicity over this use of consumers’ DNA led direct-to-consumer genetic testing companies, including well-known companies like Ancestry and 23andMe, to clarify their privacy policies.6

Although the Golden State Killer case did not involve a research database, its implications for research are significant. Indeed, as recruitment for the NIH’s All of Us study commenced, with its goal of enrolling and collecting DNA and other health information from one million Americans, NIH director Francis Collins and project director Eric Dishman sought to reassure potential participants that their data would be safe.7 Collins emphasized the NIH’s efforts to protect participants’ confidentiality, including obtaining a Certificate of Confidentiality that protects against subpoenas or other legal demands for research data, as an important mechanism for “getting people comfortable” with sharing their information.8 While the All of Us Study and the Million Veterans Program9 are among the most ambitious research studies in terms of scale and scope, researchers already hold DNA and health data from a large number of Americans.10

Privacy concerns are not limited to DNA databases. In January 2018, Strava, a GPS tracking company, published an interactive map based on data accumulated through fitness trackers and mobile phones, which then revealed classified military and intelligence facilities of the United States and other western countries.11 In March 2018, the New York Times reported that Cambridge Analytica12 had used data involving millions of Facebook users for election analysis.13 These examples illustrate the massive amount of information that may be collected, analyzed, and used, not always in ways individuals intend.14

For research projects like the All of Us study that seek to harness a broad range of data, including DNA, health information, and data from wearable devices or mobile apps, adequately addressing these privacy concerns is critical to earn public trust in the research enterprise. But there are questions about how well current law protects against these privacy risks. The literature is replete with discussion of the limits of the federal laws, including the Common Rule, the Health Insurance Portability and Accountability Act (HIPAA) and its Privacy Rule, and the Genetic Information Nondiscrimination Act (GINA), that may protect participants of such large-scale, national genomic research studies.15 While state laws that provide greater protections may fill in these gaps, until now, there has been no comprehensive analysis of what those laws provide and how they might work together to protect research participants. We undertook an empirical study of how the federal and state laws work together to create a “web of legal protections” and to understand the limits of the web in protecting participant interests in genome research.16 This paper reports key findings from that study.

Like most empirical studies, this article proceeds in four parts. Part I sets forth a framework to describe the potential risks and corresponding legal protections for participants in genomic research, organized conceptually into three stages: research entry, the release of information from research, and unwanted use of research information after release. Part I also summarizes what is known and also what is poorly understood about the nature and substance, as well as existing gaps, within the web of legal protections for participants in genomic research. Part II describes our research methods used in identifying federal and state statutes and regulations that form the web of protections for participants in genomic research. Part III organizes the results of the research, describing the web of protections in four conceptual categories: (a) human subjects research laws, (b) laws specific to genetic information, (c) medical privacy laws, and (d) disability discrimination laws. Of these, the second category of laws specific to genetic information is of particular relevance to participants in genomic research. Part IV synthesizes our research findings and sets forth our discussion of the significance of these findings for participants, researchers, institutional review boards, and policymakers.

I. Background: A Framework for Mapping the Web of Protections

Large-scale genomic research offers unprecedented opportunities to learn more about human health and disease. The technological advances enabling genomic research, however, have also created conditions where genomic data can never be truly anonymized. Despite adherence to data security measures designed to protect participant anonymity, investigators have demonstrated that it is possible to discover the identities of participants based on genomic data that had been considered “de-identified.”17 This unsettling development poses privacy risks to research participants that, if unaddressed, could undermine individuals’ willingness to participate in research.

Good research practice has required that participants’ personal information be kept confidential through technological security measures, such as firewalls or encryption and by limiting use of identifiers, either through coding or, when scientifically feasible, rendering the data anonymous by removing identifiers entirely.18 Indeed, much genetic research has proceeded without consent under regulatory guidance and exceptions that assume that research would present very little risk to participants if the researchers do not have access to or record overt identifiers, such as names, medical record, and social security numbers.19

The assumptions underlying these regulatory exceptions have been challenged by a number of provocative studies that have demonstrated that deidentified genomic data may be re-identified without breaching data security measures.20 In response to the earlier of these studies, the NIH made a number of preemptive modifications to its policy for posting and accessing data contained in its genome-wide association study (GWAS) databases, including removing aggregate genotype data from public access, making them available only through a data access committee process.21 A 2013 study, however, described the ability to deduce individual identities even in the absence of a reference DNA sample, using only free, publicly accessible Internet resources, such as genetic genealogy databases.22 Although the inherent identifiability of genomic data has long been discussed,23 this development adds urgency to the challenge of protecting genomic research participants’ privacy while also ensuring that the data they contribute can be used for the greatest societal good.24

Although several federal laws provide protections to participants in genomic research, these laws also have known gaps. The federal laws include the Common Rule that regulates human subject research conducted or funded by the federal government,25 the HIPAA Privacy and Security Rules that established minimum standards for protecting identifiable health information,26 and GINA that prevents large employers and health insurers from discriminating based on genetic information.27 Each of these laws establishes a minimum national standard but they are limited in their scope of protections. Although state laws that fall below these standards are preempted, state laws that exceed these standards must be followed.28 Figure 1 graphically represents some of the primary federal protections and the known gaps in those protections. These will be presented in more detail throughout the paper.

Figure 1.

These federal laws and the state laws that fill in these known gaps work together to provide what we refer to as the “web of legal protections” for research participants.

Nevertheless, the strengths and weaknesses of the cumulative web of protections created by federal and state law are poorly understood by participants and even researchers engaged in genomic research.29 At the same time, large-scale genomic research endeavors like the All of Us study (previously called The Precision Medicine Initiative) and the Million Veteran Program are each seeking to enroll a million individuals and gather genomic, health, and lifestyle data on an unprecedented scale.30 Thus, we undertook this research to develop a fuller understanding of the web of legal protections applicable to this type of large-scale genomic research with the goals of better informing prospective participants about the extent and limitations of these protections and to provide insight into updates to the legal protections that may be needed to adapt to a rapidly evolving research environment.

The range of risks to participants in genomic research and their corresponding legal protections can be organized in a framework that follows the participant’s information through time, starting from the initial research consent to the possible uses of the data were they to be disclosed outside the research enterprise. The first stage in the framework involves protections at study entry found in laws governing human subjects research. The second stage relies on protections against information release out of the research context found in genetic and health information privacy laws. If the information nonetheless escapes the research context, the third stage addresses protections against use of the information by third parties, including laws prohibiting discrimination on the basis of genetic or other health information.

At the first stage, the primary research risks are that the participant’s data will be used for research purposes that the participant finds objectionable, such as to develop a commercialized product or in research that could be used in ways that could harm their identity or social group.31 The primary legal protections against this risk of harm are found in laws governing human subjects research. In particular are the Common Rule’s requirement for IRB review to minimize risks to participants (including assessment of confidentiality protections), as well as the requirement of informed consent, which protects participants by allowing them to decline to participate in the research if the risks of participation or the research purposes are objectionable.32 When research data is collected prospectively through interaction with the individual, as in the All of Us study, participants must consent to research participation.33 However, their research data may be used for secondary research studies to which the participant does not specifically consent, through broad consent for future research34 or through exceptions to the regulatory requirements, as described further below.35 Similarly, data collected for clinical or other non-research purposes may be used without consent for research purposes under the same regulatory exceptions.36

At the second stage, the primary risk is that the participant’s data will be released from the research context, either through a permitted or unauthorized disclosure. Such disclosure could result in a tangible harm, such as discrimination based on the information released, but unauthorized disclosure itself can be a dignitary harm stemming from the breach of the promise of confidentiality and the unwanted disclosure of information to others.37 The primary legal protections against the privacy harms of disclosure are privacy laws, in particular the federal HIPAA Privacy and Security Rules and, with respect to compelled disclosures from research, Certificates of Confidentiality. The HIPAA Privacy Rule offers scant protection to participants in genomic research. First, the HIPAA Privacy Rule may not apply to researchers or biobanks if they are not HIPAA “covered entities” or “business associates.”38 Furthermore, the Privacy Rule does not apply if the information has been de-identified under the terms of HIPAA, even if it is re-identifiable as demonstrated above.39 Even if the Privacy and Security Rules were to apply to the researcher or biobank and the participant’s information, there are several exceptions where the data could be disclosed outside the research context without the individual’s authorization.40 Of particular concern are compelled disclosures, where researchers may be subject to a legal demand by a court, administrative tribunal, or law enforcement to disclose an individual’s information pursuant to a court order, subpoena, warrant, or summons.41 Individuals’ information may be disclosed, without their knowledge, to law enforcement if they or a family member are identified as a potential criminal suspect.42 Certificates of Confidentiality, which apply to all NIH-funded research, are legal tools authorized by Congress that provide protection against compelled disclosure of sensitive, identifiable research data “in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding.”43 Certificates of Confidentiality were developed precisely to protect against compelled disclosure.44 Even with the uncertainty about the strength of its protection, legal counsel have been successful in using its authority to minimize production of research data and crafting protective orders when data are disclosed.45

The protections afforded by HIPAA and Certificates are directed at specific holders of information, covered entities and their business associates and research institutions, respectively.46 However, Certificates permit disclosures mandated by law.47 And the federal Privacy Rule permits disclosure without individual authorization for purposes of government investigation, national security, mandatory reporting obligations, or public health.48 Genetic or genomic data may also be returned to the individual,49 placed in the individual’s health record,50 breached or hacked, which also have implications as to whether and which privacy protections apply. Thus, our research identifies ways in which state laws may fill gaps in privacy protection available to genomic research participants under the federal HIPAA Privacy Rule and Certificates of Confidentiality.

At the third stage, the participant’s genomic and other data has been released outside the research context and there are risks that the information will be used against that individual to limit economic opportunities, such as employment or access to insurance.51 Other risks are that the information can be used for identity theft (including medical identity theft), that the individual will be targeted for unwanted marketing, or suffer embarrassment from having the information made public.52 The primary legal protections against these third-stage risks are laws that prohibit discrimination on the basis of genetic, genomic, or other health information, including the federal Genetic Information Nondiscrimination Act (GINA) and state laws that fill GINA’s gaps.53 These laws prohibit third parties, such as employers or health insurers, from using genetic or other health information in discriminatory ways.54 Nevertheless, GINA’s protections are limited—GINA only applies to employers with 15 or more employees, and it only applies to health insurers and not to life, disability, or long-term care insurers.55 When they understand GINA’s limits and the possibility of genetic discrimination, prospective participants may actually avoid participating in research based on fears of discrimination in insurance or other opportunities.56 Studies demonstrate that individuals avoid even clinically beneficial genetic tests over fear of misuse.57 Though largely anecdotal, stories of misuse and unauthorized disclosure have understandably raised concerns that such fears will thwart the potential benefits of genomic research.58

Given the known limits of federal legal protections, state laws can play a significant role in filling gaps in legal protections for research participants. But the extent, applicability, and variety of state laws that provide additional protections for genomic information are poorly understood. As stated by the Presidential Commission for the Study of Bioethical Issues:

Current U.S. governance and oversight of genetic and genomic data … do not fully protect individuals from the risks associated with sharing their whole genome sequence data and information. In particular, a great degree of variation exists in what protections states afford to their citizens regarding the collection and use of genetic data.59

To address the uncertainty surrounding the patchwork of federal and state laws for acquiring, disclosing, and using genomic information, this project systematically catalogues and analyzes the ways in which state laws may fill known gaps in the federal protections for participants in genomic research. Though often overlooked, these state laws are significant for two reasons. First, they may provide substantive rights and stronger legal protections for participants who are subject to them, which may in turn affect descriptions of these protections and risks in the informed consent process. Second, they may offer models for how federal legal protections could be strengthened. The web of protections for participants in genomic research is what results when we analyze how state laws fill (or do not fill) the known gaps in the federal legal baseline. The web of protections, taken together, offers genomic research participants uneven protections and highlights both the shortcomings of the federal laws, as well as a surprisingly robust degree of state action.

II. Methods

To identify laws that make up the “web of legal protections,” we conceptualized several different types of protections afforded by federal and state laws to participants in genomic research. These categories of laws correspond to the sequential framework described above. First, we considered the decision to choose to participate in genomic research and consent to genetic testing by researchers as a protection against the risks of research participation, namely objectionable research uses of the participant’s data. Second, we viewed genetic and health information privacy laws that limit disclosure of information – particularly when coupled with penalties for violation of those obligations – as the next layer of protection after information is obtained in research. The third and final layer of protections were laws that restrict access and use of participants’ information once it is released from the research context, and, thus, guard against third-party uses of the information against the participant’s interests.

Based on this 3-stage conceptualization, we identified several sets of laws that may provide protections to participants in genomic research. For stage one, we identified laws governing human subjects research and informed consent for genetic testing as the primary protections against objectionable research use of the participant’s information. For stage two, we focused on genetic and health information privacy laws as the main protections against the disclosure of data out of the research context. For stage three, we examined genetic discrimination laws and laws against unauthorized use of genetic information as the main protections against use of the data against the individual’s interests by third parties. In each of these sets, there were well-recognized, relevant federal laws.60 These include the federal regulations governing human subjects protections (the Common Rule),61 the HIPAA Privacy Rule,62 Certificates of Confidentiality,63 GINA,64 the Americans with Disabilities Act (ADA),65 and the Affordable Care Act (ACA).66 As noted in Part I, these federal laws establish a minimum standard, and all of them have known gaps. These laws also provide limited recourse for individuals who are harmed as a result of a breach. For example, an individual who suffers as a result of a breach in violation of HIPAA may bring a complaint to the United States Department of Justice’s Office of Civil Rights, but may not bring an individual claim against the entity who violated their HIPAA obligations.67 Finally, while these federal laws preempt state laws that offer less protection than the federal law does, state provisions that exceed the federal standards must be followed.68 Accordingly, we conducted searches to identify state laws that had provisions that added to the federal protections in some way.

We crafted formal search strategies to identify state laws for inclusion in our datasets.69 These strategies were developed in consultation with our legal librarians to yield comprehensive, relevant search results, using the Boolean and full-text search capabilities available in legal databases, Westlaw and Lexis-Nexis. We searched only for enacted statutes and promulgated regulations in effect between January 1, 2015 and December 31, 2017. We did not include bills or proposed regulations that were pending at the time of our searches and had not taken effect. Because Westlaw proved to have richer resources for statutory and regulatory research than Lexis-Nexis, our searches were conducted either exclusively in Westlaw or in both Westlaw and Lexis-Nexis; no searches were conducted solely in Lexis-Nexis. In addition to these searches, we used the book browse feature to ensure we had all relevant parts of statute or regulation, as not all sections would contain our search terms. We also compared our results to lists of relevant laws that had been gathered by others to ensure completeness of our datasets.70

We focused our analysis on laws that apply to how and when genetic testing may be conducted, protect the confidentiality of genetic information, and protect against uses of that information.71 Because our research focused on legal protections for participants in genomic research, we searched for laws that would apply to genetic information, tests, and biospecimens, and other health information used and held by researchers and biobanks. We also looked for laws protecting against unwanted use of genetic and other health information by employers, insurers, or “any person” if such information were to be disclosed, breached, hacked, or returned to the participant or their health care provider. There are numerous other laws—such as laws relating to use of genetic information in health care and operations (including licensure requirements of genetic counselors), in paternity or adoption scenarios, intestate succession, or regarding criminal law enforcement DNA databases—that we did not analyze as they are beyond the scope of our research question.72

Research team members worked in pairs to conduct searches and select relevant laws across all 50 states and the District of Columbia for inclusion in the datasets. Initially, each pair conducted searches for their assigned dataset independently and determined whether to include or exclude the law according to a defined set of inclusion/exclusion criteria.73 The pair then compared their selections and any disagreements were resolved by discussion. If there were any lingering disagreements, a faculty member would make a final determination. Given the volume of laws we were encountering, we elected to limit the double searching to five states for comparison, with a check for consistency. Each member of the pair continued to review independently the list of search results to identify those laws for inclusion in the dataset and to compare them for agreement. We merged selections and sorted the data in Excel to allow for comparisons of all selections, rather than on a subset of the search results.

Once the searches for and selection of relevant laws were complete, we proceeded to coding. We created a coding scheme that would capture both common provisions across the datasets (e.g., rights and penalties), and provisions specific to particular datasets. The coding scheme was developed through a collaborative process within the team, during which we defined the different codes. Two independent coders coded each law in the qualitative software program NVivo.74 The research team met regularly to reconcile coding of individual laws and further develop the codebook as coding proceeded. After coding, we compiled summary tables of the relevant coded sections to assess the strengths and weaknesses of the various types of laws analyzed and to identify exemplars of specific kinds of provisions for further exploration. We then used coding reports that contain textual provisions by code for this deeper exploration of specific types of protections. When necessary, we referred back to the relevant law for context. Any interpretive questions were identified and discussed among the faculty members.

Although we sought to compile a comprehensive picture of the laws relevant to our research questions, there are limitations to our research. We can only provide a snapshot of the laws in place at the times of our searching. Laws may have changed, been repealed, or adopted since our searches. In addition, although we tested and refined our searches based on existing information about relevant laws, it is possible that there are laws that our search terms did not identify. Given our focus on the privacy of genomic or health data held by researchers, laws that might otherwise fall within the broader topics we considered were excluded as not applying to the genomic research context we were studying. Finally, other types of laws that we did not consider may have provisions that expand on the protections we discuss here.

III. Results: The Web of Legal Protections for Participants in Genomic Research

We found substantially more state activity in each of the areas than we expected, and the types of issues these laws address extend beyond those addressed by federal law in unanticipated ways. For example, although the literature tends to refer to only a handful of state laws regulating human subjects research,75 we found that half the states have such laws. In addition, state laws are much more likely than federal laws to provide individuals with legal remedies for violations. Our findings from the different datasets follow.76 The results of the 50-state searches for laws protecting participants in genomic research are organized below under each of the four datasets: (A) human subjects research laws; (B) laws specific to genetic testing and information; (C) medical privacy laws; and (D) disability discrimination laws. In addition, each section includes a brief description of the “baseline” of requirements set forth under applicable federal laws.

A. Human Subjects Research Laws

1. Federal Regulation of Human Subjects Research

The primary federal law addressing human subjects research is the Common Rule.77 It applies to “all research involving human subjects conducted, supported, or otherwise subject to regulation by any Federal department or agency that takes appropriate administrative action to make the policy applicable to such research.”78 The Common Rule generally requires that research studies are reviewed and approved by an Institutional Review Board (IRB), which must, among other things, ensure appropriate consent to research participation, risks are minimized and reasonable in relation to anticipated benefits, and selection of subjects is equitable.79

Although the Common Rule requires consideration of confidentiality protections, when applicable, it does not have any specific provisions that protect research data.80 Federal law authorizes protection of sensitive, identifiable research data from compelled disclosure through a mechanism called a “Certificate of Confidentiality.”81 Historically, the Secretary of Health and Human Services’ authority to issue Certificates was discretionary, whether the research was federally funded or not, and researchers had to apply for the protection.82 However, following the enactment of the 21st Century Cures Act, the Secretary must issue Certificate protections to federally funded research.83 In keeping with this change, the NIH will automatically issue a Certificate to any research it funds in which identifiable information is collected.84 At this point, however, researchers who are not NIH-funded must still apply for a Certificate of Confidentiality to protect research data from compelled disclosure.85 This requires the researchers or their IRBs to be aware of Certificates and decide to apply. There is also the possibility that researchers who are not federally funded may not receive one, even if they do apply.86 The revised Certificate statute includes a new provision permitting disclosures in compliance with federal, state, and local law (except for compelled disclosures), which may undermine the Certificate’s protections, although a new provision making research data inadmissible as evidence in legal proceedings may mitigate the effects of this exception.87 Importantly, the revised Certificate statute explicitly provides that the protections against compelled disclosure apply to all copies of the data in perpetuity.88 Accordingly, if biospecimens are shared with identifiers, the Certificate’s protections would apply to subsequent studies using the data. A research biobank protected by a Certificate would be obligated to refuse to disclose its data, including biospecimens, even in a case like the Golden State Killer scenario, where law enforcement seeks to solve a serious crime.89

Research that involves prospective collection of biospecimens is subject to the Common Rule’s requirements for IRB review and participant consent.90 Consent provides a mechanism for individuals to decide whether to participate in research after being told of the relevant benefits, risks, and potential harms of participating in the research. Included in the discussion of potential risks and harms is a description of the relevant legal protections that may prevent or mitigate these harms.91 The consent requirement protects participants because it allows an individual who is risk averse, is concerned about a specified risk, or feels particularly susceptible to a harm to choose not to consent and, thus, not to participate.

Under the revised Common Rule, consent requirements for research involving identifiable data, biospecimens, and whole genome sequencing must describe whether identifiers will be removed, whether biospecimens will be used for commercial purposes, whether the individual can expect to share in any profits, and whether clinically actionable results of genetic testing or genomic sequencing will be returned to the individual.92 A corollary to the right to consent to research participation is the right to withdraw.93 In the context of biospecimens research, the right to withdraw might best be conceived of as a right to revoke consent to further use of the biospecimens.94 There may also be some practical constraints on this right, permitting researchers to retain data already collected from the biospecimen and recognizing that it may not be possible to stop use of biospecimens that have been deidentified, whether they have been shared or not.95 Assuming a participant’s data and specimens are collected appropriately pursuant to Common Rule requirements, there is no federal restriction preventing researchers or biobanks from storing and using such research data or specimens indefinitely. Although researchers may promise to destroy data and samples to the extent they can be identified as that participant’s if she withdraws consent, if the participant does not act, consent does not expire.96 The researchers are not obligated to destroy the data, and there is no expiration of consent by operation of law for continued future use of data and samples for research.97

There are several gaps in the application of the Common Rule. First, the Common Rule applies only to “research” involving “human subjects,” as these terms are defined in the regulations.98 Pursuant to Office for Human Research Protections (OHRP) guidance,99 research involving only coded specimens does not constitute human subjects research if it meets certain conditions. These conditions include that the specimens were not collected specifically for the proposed research through interaction or intervention with a living individual and the investigator cannot readily ascertain the identity of the individuals whose specimens are used.100 Accordingly, such research is not considered human subjects research and is not subject to the consent and IRB review requirements of the Common Rule. If specimen research is considered human subjects research, it still may be exempt from the Common Rule if it involves existing specimens that are either publicly available or the “information … is recorded by the investigator in such a manner that the identity of the human subjects cannot readily be ascertained, directly or through identifiers linked to the subjects ….”101 While the IRB may, but is not required to, review the protocol to ensure it meets the exemption, consent would not be required.102 Finally, human subjects research that does not fit the exemption for existing specimens may be conducted without consent if the researcher can demonstrate it is eligible for a waiver of the consent requirement.103 Thus, with respect to secondary research with biospecimens, there are three ways that genomic research may be conducted without consent, and two ways that such research may be conducted without IRB review.104

That the Common Rule does not extend to non-federally funded research is another well-recognized gap.105 Although many institutions have voluntarily agreed to apply these regulations to all research conducted at their institutions in their “federalwide assurance,” some institutions have “unchecked the box” so that they are not required to apply the regulations to non-federally funded research.106 Research conducted outside of institutions with a federalwide assurance and without federal funding would fall entirely outside the scope of the Common Rule’s protections.107

Finally, the Common Rule does not provide a right of action or corresponding remedies for individuals who are harmed as a result of violations of its provisions. While OHRP oversees compliance with the Common Rule and may respond to participant complaints, its enforcement actions are directed at researchers and their institutions.108 Aggrieved individuals may bring state law tort claims, based, in part, on the obligations enshrined in the regulations; however, there are many obstacles to a successful claim.109

2. State Regulation of Human Subjects Research

Discussions about human subjects research in the literature almost exclusively focus on the federal regulations,110 with little mention of state human subjects protections laws, and then only a few well-known examples, in particular, California, Maryland, and New York.111 However, we found that five states substantially expand upon the Common Rule’s protections in scope or substance for participants in genomic research, although they do so to a different extent. Other states close gaps in the Common Rule in a more incremental fashion.

There are four states – California,112 Maryland,113 New York,114 and Virginia115 – that have laws that apply to human subjects research when the Common Rule does not, namely to non-federally funded research. However, even under these laws, some of the Common Rule’s gaps pertaining to secondary research persist. For example, California, Virginia, and New York permit secondary research without consent using specimens collected for other, non-research purposes.116 Maryland’s picture is more complex. It adopts the federal definition of “human subject,”117 but also explicitly applies federal Common Rule requirements to “all research using a human subject.”118 On its face, the latter provision seems to prevent research that meets one of the federal Common Rule’s exemptions from avoiding the regulatory requirements. However, the Maryland Attorney General indicated that this was not the intention of the statute.119 Accordingly, if Maryland chooses to follow OHRP guidance that some secondary research with biospecimens is not human subjects research, this statute would not change how biospecimen research is treated.120 Interestingly, New York limits who can conduct human subjects research to “researchers,” who are defined as medical professionals or those whom an IRB deems qualified.121 By restricting who may conduct research, New York may further limit the number of human subjects who might otherwise fall outside the federal regulations.

Another approach taken by states expands on the Common Rule by applying broader legal protections to research in particular contexts or populations.122 These laws would apply to genomic research conducted in these settings or populations but would not apply more generally. In contrast, Oregon has specific provisions that apply to genetic research.123 Although Oregon permits holders of genetic information to disclose it without consent for anonymous and coded research, Oregon law requires all genetic research to go to an IRB for “explicit prior approval or an explicit determination that the research is anonymous or otherwise exempt.”124 This is more prescriptive than the federal approach, which recommends, but does not require, that institutions review potentially exempt research to confirm that determination.125 In submitting the research to the IRB, Oregon requires researchers to “disclose to the IRB the intended use of human DNA samples, genetic tests or other genetic information for every proposed research project, even anonymous or otherwise exempt research.”126 There is no exception for federally funded research. This requirement has significant implications, particularly for secondary use studies, as it requires IRB review for secondary research that the Common Rule permits to proceed without IRB review. These choices are deliberate, as Oregon’s law also notes that “these rules set state standards that are in addition to, and not intended to alter, any requirement under the Federal Common Rule or the Federal Privacy Rule.”127 Oregon also imposes obligations on the recipient of a limited data set of genetic information, which may limit secondary research using that data set.128

Although the Common Rule requires IRBs to consider confidentiality protections undertaken by the researcher, it does not have any specific provisions to protect research data, and the Certificate’s protections do not automatically extend to non-NIH funded research.129 A few states fill these gaps by providing additional confidentiality protections to research data.130 Most protective are Arkansas and Oklahoma; their laws protect the research records of subjects in “genetic research studies” from “subpoena or discovery” in civil (not criminal) lawsuits, except when “the information in the records is the basis of the suit.”131 Both of these laws apply broadly to all genetic research approved by an IRB or conducted in accordance with the Common Rule or the FDA regulations.132 Unlike the federal Certificate of Confidentiality, these protections do not depend on federal funding or require an application. However, because the Arkansas and Oklahoma protections rely on IRB approval or compliance with the federal regulations, they may not apply to secondary research when specimens are not identifiable because such research would not require IRB review under federal requirements. Louisiana provides that identifiable information held by researchers in public universities, medical schools, and colleges is not available for subpoena and is not discoverable.133 This law provides similar protections to the Arkansas and Oklahoma laws, but it is not restricted to genetic research. On the other hand, Louisiana’s law only applies to research conducted at public institutions, a substantial limitation. Kentucky provides that identifiable research information is “confidential” and cannot be disclosed to someone outside the research team without consent, but it does not explicitly address subpoena or discovery.134

Only California and Maryland discuss remedies for violation of human subjects protections obligations. California provides for civil damages, criminal fines, imprisonment, attorney’s fees, and court costs for conducting research without consent.135 A researcher who negligently permits research without consent shall be liable to the subject for a minimum of $500 in damages and a maximum of $10,000, and willful failure to obtain consent is subject to minimum damages of $1,000 and a maximum of $25,000.136 Maryland authorizes the Attorney General to seek injunctive or other relief “to prevent violations” of its human subjects research law.137 It does not discuss remedies for the participants affected by any violations.

3. State genetics laws with implications for human subjects research

Several states require the individual’s written consent to retain genetic materials or information.138 These provisions may be coupled with obligations to destroy samples that could limit future research using the biospecimens. For example, Delaware requires prompt destruction of genetic materials, except if needed for criminal or death investigations or proceedings, a court orders retention, the individual authorizes retention, or for “anonymous” research in which the identity of the individual is not disclosed.139 New Jersey provides that “a DNA sample from an individual who is the subject of a research project shall be destroyed promptly upon the completion of the project or withdrawal of the individual from the project, whichever occurs first, unless the individual or the individual’s representative directs otherwise by informed consent.”140 It also provides:

The DNA sample of an individual from which genetic information has been obtained shall be destroyed promptly upon the specific request of that individual or the individual’s representative, unless: (1) Retention is necessary for purposes of a criminal or death investigation or a criminal or juvenile proceeding; or (2) Retention is authorized by order of a court of competent jurisdiction.141

These laws suggest that they would prohibit a researcher from deidentifying a specimen and continuing to use it for research after withdrawal of consent, as permitted under the federal regulations.142 Texas requires destruction of genetic material after “the purpose for which [it] was obtained is accomplished unless” it was obtained for IRB approved research and retention is either required or authorized by the participant.143

There are some common exceptions to the requirement for consent to retain genetic material. These primarily include: retention for public purposes, such as law enforcement (including criminal DNA databases), paternity determinations, newborn screening, by court order, or otherwise authorized by law.144

Similar to the right to withdraw consent to participate in research, several states explicitly grant individuals the right to revoke an authorization to use or disclose genetic information. Louisiana law not only grants the right to an individual to revoke the authorization before disclosure, but it invalidates the authorization if used for any improper purpose.145 Accordingly, any research use not covered by the original consent would invalidate the authorization and could subject researchers to penalties. Minnesota and Washington also grant the right of revocation.146

Finally, a few states have specific provisions limiting the research use of genetic information, but these are limited to newborn spot specimens.147 While they require researchers to return or destroy unused newborn spot specimens obtained from the state,148 cutting off further secondary uses that might otherwise be permissible, these do not apply to materials originally obtained for research.149

As this section demonstrates, a handful of states have laws that fill in some of the gaps in the federal laws governing human research protections. These include a handful of states that have laws that apply to human subjects research when the federal regulations do not, and one, Oregon, that specifically requires IRB review for all genetic research, including some genetic research that would be exempt from IRB review under federal law. There are also a few states that have adopted specific confidentiality protections that extend beyond federal requirements. Finally, California provides for remedies, including minimum damages for subjects involved in research without their consent.

B. Laws Regarding Access, Use, and Disclosure of Genetic Information

1. Federal Genetic-Specific Laws

One of the main risks of participating in genomic research is that the genomic information will be released beyond the confines of the research study and be used against the individual.150 The primary federal law addressing access, use, and disclosure of genetic information is GINA. Substantively, GINA prohibits employers and health insurers from requesting or requiring prospective or current employees or insureds to submit genetic information, undergo genetic testing, or reveal whether the individual or family member has undergone genetic testing.151 In this way, GINA prohibits employers and health insurers from accessing a person’s genetic information.152 GINA also limits how employers and health insurers may use and disclose genetic information that they may receive. Employers may not make hiring, termination, promotion, or other adverse employment decisions on the basis of genetic information or the fact that an employee or family member has undergone genetic testing.153 Health insurers may not make underwriting decisions, such as whether to offer coverage or setting premiums, based on genetic information and may not require applicants or enrollees to undergo genetic testing or submit genetic information in connection with enrollment or underwriting.154 This feature of GINA was incorporated into the Affordable Care Act’s federal requirements for health insurance plans, which prohibit making coverage determinations or setting premiums based upon genetic information or upon health conditions.155 Finally, GINA extends confidentiality protections to genetic information, defining genetic information as “protected health information” (PHI) under the HIPAA Privacy Rule, discussed below.156 GINA also requires employers to keep any genetic information they may have about employees or applicants in a separate, confidential medical file and prohibits disclosure of genetic information except for limited purposes.157

GINA’s protections contain notable gaps. First, the employer provisions of GINA only apply to employers with 15 or more employees and therefore do not apply to the approximately 17 million people (almost 15% of all employees) who work in companies with fewer than 15 employees.158 Second, GINA’s insurance provisions only apply to health insurers and do not apply to other forms of insurance, such as disability, life, or long-term care insurance. Given the aging population and the importance of these forms of insurance to provide financial security to a large and growing segment of the population (and their familial caregivers), GINA’s inapplicability to these other forms of insurance is a significant gap.159

2. State Genetic-Specific Laws

Every state except Mississippi has a law that addresses genetic testing, privacy, or discrimination in some form.160 Collectively, we refer to these laws as “genetic-specific laws.” In some cases, these laws are coextensive with federal protections under GINA, but we found a number of instances in which states go beyond the federal minimums, closing gaps in protection offered by federal law.

As a threshold question, we had to consider whether state laws that apply to genetic testing or information would apply to analyses conducted for research purposes. We found that these laws rarely explicitly apply to research.161 But they also rarely explicitly exclude research from their reach.162 When we did find genetic testing and information laws that excluded research, the exclusion applied only to research conducted under the Common Rule or FDA regulations.163 A few laws do not explicitly limit their application to clinical purposes, but their use of the term “diagnose” suggests such a limitation.164 These examples provide support for our interpretation that the laws of states with broad definitions that neither exclude research nor define genetic information in terms of clinical uses may apply to research.165 That some states exclude non-clinical types of genetic testing suggests that other states could exclude research should they desire.166 Thus, unless a state law referencing genetic testing or genetic information specifically excluded research or explicitly limited applicability to clinical or diagnostic contexts, we concluded the law could apply to the genetic tests and information of participants in genomic research. There are two independent reasons for taking a broad view of these laws. First, identifying which genetic mutations are associated with specific diseases or conditions is one of the main purposes of genomic research,167 even if the links are not yet confirmed. Second, in the context of whole genome sequencing, the information generated is likely to include genetic mutations whose associations with disease are known, as well as mutations of unknown significance.168

Using these analytical frameworks, we found states’ legal activity in this category is substantial, both in volume and variety. A number of states have passed laws regulating genetic testing or information in ways that go beyond the federal requirements. Notably, state laws create substantive individual rights to control genetic information or assert claims for damages in the event genetic information is inappropriately used or disclosed. The results of our research into state laws specific to genetic information and testing are organized under the following subcategories: (a) laws requiring consent for genetic testing; (b) laws restricting access to or use of genetic information; (c) laws restricting disclosure of genetic information; and (d) laws creating individual rights regarding one’s own genetic information. The results are discussed in detail below.

a. Laws requiring consent to genetic testing

Ten states require written informed consent for genetic testing.169 This is significant because there is no federal requirement for informed consent for genetic testing. While the Common Rule may require written informed consent for individuals to participate in research, including prospective collection of biospecimens for genomic research, it may not require a separate written consent for secondary research or genetic testing of biospecimens.170 To the extent it applies to the research context at all, the HIPAA Privacy Rule’s authorization requirement does not apply to information that has been de-identified.171 Therefore, there may be instances where researchers genetically test specimens without seeking written informed consent or authorization from the individual. Moreover, because GINA prohibits employers and health insurers from requesting or requiring individuals to undergo genetic testing,172 GINA does not speak to whether written informed consent is required for genetic testing.

Most of the states’ statutes are written broadly to apply to “any person” (or “no person” when written in the negative) and thus include researchers in their scope.173 In these states, researchers would have to obtain individual consent to conduct genetic testing on research specimens even if such research would not have required consent under federal law. Oregon’s law is unique in explicitly addressing consent for genetic research. It permits “anonymous” and “coded” research using specimens or genetic information if the individual consents to the specific research project, consents to genetic research generally, or was notified that her information may be used in such research and did not request that her information not be used.174 Researchers likely prefer the last approach because it sets the default as permitting research use unless the individual objects. Research in choice architecture suggests that people are more likely to choose the default option.175

Some of the state laws requiring written informed consent for genetic testing only apply to physicians or other health care providers and, therefore, may only apply to genomic research if it is conducted by physician-investigators.176 Florida requires consent for genetic testing, without specifying that it must be written,177 although in practice consent is likely done in writing.

Contrary to what is required under federal law, in many states, researchers would need to obtain consent, sometimes specific or written consent, to conduct genetic testing on samples from participants in genomic research. Given how broadly many of these statutes are written, it seems that consent would be required even for secondary research.

b. Laws limiting disclosure of genetic information

The primary federal law regulating the disclosure of health information, including genetic information, is the HIPAA Privacy Rule.178 The HIPAA Privacy Rule includes genetic information in the definition of “health information,”179 but the Privacy Rule is limited by its applicability only to HIPAA covered entities or their business associates.180 The HIPAA Privacy Rule generally requires individual authorization to disclose identifiable health information, but there are several exceptions allowing for disclosure without authorization, such as for law enforcement purposes, pursuant to a court order or subpoena, or to public health or other governmental authorities.181 Significantly for participants in genomic research, the HIPAA Privacy Rule may have limited applicability to researchers or biobanks that gather, store, and use genomic data, particularly if those researchers receive the data directly from the participant rather than from a health care provider that is covered by the Privacy Rule.182 To the extent that researchers and biobanks de-identify the information or data, such as through the use of codes instead of individual identifiers, the HIPAA Privacy Rule’s protections would not apply.183 Moreover, once genetic data escapes the realm of regulated institutional holders (to the extent they are covered entities or their business associates under HIPAA), either through return of results to the participant, breach, hacking, or permitted disclosure (e.g., subpoena or court order), the information is entirely beyond the reach of HIPAA. As noted above, GINA prohibits employers and health insurers from disclosing genetic information of employees, enrollees, or applicants.184 This is an area where state laws are particularly significant—both in their number and in the substantive ways that states fill the gaps in protection left by GINA and HIPAA.

i. Consent to disclosure of genetic information

As noted above, the HIPAA Privacy Rule may not apply to the researcher, biobank, or any other subsequent holder of a participant’s genetic information. States broaden the privacy protection offered by requiring consent to disclosure beyond HIPAA covered entities. Sixteen states prohibit any person, including corporations and entities, who holds information obtained through genetic testing from disclosing the information without the individual’s consent, although some of these laws also have exceptions.185 For example, Nevada provides “[i]t is unlawful to disclose or to compel a person to disclose the identity of a person who was the subject of a genetic test or to disclose genetic information of that person in a manner that allows identification of the person, without first obtaining the informed consent.”186 These restrictions on disclosure would apply both to researchers and biobanks as well as third parties who may subsequently obtain individuals’ genetic information if it were to escape the confines of research.

In addition to these general prohibitions on disclosure of genetic information without consent applicable to any person, states also restrict specific entities from disclosing genetic information. Fifteen states restrict employers’ disclosure of genetic information.187 Vermont restricts disclosure of genetic information to employers.188 California restricts disclosure by insurers.189

Should genetic information get into the individual’s medical record (such as through automatic placement of genomic information into the medical record or through the return of research results to the participant), Arizona’s and Washington’s statutes provide additional protections by imposing obligations on those seeking to access genetic information from providers through a subpoena or discovery request to provide opportunities to limit disclosures through protective order or other judicial mechanisms.190

ii. Confidentiality protections for genetic information

Numerous states provide confidentiality protections for genetic information that extend beyond the protections offered to health information under federal or state laws regarding privacy of non-genetic health information. To the extent they impose a broad obligation upon holders of genetic information to maintain confidentiality of such information and refrain from disclosure, these state laws fill a gap in the HIPAA Privacy Rule by extending obligations beyond HIPAA covered entities191 to the researcher, the biobank, and any subsequent holder if the genetic data of research participants were to get out from the research context.

In some cases, the confidentiality protection is constructed so broadly that its scope is unclear. Examples include Arizona, Colorado, and Georgia,192 which declare genetic information “confidential” and “privileged” without specifying what that means.193 Several states include general statements that genetic information is confidential and may only be disclosed with consent of the person tested.194 The scope of these laws is unclear because they do not necessarily specify to whom the confidentiality obligation applies.

There are mechanisms, such as mandatory public health reporting requirements, that could allow information held by researchers to be disclosed to government officials. Many states do, however, extend confidentiality protections to genetic information held by government agencies and officials (such as public health departments, newborn screening programs, and disease registries) and may protect such information from state open records requests.195 Such protections may provide some reassurance to research participants. However, there are a myriad of exceptions to confidentiality obligations of state or governmental holders of genetic information.196

Several exceptions include those that participants would likely expect, such as disclosure to the person tested or their legally authorized representative, to medical providers or other medical personnel, for treatment or payment purposes, or when the person tested consents (typically in writing). Some states also allow disclosure to relatives for medical purposes if the person tested is deceased. However, other exceptions might surprise research participants, especially given their breadth. These include disclosures for public health purposes, newborn screening, abuse and neglect reporting, research, law enforcement (including identification of persons), paternity determinations, and to monitor legal compliance. There are also exceptions for quality improvement purposes, such as for peer review, utilization review and quality assurance, for health care operations, or other business operations. Other exceptions include: when the person tested brings a lawsuit or other complaint or genetic information is placed at issue in litigation or pursuant to a court order; as authorized or required by law; for marketing; and for due diligence in sale of business.

iii. Laws against compelled disclosure

The Golden State Killer case highlighted the value of genetic information for law enforcement in the identification of suspects.197 Legal demands for genetic information could also stem from civil cases, such as family law disputes or personal injury matters.198 While genomic research databanks may be particularly attractive for law enforcement or civil legal demands, any holder of genetic information could be subject to a legal demand, and federal laws generally do not shield holders other than researchers from having to comply.

No federal laws protect genetic information generally from compelled disclosure via court order or subpoena, although, as described above, federal law authorizing Certificates of Confidentiality and a handful of state laws may protect some research data from compelled disclosure.199 To the extent the information holder is a covered entity, the HIPAA Privacy Rule permits disclosure of PHI without individual authorization to law enforcement to help identify a suspect or in response to a legal demand, such as a subpoena, court order, or warrant.200 For civil legal demands, the HIPAA Privacy Rule permits disclosure of PHI pursuant to a court order or subpoena without individual authorization if the covered entity receives evidence that there were reasonable efforts to notify the individual about the request to allow the individual to object and to seek a qualified protective order for the information from the court.201

Several states more broadly shield any holders of genetic information from compelled disclosure. Texas protects any person against compelled disclosure of an individual’s genetic information without the individual’s consent.202 Delaware, Illinois, Nevada, Oklahoma, and Oregon also provide broad protections for any holder of genetic information from compelled disclosure,203 but with more exceptions than the Texas law.204 These laws would arguably protect researchers and biobanks from compelled disclosure of genetic information pursuant to a subpoena, but they would also apply to other holders of the information if the information were to be released from the research context, such as through a return of research results to the individual or their physician or through breach or hacking. However, with the exception of Illinois, these laws do not protect researchers and biobanks from disclosing genetic information pursuant to a court order.

Utah’s law allowing for compelled disclosure of genetic information is much more restrictive. Such orders must limit disclosure to the parts “essential to fulfill the objective of the order” and to those persons who need access, as well as including other measures necessary to protect the individual.205 Illinois’ law is unique, declaring genetic information inadmissible in legal proceedings.206 This provision can protect an individual’s information from being used against them, even if the information is somehow disclosed.

In sum, state laws creating confidentiality protections for genetic information are significant in a couple of ways. First, this is an area where the gap in federal protection could be significant if the research institution declines to extend HIPAA covered entity status to its researchers and biobanks. Moreover, subsequent holders of genetic information gathered through genomic research are not likely covered by the requirements of HIPAA. Nevertheless, the mere designation of genetic information as “confidential,” without more, may offer few substantive protections to the affected individual, particularly given the numerous exceptions to this general rule. But the second significant finding is that some states extend substantial protections against disclosure by the researchers or indeed any holder of genetic information, however obtained. Perhaps the most important of these are protections against compelled disclosure through subpoena for researchers or any other holder of genetic information.

c. Laws restricting access to or use of genetic information

As discussed above, GINA prohibits health insurers and employers with 15 or more employees from requiring, requesting, or conditioning approval or employment on the submission of genetic information. State laws can go beyond GINA’s requirements by extending the prohibitions on access to smaller employers, other types of insurance, or other non-employer or insurance entities.207 These legal protections are relevant to participants in genomic research because of the potential for genetic information to escape the confines of research use and be accessible to employers, insurers, or others who may have an interest in an individual’s genetic information. The primary ways that genetic information could be accessed from the research context are through inclusion of genomic information in the medical record,208 return of the results of genetic testing to the individual and their health care provider, authorized disclosure such as through subpoena or court order, breach, or hacking.

GINA also prevents the use of genetic information by employers in making employment decisions, including hiring, firing, promotions, and access to other benefits.209 GINA and the ACA prevent health insurers from using genetic information to determine eligibility, benefits, or premiums.210 The gaps in GINA’s protections, described above, limit its applicability to employers with fewer than fifteen employees or other types of insurance providers, such as disability, life, or long-term care insurers. Although the HIPAA Privacy Rule generally requires authorization for use as well as disclosure of individually identifiable health information, it may have limited applicability to researchers, biobanks, and subsequent holders of research participants’ genetic information.211

States impose a variety of limits on analysis or use of genetic materials or information that apply beyond the limits of GINA or the HIPAA Privacy Rule. A few states broadly limit use of genetic information by any person without consent.212 The restrictions that states impose on analysis or use of genetic information are important to protecting research participants from the risk that genetic information generated in research could be used against them in the event that the information escapes the research context.213

To address the concern that genetic information can be used to limit employment, insurance, and other opportunities, states have passed a variety of laws to fill GINA’s gaps by extending prohibitions on use of genetic information to a broader range of employers, other types of insurers besides health insurers, and even other contexts.

i. Employment

Seventeen states apply prohibitions on employer access to or use of genetic information where GINA does not because they define employer to include those with fewer than 15 employees. As Table 1 illustrates, 11 of these apply to employers with only one employee, and the remainder apply to employers with up to five employees.214

Table 1.

| Minimum employees to come under state discrimination laws | States |
|---|---|
| 15 | MD |
| 5 | CA, ID |
| 4 | NY |
| 3 | CT |
| 2 | IA, RI |
| 1 | AR, DC, MI, MN, OK, OR, UT, VT, VA, WA, WI |
| Unspecified | NH, SD |

At least two states explicitly prohibit employers from obtaining consent to testing by offering employees a benefit.215 These prohibitions contrast with GINA, which permits limited rewards or penalties in the context of a voluntary wellness program.216 Rhode Island, on the other hand, does not allow employees to waive protections with respect to genetic information.217

ii. Insurance

Regarding access, four states go beyond GINA by applying restrictions on use of genetic information to insurance other than health insurance. Vermont prohibits all insurers – specifically including life, disability, and long-term care insurance – from using genetic information for underwriting, providing: “No policy of insurance offered for delivery or issued in this state shall be underwritten or conditioned on the basis of: (1) any requirement or agreement of the individual to undergo genetic testing; or (2) the results of genetic testing of a member of the individual’s family.”218 Colorado and California restrict collection of genetic information by disability insurers; however, California’s law is limited to disability insurance for hospital, medical, and surgical expenses.219 Colorado and Maryland restrict collection of genetic information by long-term care insurers.220

Regarding analysis and use of genetic information by insurers, a few states go beyond GINA and prohibit use of genetic information in disability insurance underwriting outright221 or restrict its use in disability insurance underwriting unless its use is “based on sound actuarial principles or actual or reasonably anticipated claims experience.”222 While the latter approach is less protective, it seems likely to provide some protections to research participants, as much of the genetic information from whole genome sequencing will be of uncertain clinical significance and many conditions are multifactorial and the relationships may not be known.223 Such genetic information is unlikely to provide the kind of actuarial justification to permit its use in underwriting. On the other hand, research involving whole genome sequencing may also generate information that has known clinical significance, and disability insurers would not be restricted from using that information in underwriting. Wyoming prohibits disability insurers from treating genetic information as a preexisting condition in the absence of a diagnosis of a condition related to genetic information.224 While this does not prohibit its use in underwriting, it does provide protection against denial of coverage should a claim arise.

A few states also prohibit use of genetic information225 or limit its use unless it is based in “sound actuarial principles”226 in long-term care insurance. Only Vermont prohibits use of genetic information in underwriting for life insurance, although California and Maryland prohibit underwriting based on genetic carrier status.227 A few other states do restrict its use unless such use is based on “sound actuarial practice or actual or reasonably anticipated claim experience.”228

iii. Other

Though GINA’s prohibition on collecting or requesting genetic information does not extend beyond employers or health insurers, we found a number of states that expand prohibitions on use of genetic information beyond GINA to a range of other areas, such as housing, education, and financial transactions.229 Some prohibit discrimination based on genetic information to places of public accommodation, which is an expansive protection to a variety of businesses that offer services and products to the public.230

Iowa includes genetic information as part of “identification information” for purposes of its identity theft law.231 Vermont explicitly limits putting some genetic specimens into criminal databases. This includes specimens “collected voluntarily,” suggesting that specimens collected with consent for research could not be placed into these databases.232

iv. Exceptions in state laws limiting use of genetic information

There are numerous exceptions to the state law restrictions imposed on analyzing or using genetic information described above.233 These not only may undermine or narrow the protections, but also make it more challenging to describe the protections to participants in genomic research.

For example, states may permit genetic information to be used without individuals’ knowledge or consent for paternity testing, newborn screening, law enforcement purposes, or criminal DNA banking.234 In addition, consistent with GINA (but typically not included in consent forms), states may permit employers to use genetic information for determination of bona fide occupational qualifications, workers’ compensation claims, and worker safety (e.g., to monitor toxic exposures).235

In sum, states extend GINA-type prohibitions on the collection, access, or requesting of genetic information to entities that are not subject to GINA to varying degrees. One-third of states provided GINA-type employment protections to employers with five or fewer employees. Only a few extended protections to non-health insurance and several states extend genetic discrimination protections beyond employment or insurance such as to housing or education, suggesting that affording such protections is possible. One fear often expressed about expanding GINA’s scope is that it would be economically unworkable to extend prohibitions on genetic discrimination to other contexts, including smaller employers, other forms of insurance, educational, or economic opportunities. While empirical study may yet reveal these provisions are largely symbolic and difficult to enforce, the fact that several states have expanded the scope of genetic anti-discrimination may suggest that such expansions are economically feasible.

d. Individual rights created

One of the primary ways states fill in gaps in the federal laws protecting participants in genomic research is to extend broader private rights to the individual. The federal laws offer few legal remedies or enforceable rights for individuals aggrieved by violations of these federal requirements; the Common Rule is silent as to remedies, there is no private right of action (right to sue) under the HIPAA Privacy Rule, although a violation could serve as evidence for a state tort claim,236 and GINA limits recovery.237 The enforcement mechanisms under these federal laws focus on administrative penalties rather than conferring individual causes of action. Thus, perhaps the most significant way that states expand upon the protections offered to participants in genomic research is to provide private rights of action and statutory remedies for violations of state laws limiting access, use, and disclosure of genetic information.

Aside from private enforcement, states may build upon the federal standards by offering individuals more specific rights to access and control their genetic information than offered under federal law, including rights to notification about what is done with the individual’s information, right to access information, right to request the destruction of the individual’s biospecimens or samples, or property rights in one’s genetic information. Given the focus of this project, we have only included laws that are written broadly enough that they could be interpreted to apply to research-related holders of genetic information.

i. Enforcement rights

State laws regarding access, use, or disclosure of genetic information distinguish themselves from their federal counterparts by providing remedies, penalties, or both for violations of their requirements. Twenty-six states create a private right of action for violation of their various genetic-specific laws.238 Eight states make violations of laws regarding genetic information a violation of the state’s unfair or deceptive trade practice statute.239 Unlike the Federal Trade Commission Act (FTCA),240 which may only be enforced by the FTC,241 most state unfair trade practice laws permit private causes of action, allowing individuals to recover compensatory damages and attorneys’ fees, with some states also providing for punitive damages.242 In contrast, other states only authorize state enforcement of their genetic-specific laws either through the attorney general’s office or through the appropriate state agency.243 Several of these state enforcement provisions impose civil or criminal fines or imprisonment for violations of the state’s genetic-specific laws.244 While state action can be an important mechanism for enforcing these laws and serve as a deterrent, they typically do not compensate individuals whose rights have been violated as civil or criminal fines are paid to the state, not the individual. In addition, where state enforcement is the only mechanism, aggrieved individuals may have no recourse against someone who has violated their rights if the state chooses not to act. Accordingly, a state law provision of a private right of action can be significant.

Importantly, eight states provide for statutory damages, that is, a minimum amount that may be collected in damages for a violation of the law (Table 2). The significance of statutory damages is that it obviates the need for the aggrieved individual to prove they were harmed or injured in some tangible way by the violation; it is sufficient to prove the violation occurred,245 which makes it easier to assert a claim for intangible or dignitary harms than it would be under an ordinary tort claim for damages, which requires proving an injury.246 For example, if a researcher or biobank were to disclose a participant’s genetic information without consent, under a statutory damages provision, the affected individual does not have to prove she suffered an economic or other tangible harm from the unlawful disclosure; if she can prove the violation, she is entitled to the statutory damages amount. If the aggrieved individual can demonstrate actual damages that are greater than the statutory damages, typically she may recover her actual damages.

Table 2.

| State (code citation) | Damage amount |
|---|---|
| Alaska (Alaska Stat. Ann. § 18.13.020) | Actual damages + $5,000 (+ $100,000 if the violator profited from violation) |
| California (Cal. Civ. Code 56.17) | Negligent disclosure, civil penalty not to exceed $1,000 (paid to subject) |
| Colorado (Colo. Rev. Stat. Ann. § 10-3-1104.6 & 10-3-1104.7) | Greater of actual damages or $10,000 per violation |
| Illinois (410 Ill Comp. Stat. Ann. 513/1) | Greater of $2,500 or actual damages (negligent) OR greater of $15,000 or actual damages (intentional or reckless) |
| Louisiana (La. Rev. Stat. Ann. 22:1023) | Greater of actual damages or $50,000 (negligent); greater of actual damages or $100,000 (intentional) |
| Massachusetts (Mass. Gen. Laws. Ann. Ch. 151B § 4) | Actual damages (contract) or special damages not to exceed $1,000 |
| New Hampshire (NH Rev. Stat. Ann. § 141-H:1 et seq) | Not less than $1,000 per violation |
| Oregon (Or. Rev. Stat. Ann. § 192.531 et seq) | Violations regarding retention or human subjects requirements (§§ 192.537 & 547), greater of actual damages or: $100 (inadvertent violation); $500 (negligent violation); $10,000 (knowing or reckless violation); $15,000 (knowing violation w/ fraudulent representation); $25,000 (knowing violation with intent to sell, transfer or use for commercial advantage, personal gain or malicious harm). Violations regarding consent or disclosure requirements (§§ 535 and 539), greater of actual damages or: $1,000 (inadvertent violation); $5,000 (negligent violation); $100,000 (knowing or reckless violation); $150,000 (knowing violation w/ fraudulent representation); $250,000 (knowing violation with intent to sell, transfer or use for commercial advantage, personal gain or malicious harm). |

As Table 2 shows, the statutory minimum damages vary considerably, from a total award low of $1,000 to a high of $50,000 for negligent violations and a per violation low of $1,000 and high of $10,000. Nevertheless, provision of any level of statutory damages could be essential for enforcing the rights afforded by these statutes, as actual damages may be difficult to prove. Those states with per violation statutory minimum damages also may facilitate claims from multiple participants because of the ability to aggregate those claims and increase the value of the suit. In addition to statutory damages, several states authorize punitive damages,247 which may be imposed to deter the violator and others from engaging in similar behavior in the future. States also provide for equitable relief, or non-monetary remedies, which can be in addition to or instead of damages, as appropriate.248

Seventeen states also provide for attorneys’ fees249 and twelve provide for court costs.250 These provisions may encourage attorneys to undertake cases and, thus, make it more feasible for people to seek to redress violations under these laws. In contrast, some states provide for attorneys’ fees and costs for the prevailing party, which suggests that defendants could be eligible for attorneys’ fees and costs if the plaintiff does not establish the violation of the statute.251 This adds an additional financial risk to bringing a lawsuit, which could serve as a deterrent to those who seek to enforce their rights under these laws.

ii. Right of notification

A couple of states require individuals to be notified about what is done with their genetic information. For example, Florida and New Jersey require any person who requests or performs genetic testing or analysis to notify the individual when genetic testing is performed or when the results of such genetic tests are obtained.252 Florida also imposes an obligation to provide the results to the person’s physician, upon request, and to indicate whether the information was used to make a decision for “insurance, employment, mortgage, loan, credit, or educational opportunity.”253 Both states’ laws apply the notice requirement to “a person” who requires, requests, or receives the results of genetic testing. In keeping with our analytic approach discussed above,254 we interpret such broad statutes to potentially apply to researchers and biobanks because neither the statutory provision nor the definition of genetic testing is limited to clinical or diagnostic settings.

iii. Right to access information

The right to access one’s information is often viewed as providing individuals with more control over such information.255 Some participants seek full access to their genomic information.256 Nevertheless, in the context of genomic research, the right of access to one’s own genomic information, particularly findings of ambiguous clinical relevance, may also be viewed as creating risk rather than protecting participants from risk. There is considerable debate about the legality and ethics of returning individuals their genomic information, which could expose the individual to a number of risks, including psychological distress, familial disruption, unneeded medical intervention, and discrimination in insurance, employment or other economic opportunities.257

Federal human subjects research regulations under the Common Rule do not require that researchers provide participants with access to their information or data being held by researchers.258 To the extent the research institution designates researchers or biobanks as HIPAA covered entities or uses a HIPAA-covered laboratory, the HIPAA Privacy Rule requires covered entities to provide individuals with access to their health information (which includes genetic information) by request.259 And if that information escapes the research context and is obtained by employers or labor organizations, GINA permits, but does not require, employers and labor organizations to disclose an individual’s genetic information to the individual employee or member at the written request of the individual.260

Although numerous states have provisions that grant individuals the right to access their own information, only Oregon’s law explicitly applies to research participants.261 Several states are more broadly written, but grant the right of the person tested to get access to their genetic information.262 Under Florida law, the person tested may request that “the information will be made available to his or her physician.”263 Other states’ laws refer to patients’ rights to access their own records, and, thus, may only apply to research participants who are also patients.264 In addition, some states limit the right to particular circumstances.265 Some of these states allow individuals to amend their genetic information.266 Washington’s law, which applies to medical information, including genetic information, similarly permits correction of information.267

The significance of these state laws is that, for researchers that are not HIPAA covered entities, these states may require researchers to allow participants to access their information where ordinarily the Common Rule and HIPAA would not require it. It also could limit the ability of such researchers to conduct research without giving participants the option to receive their genomic information. Although there are strong arguments for permitting research participants the right to access their information,268 the return of genomic research results to participants poses ethical269 and legal risks. The legal risks stem from the fact that once in the possession of the individual or their physician, genomic information is more apt to be accessed by others who may use the information in a discriminatory or malicious manner.270

iv. Right to destroy samples

Another type of control over one’s genetic information is the right to order that one’s genetic information be destroyed. In the research context, the right to destroy may prevent a health care provider from sharing genetic information with researchers, may prevent researchers who already have genetic information from conducting secondary research with that information or samples, or may prevent further disclosure of the information outside the research context, whether through legal or unauthorized means. Federal laws, including the Common Rule, GINA, and the HIPAA Privacy Rule, do not provide individuals a right to order the destruction of their genetic information by anyone who holds such information.271

Oregon’s law requires destruction of a DNA sample held by “any person” upon the individual’s request, unless the information is required for criminal investigation purposes, retention is authorized by a specific court order, or it is for anonymous or coded research after notification or consent.272 In addition, DNA samples used in non-anonymous research must be destroyed by researchers if the individual withdraws from the study, unless the individual consents to retention.273 New Jersey’s provisions are very similar to Oregon’s, although samples can only be retained for criminal investigation purposes, court order, or with consent.274 Nevada’s law generally provides that a person holding an individual’s genetic information must destroy it upon request.275 Other states limit this right to request destruction of genetic samples to specific circumstances, most commonly newborn screening registries.276

v. Property rights

Five states, Alaska, Colorado, Florida, Georgia, and Louisiana, provide that genetic information is the property of the individual. Alaska’s statute simply says that “a DNA sample and the results of a DNA analysis performed on the sample are the exclusive property of the person sampled or analyzed.”277 Colorado and Georgia refer to genetic information being “the unique property of the individual.”278 Florida provides that “the results of … DNA analysis, whether held by a public or private entity, are the exclusive property of the person tested.”279 Louisiana states that “genetic information is the property of the” applicant, insured, or enrollee.280

It is not clear what these statutes intend. Traditional property rights typically include the right to the use of and benefits from the property and the right to exclude others.281 However, in one of the few cases involving one of these statutes, the federal district court found Florida’s state property law inapplicable to claims brought by biological specimen donors for conversion. It interpreted the statute as providing “only [ ] penalties for disclosure or lack of informed consent if a person is being genetically analyzed.”282 More recently, however, courts have signaled a greater openness to considering claims based on an assertion of genetic property ownership.283 Thus, though courts had historically been reluctant to recognize individuals’ genetic property interests provided under state laws, the legal status of genetic property ownership is unsettled and may be shifting to a broader recognition of an individual property interest in their genetic information.284 If so, these state-level genetic property laws would potentially offer genomic research participants significantly greater control over their genetic information, including the right to exclude others from using the information, a broader right of access to the information, and remedies for unwanted uses.285

C. Medical Privacy Laws

1. Federal Medical Privacy Laws

As described above, the primary federal health information privacy laws are the HIPAA Privacy and Security Rules.286 Participants in genomic research are often generally aware of HIPAA’s privacy protections because of their interactions with the law in the clinical health care setting, but they may not be aware of HIPAA’s specific protections or its limitations. The HIPAA Privacy Rule generally prohibits covered entities287 and their business associates288 from using or disclosing PHI289 without individual authorization.290 The HIPAA Privacy Rule provides individuals the right to access their information, receive an accounting of disclosures, and request amendments or corrections to their PHI.291 In addition, the HIPAA Security Rule imposes technical, physical, and organizational standards for covered entities and their business associates who handle PHI, such as encryption, facility access controls, and workforce security measures.292

The HIPAA Privacy Rule’s general prohibition on uses and disclosures of PHI by covered entities and business associates is subject to several exceptions whereby PHI may be disclosed without individual authorization or an opportunity to object. These exceptions include, among others, uses and disclosures for treatment, payment, or health care operations;293 as required by law; for public health purposes; for law enforcement purposes; about victims of abuse, neglect, or domestic violence; in response to a court order or subpoena in a judicial or administrative proceeding; for government inspection; for national security and intelligence purposes; and for research purposes if an IRB or Privacy Board waives authorization.294 Thus, even if a researcher or biobank is considered a covered entity and the research data were PHI, there are many circumstances under HIPAA where the researcher or biobank may use or disclose participants’ information without their authorization.

As noted above, HIPAA may have limited applicability to researchers and biobanks if they do not furnish health care services to the research participant or engage in covered transactions regarding such services, such as submitting a claim for payment.295 Although research institutions may elect to extend covered entity status beyond their clinical health care providers to researchers, they are not required to do so.296 Moreover, not all research data may be considered PHI if it is not created by a health care provider, health plan, or employer or it is not individually identifiable.297 For example, if a non-covered entity researcher collects data from participants directly or anonymizes the data, the HIPAA Privacy Rule would not apply.298 If the information were to exit the research context through a permitted disclosure or breach, HIPAA would not apply to third parties holding the information. In other words, HIPAA’s protections apply to specific entities and do not follow the health information once it leaves those entities’ hands.

In terms of violations and enforcement, the HIPAA Privacy Rule requires covered entities and their business associates to notify the affected individuals in the event of a breach of their unsecured (unencrypted) information.299 The HIPAA Privacy Rule only provides for enforcement by governmental authorities, who may seek civil or criminal penalties, depending on the severity of the violation.300 Notably, although individuals affected by a breach may file a complaint with the government, HIPAA does not provide individuals with a private cause of action or other mechanism to seek redress for violations.301 In sum, due to its limited applicability, extensive exceptions, and limited remedies, the HIPAA Privacy Rule offers only limited protection to participants in genomic research. In fact, participants who are reassured by consent language referencing federal health information privacy laws may not fully understand how limited those protections are.

2. State Medical Privacy Laws

A multitude of state laws address medical privacy generally, with much duplication as states apply them to various types of health care providers, health insurers, and those businesses that support the health care system. These are generally consistent with the HIPAA Privacy Rule obligations as well as its limits and, thus, do not add to the scope of protections afforded to research participants. We therefore focused on state laws that extend health information privacy obligations beyond the HIPAA Privacy Rule, whether by imposing obligations on entities not covered by HIPAA, imposing obligations that go beyond those required by HIPAA, or providing affected individuals private remedies for violations or additional rights.

a. State laws imposing privacy obligations beyond HIPAA covered entities

Some states impose a broad obligation on “any person” to maintain confidentiality of medical or health information.302 In other cases, states extend the confidentiality obligations to individuals to whom health information is disclosed,303 whereas other states impose confidentiality obligations on specific classes of persons who may not be HIPAA covered entities, such as employers,304 researchers,305 and other non-covered entities, including recipients of health information.306

Three states impose confidentiality and security obligations more broadly to all holders of personal information, which includes medical information.307 For example, Arkansas’s Personal Information Protection Act imposes confidentiality obligations on any person or business that “acquires, owns, or licenses personal information about an Arkansas resident.”308 These obligations require those holding personal information to take steps to secure the data, destroy it when it is no longer needed, and notify people of any breach.309

b. State laws imposing obligations beyond HIPAA

States often impose obligations on researchers or others that seek to access health information held by government agencies, such as public health authorities.310 A few of these restrict researchers’ use of the information in particular ways, such as restricting secondary research or reidentification of data.311 Many of the risks associated with the release of data from the research context are only possible if the data are identifiable or could be re-identified.312 Although genomic data stripped of other identifiers is not considered identifiable under the HIPAA Privacy Rule,313 genomic data can itself be a tool for re-identification, particularly when matched with public genetic databases.314 Texas broadly prohibits any person from re-identifying a person from their PHI, which would apply to researchers as well as other third parties attempting re-identification for any purpose.315 This state law goes beyond the HIPAA Privacy Rule, which does not contain any prohibition on reidentification of data, but rather considers deidentified data not to be PHI, and therefore does not restrict the use or disclosure of deidentified information.316 The federal Department of Health & Human Services has not altered the rules regarding deidentification of information with respect to genomic information, despite the fact that genomic information, even stripped of identifiers, is inherently re-identifiable.

States may extend privacy protections beyond HIPAA by shielding identifiable health data from disclosure in response to a legal demand or from being admitted as evidence in a legal proceeding. In many cases, these additional protections only apply to information held by state agencies.317 For instance, California does not permit government agencies to disclose personal data in response to a “subpoena, court order, or other compulsory legal process,” without first making reasonable “attempts to notify the individual to whom the record pertains.”318 Such protections, including those making such government-held data inadmissible in a legal proceeding, could apply to data that is shared with researchers. For example, in authorizing researchers’ access to data contained in its Parkinson’s Disease Registry, California law makes explicit that the data, regardless of the holder, shall be protected from subpoena, discovery, or admission in any legal proceeding.319

States may also impose stricter limits on commercial uses of health information. Although HIPAA prohibits covered entities and their business associates from selling, using, or disclosing PHI for marketing purposes without individual authorization,320 some states further restrict marketing and commercial uses of health information.321

Finally, some states provide a greater right of access to health information when such information is in the form of laboratory test results. Although HIPAA provides individuals a right of access to their own health information from covered entities, genomic researchers, biobanks, and genetic laboratories may not be HIPAA covered entities.322 A few states provide individuals a right to laboratory testing results, but these “rights” are primarily discussed in terms of health care providers’ obligations to patients.323 In contrast, Delaware provides that a medical laboratory “shall provide a copy” of laboratory results upon written request of the individual; “medical laboratory” is not defined.324 New Hampshire declares that medical information contained in the medical records of a hospital or other facility is the property of the patient, who is entitled to a copy upon request.325 States frequently create a right to access records, but this right typically is cast in terms of patients and, thus, likely does not apply to research participants who are not also patients.326 States may also impose obligations on insurers toward insureds or applicants.327 A few states offer individuals a right to remove328 or amend information held by insurers or the state health information exchange.329 Some also provide an option for opting out of certain uses of information.330

c. State laws providing remedies and penalties beyond HIPAA

As noted above, one of the most significant ways that state laws close gaps in protections offered by the HIPAA Privacy Rule is to offer individuals a private right of action for violations of state medical privacy laws. At least sixteen states authorize a statutory private right of action for breach of the state’s medical privacy laws.331 This explicit right simplifies the case for recovery, compared to a tort cause of action that relies on the statute as evidence of the duty to maintain confidentiality, and renders it less susceptible to dismissal. A couple of these laws provide for statutory minimum damages or punitive damages, which, as discussed earlier, means it may be easier for the individual to assert the claim without having to prove they were tangibly (e.g., economically) harmed by the violation, which may be difficult to establish for breaches of confidentiality.332 Maryland does not provide a private right of action, but allows a patient to petition the State prosecutor to investigate an allegation that a “medical record has been inappropriately obtained, maintained, or disclosed.”333

Like HIPAA, states may impose criminal or civil penalties for failing to maintain confidentiality, although some states may require specific intent.334 Notably, HIPAA’s prohibitions and penalties do not apply to third parties who improperly access, use, or appropriate health information without authorization. A few states penalize those who acquire or use medical information without authorization through criminal laws against medical identity theft or other medical privacy violations.335 In some cases, these state laws that punish obtaining health information on false pretenses or misappropriation of health information only apply to data held by certain entities, such as government officials or health insurers, which may be less relevant to research participants.336

As noted above, the HIPAA Privacy Rule requires covered entities and their business associates to notify affected individuals (and the media if the breach affects more than 500 individuals in a state) of a breach.337 Breach notification must be provided within 60 days of the discovery of the breach and must include descriptions of the breach, the information involved, the steps the individuals can take to protect themselves, contact information for the covered entity, and the steps the covered entity is taking to mitigate the breach.338 States may impose breach notification obligations beyond HIPAA’s by extending applicability to non-HIPAA covered entities and business associates. Wisconsin broadly imposes a requirement of breach notification on any “entity,” defined as “a person other than an individual, that … [c]onducts business in this state and maintains personal information in the ordinary course of business,” if the personal information of 1,000 individuals or more is disclosed without authorization.339 Virginia’s law applies to government funded entities, including public universities, that may not otherwise be covered by HIPAA.340 States that impose privacy obligations on holders of consumers’ “personal information” may also require breach notification.341

Research participants may feel particularly reassured when HIPAA is invoked because the law is broadly recognized and synonymous with health information privacy in many people’s minds.342 Thus, mention of the HIPAA Privacy Rule during a research consent process may provide an unrealistic and inaccurate sense of reassurance to prospective participants in genomic research. In fact, HIPAA provides limited protections, particularly against the risk that information will be used or disclosed outside the research context because of its broad exceptions and inapplicability to non-covered entities. More than other laws, HIPAA may be highly salient to research participants, but also subject to the broad misconception that its protections follow the data. State laws are thus significant to the extent they extend and fill in known gaps in the HIPAA Privacy Rule’s protection, which they do in three primary ways: by expanding privacy obligations to non-covered entities; by imposing stricter obligations beyond those required in the Privacy Rule; and by providing individuals with private remedies, including damages, for violations of state privacy requirements.

D. Disability Discrimination Laws

Were data to escape the research context, disability discrimination laws may provide some protection against the risk that the information will be used to limit an individual’s opportunities, such as employment. Disability discrimination laws,343 like the federal ADA and similar state statutes, generally protect those who have manifest conditions from discrimination, whereas GINA and state genetic discrimination laws apply only to pre-symptomatic genetic information.344 Although it may appear that disability discrimination laws would not afford protection to participants in genomic research, they do have a limited role, given how disability is defined under the laws. The ADA applies not only to physical or mental impairments that substantially limit a major life activity, but also to individuals who are “regarded as” having a disability.345 This protection focuses on the perception of the employer or other actor and does not require the individual to in fact have a disability.346 While undoubtedly more limited than genetic-specific protections, this protection can supplement genetic-specific protections, for example, by expanding protections beyond large employers and health insurers, as well as applying to non-genetic information collected as part of the research data.347

1. Federal Disability Discrimination Laws

As noted above, GINA and the ADA generally cover different ends of the disease spectrum, with GINA addressing discrimination based on pre-symptomatic genetic information and the ADA addressing manifest conditions.348 While it may arise infrequently, the ADA could provide protections beyond the large employers and health insurers GINA covers to the extent a participant is “regarded-as” disabled. In addition, states, which largely follow the ADA approach, can expand coverage to smaller employers. With these applications in mind, we describe the broad federal protections the ADA provides for people living with disabilities.349 The ADA protects people with disabilities from discrimination in employment, access to goods and services, and participating in State and local government programs.350 The ADA defines disability as “a physical or mental impairment that substantially limits one or more of the major life activities of such individual,” having a record of such an impairment, or being regarded as having such impairment.351 These latter two provisions can be read to cover genetic information that has not manifested.352 Unlike many of the other federal laws we considered, the ADA also provides individuals a mechanism for seeking redress for violations of the law.353 However, like GINA, the ADA only applies to employers with 15 or more employees,354 creating a significant gap in its protections. In addition, insurers may take disabilities into account in underwriting, as long as such decisions are actuarially justified, and not based on disability alone.355

There are several exceptions to both the ADA and state laws prohibiting discrimination on the basis of disability. These laws often do not apply to private clubs or accommodations owned or operated on behalf of a religious corporation, association or society, or other organization that is not open to the public. Employment discrimination laws typically have exceptions for bona fide occupational qualifications or to protect the safety and well-being of employees.

2. State Disability Discrimination Laws

State disability discrimination laws, like the ADA, tend to be generally applicable, but may have broader reach than the ADA.356 For example, many states have laws that prohibit employers from asking about or making employment decisions based on disability,357 but these laws may apply to more employers than the ADA does because of how employer is defined.358 As Table 3 shows, 21 states have discrimination laws that apply to more employers than the ADA does, and ten apply to employers with only one employee. These provisions, coupled with the GINA provisions, extend protections against discrimination in employment to smaller employers in 33 states, with 17 of these applying to only one employee.

Table 3.

| Minimum employees to come under state discrimination laws | States |
|---|---|
| 15 | MD, NC, NV, TX, UT |
| 12 | WV |
| 9 | AR |
| 8 | KY |
| 6 | IN, MO, NH, OR |
| 4 | OH, PA |
| 2 | IA, CO, WY |
| 1 | HI, IL, NJ, ME, MT, MI, MN, ND, SD, WI |
| Unspecified | LA, VA |

State disability discrimination laws apply to a number of areas beyond employment. For the most part, these are areas covered by the ADA, such as sale or rental of housing, financial transactions, education, by the state, or healthcare, as well as the broad “places of public accommodation,” used in the ADA and, thus, do not expand on its protections.359 However, states also have specific provisions regarding insurance that, given court interpretations of the ADA, may expand disability protections beyond the ADA.360 In particular, the provisions prohibiting discrimination based on disability in insurance generally in Oregon and Maryland, in disability insurance in California, and in life insurance in Illinois and New York expand on the genetic-specific prohibitions described supra. As a result of these state expansions, participants in the same research study could have more protections should their genetic information be used against them depending on where they live.

The ADA permits individuals to bring a claim when they are discriminated against. In addition to authorizing aggrieved individuals to bring claims,361 states often also create commissions or other organizations for investigating claims and enforcing the rights afforded.362 Some states also authorize minimum damage amounts, although these appear limited to discrimination in credit.363 Authorization for recovery of attorneys’ fees and costs is broader, but limited to only a few states.364 Others may impose fines.365 State employees or licensees may face disciplinary proceedings for discriminatory actions.366

State disability discrimination laws may afford additional protections when states lack genetic-specific laws, when they extend the protections to employers with fewer than fifteen employees, and when they extend the protections to insurers. These protections are not as robust as genetic-specific laws in this context because they apply only when a participant is “regarded-as” disabled on the basis of the genomic information revealed through the research. However, they provide protections beyond those of genetic-specific laws because they apply to non-genetic information collected in the study.

IV. Discussion

A. Key Findings of the Web of State Legal Protections: Volume and Variety

This project aimed to determine whether and how well state laws fill known gaps in federal laws that protect participants in genomic research. We embarked on this research knowing states had adopted their own laws that sometimes went beyond the floor established by federal laws such as the Common Rule, the HIPAA Privacy Rule, GINA, and the ADA, but we were surprised by the sheer quantity of state laws that we uncovered, even after limiting consideration to laws that expand on federal protection and apply to a large genomic research project, like the All of Us study. The quantity of state laws is striking, standing alone, as it points to the complexity of identifying what protections are afforded to research participants and communicating those protections effectively to participants.367

Applicable state laws are not just numerous, they are extremely variable. States expand on the substantive protections provided by federal laws in myriad ways. One significant shortfall in the federal laws is their limited scope of application; the Common Rule applies only to federally-funded or federally-conducted research, HIPAA applies only to covered entities and their business associates, and GINA applies only to health insurers and large employers. We found several instances where state laws broadened the scope of these protections. In the most dramatic cases, states would apply the protections, such as the requirements for consent for genetic testing or prohibitions on disclosure of genetic or health information, to any person.368 Thus, unlike the federal laws, the reach of these state legal protections did not depend on who sought or held the information.

In other instances, states explicitly expanded the scope of protections to a broader range of entities beyond those covered by comparable federal laws. In particular, state genetic and disability discrimination laws apply to much smaller employers than GINA’s or the ADA’s limit of fifteen employees. In total, 33 states apply non-discrimination requirements to employers with fewer than 15 employees, and 17 of these states apply the requirements to employers with only one employee.369

There is also significant variation among states’ substantive legal protections. In the most notable cases, the state laws expand on the federal protections not just by degree, but in kind. For example, a few states also expand GINA’s protections beyond health insurance to long-term care and disability insurance, and even life insurance.370 In the area of human subjects research, a few states also have human subjects research laws that apply the Common Rule’s IRB review and consent requirements to contexts when the Common Rule would not. In particular, Oregon’s law requiring IRB review for even anonymous and deidentified genetic research is a dramatic departure from how such research is conducted under federal law. In the privacy context, Texas takes a completely different approach than the HIPAA Privacy Rule by prohibiting re-identification of any person from their PHI. The additional protection offered by this Texas law is particularly relevant to participants of genomic research now that it is technically possible to re-identify supposedly “de-identified” genomic information without access to identification codes or breaching data security.371

Perhaps the most significant way that state laws differ from the federal laws is their explicit provision of enforcement rights for violations of the laws. The HIPAA Privacy Rule does not permit a private right of action, and the Common Rule is silent on the issue. GINA allows for a private right of action, but limits recovery. In practice, this means that an individual whose information is used or disclosed in violation of law has few options to seek redress if they are harmed. In contrast, a majority of states create a private right of action for violation of their various genetic-specific laws.372 A number of states similarly create a private right of action for breach of their medical privacy laws.373 Several states also provide for statutory minimum damages, attorneys’ fees, and court costs for breach of the genetic and medical privacy laws.374 Because injury as a result of breach may be difficult to prove, these provisions can make it feasible for an aggrieved participant to seek redress and for attorneys to take their cases. As a result, it also can create an incentive for holders of participants’ information to ensure compliance with those obligations.

State laws also create rights that are not afforded by the federal laws. For example, a couple of states require notification regarding what is done with their genetic information.375 Others provide a right to request destruction of genetic information.376 These provisions may afford participants more control over the use of the genomic materials than is provided under federal law or in other states. Finally, a handful of states declare genetic information to be the property of the person tested, which, as discussed above, could give participants significantly more control over their genomic research information if courts change course and begin to recognize these property rights.377

B. Implications for Researchers and Participants

As the foregoing suggests, there is no single “web of legal protections,” but rather multiple “webs of legal protections” that vary greatly depending on which state laws are implicated. This reality makes it challenging to convey accurately and concisely the risks, benefits, and protections afforded to research participants in a large-scale, national genomic research study.

1. Challenges in Developing the Study Consent Form

In a national study like the All of Us project, the multiplicity and variation of state laws mean some participants may have legal protections and rights that other participants do not. This raises challenging questions for IRB review and consent form drafting. How does the IRB appropriately assess the risk/benefit ratio for the study in the review process? And how does the consent form communicate the different protections afforded to participants? We consulted with such a study that sought to develop a common consent form. The attempt quickly bogged down on the question of which laws would apply. An attempt to adopt the laws of the “most protective” state as a voluntary standard was quickly abandoned. While ethically appealing, there are two problems with this approach: first, as our analysis demonstrates, there is no single “most protective” state to follow, even if researchers and their institutions would be willing to voluntarily commit to protections that go beyond those required by federal law. Even when states expand on federal protections, their choices are not consistent. For example, each of the states presented in Table 4 has expanded on GINA’s restrictions on use of genetic information in insurance underwriting to disability, long-term care, and/or life insurance. However, none of these states have made the same choices.

Table 4.
State restrictions of use of genetic information in insurance underwriting
CO MD VT
Disability
Long-Term Care
Life

Moreover, although Vermont has been very protective with respect to expanding GINA-like protections, it has not adopted some protections that other states have. In short, while its provisions against use of genetic information in insurance underwriting extend to disability, long-term care, and life insurance and to employment for employers with only one employee, and it also creates a private right of action, it did not create the statutory minimums that other states have. In addition, it does not have human subjects protections that fill in the Common Rule gaps. Thus, it is not possible, even in this limited context, to say that Vermont’s law is the most protective law.

The second challenge of trying to adopt a “most protective” common consent form is that in some instances researchers cannot extend substantive rights that are afforded by some states but not others. For example, researchers may wish to promise to protect the confidentiality of research data and not to disclose research information to anyone outside of the research team, even in response to a subpoena. But unless the project has a Certificate, as authorized by federal law, or is taking place in one of the few states with laws that afford protection against subpoena, a researcher would not be able to fulfill that promise.

2. Determining the Choice of Law

A further implication for researchers and institutions is a choice of law question: which jurisdiction’s law applies in a large-scale study, where participants, researchers, and the biobank may all reside in different states? The rights and protections afforded to participants in a national study may differ depending on where they live, where their data or biospecimens are stored, or where the researcher is located. Researchers, institutions, and IRBs lack guidance on this choice of law question and may struggle to comply if the applicable law varies with each participant.

Given the variation in state laws and that no single consent form will comply with all states’ laws, a national, multi-site study may be tempted to ignore state laws and focus solely on complying with federal laws. However, ignoring state laws may not be legal or ethical. For example, Delaware law requires that consent for genetic testing disclose the right to results unless the individual directs otherwise.378 If Delaware law applies to participants who live in Delaware, the researcher may be required to offer these participants their genomic sequencing results, even if the research protocol specifies, and federal law permits, that researchers would not return results of unknown clinical significance.

Alternatively, choice of law questions are often addressed by agreement, and consent forms potentially could specify which state’s laws apply, particularly if the law chosen is justifiable (for example, the researcher’s state). However, this option poses its own challenges, including how to describe in simple terms what a reasonable person would want to know about the implications of the law chosen, as required by the Common Rule. In addition, if the consent form’s choice of law resulted in an individual waiving their state-based rights, this may violate the Common Rule’s provision prohibiting exculpatory clauses in consent forms.379 Finally, because consent forms may not be considered binding contracts, their choice of law provisions may not be enforced in the same way as ordinary commercial contracts.380

Although answering the choice of law question is beyond the scope of this project, our research findings underscore the importance of answering the question. Without guidance, significant legal and ethical uncertainties result, including what information must be provided in the consent form, how long data may be stored, what rights participants retain throughout research, how often re-authorization must be sought to use participants’ data, whether data can or must be disclosed or re-identified, and what liabilities and obligations would flow if data are breached or misused.

3. State Laws as Models for Closing Gaps in Federal Legal Protections

Despite the complex picture presented by the various state laws, they provide valuable models of how the known gaps in federal legal protections may be closed. The state laws may provide an opportunity to test models that are the subject of intense policy debate. For example, GINA is often criticized for neglecting to extend genetic discrimination protection to life, disability, or long-term care insurance.381 Opponents have argued that GINA cannot be feasibly extended to these other types of insurance without destroying the market for these products.382 There are several states that could be used to test, empirically, whether extending GINA’s protections to other insurance products yields these results. Where states have extended protections beyond federal laws without incurring excessive costs, such “successful” state experiments may counsel expanding the federal protections accordingly. In other areas, such as the provision of private remedies, states may be better situated than the federal government to provide for these legal rights and protections, due to their traditional role and the relative competence of state jurists to enforce these protections. But even where state variation does not suggest adoption into the federal standards, it could serve as a model for encouraging other states to afford fuller protections to research participants and closing the gaps between states.

V. Conclusion

This article undertakes to map the web of legal protections across federal and state laws protecting the participants in large-scale genomic research. The scope, complexity, and variety of these state laws, ranging from privacy to anti-discrimination, is poorly understood. Yet, understanding the scope, strengths, and limits of these protections is particularly critical as enrollment commences in two federally-funded studies, the All of Us and Million Veteran studies, aiming to amass DNA, health, and lifestyle data on an unprecedented scale from millions of individuals. At the same time, the identification and arrest of the “Golden State Killer” using DNA uploaded to an ancestry database highlighted how DNA databanks of the scale of the All of Us and Million Veteran studies can be used for purposes that participants may find objectionable. These concerns about law enforcement use add to risks that information will be hacked or otherwise disclosed and then be used against the individual in insurance, employment, or identity theft. Without assurances of the privacy and limits on use of their information, research participants should rightly be concerned about the risks of participation.

This article is the first to consider comprehensively and simultaneously all the federal and state laws offering protections to participants in genomic research. The literature typically focuses on the federal laws in isolation, questioning the strengths of federal legal protections for genomic research participants provided in the Common Rule, the HIPAA Privacy Rule, or GINA. Nevertheless, we found significant numbers and surprising variety of state laws that provide greater protections than federal laws, often filling in federal gaps by broadening the applicability of privacy or nondiscrimination standards or by providing important remedies for individuals harmed by breaches. Identifying and explaining the protections these laws provide is significant both to allow prospective participants to accurately weigh the risks of enrolling in these studies and as models for how federal legal protections could be expanded to fill known gaps.

Appendix

1. Searches Conducted

All the searches were developed after some experimentation with different search terms. We include only the final searches that were used.

Human Subjects Research:

  1. Search terms

    Multiple searches were performed, as follows:
    1. To identify state laws that particularly focused on consent for research, we conducted searches using advanced search (for statutes and regulations) for TE(“informed consent” and “DNA”) [the “TE” limiter was used to limit searches to Text (to avoid discussion only in annotations, as “research” frequently appears in unrelated areas)]; TE(“informed consent” and “genetic testing”); and TE(“informed consent” and “genetic information”). The goal was to use broad terms to ensure coverage, while using precise terms that apply to the concepts we are studying.
    2. To identify state laws that more generally discussed genomic research, we conducted searches using advanced search (for both statutes and regulations) for TE(research and “genetic information”), TE(research and “genetic testing”), and TE(research and “DNA”). We also used the more general search “human subjects” w/5 research.
  2. Exclusion criteria

    We excluded search results that did not apply to human subjects research, such as laws that cover state school curricula (about research), income tax incentives for certain research, law enforcement DNA databases and permissible testing of those databases, and licensure requirements (to the extent it only requires training in human subjects research). We also excluded laws that talk about genetic information and research, but not protections (e.g., plant and pesticide research). We also excluded laws that address regenerative medicine/stem cell research, as these laws address a very specific type of research that typically is not considered human subjects research and the oversight mechanism is not generally applicable. We also excluded laws that addressed genetic privacy or consent to genetic testing (rather than research) because, while related, they are not research-specific and will be addressed in separate datasets.

Genetic Testing:

  1. Search terms

    Consent w/10 (genetic! Or genom! Or DNA or biospecimen or “blood specimen”)

    adv: TE(“informed consent” and “DNA”)

    adv: TE(“informed consent” and “genetic testing”)

    adv: TE(“informed consent” and “genetic information”)

  2. Exclusion criteria

    We excluded laws that did not pertain to the research context. For example, we excluded laws that addressed genetic testing in the criminal context (arrest, conviction), pertained only to paternity testing, or solely addressed admissibility in court proceedings.

Genetic Privacy:

  1. Search terms

    Adv: TI(genetic genom! DNA) TE((gene genetic genom! DNA) AND (privacy confidential! disclos!))

    Note: Three secondary sources were used as a reference: (1) a collection of state statutes on “Privacy” available from the National Human Genome Research Institute (available at http://www.genome.gov/PolicyEthics/LegDatabase/pubsearch.cfm); (2) a 50-state survey of state genetic privacy laws by the American Health Lawyers Association (available at http://www.healthlawyers.org/SiteCollectionDocuments/50state_chart_final.pdf); and (3) a Westlaw 50 state survey, Maintaining Privacy of Health Information, 0100 SURVEYS 7 (Oct. 2013).

  2. Exclusion criteria – Applicable to Genetic Privacy and Health Information Privacy Laws

    We focused on identifying those state health information privacy laws that create private rights of action or extend requirements beyond HIPAA covered entities and business associates. So we excluded state laws from our analysis that simply duplicated or were less stringent than the HIPAA Privacy Rule. To further limit the dataset to those that are relevant to the privacy of genomic or health data held by researchers that was the subject of our inquiry, we used the following exclusion criteria:
    • Communicable diseases, injuries, etc.: The primary category consists of laws that protect the privacy/confidentiality of health information that is unlikely to pertain to information collected from genomic research because it doesn’t involve genetic information. For example, all laws that apply to communicable diseases (STDs, TB, HIV), injuries, drug testing results, immunization records, etc. can be excluded. Continue to include laws that protect health information generally as well as information that may have some genetic component (mental health information, cancer registries).
    • Utilization review laws, independent or external review – exclude laws that require these entities to maintain confidentiality.
    • Provider-specific confidentiality obligations: Laws setting forth a general obligation to maintain confidentiality of health records for particular types of health care providers or facilities (e.g., nurses, genetic counselors, home health, assisted living, nursing homes, hospice, behavioral health, etc.), unless the obligation is accompanied by a means of private enforcement for violation (e.g., private cause of action, damages, etc.); if a law has a private enforcement mechanism, include it. Also include laws that set forth specific requirements for maintaining privacy/retention/patient access/authorization, etc. that may be different from HIPAA’s.
    • Rules of evidence, forensic DNA databases, and other law enforcement uses of genetic or health information. However, include laws that implicate the obligation of health care providers or others to provide genetic information pursuant to subpoena or court order.
    • Laws related to disclosure or privacy and confidentiality of patient records in the context of disciplinary or licensing actions against health care professionals.
    • Laws that pertain to child protective services, adoption, custodial disputes, domestic violence, paternity disputes.
    • Laws that address intestate succession, probate, establishment of heirs.

Health Information Privacy:

  1. Search terms

    Adv: (TE((health medical) /s (information data record)) /30 (privacy confidential! disclos!) & “any person” & (penalty! or crim! ((right cause) /2 action)))

  2. Exclusion criteria - see Genetic Privacy (above)

Genetic Discrimination:

  1. Search terms

    (discrimin! or refus! or deny or denial) w/25 (genet! or genom!)

    Note: in conducting our test searches, we discovered that some of the laws included on the NHGRI list did not include the word discrimination. This search was constructed to capture those laws, as well as laws that explicitly discuss discrimination.

  2. Exclusion criteria

    We excluded laws that did not apply to the research context we were interested in. Examples of such laws that our searches captured include laws regulating genetic counselors as a profession (not genetic discrimination), laws that pertained only to prenatal diagnoses, paternity laws, and laws that addressed genetically modified organisms.

General Disability Discrimination:

  1. Search terms

    adv: TE(discrimin! or refus! or deny or denial) and TI(disab!)

  2. Exclusion criteria

    Given the focus of our research, we focused on laws that specifically mentioned disability that could be interpreted as applying to discrimination based on genetic information for a condition that was not yet manifest. We excluded laws that pertained only to physical disabilities, and we also excluded broad civil rights or discrimination laws that did not mention disability.

    Despite these restrictions, we still identified vast quantities of laws that were not likely to go beyond the federal floor HIPAA sets. Accordingly, we did not include these in the final analysis.

2. Common exceptions to obligations/restrictions

Legend

C = Exceptions to confidentiality obligations

A = Exception to analysis or use restrictions

R = Exceptions to retention

As authorized or required by law; Court order; Criminal DNA banking; For abuse or neglect reporting; For criminal databases; For determination of bona fide occupational qualifications; For due diligence in sale of business; For genealogy of deceased; For health care operations or other business operations; For law enforcement; For marketing; For newborn screening; For paternity determinations; For payment; For peer review; For public health purposes; For purposes of providing disability accommodations; For research; For treatment; For worker safety (e.g., monitor toxic exposures); For workers’ compensation claims; If approved by an IRB or Ethics committees; Legally Authorized representative; Litigation where genetic information is at issue; Medical providers; Person tested; To blood relatives of decedent for medical purposes; To identify deceased individuals; To monitor legal compliance or eligibility; When person tested brings a lawsuit or other complaint; With consent
Ariz. Rev. Stat. Ann. § 12–2801 et seq. C C C C C C C C C
Cal. Civ. Code § 56.17 C
Cal. Code Regs. Tit. 10 § 2218.20 C C
Cal. Code Regs. Tit. 22 §126055 C C
Cal. Health & Safety Code § 124975 et seq C
Cal. Ins. Code §10123.35 C
Code Ark. R. 016.14.2–1078 C C
Colo. Rev. Stat. Ann. § 10-3-1104.6 & 1104.7 C C C C
Colo. Rev. Stat. Ann. § 13-64-502 C
D.C. Code § 2–1401.03 A A A
D.C. Mun. Regs. Tit. 4 § 509 A A A
Del. Code Ann. Tit. 16, § 1205 C C C C C C C C C
Del. Code Ann. Tit. 16, § 1202 C C C C C
Del. Code Ann. Tit. 16, § 1203 R R R R R
Fla. Stat. Ann. § 760.40 A A A
Ga. Code Ann. § 33-54-1 et seq. C
Idaho Code Ann. § 398301 et seq. A C
225 Ill. Comp. Stat. Ann. 135:90 C C C C
410 Ill. Comp. Stat. Ann. § 50:3 C C C C C C C C
410 Ill. Comp. Stat. Ann. 513:1 et seq. A C A C C, A C C C A A C C C
Iowa Admin. Code r. 641–4.3(136A) & 4.7(136A) C C C C
Iowa Code Ann. § 729.6 C C C C A A C
37 La. Admin. Code Pt. XIII, 415 R R C
La. Rev. Stat. Ann. 22:1023 C C C C C
La. Rev. Stat. Ann. 23:368 C
La. Rev. Stat. Ann. 23368 A C
La. Rev. Stat. Ann. 23368 C C A C
Mass. Gen. Laws Ann. Ch. 111, § 70G C C
Md. Code Regs. 10.10.13.15 C
Me. Rev. Stat. Tit. 22 § 1711-C C
Me. Rev. Stat. tit. 24-A, § 2215 C C C C C C C C C C C C
Mich. Comp. Laws Ann. § 37.1202 A
Minn. Stat. Ann. § 62V.06 C C C C
Mo. Ann. Stat. § 191.317 C C C
Mo. Ann. Stat. § 375.1300 et seq. C A C C C C
Mont. Admin. R. 2.21.6615 C C C C
Mont. Code Ann. § 33–18.902 C C C C
N.C. Gen. Stat. Ann. § 130A-131-.17 C
N.D. Cent. Code Ann. § 23–01.3–02 - 07 C C C
N.D. Cent. Code Ann. § 25-16-07 C C C C C
N.D. Legis H.B. 1108 (2015) 2015 North Dakota Laws H.B. 1108 C C C C C C C
N.H. Rev. Stat. Ann. § 141-H:1 et seq. A A A A A
N.J. Stat. Ann. § 10:5–43 et seq. C, R C R C, R C C, R C C, R C C
N.M.Stat. Ann. § 24-21-1 R R C, R C C, R C C C
N.Y. Civ. Rights Law § 79–1 C C C
N.Y. Exec. Law § 296 A C A A C
N.Y. Pub. Health Law § 2733 C
Neb. Rev. Stat. § 48–236 A
Nev. Rev. Stat. Ann. § 629.101 et seq. C, R R C, R C C R C C R C C
Okla. Admin. Code 310:550-19-1 C C C
Okla. Stat. Ann. Tit. 36 § 3614.3 C C C
Okla. Stat. Ann. Tit. 36 § 3614.1 C C
Or. Admin. R. 582-030-0010 C C
Or. Rev. Stat. Ann. § 192.531 et seq. R R C, R C, R C R C R C C
Or. Rev. Stat. Ann. § 192.581 A
R.I. Gen. Laws Ann. §§ 27-18-52, 52.1; 27-19-44, 44.1; 27-20-39, 39.1; 27-41-53, 53.1 C
R.I. Gen. Laws Ann. § 5–37.3–4 C C C C C C A C
S.C. Code Ann. § 38-93-10 et seq. C C C C C C
S.C. Code Ann. § 44-37-30 C C
S.C. Code Ann. Regs. 61–80 C
S.D. Admin. R. 20:06:39:46-.46 & 49 20:06:40:29 et seq. C C
S.D. Codified Laws § 60-2-20 C
Tenn. Code Ann. § 68-5-506 C
Tex. Health & Safety Code Ann. § 33.011 et seq. C C C C C C C
Tex. Ins. Code Ann. § 546.001 et seq. C, R C C R C C, R C C C R
Tex. Labor Code Ann. § 21.401 et seq. C, R C R C C, R C C C R
Tex. Occ. Code Ann. § 58.001 et seq. C, R C R C C, R C C C R
Utah Code Ann. § 26-45-101 et seq. C C C A C C
Va. Code Ann. § 32.1–69 C
Va. Code Ann. § 38.2–3450 C C
Va. Code Ann. § 40.1–28.7:1 C
Vt. Stat. Ann. Tit. 18, § 9332 A A A A C C
Wash. Rev. Code Ann. § 70.02.005 et seq. C C C C C C C C
Wis. Stat. Ann. § 111.372 A A
Wis. Stat. Ann. § 253.12 C C C C C
Wyo. Stat. Ann. § 26-19-107 C C
Wyo. Stat. Ann. § 26-29-306 C C

Footnotes

Leslie E. Wolf is a Professor of Law at Georgia State University College of Law and Director of the Center for Law, Health & Society. Erin C. Fuse Brown is an Associate Professor of Law at Georgia State University College of Law and faculty member of the Center for Law, Health & Society. In keeping with the tradition of health sciences research and due to the scope of the research, we are naming as co-authors all the graduate research assistants who contributed substantively to the research and conceptualization of this project. This project was funded by a federal NIH grant: Beyond Data Security: Promoting Confidentiality and Advancing Science, Laura M. Beskow, Principal Investigator, National Human Genome Research Institute, R01-HG-007733. The authors wish to acknowledge the intellectual and research contributions of our collaborators, Laura Beskow, Ph.D., M.P.H.; Kathleen Brelsford, Ph.D., M.P.H., Catherine Hammack J.D., M.A., at Vanderbilt University and Kevin McKenna, M.P.H., and Zachary Lampron, M.P.H. at Duke University.

1.

Tools for DNA and Genealogy Research, GEDmatch, www.gedmatch.com/login1.php (last visited Feb. 7, 2019).

2.

Thomas Fuller, How a Genealogy Site Led to the Front Door of the Golden State Killer Suspect, N.Y. Times (April 26, 2018), https://www.nytimes.com/2018/04/26/us/golden-state-killer.html.

3.

Id.

4.

See Heather Murphy, Genealogists Turn to Cousins’ DNA and Family Trees to Crack Five More Cold Cases, N.Y. Times (Jun. 27, 2018), https://www.nytimes.com/2018/06/27/science/dna-family-trees-cold-cases.html; Kyle Swenson, Undercover Cops Grabbed a DJ’s Chewing Gum. It Helped Crack a Teacher’s 1992 Murder, Police Say, Wash. Post (June 26, 2018), https://www.washingtonpost.com/news/morning-mix/wp/2018/06/26/undercover-cops-grabbed-a-djs-chewing-gum-it-helped-crack-a-teachers-1992-murder-police-say/?utm_term=.6796d2ff6caa; Kyle Swenson, After 30 Years, Police Say They’ve Captured A Child-Killer Who Left A Sickening Trail of Taunts, Wash. Post (July 16, 2018), https://www.washingtonpost.com/news/morning-mix/wp/2018/07/16/i-been-watching-you-a-child-killer-taunted-little-girls-with-terrifying-notes-police-say-after-30-years-dna-led-to-an-arrest/.

5.

Natalie Ram et al., Genealogy Databases and the Future of Criminal Investigation, 360 Science 1078 (2018); see also Fuller, supra note 2; Adhiti Bandlamudi, Tactics Used to Find Golden State Killer Raise Privacy and Legal Questions, NPR (Apr. 27, 2018, 4:22 PM), https://www.npr.org/2018/04/27/606580162/tactics-used-to-find-golden-state-killer-raise-privacy-and-legal-questions; Ashley May, Took an Ancestry DNA Test? You Might be a ‘Genetic Informant’ Unleashing Secrets About Your Relatives, USA Today, (Apr. 27, 2018, 11:31 AM), https://www.usatoday.com/story/tech/nation-now/2018/04/27/ancestry-genealogy-dna-test-privacy-golden-state-killer/557263002/.

6.

Tony Romm & Drew Harwell, Ancestry, 23andMe and Others Say They Will Follow These Rules When Giving DNA Data to Businesses or Police, Wash. Post (July 31, 2018), https://www.washingtonpost.com/technology/2018/07/31/ancestry-andme-others-say-they-will-follow-these-rules-when-giving-dna-data-businesses-or-police/?utm_term=.5c123617f2e5. The new guidelines would include getting “separate express consent” before sharing individual genetic information with other entities and disclosing the number of law enforcement requests received each year. The guidelines are available at Carson Martinez, Privacy Best Practices for Consumer Genetic Testing Services, Future of Privacy Forum (Jul. 31, 2018), https://fpf.org/2018/07/31/privacy-best-practices-for-consumer-genetic-testing-services. GEDmatch is not one of the listed companies associated with these practices. At the time of the Golden State Killer case, they noted that their privacy policy informed consumers that their data could be used for other purposes. Fuller, supra note 2; News of 23andMe’s agreement to share its DNA information with GlaxoSmithKline to develop drugs raised additional concerns. Jamie Ducharme, A Major Drug Company Now Has Access to 23andMe Genetic Data. Should You Be Concerned?, TIME (July 26, 2018), http://time.com/5349896/23andmeglaxo-smith-kline/.

8.

Id.

9.

The goal of the Million Veterans Program is “to study how genes affect health” and “build[ing] one of the world’s largest medical databases” by enrolling one million Veterans and collecting blood samples. Million Veteran Program (MVP), U.S. Dep’t of Veterans Affairs, https://www.research.va.gov/mvp/ (last visited Feb. 4, 2019).

10.

National Bioethics Advisory Commission (NBAC) estimated that, in 1998, there were over 280 million biospecimens collected from over 176 million individuals held in a variety of clinical and research repositories in the United States and biospecimens from 20 million individuals were added each year. Nat’l Bioethics Advisory Comm’n, Research Involving Human Biological Materials: Ethical Issues and Policy Guidance, 13–14 (Vol. 1 1999); NBAC noted that many of these specimens may not be used for research purposes, but these estimates provide a picture of how many specimens are collected that could be used in research and how many Americans are implicated. Id. at 24. In contrast, 23andMe and Ancestry have collected more than 9 million DNA samples. About Us, https://mediacenter.23andme.com/company/about-us/ (last visited Dec. 28, 2018) and AncestryDNA Reaches 4 Million Customers in DNA Database, Ancestry Blog (Apr. 27, 2017) https://blogs.ancestry.com/ancestry/2017/04/27/ancestrydna-reaches-4-million-customers-in-dna-database/.

12.

Matthew Rosenberg et al., How Trump Consultants Exploited the Facebook Data of Millions, N.Y. Times (Mar. 17, 2018), https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html (explaining that Cambridge Analytica analyses data and uses behavioral science to offer businesses and political candidates marketing materials targeted at specific consumers).

13.

Matthew Rosenberg et al., How Trump Consultants Exploited the Facebook Data of Millions, N.Y. Times (Mar. 17, 2018), https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html (explaining that the data was originally provided to a researcher).

14.

Id.; According to reports, the wearable manufacturer FitBit adopted privacy practices akin to those adopted in clinical research, although not required to, to ease some of these concerns. Alex Ruoff, Fitbit Lauds Research Protections Amid Expansion, Bloomberg L. News, May 19, 2016; See also Julie Appleby, Privacy Advocates Urge Stronger Protection of Employee Health Data, Kaiser Health News (Sept. 30, 2015), https://khn.org/news/privacy-advocates-urge-stronger-protection-of-employee-health-data/.

15.

See, e.g., Robert Green et al., GINA, Genetic Discrimination, and Genomic Medicine, 372 N. Engl. J. Med. 397, 397 (2015); Heather Harrell & Mark Rothstein, Biobanking Research and Privacy Laws in the United States, 11 J.L. Med. & Ethics 106, 111–12 (2016); Sharona Hoffman, Citizen Science: The Law and Ethics of Public Access to Medical Big Data, 30 Berkeley Tech. L.J. 1741, 1746 (2015); Valerie Gutmann Koch & Kelly Todd, Research Revolution or Status Quo?: The New Common Rule and Research Arising from Direct-to-Consumer Genetic Testing, 56 Hous. L. Rev. 81 (2018); Amy L. McGuire & Mary Anderlik Majumder, Two Cheers for GINA?, 1 Genome Med. 6 (2009); Elizabeth R. Pike, Securing Sequences: Ensuring Adequate Protections for Genetic Samples in the Era of Big Data, 37 Cardozo L. Rev. 1977, 2026 (2016); Mark A. Rothstein, The End of the HIPAA Privacy Rule?, 44 J.L. Med & Ethics 352, 352 (2016); Shuang Wang et al., Genome Privacy: Challenges, Technical Approaches to Mitigate Risk, and Ethical Considerations in the United States, 1387 Annals N.Y. Acad. Sci. 73, 82 (2017); Ellen Wright Clayton, Why the Americans with Disabilities Act Matters for Genetics, 313 J. Am. Med. Ass’n 2225, 2226 (2015).

16.

This project was part of a larger project, Beyond Data Security: Promoting Confidentiality and Advancing Science (Laura M. Beskow, Principal Investigator, R01-HG-007733), funded by the National Human Research Institute.

17.

Gymrek et al., Identifying Personal Genomes by Surname Inference, 339 Science 321, 324 (2013).

18.

Jane Kaye, The Tension Between Data Sharing and the Protection of Privacy in Genomics Research, 13 Annual Rev. Genomics Hum. Genetics 1, 10 (2012); These practices are consistent with the federal regulations governing human subjects protections, which requires IRBs to ensure “[w]hen appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.” 45 C.F.R. § 46.111(a)(7) (2018).

19.

U.S. Dep’t of Health & Hum. Services, Guidance on Coded Private Information or Biological Specimens Use in Research (2008), available at http://www.hhs.gov/ohrp/policy/cdebiol.html [hereinafter Guidance on Coded]; Nat’l Bioethics Advisory Comm’n, Research Involving Human Biological Materials: Ethical Issues and Policy Guidance, 28 (Vol. 1 1999).

20.

See Nils Homer et al., Resolving Individuals Contributing Trace Amounts of DNA to Highly Complex Mixtures Using High-Density SNP Genotyping Microarrays, 4 PLOS Genetics 8, 1 (2008); Eric E. Schadt et al., Bayesian Method to Predict Individual SNP Genotypes from Gene Expression Data, 44 Nature Genetics 603, 606–607 (2012); Hae Kyung Im et al., On Sharing Quantitative Trait GWAS Results in an Era of Multiple-omics Data and the Limits of Genomic Privacy, 90 AM. J. Hum. Genetics 591, 591 (2012); Jean E. McEwen et al., Evolving Approaches to the Ethical Management of Genomic Data, 29 Trends Genetics 375, 376 (2013); Jeantine E. Lunshof et al., From Genetic Privacy to Open Consent, 9 Genetics 406, 406 (2008); Bradley Malin et al., Technical and Policy Approaches to Balancing Patient Privacy and Data Sharing in Clinical Translation Research, 58 J. Investigating Med. 1, 1 (2010); Carol J. Weil et al., NCI Think Tank Concerning the Identifiability of Biospecimens and “Omic” Data, 15 Genetics Med. 997, 1002 (2013); Gina Kolata, Poking Holes in Genetic Privacy, N.Y. TIMES (Jun. 16, 2013), https://www.nytimes.com/2013/06/18/science/poking-holes-in-the-privacy-of-dna.html; Amy Gutmann & James W. Wagner, Found Your DNA on the Web: Reconciling Privacy and Progress, 43 Hastings Ctr. Rep. (2013); Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, 57 UCLA L. Rev. 1701, 1716 (2010).

21.

Nat’l Institutes of Health, Modifications to GWAS Data Access (2008), available at https://osp.od.nih.gov/wp-content/uploads/Data_Sharing_Policy_Modifications.pdf.

22.

Gymrek, supra note 17.

23.

Amy L. McGuire & Richard A. Gibbs, No Longer De-Identified, 312 SCIENCE 370, 370 (2006); William W. Lowrance & Francis S. Collins, Identifiability in Genomic Research, 317 Science Mag. 600, 600 (2007); Harald Schmidt & Shawneequa Callier, How Anonymous is ‘Anonymous’? Some Suggestions Towards a Coherent Universal Coding System for Genetic Samples, 38 J. Med. Ethics 304 (2012); Heather Patterson, Contextual Expectations of Privacy in Self-Generated Health Information Flows, 41 TRPC: The 41ST Res. Conf. on Comm., Info., & Internet Pol’y (2013).

24.

Laura L. Rodriguez et al., The Complexities of Genomic Identifiability, 339 Science 275 (2013); Gutmann, supra note 20.

25.

45 C.F.R. § 46 (2018); Dep’t Health & Hum. Services, Revised Common Rule Regulatory Text (Mar. 17, 2017), available at https://www.hhs.gov/ohrp/regulations-and-policy/regulations/revised-common-rule-regulatory-text/index.html.

26.

45 C.F.R. § 160 (2018); 45 C.F.R. § 164 (2018).

27.

29 U.S.C. § 1182(b) (2018) (prohibiting discrimination in employer-based insurance); 42 U.S.C. § 300gg-3(b)(1)(B) (2011) (regarding group health insurance); 42 U.S.C. § 2000ff-1 (2018) (prohibiting employment discrimination on the basis of genetic information).

28.

Elizabeth McCuskey, Body of Preemption: Health Law Traditions and the Presumption of Preemption, 89 Temple L. Rev. 95, 99, 103 (2016) (discussing the traditions of preemption analysis in various federal health law statutes).

29.

Alicia A. Parkman et al., Public Awareness of Genetic Nondiscrimination Laws in Four States and Perceived Importance of Life Insurance Protections, 24 J. Genetic Counsel 512, 512–13 (2015) (lack of awareness of GINA among public); Leslie E. Wolf et al., Certificates of Confidentiality: Legal Counsels’ Experiences with and Perspectives on Legal Demands for Research Data, 7 J. Empirical Res. on Hum. Res. Ethics 1, 9 (2012) (legal counsel) [hereinafter Certificates of Confidentiality]; Laura M. Beskow et al., Institutional Review Boards’ Use of Understanding Certificates of Confidentiality, PLOS One (Sept. 4, 2012), https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0044050.

30.

Nat’l Inst. of Health, All of Us Research Program, https://allofus.nih.gov/about (last visited Dec. 30, 2018); U.S. Dep’t of Veterans Affairs, supra note 9.

31.

Unlike clinical trials where the research risk involves physical injury or harm, in genomic research the primary harm to participants is informational: that their data will be used in research to which they would not consent. This is because the actual physical intervention in genomic research, such as the drawing of blood, poses a relatively low risk in terms of physical injury. When specimens are collected prospectively, individuals have the opportunity to decide whether they are willing to have their genomic information collected and used. But, as described in detail infra in Part II, research can be conducted on specimens collected for other purposes without the individuals’ knowledge or consent.

32.

Federal Policy for the Protection of Human Subjects (‘Common Rule’), Dep’t of Health & Hum. Serv., https://www.hhs.gov/ohrp/regulations-and-policy/regulations/common-rule/index.html (last visited Feb. 2, 2019) [hereinafter Federal Policy].

33.

Leslie E. Wolf, Advancing Research of Stored Biological Material: Reconciling Law, Ethics, and Practice, 11 Minn. J.L., Sci., & Tech. 99, 130 (2010) [hereinafter Advancing Research].

34.

Secondary research use refers to research involving data or specimens that are beyond the original purposes. Such research may be done with consent – either specific or broad – or without consent under regulatory provisions that permit such uses. In specific consent, the participant consents only to the specific purposes, risks, and benefits of a particular research use of specimens or information. By contrast, broad consent involves a more open-ended consent to unspecified or generally described future research uses of the participant’s specimens or information. Broad consent is generally viewed as necessary for large-scale genomic research, where it would be impracticable to seek specific consent from each participant for every subsequent research use of the information. Pike, supra note 15, at 2026–2027.

35.

See infra, Part III.A.1.

36.

How Can Covered Entities Use and Disclose Protected Health Information for Research and Comply with the Privacy Rule, U.S. Dep’t of Health & Hum. Serv., https://privacyruleandresearch.nih.gov/pr_08.asp (last visited Feb. 7, 2019) [hereinafter How Can Covered Entities].

37.

See Nat’l Research Council, Protecting Participants and Facilitating Social and Behavioral Sciences Research 25–30 (Constance F. Citro et al., eds., 2003) (describing different types of research risks and harms and describing confidentiality protection as a “means of showing respect for a person”).

38.

45 C.F.R. §§ 160.102–103 (2018).

39.

U.S. Dep’t of Health & Hum. Services, Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (2015).

40.

45 C.F.R. § 164.512 (2018) (setting forth disclosures where an individual’s authorization is not required, including those required by law, for public health activities, about victims of abuse or domestic violence, health oversight activities, for law enforcement purposes, for research purposes, and others); see also Harrell et al., supra note 15, at 353–354.

41.

45 C.F.R. § 164.512 (2018).

42.

See supra text accompanying notes 1–7.

43.

42 U.S.C. § 241d (2016).

44.

Leslie E. Wolf et al., Certificates of Confidentiality: Protecting Human Subject Research Data in Law and Practice, 43 J.L., Med., & Ethics 594, 595 (2016).

45.

Id. at 7.

46.

Certificates of Confidentiality, supra note 29.

47.

Leslie E. Wolf & Laura M. Beskow, New and Improved? 21st Century Cures Act Revisions to Certificates of Confidentiality, 44 Am. J.L. & Med. 343, 350–52 (2018) (discussing the exceptions to the Certificates disclosure prohibition following the amendments to Certificates under the 21st Century Cures Act) [New and Improved]; see also Leslie E. Wolf et al., Certificates of Confidentiality: Protecting Human Subject Research Data in Law and Practice, 43 J.L., Med., & Ethics 594, 597–600 (2015) (discussing cases involving Certificates and their implications).

48.

45 C.F.R. §164.512 (2018).

49.

Amy L. McGuire et al., Returning Genetic Research Results: Study Type Matters, 10 Personalized Med. 27, 27–28 (2013); Bartha Maria Knoppers et al., Return of Genetic Testing Results in the Era of Whole Genome Sequencing, 16 Nature Rev. Genetics 553, 555 (2015).

50.

Jalayne J. Arias & Jason Karlawish, Confidentiality in Preclinical Alzheimer Disease Studies, 82 Neurology 725, 726 (2014); Anya E.R. Prince et al., Automatic Placement of Genomic Research Results in Medical Records: Do Researchers Have a Duty? Should Participants Have a Choice?, 43 J.L, Med., & Ethics 827, 833 (2015).

51.

Laura M. Beskow et al., Thought-Leader Perspectives on Risks in Precision Medicine Research, in Big Data, Health Law, and Bioethics 161 (I. Glenn Cohen et al., eds., 2018) [hereinafter Thought-Leader].

52.

Id.

53.

The Genetic Information Nondiscrimination Act (GINA), Huntington’s Disease Soc’y of Am., https://hdsa.org/living-with-hd/gina/ (last visited Feb. 7, 2019).

54.

See also Eric A. Feldman & Chelsea Darnell, Health Insurance, Employment, and the Human Genome: Genetic Discrimination and Biobanks in the United States, in Comparative Issues in the Governance of Research Biobanks: Property, Privacy, Intellectual Property, and the Role of Technology 66 (2013), also available at https://scholarship.law.upenn.edu/faculty_scholarship/1550/.

55.

Pub. L. No. 110–233, §§ 2, 201(2)(B), 122 Stat. 881 (2008); see also Green et al., supra note 15, at 397.

56.

Green et al., supra note 15, at 398.

57.

Clayton, supra note 15.

58.

Id.

59.

Presidential Comm’n for the Study of Bioethical Issues, Privacy and Progress in Whole Genome Sequencing at 3 (2012).

60.

The Newborn Screening Saves Lives Reauthorization Act of 2014, Pub. L. No. 113–240, 128 Stat. 2851 (2014).

61.

Federal Policy, supra note 32; 21 C.F.R. § 50 (2019) (providing provisions substantially the same as those in the Common Rule); 21 C.F.R. § 56 (2019) (providing provisions substantially the same as those in the Common Rule).

62.

45 C.F.R. § 160 (2018); 45 C.F.R. § 162 (2018); 45 C.F.R. § 164 (2018).

63.

42 U.S.C. § 241d (2016).

64.

Pub. L. No. 110–223, 122 Stat. 881 (2008).

65.

Pub. L. No. 101–336, 104 Stat. 328 (1990).

66.

Pub. L. No. 111–148, 124 Stat. 119 (2010).

67.

45 C.F.R. § 160.306(a) (2018); Kenneth L. Shigley & John D. Hadden, Federal HIPAA Medical Privacy Regulations, Ga. Law of Torts Preparation for Trial § 8:2 (2017 ed.).

68.

45 C.F.R. § 46.101(f) (2019) (setting forth the Common Rule’s application, which does not affect any state or local laws that provide additional protections); Pub. L. No. 110–233, § 209(a)(1), 122 Stat. 881 (2008) (setting forth the construction of GINA, which should not be construed to limit rights or protections provided under another federal or state statute providing equal or greater protections); 45 C.F.R. § 160.203(b) (2018) (setting forth HIPAA’s preemption only of conflicting or less-stringent state laws); 42 U.S.C. § 18041(d) (2018) (setting forth the Affordable Care Act’s preemption of conflicting state laws); see generally McCuskey, supra note 28 (discussing the traditions of preemption analysis in various federal health law statutes).

69.

See infra Appendix (listing specific searches for each data set).

70.

For example, we looked at Table of State Statutes Related to Genomics, Nat’l Hum. Genome Res. Inst., www.genome.gov/27552194 (last updated July 11, 2018), and Presidential Comm’n for the Study of Bioethical Issues, Privacy and Progress in Whole Genome Sequencing at 121–124 (2012).

71.

We searched for laws in each of these categories independently and analyzed them separately. However, as there is substantial, but not perfect, overlap, we present this analysis together.

72.

We used exclusion criteria to limit the scope of state laws to those most relevant to the privacy of genomic or health data held by researchers, set forth in the Appendix.

73.

See infra Appendix (listing inclusion and exclusion criteria).

74.

We moved from NVivo 10™ to NVivo 11™ over the course of the project.

75.

See, e.g., Harrell, supra note 15, at 114; see U.S. Dep’t of Health & Hum. Services, Secretary’s Advisory Comm. on Hum. Res. Protections Meeting Minutes (May 25, 2017) (minutes reference less than 5 states).

76.

It is important to note that there is some overlap between the datasets. For example, genetic privacy laws often have genetic discrimination provisions. However, that is not always true. We treated each dataset separately in terms of identification and coding.

77.

Federal Policy, supra note 32; Revisions to the Common Rule were promulgated on January 19, 2017. Federal Policy for the Protection of Human Subjects, 82 Fed. Reg. 7149, 7211–14 (Jan. 19, 2017) (Final Rule); These revisions were originally to take effect in January 2018, but the effective date has since been deferred until July 2018. Federal Policy for the Protection of Human Subjects: Delay of the Revisions to the Federal Policy for the Protection of Human Subjects, 83 Fed. Reg. 2885, 2886 (Jan. 22, 2018) (to be codified at 10 C.F.R pt. 745); The Food and Drug Administration has its own regulations, 21 C.F.R. §§ 50 & 56. Its provisions are substantially similar to the Common Rule, although the FDA regulations do not have the exemptions or waiver of consent provisions the Common Rule does. For these reasons, we focus our discussion on the Common Rule.

78.

45 C.F.R. § 46.101(a); Fifteen federal agencies took appropriate administrative action to make the policy applicable to their research, which is the reason these regulations are referred to as the Common Rule. Federal Policy, supra note 32.

79.

45 C.F.R. § 46.111(a)(1)-(5) (2018); 45 C.F.R. § 46.116 (2019) (providing the requirements for consent).

80.

45 C.F.R. § 46.111(a)(7) (2018) (stating that “[t]he Secretary of HHS will, after consultation with the Office of Management and Budget’s privacy office and other Federal departments and agencies that have adopted this policy, issue guidance to assist IRBs in assessing what provisions are adequate to protect the privacy of subjects and to maintain the confidentiality of data”).

81.

Congress originally authorized this protection as part of the Comprehensive Drug Abuse Prevention and Control Act of 1970, Pub. L. No. 91–513, § 3(a), § 303(a), 84 Stat. 1236, 1241 (codified at 42 U.S.C. § 242a(a) (1970)) (repealed 2000); This provision has been revised multiple times over the years, most recently through the 21st Century Cures Act, Pub. L. 114–255, sec. 2012(a), 130 Stat. 1033, 1049–50 (2016) (codified at 42 U.S.C. § 241d (2016)). In all versions, researchers holding a Certificate may avoid identifying research participants in “any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings.”

82.

See New and Improved, supra note 47, at 345 n.8 (citing the original language of 42 U.S.C. § 241(d)) and at 347–348 (discussing the changes under the 21st Century Cures Act).

83.

21st Century Cures Act, H.R. 34, 114th Cong. § 2012(a) (2016); see New and Improved, supra note 47, at 347–348 for a discussion of this change.

84.

Certificates of Confidentiality, Nat’l Institutes of Health, https://humansubjects.nih.gov/coc/index (last visited March 20, 2019).

85.

Id. at 347–348.

86.

Id. at 347–348.

87.

Id. at 349–350.

88.

Id. at 346.

89.

People v. Newman, 32 N.Y.2d 379, 386–389 (1973), cert. denied, 414 U.S. 1163 (1974) (upholding the refusal of the director of a methadone clinic protected by a Certificate to disclose patient photographs to assist in a line-up, despite the statement of a witness to a murder that she had seen the murderer at the clinic).

90.

Regardless of method, prospective collection of biospecimens constitutes human subjects research under the Common Rule. A “human subject” is defined as a “living individual about whom an investigator obtains (1) data through intervention or interaction with the individual, or (2) identifiable information.” 45 C.F.R. § 46.102(f) (2019). Research means “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.” 45 C.F.R. § 46.102(d) (2019). These definitions are largely unchanged in the Final Rule. Federal Policy for the Protection of Human Subjects, 82 Fed. Reg. 7149, 7150 (Jan. 19, 2017) (to be codified at 45 C.F.R. pt. 46); 82 Fed. Reg. 7150 (2017); See also Advancing Research, supra note 33, at 130.

91.

See 45 C.F.R. § 46.116 (2019).

92.

82 Fed. Reg. 7149 (2017); 82 Fed. Reg. 7256 (2017); 82 Fed. Reg. 7266 (2017).

93.

Included in the required consent disclosures is “a statement that … the subject may discontinue participation at any time without penalty or loss of benefits to which the subject is otherwise entitled.” See 45 C.F.R. § 46.116(a)(8) (2019). See generally G. Owen Schaefer & Alan Wertheimer, The Right to Withdraw from Research, 20 Kennedy Inst. Ethics J. 329 (2010).

94.

This right has not been conceived of as an absolute right to stop further research. Some have permitted researchers to strip biospecimens of identifiers and to continue to use the now deidentified biospecimens in research. Advancing Research, supra note 33, at 116–118, 140–142, 154–155.

95.

Id. at 154–155.

96.

See Attachment D - Recommendations for a Broad Consent Template, U.S. Dep’t of Health & Hum. Services, https://www.hhs.gov/ohrp/sachrp-committee/recommendations/attachment-d-august-2-2017/index.html (last visited March 20, 2019) (recommendation approved by the Secretary’s Advisory Committee on Human Research Protections on July 26, 2017).

97.

See id.

98.

45 C.F.R. § 46.102(f) (defining a human subject as a “living individual about whom an investigator obtains (1) data through intervention or interaction with the individual, or (2) identifiable information”); 45 C.F.R. § 46.102(d) (2019) (defining research as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge”); These definitions are largely unchanged in the Final Rule. Federal Policy for the Protection of Human Subjects, 82 Fed. Reg. 7149 (2017) (to be codified at 48 C.F.R. pt. 46); 82 Fed. Reg. 7150 (2017) (to be codified at 48 C.F.R. pt. 46).

99.

OHRP leads HHS efforts with respect to human research protections, including providing guidance on the regulatory requirements. History, Dep’t of Health and Hum. Services, https://www.hhs.gov/ohrp/about-ohrp/history/index.html (last visited Feb. 7, 2019).

100.

Guidance on Coded, supra note 19; An example of when research with specimens is not human subjects research is when there is an agreement not to release the key that would identify the individuals to the researchers to whom the specimens are provided. Id.

101.

45 C.F.R. § 46.104(d) (2019). Research that falls within any of these categories is collectively referred to as “exempt research.”

102.

Exempt Research Determination FAQs, U.S. Dep’t of Health & Hum. Services, https://www.hhs.gov/ohrp/regulations-and-policy/guidance/faq/exempt-research-determination/index.html (last visited Mar. 11, 2018) [Exempt Research].

103.

45 C.F.R. § 46.116(d) (2019) (permitting a waiver of consent if an IRB determines that: (1) the research involves no more than minimal risk to the subjects; (2) the waiver will not adversely affect the rights and welfare of the subject; (3) the research could not practicably be carried out without the waiver; and (4) whenever appropriate, the subjects will be provided with additional pertinent information after participation); Id.; The last provision is more commonly applicable to deception research, in which some information must be withheld during the consent process in order to conduct the study. See Roseanna Sommers & Franklin G. Miller, Forgoing Debriefing in Deceptive Research: Is It Ever Ethical?, 23 Ethics & Behav. 98, 99 (2013).

104.

The Newborn Screening Saves Lives Reauthorization Act of 2014 alters the Common Rule’s treatment of research on specimens with respect to newborn blood spots, which are collected for screening for specific genetic conditions postnatally. The Act categorized all research involving newborn blood spots as “human subjects” research and, thus, subject to the Common Rule provisions. Section 12 of the Newborn Screening Saves Lives Reauthorization Act of 2014, P.L. 113–240, § 12, 128 Stat. 2851 (2014) (December 18, 2014) provides: “Research on newborn dried blood spots shall be considered research carried out on human subjects meeting the definition of section 46.102(f)(2) of title 45, Code of Federal Regulations, for purposes of Federally funded research conducted pursuant to the Public Health Service Act until such time as updates to the Federal Policy for the Protection of Human Subjects (the Common Rule) are promulgated … For purposes of this subsection, sections 46.116(c) and 46.116(d) [permitting waiver of consent] of title 45, Code of Federal Regulations, shall not apply.” At the time that this Act was adopted, the proposed revisions to the Common Rule would have required consent for all biospecimen research. 80 Fed. Reg. 53933, 53943 (proposed Sept. 8, 2015) (to be codified at 48 C.F.R. pt. 46); However, the Final Rule did not do so. Federal Policy for the Protection of Human Subjects, 82 Fed. Reg. 7149, 7150 (Jan. 19, 2017) (to be codified at 48 C.F.R. pt. 46). Accordingly, this requirement for consent will be eliminated when the Final Rule becomes effective. Id.

105.

Eric M. Meslin & Kimberly A. Quaid, Ethical Issues in the Collection, Storage, and Research Use of Human Biological Materials, 144 J. Laboratory & Clinical Med. 229, 230 (2004).

106.

See Assurance Process Frequently Asked Questions (FAQs), U.S. Dep’t of Health and Hum. Services, https://www.hhs.gov/ohrp/register-irbsand-obtain-fwas/fwas/assurance-process-faq/index.html (last visited Dec. 30, 2018) (regarding assurance and the ability to voluntarily extend scope); See generally Fanny K. Ennever, Reducing Regulatory Burdens on Research with Human Subjects: A Case Study of the Transition to the Final Common Rule at Boston Medical Center and Boston University Medical Campus, 46 J.L., Med., & Ethics 164 (2018) (discussing the “check the box” option and the Final Common Rule change removing this option).

107.

See Adil E. Shamoo & Jack Schwartz, Universal and Uniform Protections of Human Subjects in Research, 8 Am. J. Bioethics 7 (2007) (describing “a patchwork of regulation[s] [that] leaves a significant number of human subjects in research without any regulatory protection”); Inder M. Verma, Editorial Expression of Concern and Correction, 111 Proc. Nat’l Acad. Sci. U.S. 10779 (2014) (explaining the publication decision of the Facebook emotional contagion experiment, despite the lack of IRB approval, on the grounds that “as a private company Facebook was under no obligation to conform to the provisions of the Common Rule when it collected the data used by the authors, and the Common Rule does not preclude their use of the data.”).

108.

Office for Hum. Res. Protections, Compliance Oversight Procedures for Evaluating Institutions (2009), U.S. Dep’t of Health & Hum. Services (Oct. 14, 2009), https://www.hhs.gov/ohrp/compliance-and-reporting/evaluating-institutions/index.html; See also OHRP Generally Conducted Its Compliance Activities Independently, But Changes Would Strengthen Its Independence, U.S. Dep’t of Health & Hum. Services (July 2017), https://oig.hhs.gov/oei/reports/oei-01-15-00350.asp.

109.

Michelle M. Mello et al., The Rise of Litigation in Human Subjects Research, 139 Annals Internal Med. 40, 41–43 (2003) (commenting on an increase in human subjects litigation). Despite a brief peak in the number of such cases, they appear to remain relatively rare. Interestingly, lawsuits in Minnesota and Texas led those states to require consent to use newborn screening spots in research. See, e.g., Sonia M. Suter, Did You Give the Government Your Baby’s DNA? Rethinking Consent in Newborn Screening, 15 Minn. J.L., Sci., & Tech. 729, 748–50 (2014); Allison M. Wheelan, Federal Newborn Screening Law Emphasizes Informed Consent, Bill of Health Blog (Jan. 16, 2015), http://blog.petrieflom.law.harvard.edu/2015/01/16/federal-newborn-screening-law-emphasizes-informed-consent/.

110.

This conversation also generally focuses on the Common Rule, unless the particular research falls under FDA authority.

111.

See, e.g., Harrell et al., supra note 15, at 111. This article goes further than some in mentioning some state laws that apply to specific populations.

112.

Cal. Health & Safety Code § 24170 (West 1999); These statutory provisions apply to a “medical experiment” that is defined as “(a) [t]he severance or penetration or damaging of tissues of a human subject or the use of a drug or device … electromagnetic radiation, heat or cold, or a biological substance or organism, in or upon a human subject in the practice or research of medicine in a manner not reasonably related to maintaining or improving the health of the subject or otherwise directly benefiting the subject; (b) The investigational use of a drug or device …; (c) Withholding medical treatment from a human subject for any purpose other than maintenance or improvement of the health of the subject.” Cal. Health & Safety Code § 24174 (West 2019); However, the statute “shall not apply to any person who is conducting a medical experiment as an investigator within an institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 of Title 45 of the Code of Federal Regulations and who obtains informed consent in the method and manner required by those regulations.” Cal. Health & Safety Code § 24178 (West 2019).

113.

Md. Code Ann., Health-Gen. § 13–2001 (West 2018). With respect to compliance with the federal regulations, this statute provides “a person may not conduct research using a human subject unless the person conducts the research in accordance with the federal regulations on the protection of human subjects” and “[n]otwithstanding any provision in the federal regulations on the protection of human subjects that limits the applicability of the federal regulations to certain research, subsection (a) of this section applies to all research using a human subject.” Md. Code Ann., Health-Gen. § 13–2002(a)-(b) (West 2018).

114.

N.Y. Pub. Health Law § 2440 (McKinney 2019); “The provisions of this article shall not apply to the conduct of human research which is subject to, and which is in compliance with, policies and regulations promulgated by any agency of the federal government for the protection of human subjects.” N.Y. Pub. Health Law § 2445 (McKinney 2019).

115.

Virginia also has some regulations that apply to specific state agencies. Va. Code Ann. § 32.1–162.20 (2018); see, e.g., 22 Va. Admin. Code § 30-40-10 (2018) (Department for Aging and Rehabilitative Services); 22 Va. Admin. Code § 40–890 et seq. (2018) (Department of Social Services).

116.

Virginia exempts research that is exempt from the federal regulations from its provisions. Va. Code Ann. § 32.1–162.16 (2018) (referencing specifically the exemptions contained in 45 C.F.R. § 46.101(b)); See also Va. Code Ann. § 32.1–162.17 (2018) (exempting several types of research in language similar to the Common Rule exemptions, in addition to exempting research conducted by the Virginia Department of Health); New York’s definition of human research explicitly excludes research using biospecimens removed for clinical purposes. N.Y. Pub. Health Law § 2441 (McKinney 2019) (“Human research shall not, however, be construed to mean the conduct of biological studies exclusively utilizing tissue or fluids after their removal or withdrawal from a human subject in the course of standard medical practice, or to include epidemiological investigations.”); California’s definition of “medical experiment” appears to cover research in which biospecimens are prospectively collected, but not research involving biospecimens collected for other purposes. Cal. Health & Safety Code § 24174 (West 2019); Advancing Research, supra note 33, at 116–118, 140–142, 154–155.

117.

Md. Code Ann., Health-Gen. § 13–2001(c) (West 2018).

118.

“Notwithstanding any provision in the federal regulations on the protection of human subjects that limits the applicability of the federal regulations to certain research, subsection (a) of this section [which requires compliance with the federal regulations] applies to all research using a human subject.” Md. Code Ann., Health-Gen. § 13–2002(b) (West 2018).

119.

Letter from J. Joseph Curran, Jr. Regarding House Bill 917 – “Human Subject Research – Institutional Review Boards”, Maryland Att’y Gen., to Parris N. Glendening, Governor of Maryland (May 2, 2002), available at http://www.marylandattorneygeneral.gov/Health%20Policy%20Documents/hb917letter.pdf (last visited Dec. 30, 2018).

120.

See supra note 100.

121.

N.Y. Pub. Health Law § 2443 (McKinney 2019); “Researcher” is defined as “any person licensed under title VIII of the education law to perform diagnosis, treatment, medical services, prescription or therapeutic exercises with regard to or upon human beings, or any other person deemed appropriately competent and qualified by a human research review committee as provided by section twenty-four hundred forty-four of this chapter.” N.Y. Pub. Health Law § 2441 (McKinney 2019).

122.

Most commonly, states have laws that apply to research conducted in mental health or substance abuse facilities. See, e.g., Tex. Health & Safety Code Ann. § 87.063 (West 2017); Wis. Stat. § 51.61 (2018). There are also laws that apply to prisons. See, e.g., Ill. Admin. Code tit. 20, § 106 (2019). In addition, states have laws regulating human subjects research that is conducted or funded by particular state government entities, such as the department of health, public health, or mental health. A list of these laws is on file with the authors.

123.

Or. Admin. R. 333-025-0120 (2019).

124.

Or. Admin. R. 333-025-0120 (2019).

125.

Exempt Research, supra note 102.

126.

Or. Admin. R. 333-025-0110(3) (2019) (emphasis added).

127.

Or. Admin. R. 333-025-0105(2) (2019).

128.

It provides that the recipient of a limited data set will “not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law; (ii) use appropriate safeguards to prevent use or disclosure of the information other than as provided for in the data use agreement; (iii) report to the investigator any use or disclosure of the information not provided for by its data use agreement of which it becomes aware; (iv) ensure that any agents, including a subcontractor, to whom it provides the limited data set agrees to the same restrictions and conditions that apply to the limited data set recipient … and (v) not identify the information or contact the individuals.” Or. Admin. R. 333-025-0120 (2019).

129.

Other federal agencies may follow NIH’s lead to automatically provide Certificates to the research they fund, but they have not done so as of the date of this writing. Moreover, Certificate protection for non-federally funded research is discretionary. See discussion supra in text accompanying notes 81–89. In this section, we address laws that apply to research data. For a discussion of laws that provide protection to genetic information, see Part III.B, infra.

130.

In this section, we address laws that apply to research data. For a discussion of laws that provide protection to genetic information, see infra Part III.B.

131.

Ark. Code Ann. §§ 20-35-102, 35–103 (2018); Okla. Stat. tit. 36, § 3614.4C (2019).

132.

Ark. Code Ann. § 20-35-102 (2018); Okla. Stat. tit. 36, § 3614.4B (2019) (referring to the federal regulations without specifying a date).

133.

La. Stat. Ann. § 44:7 (2018) (“All records of interviews, health surveys, questionnaires, laboratory and clinical data, reports, statements, notes, and memoranda, which contain identifying characteristics of research subjects hereinafter referred to as ‘confidential data’, and which are procured and prepared by employees of public universities, medical schools, and colleges for the purpose of research, and acting in accordance with institutional Internal Review Board [sic] policy and procedures for research involving human subjects, … shall be subject to the following provisions: (1) No part of the confidential data shall be available for subpoena nor shall it be disclosed, discoverable, or be compelled to be produced in any civil, criminal, or administrative proceeding, or other tribunal or court for any reason.”)

134.

920 Ky. Admin. Regs. 1.060 (2019) (“Research information that identifies an individual subject shall be regarded as confidential in accordance with [state and federal law] and shall not be disclosed to a person outside the research project staff or published without the subject’s prior written authorization”).

135.

Cal. Health & Safety Code § 24176 (West 2019).

136.

Id. at subsections (a) & (b). When the willful failure is coupled with a “known substantial risk of serious injury, either bodily harm or psychological harm,” it is a misdemeanor punishable by imprisonment of up to one year in the county jail, a $50,000 fine or both; The same penalties apply to pharmaceutical company representatives or employees who contract the research and willfully withhold information about the risks of the research. Id. at subsections (c) and (d); Further “[e]ach and every experiment performed in violation of any provision of this chapter is a separate and actionable offense.” Id. at subsection (e); The statute explicitly preserves the rights of injured subjects to seek recovery under other laws, such as state tort law. Id. at subsection (g).

137.

Md. Code Ann., Health-Gen. § 13–2004 (West 2018).

138.

Alaska Stat. § 18.13.010 (2018) (“a person may not collect a DNA sample from a person, perform a DNA analysis on a sample, retain a DNA sample or the results of a DNA analysis, or disclose the results of a DNA analysis unless the person has first obtained the informed and written consent of the person, or the person’s legal guardian or authorized representative, for the collection, analysis, retention, or disclosure”); Del. Code Ann. tit. 16, § 1203(a) (2019) (“No person shall retain an individual’s genetic information without first obtaining informed consent from the individual”); Iowa Code § 729.6 (2019); 29 U.S.C. § 1191b (2017) (“A person shall not perform genetic testing on an individual or collect, retain, transmit, or use genetic information without the informed and written consent of the individual or the individual’s authorized representative” where genetic information is defined as an individual’s genetic tests or that of their family members and genetic test “means an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that detects genotypes, mutations, or chromosomal changes”); La. Stat. Ann. § 22:1023 (2018) (“No person shall retain an insured’s or enrollee’s genetic information without first obtaining authorization from the insured, enrollee, or their representative ….”); La. Admin. Code tit. 37 § 4515 (2018) (“No person shall retain an insured’s or enrollee’s genetic information without first obtaining authorization from the insured, enrollee, or their representative”); N.J. Stat. Ann. § 10:5–46 (West 2018) (“No person shall retain an individual’s genetic information without first obtaining authorization under the informed consent requirement … ”); N.M. Stat. Ann. § 24–21-3(B) (2019) (“[G]enetic analysis of an individual or collection, retention, transmission or use of genetic information without the informed consent of the individual or the individual’s authorized representative is prohibited”); Nev. Rev. Stat. § 629.161 (2019) (“It is unlawful to retain genetic information that identifies a person, without obtaining the informed consent of the person or the person’s legal guardian ….”); Or. Rev. Stat. § 192.537(3) (2019) (“A person may not retain another individual’s genetic information or DNA sample without first obtaining authorization from the individual or the individual’s representative”).

139.

Del. Code Ann. tit. 16, § 1203 (2019).

140.

N.J. Stat. Ann. § 10:5–46 (West 2018).

141.

Id.

142.

Attachment C - Recommendations for Broad Consent Guidance, U.S. Dep’t of Health & Hum. Services, https://www.hhs.gov/ohrp/sachrp-committee/recommendations/attachment-c-august-2-2017/index.html (last visited Dec. 30, 2018); In contrast, Nevada requires destruction of genetic information upon request, but includes an exception when “authorized or required by state or federal law or regulation.” Nev. Rev. Stat. § 629.161 (2017); Oregon similarly allows retention after an individual requests destruction for “anonymous research or coded research” provided the individual has been notified that the information may be retained for such research or has consented to such retention. Or. Rev. Stat. § 192.537(2) (2019).

143.

Tex. Ins. Code § 546.054 (2017); Tex. Lab. Code Ann. § 21.405 (2017); Tex. Occ. Code Ann. § 58.052 (2017); see also Me. Stat. tit. 24-A, § 2215(H) (2018) (allowing insurers to share genetic information for actuarial or research studies, but requiring identifiable samples to be “returned or destroyed as soon as they are no longer needed”).

144.

See table in Appendix for list of laws with such exceptions.

145.

La. Stat. Ann. § 22:1023 (2018); La. Admin. Code tit. 37, § 4511 (2018).

146.

Cal. Code Regs. tit. 22 § 126055 (West 2019); Minn. Stat. § 144.125 (2019); R.I. Dep’t of Hum. Services, HIPPA-1, Notice of Privacy Practices (2018); R.I. Gen. Laws § 5-37.3-4 (2018); Wash. Rev. Code § 70.02.040 (2019).

147.

Cal. Health & Safety Code § 124975 (West 2019); Cal. Code Regs. tit. 17 § 6551 (West 2019); Md. Code Regs. 10.10.13.15 (2018); 181 Neb. Admin. Code § 2–007 (2019).

148.

Id.; Dried Blood Spot Usage and Storage, Baby’s First Test, https://www.babysfirsttest.org/newborn-screening/dried-blood-spot-storage-and-usage (last visited Feb. 7, 2019) (“When newborn screening is performed, a nurse collects a few drops of blood from the baby’s heel on filter paper. After the sample dries and is sent to the state-approved laboratory, multiple “punches” of varying sizes are taken from the blood spots so they can be tested for the conditions included in the state’s newborn screening panel. After newborn screening is complete, a small amount of dried blood remains on the filter paper”); Newborn spot specimens are blood samples obtained within forty-eight hours of birth and sent to a public health laboratory to be tested for congenital disorders. Newborn Screening Laboratory Bulletin, Ctr. For Disease Control, https://www.cdc.gov/nbslabbulletin/bulletin.html (last updated Feb. 21, 2014); What Happens to the Blood Sample, Baby’s First Test, https://www.babysfirsttest.org/newborn-screening/what-happens-to-the-blood-sample (last reviewed Oct. 12, 2018).

149.

Cal. Health & Safety Code § 124975 (West 2019).

150.

Thought-Leader, supra note 51.

151.

Pub. L. No. 110–233, §§ 101, 202(b), 122 Stat. 881 (2008) (codified at 29 U.S.C. § 1182(b)) (regarding employer-based insurance); 42 U.S.C. § 300gg-3(b)(1)(B) (2011) (regarding group health insurance); 42 U.S.C. § 2000ff-1 (2008) (regarding employers); GINA defines genetic information to include genetic tests of the individual and their family members, plus the manifestation of a disease or disorder in a family member. Genetic Information Nondiscrimination Act of 2008, 110 Pub. L. No. 233, § 201(4)(A), 122 Stat. 881; Pub. L. No. 110–233, §§ 101, 202(b), 122 Stat. 881 (2008); Pub. L. No. 110–233, 122 Stat. 881 (2008); GINA’s definition of “genetic test” as “an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that detects genotypes, mutations, or chromosomal changes” does not limit it to clinical tests. Genetic Information Nondiscrimination Act of 2008, 110 Pub. L. 233, § 201(7), 122 Stat. 881; See, e.g., Summary of Genetic Information Non-Discrimination Act of 2003 (S. 1053), Nat’l Hum. Genome Res. Inst. (Mar. 17, 2012), https://www.genome.gov/11508845/summary-of-s-1053/.

152.

There are six exceptions to GINA’s prohibition on employers accessing genetic information: (1) inadvertent acquisitions; (2) as part of health services and wellness programs offered by the employer on a voluntary basis; (3) family medical history as part of certification of family medical leave to care for a family member with a serious health condition; (4) acquisitions through commercially and publicly available documents, as long as the employer is not searching those sources with the intent of finding genetic information; (5) through a genetic monitoring program that monitors the biological effects of toxic substances in the workplace; and (6) acquisition of genetic information of employees by employers who engage in DNA testing for law enforcement purposes as a forensic lab or for purposes of human remains identification is permitted for limited purposes. 42 U.S.C. § 2000ff-1 (2008).

153.

42 U.S.C. §§ 2000ff–2000ff-6 (2008); Note, however, that GINA’s prohibition on employment discrimination on the basis of genetic information does not apply to manifestations of diseases or conditions in the employee him- or herself, including manifestations of diseases with genetic bases. 42 U.S.C. § 2000ff-9 (2008).

154.

29 U.S.C. § 1182b (2008) (applying to employer-based health plans); 42 U.S.C. § 300gg-3(b)(1)(B) (2011) (applying to group health plans).

155.

42 U.S.C. § 300gg-53(a), 53(d) (2008) (prohibiting group or individual health insurers from determining eligibility for coverage based on health status factors, including genetic information); see 42 U.S.C. § 300gg (2010) (prohibiting small group or individual health insurance issuers from charging higher health insurance premiums on the basis of anything other than these factors: individual or family plan, age, tobacco use, geography. The implication is that premiums may not vary on the basis of health status factors or genetic information).

156.

42 U.S.C. § 1320d-9 (2017); The requirements of the HIPAA Privacy Rule are discussed in text accompanying infra notes 178–183.

157.

42 U.S.C. § 2000ff-5 (2008); Employers may disclose employees’ genetic information (1) to the employee himself or herself; (2) to an occupational or other health researcher if the research is conducted in compliance with the Common Rule; (3) in response to a court order with a requirement to inform the employee of the disclosure; (4) to government officials who are investigating compliance with GINA; (5) in connection with an employee’s application for certification under the Family Medical Leave Act or state medical leave laws; (6) to a Federal, State, or local public health agency only with regard to a contagious disease that presents an imminent hazard of death or life-threatening illness; and (7) in compliance with the HIPAA Privacy Rule. Id.

158.

U.S. Census Bureau, 2015 SUSB Annual Data Tables by Establishment Industry, U.S. and States, NAICS Sectors, Small Employment Sizes Less than 500 (Jan. 2018), https://www.census.gov/data/tables/2015/econ/susb/2015-susb-annual.html.

159.

McGuire & Majumder, supra note 15; Sarah Zhang, The Loopholes in the Law Prohibiting Genetic Discrimination, The Atlantic (Mar. 13, 2017), https://www.theatlantic.com/health/archive/2017/03/genetic-discrimination-law-gina/519216/.

160.

Nat’l Hum. Genome Res. Inst., Table of State Statutes Related to Health Insurance Nondiscrimination, https://www.genome.gov/policyethics/legdatabase/pubsearchresult.cfm?content_type=1&content_type_id=1&topic=2&topic_id=1&source_id=1 (choose content type “state statute”, search topic “health insurance nondiscrimination”).

161.

One exception is N.M. Stat. Ann. § 24-21-2(D) (2019) (defining “genetic information” to “mean … information about the genetic makeup of an individual or members of an individual’s family, including information resulting from genetic testing, genetic analysis, DNA composition, participation in genetic research or use of genetic services.”) (emphasis added); Oregon’s law has specific provisions regarding research. Or. Rev. Stat. § 192.531 (2019).

162.

We identified two states, Nebraska and Michigan, that explicitly exempted research from their laws while also limiting the relevant definition to clinical purposes. Specifically, although Nebraska has a broad definition of “genetic information,” its requirements for consent apply to “genetic tests”, which is defined as “analysis of human DNA, RNA, chromosomes, epigenetic status, and those tissues, proteins, and metabolites used to detect heritable or somatic disease-related genotypes or karyotypes for clinical purposes.” (emphasis added). It further explicitly states that genetic test “does not include a procedure performed as a component of biomedical research that is conducted pursuant to federal common rule under 21 C.F.R. parts 50 and 56 and 45 C.F.R. part 46.” Neb. Rev. Stat. § 71–551 (2019); 181 Neb. Admin. Code § 001 (2019). Michigan similarly defines genetic information in relation to genetic test, which is defined as “the analysis of DNA, RNA, chromosomes, and those proteins and metabolites used to detect heritable or somatic disease-related genotypes or karyotypes for clinical purposes. A genetic test must be generally accepted in the scientific and medical communities as being specifically determinative for the presence, absence, or mutation of a gene or chromosome in order to qualify under this definition.” (emphasis added). Like the Nebraska statute, it goes on to state that “the term ‘genetic test’ does not include a procedure performed as a component of biomedical research that is conducted pursuant to federal common rule under 21 C.F.R. parts 50 and 56 and 45 C.F.R. part 46”. Mich. Comp. Laws §§ 333.17020(8)(b), 333.17520(8)(b) (2018); In addition, Massachusetts requires laboratories and health care providers to obtain written consent for genetic testing, but exempts testing involving “confidential research information,” which is defined as “any results of a genetic test maintained pursuant to pharmacological or clinical research protocols which are subject to and conducted in accordance with the review and approval of an Institutional Review Board established pursuant to the provisions of 45 CFR 46 and 21 CFR 50 and 56 which protects the confidentiality of the individual who is the subject of the genetic test either by encryption, encoding or other means consistent with the requirements of said federal regulations, or where the identity of the individual is unknown or protected from disclosure by encrypting or encoding, or by other means consistent with the requirements of said federal regulations.” Mass. Gen. Laws. ch. 111, § 70G (2018). Unlike the Michigan and Nebraska laws, Massachusetts does not explicitly mention “clinical purposes” in its definitions.

163.

The elimination of the option to “check the box” and legally commit to applying the federal regulations to all research conducted at an institution may expand the scope of the research to which this applies.

164.

N.Y. Civ. Rights Law § 79-L (McKinney 2019) (“‘genetic test’ shall mean any laboratory test of human DNA, chromosomes, genes, or gene products to diagnose the presence of a genetic variation linked to a predisposition to a genetic disease or disability in the individual or the individual’s offspring; such term shall also include DNA profile analysis”) (emphasis added).

165.

These laws may variably use terms such as “DNA analysis”, “DNA test”, “genetic characteristic”, or “genetic tests,” in addition to “genetic information”. These broad definitions may apply generally to the makeup of the genome, the absence, presence, or alteration of a gene, and the like. See, e.g., S.C. Code Ann. § 38-93-10 (2018) (defining genetic test as “an analysis of human DNA, RNA, chromosomes, proteins, or metabolites that detects genotypes, mutations or chromosomal changes”); Fla. Stat. § 760.40 (2018) (uses the term “DNA analysis,” which it defines to mean “the medical and biological examination and analysis of a person to identify the presence and composition of genes in that person’s body. The term includes DNA typing and genetic testing”); Idaho Code § 39–8302 (2019) (genetic testing is “the testing or analysis of an identifiable individual’s DNA that results in information that is derived from the presence, absence, alteration or mutation of an inherited gene or genes, or the presence or absence of a specific DNA marker or markers” and “Private genetic information” is defined as “any information about an identifiable individual that is derived from the presence, absence, alteration or mutation of an inherited gene or genes, or the presence or absence of a specific DNA marker or markers, and which has been obtained from a genetic test or analysis of the individual’s DNA or from a genetic test or analysis of a person’s DNA of whom the individual is a blood relative”).

166.

See, e.g., Mass. Gen. Laws. ch. 111, § 70G (2018), Mass. Gen. Laws Ann. ch. 151B § 1 (2018) (“The term ‘genetic test,’ shall mean any tests of human DNA, RNA, mitochondrial DNA, chromosomes or proteins for the purpose of identifying genes or genetic abnormalities, or the presence or absence of inherited or acquired characteristics in genetic material.” (excepts information pertaining to abuse of drugs or alcohol)).

167.

What is Genetic Testing?, Genetics Home Reference, (Jan. 8, 2019), https://ghr.nlm.nih.gov/primer/testing/genetictesting.

168.

What do the Results of Genetic Tests Mean?, Genetics Home Reference, (Jan. 8, 2019), https://ghr.nlm.nih.gov/primer/testing/interpretingresults; Sue Richards et al., Standards and Guidelines for the Interpretation of Sequence Variants: A Joint Consensus Recommendation of the American College of Medical Genetics and Genomics and the Association for Molecular Pathology, 17 Genetics Med. 1, 2, 18 (2015) (about the scientific application); for discussion as part of return of results see Susan M. Wolf et al., Mapping the Ethics of Translational Genomics: Situating Return of Results and Navigating the Research-Clinical Divide, 15 J.L., MED., & ETHICS 1, 12–13 (2015); Wylie Burke et al., Recommendations for Returning Genomic Incidental Findings? We Need to Talk!, 15 Genetics Med. 1, 2 (2013); Ellen Wright Clayton and Amy L. McGuire, The Legal Risks of Returning Results of Genomic Research, 14 Genetics Med. 1 (2012).

169.

See infra note 173; Examples of State-Required Components of Informed Consent for Genetic Testing, Ctr. For Disease Control (June 12, 2009), https://www.cdc.gov/mmwr/preview/mmwrhtml/rr5806a3.htm.

170.

Informed Consent Guidelines & Templates, Res. Ethics & Compliance: U. Mich. (Dec. 19, 2018, 11:36 PM), https://research-compliance.umich.edu/informed-consent-guidelines; U-M Implementation: Informed Consent Changes, Res. Ethics & Compliance: U. Mich. (Nov. 13, 2018, 1:42 PM), https://research-compliance.umich.edu/human-subjects/common-rule-other-changes/u-m-implementation-informed-consent-changes; See supra discussion in text accompanying notes 100–104.

171.

45 C.F.R. § 164.502(d) (2018).

172.

Background Information of EEOC Final Rule of Title II of the Genetic Information Nondiscrimination Act of 2008, U.S. Equal Emp’t Opportunity Comm’n, https://www.eeoc.gov/laws/regulations/gina-background.cfm (last visited Feb. 7, 2019); See 42 U.S.C. § 2000ff-1(b) (2008); 42 U.S.C. § 300gg-53(d) (2008) (limiting request for genetic testing in employment and health insurance, respectively).

173.

These include Alaska Stat. § 18.13.010 (2018); Ariz. Rev. Stat. Ann. § 20–448.02(a) (2019) (“a person shall not require the performance of or perform a genetic test without first receiving the specific written informed consent of the subject [or legally authorized representative]” where “genetic test” is defined as “an analysis of an individual’s DNA, gene products or chromosomes that indicates a propensity for or susceptibility to illness, disease, impairment or other disorders, whether physical or mental, or that demonstrates genetic or chromosomal damage due to environmental factors, or carrier status for disease or disorder”); Del. Code Ann. tit. 16, §§ 1201–1202 (2019) (“No person shall obtain genetic information about an individual without first obtaining informed consent from the individual” where “genetic information” is defined as “information about inherited genes or chromosomes, and of alterations thereof, whether obtained from an individual or family member, that is scientifically or medically believed to predispose an individual to disease, disorder or syndrome or believed to be associated with a statistically significant increased research of development of a disease, disorder or syndrome”); Fla. Stat. § 760.40 (2018) (“Except for purposes of criminal prosecution, [determining paternity, and for criminal DNA banking], DNA analysis may be performed only with the informed consent of the person to be tested” where “DNA analysis” is defined to mean “the medical and biological examination and analysis of a person to identify the presence and composition of genes in that person’s body. The term includes DNA typing and genetic testing.”); Iowa Code § 729.6 (2019) (“a. A person shall not obtain genetic information or samples for genetic testing from an individual without first obtaining informed and written consent from the individual or the individual’s authorized representative. b. 
A person shall not perform genetic testing of an individual or collect, retain, transmit, or use genetic information without the informed and written consent of the individual or the individual’s authorized representative.” Genetic information and testing are defined as in 29 U.S.C. § 1191b (2017), which include the broad definition of genetic test as “an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that detects genotypes, mutations, or chromosomal changes” and excepting analysis of proteins or metabolites, including those related to a manifested disease, disorder, or condition); Minn. Stat. § 13.386 (2019) (“… genetic information about an individual: (1) may be collected by a government entity … or any other person only with the written informed consent of the individual” where “genetic information” is defined as “information about an identifiable individual derived from the presence, absence, alteration or mutation of a gene, or the presence or absence of a specific DNA or RNA marker, which has been obtained from an analysis of: (1) the individual’s biological information or specimen; or (2) the biological information or specimen of a person to whom the individual is related”. Interestingly, it “also means medical or biological information collected from an individual about a particular genetic condition that is or might be used to provide medical care to that individual or the individual’s family members.”); N.H. Rev. Stat. Ann. § 141-H:1 (2018); N.M. Stat. Ann. 
§ 24-21-3 (2019) (“[N]o person shall obtain genetic information or samples for genetic analysis from an individual without first obtaining informed and written consent from the individual or the individual’s authorized representative” where “genetic information means information about the genetic makeup of an individual or members of an individual’s family, including information resulting from genetic testing, genetic analysis, DNA composition, participation in genetic research or use of genetic services” and “genetic analysis means a test of an individual’s DNA, gene products or chromosomes that indicates a propensity for or susceptibility to illness, disease, impairment or other disorders, whether physical or mental; that demonstrates genetic or chromosomal damage due to environmental factors; or that indicates carrier status for disease or disorder; excluded, however, are routine physical measurements, chemical, blood and urine analyses, tests for drugs, tests for the presence of HIV virus and any other tests or analyses commonly accepted in clinical practice at the time ordered”). It is important to note that the New Mexico statute has multiple, common exceptions to the consent requirement, including to identify an individual for a criminal investigation, for DNA banking purposes (if convicted of a felony), to identify deceased individual, for parental determinations, to screen newborns, if not identified with the individual or family members, by court order for damage awards for the Genetic Information Privacy Act, by medical repositories or registries, for purposes of medical or scientific research or education if identity of individual or family members not disclosure, for emergency treatment, by a laboratory pursuant to healthcare practitioner order); Nev. Admin. Code § 629.100 (2019) and Nev. Rev. Stat. 
§ 629.121 (2019) (“A person, governmental agency or political subdivision of a government that wishes to obtain genetic information of a person … must first … obtain from the person who is the subject of the genetic test or his legal guardian the [signed] consent document described in NAC 629.110” and “genetic information” refers to the results of a genetic test, which is defined as “a test … to determine the presences of abnormalities or deficiencies, including carrier status, that: 1. Are linked to physical or mental disorders or impairments; or 2. Indicate a susceptibility to illness, disease, impairment or any other disease, whether physical or mental.”); individual’s DNA sample, without first obtaining informed consent of the individual or the individual’s representative” with limited exceptions, including “anonymous … or coded research” where notice provisions are complied with, for law enforcement, identification of persons, newborn screening, and paternity determinations. Or. Rev. Stat. §§ 192.535(11), (14), (2019) “Genetic information” means “information about an individual or the individual’s blood relatives obtained from a genetic test,” which is defined as “a test for determining the presence or absence of genetic characteristics in an individual or the individual’s blood relatives, including tests of nucleic acids such as DNA, RNA, and mitochondrial DNA, chromosomes or proteins in order to diagnose or determine a genetic characteristic”).

174.

Or. Rev. Stat. § 192.537(2) (2019); If proceeding under notice, the notice must describe how the specimen or information may be used and include a place for the person to mark if they want to opt out of the research. Or. Rev. Stat. § 192.538(3) (2019).

175.

See, e.g., Richard H. Thaler et al., Choice Architecture, SSRN, 4–6 (2010), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1583509.

176.

See, e.g., Ariz. Rev. Stat. Ann. § 12–2803 (2019) (a “health care provider shall not conduct a genetic test … unless the health care provider first obtains written informed consent …”).

177.

Fla. Stat. § 760.40 (2018) (“Except for purposes of criminal prosecution, [determining paternity, and for criminal DNA banking], DNA analysis may be performed only with the informed consent of the person to be tested” where “DNA analysis” is defined to mean “the medical and biological examination and analysis of a person to identify the presence and composition of genes in that person’s body. The term includes DNA typing and genetic testing”).

178.

45 C.F.R. §§ 160, 164 (2018).

179.

45 C.F.R. § 160.103 (2018) (defining health information as “any information, including genetic information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual”) (emphasis added).

180.

The HIPAA Privacy Rule applies to “covered entities,” which include health care providers, health plans, and health care clearinghouses. It also applies to covered entities’ “business associates” who are persons who receive protected health information from covered entities to provide certain business or administrative functions, such as claims processing, billing, management, or quality assurance. 45 C.F.R. § 160.103 (2018).

181.

45 C.F.R. § 164.512 (2018) (specifying disclosures for which authorizations are not required).

182.

Researchers and biobanks would not be covered entities or business associates unless the researcher is part of a covered entity and the entity elects to include the researcher’s activities as part of its HIPAA-covered functions. See How Can Covered Entities, supra note 36.

183.

45 C.F.R. § 164.502(d)(2) (2018), providing, in relevant part: “Health information that meets the standard and implementation specifications for de-identification under §164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified. The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of §164.514, provided that: (i) Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and (ii) If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart.”

184.

42 U.S.C. § 1320d-9 (2008); 42 U.S.C. § 2000ff-5 (2008); see supra text accompanying notes 156–157. Although GINA prohibits employers from requesting or requiring collection of genetic information, employers may receive such information inadvertently or if it pertains to occupational exposures. 42 U.S.C. § 2000ff-1(b) (2018); see also Unif. Protection of Genetic Info. Emp’t Act § 4 (Unif. Law Comm’n 2011).

185.

Alaska Stat. § 18.13.010 (2018) (“a person may not … disclose the results of a DNA analysis unless the person has first obtained the informed and written consent of the person, or the person’s legal guardian or authorized representative …” with exceptions for law enforcement (including criminal DNA databanks, paternity, newborn screening, or emergency medical treatment); Ariz. Rev. Stat. Ann. § 12–448.02 (2019) (“The results of a genetic test performed are privileged and confidential and may not be released to any party without the expressed consent of the subject of the test”); Ark. Code Ann. § 20-35-103 (2001); Cal. Civ. Code § 56.17 (West 2019) (providing penalties for negligent or willful disclosure without consent, but limited to genetic information contained in the medical record); Colo. Rev. Stat. §§ 10-3-1104.6 (West 2019) (exceptions for diagnosis, treatment, or therapy, and others); Del. Code Ann. tit. 16, § 1205 (2019) (“Regardless of the manner of receipt of the source of genetic information … a person shall not disclose or be compelled, by subpoena or any other means, to disclose the identity of an individual upon whom a genetic test has been performed or to disclose genetic information about the individual in a manner that permits identification of the individual” with exceptions for paternity determinations, court orders, criminal DNA banking, with consent, for medical diagnosis of blood relatives of person tested who is deceased; for identifying dead bodies, for newborn screening, for identifying persons, by insurer to regulatory agency, or authorized by law; includes penalties for unauthorized disclosure); Fla. Stat. § 760.40 (2018) (DNA analysis results “are confidential, and may not be disclosed without the consent of the person tested” with exceptions for criminal prosecutions, paternity testing, and criminal DNA databases); 410 Ill. Comp. Stat. 
513/15(a-b) (2019) (“Except as otherwise provided in this Act, genetic testing and information derived from genetic testing is confidential and privileged and may be released only to the individual tested and to persons specifically authorized, in writing … by that individual to receive the information” with exceptions for criminal investigations and prosecutions for underwriting); Mass. Gen. Laws ch. 111, § 70G (2018) (applying to hospital, dispensary, laboratory, hospital-affiliated registry, physician, insurance institution, insurance support organization, or insurance representative, and commercial genetic testing company, agency or association reports and records, but limiting exceptions for court orders, persons whose official duties entitle receipt (per insurance commissioner determination), life, disabilities, and long term care insurance, or “confidential” research); Minn. Stat. § 13.386 (2018) (genetic information “may be disseminated only: (i) with the individual’s written informed consent; or (ii) if necessary in order to accomplish purposes described [in individual’s written consent, which is limited to one year unless otherwise specified”]); Mo. Rev. Stat. § 375.1309(1) (2018) (“Any person who, in the ordinary course of business, practice of a profession or rendering of a service, creates, stores, receives or furnishes genetic information … shall hold such information as confidential medical records and shall not disclose such information except pursuant to written authorization of the person to whom such information pertains or to that person’s authorized representative” with exceptions for statistical data (without identifiers), health research conducted according to the Common Rule or using data that protects the identity from disclosure, as required by law, or for body identification); Nev. Admin. 
Code § 629.100 (2019) (“A person … that wishes to … disclose or compel a person to disclose the identity of a person who was the subject of a genetic test or to disclose genetic information of a person in a manner that allows identification of the person must first … [o]btain from the person who is the subject of the genetic test or his or her legal guardian the [written] consent document described in NAC 629.110”); N.H. Rev. Stat. Ann. § 141-H:1 (2018); N.J. Stat. Ann. § 10:5–48 (West 2019); N.M. Stat. Ann. § 24-21-3(C) (2019) (“[T]ransmission … of genetic information without the informed and written consent of the individual or the individual’s authorized representative is prohibited” except to identify individuals in criminal investigations, for criminal DNA databases, for paternity determinations, for newborn screening, for information that does not identify the individual or their family members, for determination of damages under the act, by medical registries or repositories, or for research without disclosure of the identities or the individual or their family members, for emergency medical treatment, or for laboratory testing under written order); Or. Rev. Stat. § 192.537–539 (2019) (“an individual’s genetic information and DNA sample are private and must be protected, and an individual has a right to the protection of that privacy. 
Any person authorized by law or by an individual or an individual’s representative to obtain, retain or use an individual’s genetic information or any DNA sample must maintain the confidentiality of the information or sample and protect the information or sample from unauthorized disclosure or misuse.” And “[r]egardless of the manner of receipt or the source of genetic information … a person may not disclose or be compelled, by subpoena or any other means, to disclose the identity of an individual upon whom a genetic test has been performed or the identity of a blood relative of the individual, or to disclose genetic information about the individual or a blood relative of the individual in a manner that permits identification of the individual” except when necessary for criminal or death investigations (including identification of bodies, pursuant to a specific court order, for purposes of paternity determinations, with individual consent, for furnishing information to decedent’s relatives for purposes of medical diagnosis); Me. Stat. tit. 24-A, § 2215 (2018) does not require consent, but sets conditions on when information can be disclosed, including requiring “due consideration” to the interests of those affected, limiting information disclosed to minimal necessary to achieve a lawful purpose; Ariz. Rev. Stat. Ann. § 1–602 (2018) requires consent for disclosure, but only applies to samples of minor children and excepts the newborn screening program; Ga. Code Ann. § 33-54-1, 33-54-3 (2019) (requiring consent for disclosure, but it is limited to insurer held information).

186.

Nev. Rev. Stat. § 629.171 (2019).

187.

These state laws limit further disclosure by the employer. 016–14 Ark. Code. R. § 004–4009.7.4 (LexisNexis 2018); D.C. Code § 2–1401.03 (2005); Idaho Code § 39–8301 (2006) (employer access to genetic information is limited to proceedings in which employee health is at issue or an employment decision in which it is reasonably believed that the health condition poses a real risk, and the information cannot be redisclosed); 410 Ill. Comp. Stat. 513/25 (restricts employers from disclosing lawfully acquired genetic information and also prohibits disclosure of individually identifiable genetic information from wellness programs to employers); La. Stat. Ann. § 23:368(4) (employers cannot disclose genetic information except to the individual, a researcher who complies with the Common Rule, if required by law, or to agency for compliance investigation; genetic information must be kept separate from personnel files); Mont. Admin. R. 2.21.6615 (2010) (limits employer disclosure for research consistent with the Common Rule, court order, compliance investigation, and public health agency for infectious disease investigation; genetic information must be kept separate from personnel file); R.I. Gen. Laws § 28–6.7–1 (2018) (broad prohibition of revealing genetic information about employees, licensees, or applicants).

188.

“No person shall disclose to an employer, labor organization, employment agency or licensing agency, any genetic testing results or genetic information, that genetic services have been requested, or that genetic testing has been performed.” Vt. Stat. Ann. tit. 18, § 9333 (2018).

189.

California Civ. Code § 56.265 (“A person or entity who underwrites or sells annuity contracts or contracts insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death …. shall not disclose individually identifiable information concerning the health of, or the medical or genetic history of, a customer … to any affiliated or nonaffiliated depository institution, or to any other affiliated or nonaffiliated third party for the use with regard to the granting of credit”) (emphasis added); Cal. Ins. Code §§ 10123.35, 10140.1, 10149.1 (life and disability insurers), and 742.407 (multiple welfare arrangements, includes imposition of penalties for disclosure without consent).

190.

Arizona’s law provides that “if genetic testing information is subpoenaed, a health care provider shall respond pursuant to § 12–2294.01 subsection E …. the court shall take all steps necessary to prevent the disclosure or dissemination of that information.” Ariz. Rev. Stat. Ann. § 12–2802C (2019); The statute also protects genetic information in government hands (e.g., public health department) from disclosure. See Ariz. Rev. Stat. Ann. § 12–2802A (2019); See Wash. Rev. Code Ann. § 70.02.060 (West 2019) (requiring attorneys to give notice to health care providers and patients before serving a discovery request or a subpoena for health care information to allow time for a protective order. In addition, health care providers may not disclose information without consent if the appropriate notice was not given).

191.

HIPAA covered entities include health care providers, health insurers, and health care clearinghouses. 45 C.F.R. § 160.103 (2018).

192.

See Ariz. Rev. Stat. Ann. § 12–2802A (2019); Colo. Rev. Stat. § 10-3-1104.6 (2018); Ga. Code Ann. § 33-54-3 (2019).

193.

Colorado’s and Georgia’s laws are explicit that written consent is required to disclose genetic information. Colo. Rev. Stat. Ann. § 10-3-1104.6 (2018) (the only exceptions are for diagnosis, treatment, or therapy); Ga. Code Ann. § 33-54-3 (2019). While these may be more specific than some of the other broad laws, other states are much more specific about the scope of the confidentiality protections afforded, such as protection from discovery, including subpoena.

194.

Arizona declares the results of genetic tests performed according to Ariz. Rev. Stat. Ann. § 20–448.02 (2019) are “privileged and confidential” and “may not be released to any party without the expressed consent of the subject of the test”; see also Ariz. Rev. Stat. Ann. § 12–2802A (2019); Georgia, Florida, Massachusetts, New York, and South Carolina have similar language. Ga. Code Ann. § 33-54-3 (2019); Fla. Stat. § 760.40 (2018); N.Y. Civ. Rights Law § 79-L (Consol. 2019); see S.C. Code Ann. § 38-92-10 (2019); New York does permit a court to order disclosure, but requires the court to “consider the privacy interests of the individual subjects of the genetic test and of close relatives of such individual, the public interest, and, in the case of medical or anthropologic research, the ethical appropriateness of the research. Disclosure shall be permitted only to the individuals or agencies expressly named in court orders.” N.Y. Civ. Rights Law § 79-L (Consol. 2019); D.C. Mun. Regs. tit. 4, §§ 509.3 (2019) and D.C. Mun. Regs. tit. 4, §§ 509.7–8 (2019) (imposes requirement on employers, employment agencies, or labor organization that if they “obtain … protected genetic information when seeking current health status information, the genetic information will be subject to the same restrictions that apply to genetic information generally” also must put it in a “separate confidential file, not in the employee’s general file” if received for “any lawful reason”); R.I. Gen. Laws Ann. § 5–37.3–4 (2018) (individuals with confidential patient information must establish security procedures and have employees sign confidentiality statement).

195.

This protection often extends to state open records acts. See, e.g., Minn. Stat. § 13.386 (2018) (specifically classifies genetic information that is held by a government entity as “private data on individuals,” which would shield such data from disclosure in response to requests under state open government laws); 410 Ill. Comp. Stat. 513/30(d) (2019) (a state agency, local health authority, or health oversight agency); 65 Pa. Cons. Stat. § 67.708 (2018) (extending state open record acts to commonwealth agency or local agencies); North Dakota’s law permits public health to disclose genetic information to law enforcement, but also provides that such information cannot be used in “any administrative, civil, or criminal action or investigation directed against the individual” unless it was collected in that criminal investigation. N.D. Cent. Code § 23–01.3–06 (2017).

196.

See Appendix for list of these exceptions by state.

197.

See Fuller, supra note 2; Ram et al., supra note 5.

198.

Wolf et al., Certificates of Confidentiality: Legal Counsels’ Experiences with and Perspectives on Legal Demands for Research Data, 7 J. Empirical Res. Hum. Res. Ethics 1, 3 (2012).

199.

See supra Part III.A.1 & III.A.2.

200.

45 C.F.R. § 164.512(f) (2018).

201.

45 C.F.R. § 164.512(e)(1)(ii) (2018). To make the disclosure, the covered entity would have to receive evidence in the form of a written statement and documentation of either (1) the requestor’s notice to the individual with information about the litigation and instructions for raising objections, or (2) documentation of an agreement between the parties or a request to the court for a qualified protective order. What “Satisfactory Assurances” Must a Covered Entity That Is Not a Party to the Litigation Receive Before It May Respond to a Subpoena Without a Court Order?, U.S. Dep’t of Health & Hum. Services, https://www.hhs.gov/hipaa/for-professionals/faq/706/what-satisfactory-assurances-must-a-covered-entity-receive-before-it-responds-to-a-subpoena/index.html (last reviewed July 26, 2013).

202.

“A person or entity that holds genetic information about an individual may not disclose or be compelled to disclose, by subpoena or otherwise, that information unless the disclosure is specifically authorized by the individual.” Tex. Ins. Code § 546.102(b) (2017); see also Tex. Lab. Code Ann. § 21.403 (2017); Tex. Occ. Code Ann. § 58.001 et seq. (2017) (suggesting the language of the statute may apply more broadly) (“Except as provided by [other sections], genetic information is confidential and privileged regardless of the source of the information … This section applies to a redisclosure of genetic information by a secondary recipient of the information after disclosure of the information by an initial recipient. Except as provided by [statutory section], a health benefit plan issuer may not redisclose genetic information unless, the redisclosure is consistent with the disclosures authorized by the tested individual under an authorization executed under [statutory provision]”). That the law uses both “any person” language and refers to health benefit plans specifically within the same section suggests the wording is deliberate.

203.

The Delaware statute provides that “regardless of the manner of receipt of the source of genetic information, a person shall not disclose or be compelled, by subpoena or other means, to disclose the identity of an individual upon whom a genetic test has been performed or to disclose genetic information about the individual in a manner that permits identification of the individual.” Del. Code Ann. tit. 16, § 1205 (2015) (emphasis added). However, there are many exceptions to this protection, including disclosure for criminal investigations or proceedings, paternity determinations, court order, for data bank requirements, with consent of the individual, for medical diagnosis of a blood relative when the individual is dead, for identifying bodies, for newborn screening, an insurer discloses to its regulator, or the disclosure is otherwise legally permitted. Oregon, Nevada, and New Jersey use similar language in their statutes, including the exceptions. Or. Rev. Stat. § 192.539(1) (2019); Nev. Rev. Stat. § 629.171 (2017); N.J. Stat. Ann. § 10:5–46 (West 2018); Illinois provides that genetic information “shall not be admissible as evidence, nor discoverable in any action of any kind in any court, or before any tribunal, board, agency or person,” with exceptions for individual consent, specific law enforcement purposes, or paternity testing. 410 Ill. Comp. Stat. Ann. 513/30(a).

204.

The Delaware, New Jersey, and Oregon statutes use similar language, and all three provide for the following exceptions: criminal or death investigation (including identification of bodies) or criminal or juvenile proceeding; for paternity determinations; by court order (Oregon requires it to be a specific court order); for criminal DNA banking; with consent of the individual tested; for medical diagnosis of a blood relative when the person tested is deceased; and for newborn screening required by law. Delaware also excepts disclosure by insurers to protect against fraud, material misrepresentation or material nondisclosure. Delaware and New Jersey except disclosure to an insurance regulatory authority; and Delaware also excepts disclosure as authorized by law. Del. Code Ann. tit. 16, § 1203 (2019); Or. Rev. Stat. § 192.539(1) (2019); N.J. Stat. Ann. § 10:5–46 (West 2018). Oklahoma also excepts disclosures for law enforcement proceedings and investigations, by insurers who “anticipates or is reporting fraud or criminal activity” and for paternity determinations, as well as where the individual is a party to the proceeding at which the genetic information is at issue or the individual was insured and the insurance policy and the genetic information is at issue. Okla. Stat. tit. 36, § 3614.3A (2019).

205.

Utah Code Ann. § 26-45-103(2)(b)(ii)(A) (West 2018).

206.

410 Ill. Comp. Stat. Ann. 513/15 (2019).

207.

See supra text accompanying notes 218–232.

208.

Prince et al., supra note 50, at 827, 829, 832 (indicating that some studies automatically place genomic research results into participant medical records without participant consent); see, e.g., Iftikhar J. Kullo et al., Return of Results in the Genomic Medicine Projects of the eMerge Network, 5 Frontiers in Genetics 1, 2 (2014) (describing research results from the eMerge network being included “preemptively” in electronic health records).

209.

42 U.S.C. § 20000ff-1(a) (2008).

210.

42 U.S.C. § 300gg-53(d) (2008).

211.

See supra text accompanying notes 180–183.

212.

N.M. Stat. Ann. §§ 24-21-2, 21–3 (2019) (“[G]enetic analysis of an individual or collection, retention, transmission or use of genetic information without the informed consent of the individual or the individual’s authorized representative is prohibited” except for law enforcement purposes (including identifying bodies), criminal DNA databases, parental determinations, newborn screening, if results are not identified with the individual or family, court determinations of damage awards under the Genetic Information Privacy Act, by medical repositories or registries, medical or scientific research and education if the identity of the individual or the individual’s family members is not disclosed, emergency treatment, by a laboratory pursuant to a written order from a health care practitioner); N.J. Stat. Ann. § 10:5–46 (West 2018) (“No person shall retain an individual’s genetic information without first obtaining authorization” except if for purposes of criminal or death investigation or a criminal or juvenile proceeding, for paternity determination, by court order, for criminal DNA banking, or for “anonymous research where the identity of the subject will not be released”); Or. Rev. Stat. § 192.537(3) (2019) (no retention unless by court order, as authorized to benefit blood relatives of deceased individuals, for newborn screening).

213.

There are several plausible ways a participant’s genetic information may escape the research context, including the return of results to the individual and/or the health care provider, a permitted disclosure such as via court order or subpoena, breach, or hacking. See Thought-Leader, supra note 51.

214.

Ark. Code Ann. § 11-5-402(2) (2018) (Arkansas provisions limiting collection and use of genetic information apply to employers as defined by 21 U.S.C. § 203(d), which includes “any person acting directly or indirectly in the interest of an employer in relation to an employee”); Ark. Code § 016–14.2–1078 (2018); Cal. Gov’t Code §§ 12926, 12940 (West 2019), Cal. Code Regs. tit. 2, § 11008 (West 2019), Cal. Code Regs. tit. 2, § 11072 (West 2019) (California provisions allow exceptions permitted by GINA and apply to employers who employ five or more people but do not include certain religious entities within the definition of employer); Conn. Gen. Stat. §§ 46a-51, 46a-60 (2019) (Connecticut provisions apply to employers who employ three or more people); D.C. Code § 2–1402.11 (2017) (D.C. provisions apply to employers who employ “an individual”); Idaho Code § 39–8301 (2019) (Idaho provisions apply to employers who employ five or more people); Iowa Code § 729.6 (2019) (Iowa provisions apply to any employers who employ “employees in the state”, thus suggesting the employer must have more than one employee); Md. Code Ann., State Gov’t § 20–601 (West 2018); Mich. Comp. Laws §§ 37.1200–1202 (2018) (Michigan provisions apply to employers who employ one or more people); Minn. Stat. § 181.974 (2019) (Minnesota provisions apply to employers who employ one or more people); Minn. Stat. § 181.974.1(b) (2018) (Minnesota provisions apply to employers who employ one or more people); N.H. Rev. Stat. Ann. § 141-H:3 (1996); N.Y. Exec. Law §§ 292(5) (McKinney 2019), N.Y. Exec. Law 296(1)(a) (McKinney 2019) (New York provisions apply to employers who employ four or more people); Okla. Stat. tit. 36, § 3614.2 (2019) (Oklahoma provisions apply to employers as defined by 29 U.S.C. § 203(d), which includes “any person acting directly or indirectly in the interest of an employer in relation to an employee”); Or. Rev. Stat. §§ 659A.001, 659A.300, 659A.303 (2019) (Oregon provisions apply to employers who employ one or more people); R.I. Gen. Laws § 28–6.7–1 6.7–2.1 (2018) (Rhode Island provisions apply to employers employing “individuals”, thus suggesting the employer must have more than one employee); S.D. Codified Laws § 60-2-20 (2019) (employer not defined); Utah Code Ann. § 26-45-103 (West 2018), Utah Code Ann. § 34A-2–103(2)(a) (West 2018), (noting Utah provisions apply to employers employing one or more people); Vt. Stat. Ann. tit. 18, §§ 9331, 9333 (2018) (Vermont provisions apply to employers as defined by Vt. Stat. Ann. tit. 21, § 495d, which includes employers who employ one or more individuals); Va. Code Ann. §§ 40.1–2 through 40.1–28.7:1 (2018) (Virginia provisions apply to employers who employ another person); Wash. Rev. Code § 49.44.180 (2019) (applying to any person, firm, corporation, and the state’s access only); Wis. Stat. §§ 111.32 through 111.372 (2018) (applying to employers employing one or more people but not including certain social clubs and fraternal societies). Although Nebraska has a similar law, it defines genetic testing as limited to testing conducted for clinical purposes and, therefore, would not apply to our circumstances. Neb. Rev. Stat. § 48–236 (2019).

215.

Iowa Code § 729.6 (2019); N.H. Rev. Stat. Ann. § 141-H:3 (2018). In addition, Massachusetts law prohibits business entities implementing wellness programs from discriminating against any person in terms of compensation or other benefits on the basis of genetic information. 105 Mass. Code Regs. § 216.012 (2018).

216.

Genetic Information Nondiscrimination Act (Final Rule), 81 Fed. Reg. 31143 (2016). A bill in Congress would alter GINA’s limits on employers’ ability to access genetic and other health information and on the incentives/penalties that can be offered. See Kathy L. Hudson & Karen Pollitz, Undermining Genetic Privacy? Employee Wellness Programs and the Law, 377 New Eng. J. Med. 3 (2017). The bill was discharged by two Committees and, thus, could be considered by the full House. See Actions Overview, Preserving Employee Wellness Programs Act, H.R. 1313, 115th Cong. (2018).

217.

R.I. Gen. Laws § 28–6.7–5 (2018) (“Any contract or agreement, which purports to waive the provisions of this chapter, is null and void as being against public policy”).

218.

Vt. Stat. Ann. tit. 18, §9334 (2018). The statute defines “insurance” as “a policy of insurance regulated under Title 8, offered or issued in this State, including health, life, disability, and long-term care insurance policies, hospital and medical service corporation service contracts, and health maintenance organization benefit plans.” Vt. Stat. Ann. tit. 18, § 9331 (2018).

219.

Colo. Rev. Stat. § 10–3.1104.7 (2018); Cal. Ins. Code § 10140.1 (West 2019); Cal. Ins. Code § 10149 (West 2019).

220.

Colo. Rev. Stat. § 10–3.1104.7 (2018); Md. Code Ann., Ins. § 18–120 (West 2018).

221.

Colo. Rev. Stat. § 10–3.1104.7 (2018) (“Any entity that receives information derived from genetic testing may not seek, use, or keep the information for any nontherapeutic purpose or for any underwriting purposes connected with the provision of group disability insurance or long-term care insurance coverage” where “genetic testing” is defined as “any laboratory test of human DNA, RNA, or chromosomes that is used to identify the presence or absence of alterations in genetic material which are associated with disease or illness.”); Idaho Code §§ 41–1313(3) (2019) (“No person shall discriminate on the basis of a genetic test or private genetic information … for any policy or contract of disability insurance or any health benefit plan”. Genetic test is defined as “the testing or analysis of an identifiable individual’s DNA that results in information that is derived from the presence, absence, alteration or mutation of an inherited gene or genes, or the presence or absence of a specific DNA marker or markers”); Idaho Code § 39–8302 (2019) (“Private genetic information” is defined as “any information about an identifiable individual that is derived from the presence, absence, alteration or mutation of an inherited gene or genes, or the presence or absence of a specific DNA marker or markers, and which has been obtained from a genetic test or analysis of the individual’s DNA or from a genetic test of analysis of a person’s DNA of whom the individual is a blood relative.”). Id.

222.

Ariz. Rev. Stat. Ann. § 20–224 (2019); Mass. Gen. Laws. ch. 175, § 108I (2018) (“No insurer, agent or broker authorized to issue policies against disability from injury or disease or policies providing for long term care in the commonwealth shall practice unfair discrimination against persons because of the results of a genetic test or the provision of genetic information, as defined in this section. For purposes of this section, unfair discrimination means cancellation, refusing to issue or renew, charging any increased rate, restricting any length of coverage or in any way practicing discrimination against persons unless such action is taken pursuant to reliable information relating to the insured’s mortality or morbidity, based on sound actuarial principles or actual or reasonably anticipated claim experience.” “Genetic information [is] a test of human DNA, RNA, mitochondrial DNA, chromosomes or proteins for the purposes of identifying genes, inherited or acquired genetic abnormalities, or the presence or absence of inherited or acquired characteristics in genetic material, which are associated with the predisposition to disease, illness, impairment or other disease process.”); Me. Stat. tit. 24-A, § 2159-C(3) (2019) (Insurers may not unfairly discriminate against an individual on the basis of genetic information or genetic test results in the issuance, withholding, extension, or renewal of policies for life, disability, long-term care, accidental injury, or annuity. “Unfair discrimination” includes “the application of the results of a genetic test in a manner that is not reasonably related to anticipated claims experience.”); N.J. Stat. Ann. § 17B:30–12 (West 2019) (“No person shall make or permit any unfair discrimination against any individual on the basis of genetic information or the refusal to submit to a genetic test or make available the results of a genetic test to the person in the issuance, withholding, extension or renewal of a policy of life insurance, including credit life insurance, an annuity, disability in some insurance contract or credit accident insurance coverage.” “Genetic information” is defined as “information about genes, gene products or inherited characteristics that may derive from an individual or family member” and “genetic test” is defined as a “test for determining the presence or absence of an inherited genetic characteristics in an individual including tests of nucleic acids such as DNA, RNA and mitochondrial DNA, chromosomes or proteins in order to identify a predisposing genetic characteristic”); N.M. Stat. Ann. §§ 24-21-2 through 24-21-3 (2019) (Permits life, disability, and long-term care insurers to use genetic analysis or information, but only “if the use of genetic analysis or genetic information for underwriting purposes is based on sound actuarial principles or actual or reasonably anticipated experience” where “genetic information” is defined as “the genetic makeup of an individual or members of an individual’s family” and “genetic analysis” refers to “a test of an individual’s DNA, gene products or chromosomes that indicates a propensity or susceptibility to illness, disease, impairment or other disorders, whether physical or mental; that demonstrates genetic or chromosomal damage due to environmental factors; or that indicates carrier status for disease or disorder”).

223.

Anya E.R. Prince, Insurance Risk Classification in an Era of Genomics: Is A Rational Discrimination Policy Rational?, 96 Neb. L. Rev. 624, 656 (2018) (“[G]iven the current state of clinical knowledge, much genomic information is remarkably unpredictive”).

224.

Wyo. Stat. Ann. §§ 26-19-107, 26-19-306 (2019).

225.

Colo. Rev. Stat. § 10–3.1104.7 (2018) (“Any entity that receives information derived from genetic testing may not seek, use, or keep the information for any nontherapeutic purpose or for any underwriting purposes connected with the provision of group disability insurance or long-term care insurance coverage” where “genetic testing” is defined as “any laboratory test of human DNA, RNA, or chromosomes that is used to identify the presence or absence of alterations in genetic material which are associated with disease or illness”); Md. Code Ann., Ins. § 18–120 (2019) (a long-term care insurer may not “use a genetic test, the results of a genetic test, genetic information, or a request for genetic services to [ ] deny or limit the amount, extent, or kind of long-term care insurance coverage available to an individual; or [ ] charge a different rate for the same long term care insurance” unless “the use is based on sound actuarial principles” where “genetic test” is defined as “an analysis of human DNA, RNA, chromosomes, proteins, or metabolites that detect genotypes, mutations, or chromosomal changes” and genetic information “means information derived from a genetic test”).

226.

Md. Code Ann., Ins. § 18–120 (2019); Mass. Gen. Laws Ann. ch. 175, § 108I (2018) (“No insurer, agent or broker authorized to issue policies against disability from injury or disease or policies providing for long term care in the commonwealth shall practice unfair discrimination against persons because of the results of a genetic test or the provision of genetic information, as defined in this section. For purposes of this section, unfair discrimination means cancellation, refusing to issue or renew, charging any increased rate, restricting any length of coverage or in any way practicing discrimination against persons unless such action is taken pursuant to reliable information relating to the insured’s mortality or morbidity, based on sound actuarial principles or actual or reasonably anticipated claim experience.” “Genetic information [is] a test of human DNA, RNA, mitochondrial DNA, chromosomes or proteins for the purposes of identifying genes, inherited or acquired genetic abnormalities, or the presence or absence of inherited or acquired characteristics in genetic material, which are associated with the predisposition to disease, illness, impairment or other disease process.”); Me. Stat. tit. 24-A, § 2159-C(3) (2019) (Insurers may not unfairly discriminate against an individual on the basis of genetic information or genetic test results in the issuance, withholding, extension, or renewal of policies for life, disability, long-term care, accidental injury, or annuity. “Unfair discrimination” includes “the application of the results of a genetic test in a manner that is not reasonably related to anticipated claims experience.”); N.J. Stat. Ann. § 17B:30–12 (West 2019) (“No person shall make or permit any unfair discrimination against any individual on the basis of genetic information or the refusal to submit to a genetic test or make available the results of a genetic test to the person in the issuance, withholding, extension or renewal of a policy of life insurance, including credit life insurance, an annuity, disability in some insurance contract or credit accident insurance coverage.” “Genetic information” is defined as “information about genes, gene products or inherited characteristics that may derive from an individual or family member” and “genetic test” is defined as a “test for determining the presence or absence of an inherited genetic characteristics in an individual including tests of nucleic acids such as DNA, RNA and mitochondrial DNA, chromosomes or proteins in order to identify a predisposing genetic characteristic”); N.M. Stat. Ann. §§ 24-21-2 through 24-21-3 (2019) (Permits life, disability, and long-term care insurers to use genetic analysis or information, but only “if the use of genetic analysis or genetic information for underwriting purposes is based on sound actuarial principles or actual or reasonably anticipated experience” where “genetic information” is defined as “the genetic makeup of an individual or members of an individual’s family” and “genetic analysis” refers to “a test of an individual’s DNA, gene products or chromosomes that indicates a propensity or susceptibility to illness, disease, impairment or other disorders, whether physical or mental; that demonstrates genetic or chromosomal damage due to environmental factors; or that indicates carrier status for disease or disorder”).

227.

Vt. Stat. Ann. tit. 18, § 9331 (2018). Maryland prohibits underwriting based on specified genetic traits or other traits “that [are] harmless.” Given the named traits, this statute may be limited to carrier status that does not put the individual at risk of the disease. Md. Code Ann., Ins. § 27–208(3) (LexisNexis 2018) (prohibiting insurers from “refus[ing] to insure or mak[ing] or allow[ing] a differential in ratings, premium payments, or dividends in connection with life insurance and annuity contracts solely because the applicant or policyholder has sickle-cell trait, thalassemia-minor trait, hemoglobin C trait, Tay-Sachs trait, or a genetic trait that is harmless in itself.”) (emphasis added). California has a similar provision, Cal. Ins. Code § 10143 (West 2019) (“No insurance company licensed in [California] shall refuse to issue or sell or renew any policy of life or disability insurance … solely by reason of the fact that the person to be insured carries a gene which may, under some circumstances be associated with disability in that person’s offspring, but which causes no adverse effects on the carrier”).

228.

Mass. Gen. Laws ch. 175, § 120E (2019) (“No insurer, agent or broker authorized to issue policies on the lives of person in the commonwealth shall practice unfair discrimination against persons because of the results of a genetic test or the provision of genetic information … For purposes of this section unfair discrimination means cancellation, refusing to issue or renew, charging any increased rate, restricting any length of coverage or in any way practicing discrimination against persons unless such action is taken pursuant to relatable information related to the insured’s mortality or morbidity, based on sound actuarial principles or actual or reasonably anticipated claim experience.”); Me. Stat. tit. 24-A, § 2159-C(3) (2019) (Insurers may not unfairly discriminate against an individual on the basis of genetic information or genetic test results in the issuance, withholding, extension, or renewal of policies for life, disability, long-term care, accidental injury, or annuity. “Unfair discrimination” includes “the application of the results of a genetic test in a manner that is not reasonably related to anticipated claims experience.”); N.J. Stat. Ann. § 17B:30–12 (West 2019) (“No person shall make or permit any unfair discrimination against any individual on the basis of genetic information or the refusal to submit to a genetic test or make available the results of a genetic test to the person in the issuance, withholding, extension or renewal of a policy of life insurance, including credit life insurance, an annuity, disability in some insurance contract or credit accident insurance coverage.” “Genetic information” is defined as “information about genes, gene products or inherited characteristics that may derive from an individual or family member” and “genetic test” is defined as a “test for determining the presence or absence of an inherited genetic characteristics in an individual including tests of nucleic acids such as DNA, RNA and mitochondrial DNA, chromosomes or proteins in order to identify a predisposing genetic characteristic”); N.M. Stat. Ann. §§ 24-21-2 through 24-21-3 (2019) (Permits life, disability, and long-term care insurers to use genetic analysis or information, but only “if the use of genetic analysis or genetic information for underwriting purposes is based on sound actuarial principles or actual or reasonably anticipated experience” where “genetic information” is defined as “the genetic makeup of an individual or members of an individual’s family” and “genetic analysis” refers to “a test of an individual’s DNA, gene products or chromosomes that indicates a propensity or susceptibility to illness, disease, impairment or other disorders, whether physical or mental; that demonstrates genetic or chromosomal damage due to environmental factors; or that indicates carrier status for disease or disorder”). Wisconsin’s law prohibits insurers from using genetic information obtained for life insurance in underwriting for any other insurance. Wis. Stat. § 631.89 (2018).

229.

37 Tex. Admin. Code § 195.81(d)(1) (2017) (temporary housing assistance programs for parolees); Cal. Gov’t Code § 12920 (West 2019) (Genetic and other discrimination in housing is “declared to be against public policy”); Cal. Gov’t Code § 12944 (West 2019) (prohibition against discrimination in housing and employment); a variety of California laws restricting discrimination in financial transactions, including: Cal. Code Regs. tit. 4, § 7044 (West 2019) (California Health Facilities Financing Authority, Children’s Hospital Program of 2004); Cal. Code Regs. tit. 4, § 7065 (West 2019) (California Health Facilities Financing Authority, Children’s Hospital Program of 2008); Cal. Code Regs. tit. 4, § 7092 (West 2019) (California Health Facilities Financing Authority, the Community Clinic Grant Program of 2005); Cal. Code Regs. tit. 4, § 7124 (West 2019) (California Health Facilities Financing Authority, Investment in Mental Health Wellness Grant Program); Cal. Code Regs. tit. 4, § 8095(k) (West 2019); Cal. Code Regs. tit. 4, § 8102 (West 2019) (California Pollution Control Financing Authority, California Recycle Underutilized Sites (Cal Reuse) Program); Cal. Code Regs. tit. 4, § 8115 (West 2019) (California Pollution Control Financing Authority, Sustainable Communities Grant and Loan Program-Grants); Cal. Code Regs. tit. 4, § 8123 (West 2019) (California Pollution Control Financing Authority, Sustainable Communities Grant and Loan Programs-Loans); and Cal. Code Regs. tit. 4, § 9064 (West 2019) (California Educational Facilities Authority, the CEFA Academic Assistance Grant Program); Cal. Gov’t Code § 11135 (West 2019) (prohibiting discrimination based on genetic information (among other characteristics) in “any program or activity that is conducted, operated, or administered by the state or by any state agency, if funded directly by the state, or receiving any financial assistance from the state,” and explicitly includes the “California State University.”); D.C. Mun. Regs. tit. 14, § 4906 (2019) (housing); 14 Del. Admin. Code § 225 (2019) (“any program or activity received approval or financial assistance from or through the Delaware Department of Education”); N.M. Stat. Ann. § 24-21-4 (2019) (housing or lending decisions); Mass. Gen. Laws ch. 151B, § 4 (2019); Exec. Order No. 01.01.2007.16F, 34 Md. Code Regs. 1728 (2019) (state programs); Ohio Admin. Code 5122-14-11 (LexisNexis 2019); Ohio Admin. Code 5122-26-18 (LexisNexis 2019).

230.

D.C. Code § 2–1402.31 (2019) (discrimination law extends to “deny[ing], directly or indirectly, any person the full and equal enjoyment of the goods, services, facilities, privileges”); N.M. Stat. Ann. § 24-21-4D (2019); Ohio Admin. Code 5122-30-22 (LexisNexis 2019) (mental health provision).

231.

“A person commits the offense of identity theft if the person fraudulently uses or attempts to fraudulently use identification information of another person, with the intent to obtain credit, property, services, or other benefit.” Iowa Code § 715A.8 (2019).

232.

Vt. Stat. Ann. tit. 18, § 9332 (2019).

233.

See infra table in the Appendix for list of laws with these exceptions.

234.

See, e.g., 410 Ill. Comp. Stat. Ann. 513/22, 30–31 (2019); for further examples, see Appendix.

235.

Ill. Comp. Stat. 513/25 (2019).

236.

See, e.g., Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006) (“HIPAA does not contain any express language conferring privacy rights upon a specific class of individuals …. Because HIPAA specifically delegates enforcement, there is a strong indication that Congress intended to preclude private enforcement.”); Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 314 Conn. 433, 459 (Sup. Ct. 2014) (“[T]o the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena”).

237.

For the Common Rule, see text accompanying notes 108–109; for GINA, see Pub. L. No. 110–881, § 207, 122 Stat. 881 (2008) and Background Information for EEOC Final Rule on Title II of the Genetic Information Nondiscrimination Act of 2008, U.S. Equal Emp. Opportunity Comm’n, https://www.eeoc.gov/laws/regulations/gina-background.cfm (last visited Dec. 30, 2018) (discussing filing charges with the EEOC and remedies for a violation in paragraphs 24 and 25, and noting that damages are subject to Title VII’s cap on combined compensatory and punitive damages (excluding past monetary losses), which ranges from $50,000 for employers with 15–100 employees to $300,000 for employers with more than 500 employees).

238.

These include Alaska Stat. § 18.13.020 (2018); Ark. Code Ann. § 11-5-404 (2018); Cal. Ins. Code § 10123.35 (West 2019); Cal. Ins. Code § 10140.1 (West 2019); Cal. Ins. Code § 742.407 (West 2019); Cal. Civ. Code § 56.17 (2019); Colo. Rev. Stat. § 10-3-1104.6 (2018); Colo. Rev. Stat. § 10-3-1104.7 (2018); Del. Code Ann. tit. 16, § 1208 (2019); Fla. Stat. § 760.40 (2018); Or. Rev. Stat. § 192.541 (2017) (any person); Ga. Code Ann. § 33-54-8 (2019); Mass. Gen. Laws ch. 175, § 108L (2018); 10 Ill. Comp. Stat. 513/40(a) (2019); 740 Ill. Comp. Stat. Ann. 14/1 (2019); Iowa Code § 507B.7 (2019); Iowa Code § 715A.8 (2019); Iowa Code § 729.6 (2019); Iowa Admin. Code r. 191–15.11(5) (2019); La. Admin Code tit. 37, § 4515 (2019); La. Stat. Ann. § 22:1023 (2018); La. Stat. Ann. § 40:3.1 (2018); Mass. Gen. Laws Ann. ch. 151B, § 4 (2018); see Mass. Gen. Laws Ann. ch. 175, § 108H (2018); see Mass. Gen. Laws Ann. ch. 175, § 108L (2018); see Mass. Gen. Laws Ann. ch. 175, § 120E (2018); Mass. Gen. Laws ch. 176A, § 3B (2018); Mass. Gen. Laws ch. 176B, § 5B (2018); Mass. Gen. Laws ch. 176G, § 24 (2017); Me. Stat. tit. 22, § 1711-C (2018); Me. Stat. tit. 5, § 19302 (2018); Minn. Stat. § 181.974.3 (2018); Nev. Rev. Stat. §§ 613.345, .405 (2017); Nev. Rev. Stat. § 629.201 (2017); N.H. Rev. Stat. Ann. § 141-H:6 (2018); N.J. Stat. Ann. § 17B:30–12 (2019); N.J. Stat. Ann. § 10:5–46 (2018); N.M. Stat. Ann. § 24-21-6 (2019); N.Y. Ins. Law § 2615 (McKinney 2019); R.I. Gen. Laws Ann. § 5–37.3–4 (2018); S.C. Code Ann. § 38-93-90 (2018); S.D. Codified Laws § 60-2-20 (2019); Tex. Lab. Code § 21–403(e) (2017); Tex. Occ. Code Ann. § 58.001 et seq. (2017); Utah Code Ann. §§ 26-45-105 (West 2017); Utah Admin. Code r. R398–1 (2019) (newborn screening only); Utah Code § 26-23-6 (West 2018); Va. Code Ann. § 40.1–28.7:1 (2018); Vt. Stat. Ann. tit. 18, § 9334 (2018); Vt. Stat. Ann. tit. 18, § 9335 (2018); see Wash. Rev. Code Ann. § 70.02.005 (2019).

239.

Colo. Rev. Stat. § 10-3-1104.6 (2018); Colo. Rev. Stat. § 10-3-1104.7 (2018); Ga. Code Ann. § 33-54-8 (2019); Ind. Code § 27-4-1-4 (2018); Ind. Code § 27-8-26-1 (2018); Iowa Code § 507B.4(h) (2019); Iowa Code § 715A.8 (2019); Iowa Code § 729.6 (2019); Iowa Admin. Code r. 191–15.11(5) (2019); Mass. Gen. Laws ch. 151B, § 4 (2018); see Mass. Gen. Laws ch. 175, § 108 (2018); Mass. Gen. Laws ch. 175, § 120E (2018); Mass. Gen. Laws ch. 176A, § 3B (2018); Mass. Gen. Laws ch. 176B, § 5A (2018); Mass. Gen. Laws ch. 176G, § 24 (2018); Mo. Rev. Stat. § 375.1303 (2018); S.C. Code Ann. §§ 38-93-10 (2018); Vt. Stat. Ann. tit. 18 §§ 9334, 9335 (2018).

240.

15 U.S.C. § 45.

241.

A Brief Overview of the Federal Trade Commission’s Investigative and Law Enforcement Authority, Fed. Trade Comm’n (July 2008), https://www.ftc.gov/about-ftc/what-wedo/enforcement-authority.

242.

Bob Cohen, Right to Private Action Under State Consumer Protection Act – Preconditions to Action, 117 Am. L. Rep. 5th 155, § 2[a] (2004). Of the states listed in supra note 239, the following specifically authorize individual actions: see Ga. Code Ann. § 33-54-8 (2019); Ga. Code Ann. § 10-1-399(d) (2019) (pursuant to Ga. Code Ann. § 10-1-399(d) (2019), which authorizes treble damages (for intentional violations), equitable relief, and “irrespective of the amount in controversy” attorney’s fees and costs); Mass. Gen. Laws Ann. ch. 151B, § 4 (2016); see Mass. Gen. Laws Ann. ch. 175 § 108H; Mass. Gen. Laws ch. 175, § 108L (2018); Mass. Gen. Laws Ann. ch. 175, § 120E (2018); Mass. Gen. Laws ch. 176A, § 3B (2018); Mass. Gen. Laws ch. 176B, § 5B (2018); Mass. Gen. Laws ch. 176G, § 24 (2017) (pursuant to Mass. Gen. Laws Ann. Ch. 93A, § 9, which authorizes the greater of actual damages or twenty-five dollars, double or treble damages (for willful or knowing violations), equitable relief, attorney’s fees and costs); S.C. Code Ann. § 38-93-90 (2018) (pursuant to S.C. Code Ann. § 39-5-140 (2018), which authorizes treble damages (for willful or knowing violations), equitable relief, attorney’s fees and costs). Indiana expressly provides that it does “not create a cause of action other than an action by: (1) the commissioner to enforce his order; or (2) a person … to appeal an order of the commissioner.” The remainder are silent, although some, like Vermont, authorize an individual cause of action within the statute we considered. See Vt. Stat. Ann. tit. 18, §§ 9334, 9335 (2018).

243.

Ky. Rev. Stat. Ann. § 61.933 (West 2018) (authorizing the state attorney general to bring an action against an agency or third party for a violation); Other states authorize attorneys general or district attorneys to enforce the acts. See, e.g., Kan. Stat. Ann. § 72–6220 (2019); Idaho Code Ann. § 39–8304 (2019); Mass. Gen. Laws ch. 111 § 70G (2018); N.M. Stat. Ann. § 24-21-6 (2019); Or. Rev. Stat. § 192.545 (2019). Others place the authority with the state official that oversees insurers. See, e.g., Ala. Code § 27-53-3 (2018); Ind. Code Ann. § 27-4-1-4 (2018) (declaring a violation of Ind. Code Ann. § 27-8-26 as an “unfair trade practice”); Mo. Rev. Stat. § 375.1309(2) (2018); N.J. Stat. Ann. § 17B:30–12 (2019); Ohio Rev. Code Ann. § 1751.65(C) (West 2019); Ohio Rev. Code Ann. § 1751.65 (2019); Ohio Rev. Code Ann. § 3901.491C (2019); Ohio Rev. Code Ann. § 3901.501C (2019); Tex. Ins. Code § 84.002(a) (2017). Some states classify violations as crimes. See, e.g., N.D. Cent. Code § 23–01.3–09 (2019); Or. Rev. Stat. § 192.543 (2019); S.C. Code Ann. § 44-37-30 (2018); Tenn. Code Ann. §§ 68-5-506(a), (b)(2) (2019); Wis. Stat. § 942.07 (2018); Wis. Stat. § 943.201 (2018).

244.

See, e.g., Alaska Stat. § 18.13.030 (2018) (it is a misdemeanor to knowingly collect, analyze, retain, or disclose DNA in violation of the chapter); N.D. Cent. Code § 23–01.3–09 (2019) (making knowing disclosure of protected information a misdemeanor).

245.

See Robert L. Haig, Business and Commercial Litigation in Federal Courts 131, n.14 (4th ed. 2016) (describing statutory damages as “an automatic measure of recovery to plaintiffs regardless of injury or profits ‘where proof of damages or discovery of profits is difficult or impossible’”) (quoting Business Trends Analysts, Inc. v. Freedonia Group, Inc., 887 F.2d 399, 406, 12 U.S.P.Q.2d 1457 (2d Cir. 1989)).

246.

Id. at 130–131.

247.

R.I. Gen. Laws § 5–37.3–4 (2018) (health care providers and facilities); Utah Code Ann. §§ 26-45-105 (West 2017); Va. Code Ann. § 40.1–28.7:1 (2018) (employer); Vt. Stat. Ann. tit. 18, § 9335 (2018) (insurers and employers).

248.

410 Ill. Comp. Stat. 513/40(a) (2019) (health insurers and employers); Ark. Code Ann. § 22-66-320(e) (2018) (health insurers); Colo. Rev. Stat. § 10-3-1104.6 (2018); Colo. Rev. Stat. § 10-3-1104.7 (2018) (health, disability, and long-term care insurers); Ga. Code Ann. § 33-54-8 (2019) (health insurers); Iowa Code § 729.6 (2019) (health insurers and employers); Mass. Gen. Laws ch. 111, § 70G (2018); Me. Stat. tit. 22, § 1711-C (2018) (health care facilities and providers); Minn. Stat. § 181.974.3(4) (2018) (employers); N.M. Stat. Ann. § 24-21-6 (2019) (any person); Or. Rev. Stat. § 192.541(1) (2019) (any person); R.I. Gen. Laws § 28–6.7–3 (2018) (employer); S.C. Code Ann. § 38-93-90 (2018) (health insurers); Utah Code Ann. §§ 26-45-105 (2017) (insurers and employers); Vt. Stat. Ann. tit. 18, § 9335 (2018) (any person); See Wash. Rev. Code § 70.02.005 et seq. (2019) (applying to health care providers).

249.

Ga. Code Ann. § 33-54-8 (2019); Iowa Code § 715A.8 (2019); Iowa Code § 729.6 (2019); La. Stat. Ann. § 22:1023 (2018); La. Admin. Code tit. 37, § 4515 (2018); Mass. Gen. Laws ch. 151B, § 4 (2018); Minn. Stat. § 181.974.3(3) (2018); N.H. Rev. Stat. Ann. § 141-H:6 (2018); N.M. Stat. Ann. § 24-21-6 (2019); Nev. Rev. Stat. § 629.201 (2019); R.I. Gen. Laws Ann. § 28–6.7–3 (2019) (to prevailing applicant or employee); S.D. Codified Laws § 60-2-20 (2019); Utah Code Ann. §§ 26-45-105 (2018); Va. Code Ann. § 40.1–28.7:1 (2018); Vt. Stat. Ann. tit. 18, § 9335 (2018). This number also includes the states that provide attorneys’ fees to the prevailing party, infra note 165.

250.

Cal. Civ. Code § 56.17 (West 2019); Ga. Code Ann. § 33-54-8 (2019); Iowa Code § 715A.8 (2019); Iowa Code § 729.6 (2019); La. Stat. Ann. § 22:1023 (2018); La. Admin. Code tit. 37, §4515 (2018); Minn. Stat. § 181.974 (2018); N.H. Rev. Stat. Ann. § 141-H:6 (2018); N.M. Stat. Ann. § 24-21-6 (2019); Nev. Rev. Stat. § 629.201 (2019); R.I. Gen. Laws. Ann. § 28–6.7–3 (2019); S.D. Codified Laws § 60-2-20 (2019); Va. Code Ann. § 40.1–28.7:1 (2019); Vt. Stat. Ann. tit. 18, § 9335 (2018).

251.

See Colo. Rev. Stat. § 10-3-1104.6 (2018); See Colo. Rev. Stat. § 10-3-1104.7 (2018); 410 Ill. Comp. Stat. 513/40(a)(3) (2019); 740 Ill. Comp. Stat. Ann. 14/1 (2019); Or. Rev. Stat. § 192.541(6) (2019) (although an award to the defendant may be made “only if the court finds that the plaintiff had no objectively reasonable basis for asserting a claim or for appealing an adverse decision of the trial court”); R.I. Gen. Laws § 5–37.3–4 (2018) (contrast R.I. Gen. Laws Ann. § 28–6.7–3 (2018) which refers to the prevailing applicant or employee, excluding the employer from recovery); S.C. Code Ann. § 38-93-90 (2018); See Wash. Rev. Code Ann. § 70.02.005 et seq. (2019) (applying to costs).

252.

Fla. Stat. § 760.40 (2018); N.J. Stat. Ann. § 10:5–48 (West 2018) (Both states’ laws apply the notice requirement to “a person” who requires, requests, or receives the results of genetic testing. In keeping with our analytic approach discussed in we interpret such broad statutes to potentially apply to researchers and biobanks because neither the statutory provision nor the definition of genetic testing is limited to clinical or diagnostic settings).

253.

Fla. Stat. § 760.40 (2018).

254.

See supra text accompanying notes 161–166.

255.

See, e.g., Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. § 164.524, U.S. Dep’t of Health & Hum. Servs., https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html (last visited Mar. 26, 2019) (stating, “Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being. For example, individuals with access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and fix errors in their health records, track progress in wellness or disease management programs, and directly contribute their information to research”).

256.

Anna Middleton et al., Potential Research Participants Support the Return of Raw Sequence Data, 52 J. Med. Genetics 571, 572–73 (2015) (reporting survey results that 62% of participants would like to access their raw sequence data in a genomic study); see also Adrian Thorogood et al., APPLaUD: Access for Patients and Participants to Individual Level Uninterpreted Genomic Data, 12 Hum. Genetics 7, 8 (2018) (listing research projects returning individual access to genomic data).

257.

See, e.g., Thought Leader, supra note 51; McGuire et al., supra note 49, at 28; Kristin E. Clift et al., Patients’ Views on Incidental Findings from Clinical Exome Sequencing, 4 Applied & Translational Genomics 38, 40 (2015); Joon-Ho Yu et al., Attitudes of Genetics Professionals Toward the Return of Incidental Results from Exome and Whole-Genome Sequencing, 95 Am. J. Hum. Genetics 77, 77 (2014); Susan M. Wolf, The Past, Present, & Future of the Debate Over Return of Research Results & Incidental Findings, 14 Genetics Med. 355 (2012).

258.

There has been substantial debate about return of research results because there is no such legal obligation under the Common Rule. See, e.g., Susan M. Wolf, Return of Individual Research Results & Incidental Findings: Facing the Challenges of Translational Science, 14 Annu. Rev. Genomics Hum. Genet. 557 (2013) [hereinafter Return of Individual Research].

259.

45 C.F.R. § 164.524(a)(2)(iii) (2018). The regulations allow covered entities to deny an individual access to his or her health information while it is being used in research, but only if the research includes treatment (e.g., a clinical trial, not research only involving the individual’s information) and the individual has agreed to the denial of access as part of the consent to participate in the research and the covered entity informs the individual that the right of access will be reinstated at the completion of research. Thus, the “research exception” to the obligation to provide individuals access to their information would not likely apply to genomic research that does not involve treatment; There has been substantial debate about return of research results because there is no such legal obligation under the Common Rule. See also Barbara J. Evans, HIPAA’s Individual Right of Access to Genomic Data: Reconciling Safety and Civil Rights, 102 Am. J. Hum. Genetics 5, 5 (2018) (discussing the applicability of HIPAA’s right of access to research laboratories that store genomic data, including the research exception under the Clinical Laboratory Improvement Act (CLIA) for certain laboratories that do not report individual-specific results for clinical purposes, and arguing that individuals have a civil right to their genomic data).

260.

42 U.S.C. § 2000ff-5(b) (2008).

261.

The relevant portion of the statute, which in various sections specifically addresses research, provides that “An individual or an individual’s representative, promptly upon request, may inspect, request correction of and obtain genetic information from the records of the individual.” Or. Rev. Stat. § 192.537(7).

262.

Del. Code Ann. tit. 16, § 1204 (2012) (“An individual promptly upon request, may inspect, request correction of and obtain genetic information from the records of that individual”); Nev. Rev. Stat. §§ 629.121, 629.141 (2017) (“A person who takes a genetic test may inspect or obtain any genetic information included in the records of the test” where genetic test is “a test … to determine the presence of abnormalities or deficiencies, including carrier status, that … [a]re linked to physical or mental disorders or impairments or … [i]ndicate a susceptibility to illness, disease, impairment or any other disorder, whether physical or mental”); N.J. Stat. Ann. § 10:5–46 (West 2018) (“An individual or individual’s representative, promptly upon request, may inspect, request correction of and obtain genetic information from the records of the individual unless the individual directs otherwise by informed consent …”); S.D. Codified Laws § 34-14-22 (2019). Although these statutes do not mention genetic testing for research purposes, they define genetic tests or information broadly, so that they may be interpreted as applying to research tests. That other states limit their definitions of genetic tests or information to tests done for clinical purposes supports this interpretation. See, e.g., Mich. Comp. Laws § 333.17020(8)(e) (2018); Cal. Ins. Code § 10148 (West 2019) (“The insurer shall notify an applicant of a test result by notifying the applicant or the applicant’s designated physician”); Minn. Stat. § 72A.139 (2019) (“The life insurance company or fraternal benefit society shall notify an individual of a genetic test result by notifying the individual or the individual’s designated physician”).

263.

Fla. Stat. § 760.40 (2018).

264.

See, e.g., Md. Code Ann., Health-Gen. § 13–109 (2018) (refers to “unambiguous diagnostic results”); 10A N.C. Admin. Code § 47c.0105 (2019); See Wash. Rev. Code Ann. § 70.02.005 et seq. (2019).

265.

For newborn screening programs, see, e.g., Ariz. Rev. Stat. Ann. § 12–2802A (2019); Cal. Health & Safety Code § 124975 (2019); Md. Code Ann., Health-Gen. § 13–111 (2018). For other contexts, see, e.g., Mich. Comp. Laws §§ 333.5431(1)-(2) (2018); Neb. Rev. Stat. § 71–519 (2019); S.C. Code Ann. Regs. 61–80 (2018); Nev. Rev. Stat. § 207.310(3) (2019); Nev. Rev. Stat. § 193.140–50 (2019). For other contexts, see, e.g., Mich. Comp. Laws §§ 333.17020, 333.17520 (2018) (limited to MDs and genetic tests, defined as a test for clinical purposes); Minn. Stat. § 72A.139 (2019) (limited to life insurance); N.J. Stat. Ann. § 17B:30–12 (2019) (limited to life or disability insurance); Tex. Lab. Code § 21.4032 (2017); Tex. Ins. Code § 546.101 (2017); Tex. Occ. Code Ann. § 58.001 et seq. (2017) (limiting application to insurance, labor, and occupations, respectively).

266.

Del. Code Ann. tit. 16, § 1204 (2019) (“An individual promptly upon request, may inspect, request correction of and obtain genetic information from the records of that individual”); N.J. Stat. Ann. § 10:5–46 (2019); Or. Rev. Stat. § 192.537(7) (2019) (“An individual or an individual’s representative, promptly upon request, may inspect, request correction of and obtain genetic information from the records of the individual”).

267.

See, e.g., Genetic Information Nondiscrimination Act Guidance (2009), U.S. Dep’t Health & Hum. Serv. (Mar. 24, 2009), https://www.hhs.gov/ohrp/regulations-and-policy/guidance/guidance-on-genetic-information-nondiscrimination-act/index.html (noting that “GINA has implications regarding the actual or perceived risks of genetic research and an individual’s willingness to participate in such research,” and its relevance to consent, as well as the evaluation of the risks of the study); Wash. Rev. Code Ann. § 70.02.100 (2019).

268.

See Evans, supra note 259, at 5–6.

269.

See Return of Individual Research, supra note 258, at 3, 9–10.

270.

Thought-Leader, supra note 51.

271.

Although researchers may have an ethical obligation to destroy a sample when a participant withdraws consent, the regulations do not require it. See supra text accompanying notes 94–95.

272.

Or. Rev. Stat. § 192.527(4) (2019).

273.

Or. Rev. Stat. § 192.537(5) (2019).

274.

N.J. Stat. Ann. § 10:5–46 (2018).

275.

Nev. Rev. Stat. § 629.161 (2019). Like the Oregon law, there are exceptions for criminal investigations and court orders, as well as when necessary for the medical record or authorized or required by state or federal law.

276.

See, e.g., S.C. Code Ann. § 44-37-30 (2018).

277.

Alaska Stat. § 18.13.010 (2018).

278.

Colo. Rev. Stat. § 10-3-1104.6 (2018); Colo. Rev. Stat. § 10-3-1104.7 (2018); Ga. Code Ann. § 33-54-1(1) (2019).

279.

Fla. Stat. § 760.40 (2018).

280.

La. Stat. Ann. § 22:1023 (2018); La. Admin. Code tit. 37, § 4515 (2018).

281.

Thomas W. Merrill, Property and the Right to Exclude, 77 Neb. L. Rev. 730, 730 (1998) (citing the Supreme Court’s opinion in Kaiser Aetna v. U.S., 444 U.S. 164, 176 (1979), as famously stating that “one of the most essential sticks in the bundle of rights that are commonly characterized as property” is “the right to exclude others.”); see also Jessica L. Roberts, Progressive Genetic Ownership, 93 Notre Dame L. Rev. 1105, 1129 (2018) (identifying three limited property entitlements a person may have in their DNA: the right to exclude, the right to access, and the right to commercialize).

282.

Greenberg v. Miami Children’s Hosp. Research Inst., Inc., 264 F. Supp. 2d 1064, 1075 (S.D. Fla. 2003).

283.

Peerenboom v. Perlmutter, No. 2013-CA-015257 (Fla. Cir. Ct. 2017).

284.

Roberts, supra note 281, at 1110.

285.

Id. at 1164–1167.

286.

45 C.F.R. §§ 160, 164 (2018).

287.

A HIPAA covered entity is: “(1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” 45 C.F.R. § 160.103 (2018).

288.

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. 45 C.F.R. § 160.103 (2018).

289.

Protected Health Information (PHI) is “individually identifiable health information … that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium.” 45 C.F.R. § 160.103 (2018).

290.

45 C.F.R. § 164.502 (2018).

291.

45 C.F.R. § 164.524(a), 164.526(a), 164.528(a)(1) (2018).

292.

45 C.F.R. § 164.302–318 (2018).

293.

45 C.F.R. § 164.506(c) (2018).

294.

45 C.F.R. § 164.512 (2018).

295.

45 C.F.R. § 160.102–103 (2018); see also When is a Researcher Considered to be a Covered Health Care Provider Under HIPAA?, U.S. Dep’t Health & Hum. Serv. (Nov. 27, 2006), https://www.hhs.gov/hipaa/for-professionals/faq/314/when-is-a-researcher-considered-a-covered-health-care-provider-under-hipaa/index.html.

296.

See When Does a Covered Entity Have Discretion to Determine Whether a Research Component of the Entity is Part of Their Covered Functions, and Therefore, Subject to the HIPAA Privacy Rule?, U.S. Dep’t of Health & Hum. Serv. (Mar. 14, 2006), https://www.hhs.gov/hipaa/for-professionals/faq/315/when-does-a-covered-entity-have-discretion-to-determine-covered-functions/index.html.

297.

Individually identifiable health information is: “information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.” 45 C.F.R. § 160.103 (2018).

298.

Under the Privacy Rule, information is considered de-identified and thus beyond the Privacy Rule’s reach if the information “does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.” 45 C.F.R. § 164.514(a) (2018). Information that is stripped of eighteen identifiers is considered de-identified (e.g., name, birthdate, zip codes, addresses, social security numbers, medical record numbers, etc.). 45 C.F.R. § 164.514(b)(2) (2018); This safe harbor for de-identification would apply to genetic or genomic information that has been demonstrated to be re-identifiable without use of a code or breaching data security. See supra text accompanying notes 20 and 22.

299.

45 C.F.R. § 164.404 (2018).

300.

42 U.S.C. § 1320d–6 (2010) (authorizing criminal penalties); 45 C.F.R. § 160.400–426 (2018) (authorizing civil penalties).

301.

Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006) (“HIPAA does not contain any express language conferring privacy rights upon a specific class of individuals …. Because HIPAA specifically delegates enforcement, there is a strong indication that Congress intended to preclude private enforcement”).

302.

Conn. Gen. Stat. § 38a-999a (2019) (“No person shall disclose individually identifiable medical record information … with the malicious intent to damage an individual’s reputation or character.”); Colo. Rev. Stat. Ann. § 18-4-412(1), (3) (2019) (criminal penalties for “any person who … steals or discloses to an unauthorized person a medical record or medical information, or who, without authority, makes or causes to be made a copy of a medical record or medical information”); 210 Ill. Comp. Stat. Ann. 85/6.17 (2018) (any person who “willfully or wantonly discloses hospital or medical record information” is guilty of a misdemeanor); Me. Stat. tit. 22, § 1711-C (2018) (Aggrieved individual may bring a civil action “against a person who has intentionally unlawfully disclosed health care information” for equitable relief, costs, and a forfeiture or penalty (not to exceed $5,000, but may increase to $10,000 for health care practitioners and $50,000 for health care facilities if sufficient evidence that constitutes general business practice)); Minn. Stat. Ann. § 144.298 (2019) (providing a person who “negligently or intentionally requests or releases a health record in violation of sections 144.291 to 144.297” is liable for “compensatory damages caused by an unauthorized release or an intentional, unauthorized access, plus costs and reasonable attorney fees”); Minn. Stat. Ann. § 144.293 (2019) (“A provider, or a person who receives health records from a provider, may not release a patient’s health records to a person without [patient consent or specific legal authorization]”); Nev. Rev. Stat. § 439.590(1) (2019) (Except as otherwise authorized by HIPAA, “a person shall not use, release or publish: (a) individually identifiable health information from an electronic health record or a health information exchange for a purpose unrelated to the treatment, care, well-being or billing of the person who is the subject of the information; or (b) Any information contained in an electronic health record or retained by or retrieved from a health information exchange for a marketing purpose.”); S.D. Codified Laws § 34-14-1, 34-14-3 (2019); Tex. Health & Safety Code Ann. § 181.151 (West 2018) (“A person may not reidentify or attempt to reidentify an individual who is the subject of any protected health information without obtaining the individual’s consent or authorization if required under this chapter or other state or federal law.”); Wis. Stat. § 146.84(2)(a), (b) (2018) (“Whoever does any of the following may be fined not more than $25,000 or imprisoned for not more than 9 months or both: … 2. Discloses confidential information with knowledge that the disclosure is unlawful and is not reasonably necessary to protect another … (b) Whoever negligently discloses confidential information in violation of s. 146.82 is subject to a forfeiture of not more than $1,000 for each violation.”); Wis. Stat. § 610.70 (2018) (“Any person who knowingly and willfully obtains information about an individual from an insurer or insurance support organization under false pretenses may be fined not more than $25,000 or imprisoned for not more than 9 months or both.” They “shall be liable to the individual for actual damages to that individual, exemplary damages of not more than $25,000 and costs and reasonable actual attorney fees”); Wis. Stat. § 146.84(1)(b) (2018) (“Any person … who violates s. 146.82 or 146.83 [regarding confidentiality of patient health care records] in a manner that is knowing and willful shall be liable to any person injured as a result of the violation for actual damages to that person, exemplary damages of not more than $25,000 and costs and reasonable actual attorney fees”).

303.

See, e.g., Fla. Stat. § 395.3025(7)(a) (2019) (“If the content of any record of patient treatment is provided under this section, the recipient, if other than the patient or the patient’s representative, may use such information only for the purpose provided and may not further disclose any information to any other person or entity, unless expressly permitted by the written consent of the patient”); Tex. Occ. Code Ann. § 159.005(e) (West 2017) (“A person who receives information made confidential by this subtitle may disclose the information only to the extent consistent with the authorized purposes for which consent to release the information is obtained.”); Va. Code Ann. § 32.1–127.1:03.A.3 (2018) (“No person to whom health records are disclosed shall redisclose or otherwise reveal the health records of an individual, beyond the purpose for which such disclosure was made, without first obtaining the individual’s specific authorization to such redisclosure”); Wis. Stat. § 146.82(2)(a)11 (2018) (“A person to whom a [health care] report or record is disclosed under this subdivision may not further disclose the report or record, except to the persons, for the purposes, and under the conditions specified in § 48.981(7)”).

304.

Cal. Civ. Code § 56.20 (2019) (“Each employer who receives medical information shall establish appropriate procedures to ensure the confidentiality and protection from unauthorized use and disclosure of that information.” Further, “[n]o employer shall use, disclose, or knowingly permit its employees or agents to use or disclose medical information which the employer possesses pertaining to its employees without the patient having first signed an authorization … permitting such use or disclosure.” Finally, the medical information “may be used only for the purpose of administering and maintaining employee benefit plans, including health care plans and plans providing short-term and long-term disability income, workers’ compensation and for determining eligibility for paid and unpaid leave from work for medical reasons.”); See, e.g., Conn. Gen. Stat. § 31–128f (2019) (“No individually identifiable information contained in the personnel file or medical records of any employee shall be disclosed by an employer to any person or entity not employed by or affiliated with the employer without the written authorization of such employee”).

305.

Cal. Civ. Code § 56.10 (2019) (providing medical information may be disclosed to researchers for “bona fide research purposes” but “no information so disclosed shall be further disclosed by the recipient in a way that would disclose the identity of a patient or violate this part”); Colo. Rev. Stat. § 27-65-121 (2018) (permits sharing of mental health information for research provided researchers “sign an oath of confidentiality” and no identifying information is disclosed); Mass. Gen. Laws ch. 176A, § 14B (2018); Mass. Gen. Laws ch. 176B, § 20(f) (2018) (health care facilities may disclose patient information for research with notice to patient of such research and agreement to “maintain the confidentiality of all identifiable patient information”); Tenn. Code Ann. § 56-7-124 (2019) (“[a]ny third party vendor or contractor, as well as any other entity that gains access to [medical] information to perform [research], will be bound to comply with all applicable state and federal laws and regulations regarding vigilant protection of the confidential information”); Tex. Occ. Code Ann. § 159.004(3) (West 2017) (patient information may be disclosed to “qualified personnel for research … but the personnel may not directly or indirectly identify a patient in any report of the research, audit, or evaluation or otherwise disclose identity in any manner”); Wis. Stat. § 610.70 (2018) (insurance information may be shared for research provided “any materials that allow for the identification of an individual must be returned to the insurer or destroyed as soon as reasonably practicable, and no individual may be identified in any actuarial, research, accreditation, or auditing report.”); Wis. Stat. § 146.82(2)(a)(6) (2018) (to researchers affiliated with the health care provider if also “provides written assurances … that the information will be used only for the purposes for which it is provided to the researcher, the information will not be released to a person not connected with the study, and the final product of the research will not reveal information that may serve to identify the patient whose records are being released under this paragraph without the informed consent of the patient”); Wyo. Stat. Ann. § 35-2-609 (2018) (hospital information may be disclosed for research provided there are “reasonable safeguards to protect the information from redisclosure;” and “reasonable safeguards to protect against identifying, directly or indirectly, any patient in any report of the research project;” and has “procedures to remove or destroy at the earliest possible opportunity, consistent with the purposes of the project, information that would enable the patient to be identified, unless an institutional review board authorizes retention”).

306.

Wis. Stat. § 146.82(5)(c) (2018) (“Notwithstanding sub. (1) an entity that is not a covered entity may redisclose a patient health care record it receives under this section only under the following circumstances: 1. The patient or person authorized by the patient provides informed consent for the redisclosure. 2. A court of record orders the redisclosure. 3. The redisclosure is limited to the purpose for which the patient health care records was initially received.”); N.Y. Mental Hyg. Law § 33.13 (2018) (information disclosed “shall be kept confidential by the party receiving such information and the limitations on disclosure in this section shall apply to such party.”); N.Y. Pub. Health Law § 18 (2018) (Patient information disclosed “should be kept confidential by the party receiving such information and the limitations on such disclosure in this section shall apply to such party”).

307.

Ark. Code Ann. § 4-110-103 (2018); Mass. Gen. Laws ch. 66A, § 2 (2018) (“Each holder maintaining personal data shall … (c) not allow any other agency or individual not employed by the holder to have access to personal data unless such access is authorized by statute or regulations … or is approved by the data subject”); Or. Rev. Stat. § 646A.604 (2018) (“[A] person that owns or licenses personal information shall provide to the Attorney General within a reasonable time at least one copy of any notice the person sends to consumers or to the person’s primary or functional regulator in compliance with this section or with other state or federal laws or regulations that apply to the person as a consequence of a breach of security”); Or. Rev. Stat. § 646A.602 (2018) (personal information is defined as “[a] consumer’s first name or first initial and last name in combination with any one or more of the following data elements, if encryption, redaction or other methods have not rendered the data elements unusable or if the data elements are encrypted and the encryption key has been acquired: [social security, driver’s license, passport number, financial or credit card account numbers plus access code, biometric information used to identify a person in a transaction] (vi) A consumer’s health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer; and (vii) Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer”).

308.

Ark. Code Ann. § 4-110-101 (2018).

309.

Ark. Code Ann. § 4-110-101 (2018).

310.

A list of laws is on file with the authors.

311.

See Mo. Code Regs. Ann. tit. 19, § 10–33.010 (2018) (no uses beyond that specified in agreement); 186 Neb. Admin. Code § 4–007 (2018) (“Any de-identified data … asked for by and furnished to a researcher may not be intentionally re-identified in any manner”); N.H. Code Admin. R. Ann. He-C 1504.05(d) (2018) (“The principal investigator shall … [n]ot seek to ascertain or disclose the identity of patients or employers or other group purchasers revealed in the data set for any purposes except as approved as part of the study”); Utah Code Ann. § 63G-2-202 (2018) (government agent must “require the removal or destruction of the individual identifiers associated with the records as soon as the purpose of the research project has been completed.”).

312.

See Thought-Leader, supra note 51.

313.

45 C.F.R. § 164.514(a) (2018).

314.

Erika Check Hayden, Privacy Loophole Found in Genetic Databases, Nature (Jan. 17, 2013), https://www.nature.com/news/privacy-loophole-found-in-genetic-databases-1.12237.

315.

Tex. Health & Safety Code Ann. § 181.151 (West 2018) (“A person may not reidentify or attempt to reidentify an individual who is the subject of any protected health information without obtaining the individual’s consent or authorization if required under this chapter or other state or federal law”).

316.

45 C.F.R. §§ 164.502(d), 514(a)-(b) (2018); See also, Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, Health Info. Privacy, https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html (last visited Feb. 7, 2019).

317.

A list of laws is on file with the authors.

318.

Cal. Civ. Code § 1798.24 (West 2019).

319.

Cal. Health & Safety Code § 103865 (West 2019); See also Neb. Rev. Stat. § 81–666 (2018) (explicitly permitting sharing of patient-identified data with approved researchers); Neb. Rev. Stat. § 81–669 (2018) (“All case-specific and patient-identifying data furnished and any findings or conclusions resulting from such data shall be privileged communications which may not be used or offered or received in evidence in any legal proceeding of any kind, and any attempt to use or offer any such information, findings, conclusions, or any part thereof, unless waived by the interested parties, shall constitute prejudicial error resulting in a mistrial in any such proceeding”).

320.

45 C.F.R. § 164.508(a)(1) (2018).

321.

See, e.g., Cal. Civ. Code § 56.10 (West 2019) (“Except to the extent expressly authorized by a patient, enrollee, or subscriber, or as provided by subdivisions (b) and (c), a provider of health care, health care service plan, contractor, or corporation and its subsidiaries and affiliates shall not intentionally share, sell, use for marketing, or otherwise use medical information for a purpose not necessary to provide health care services to the patient.”) (emphasis added); Cal. Health & Safety Code § 123148 (West 2019); Conn. Gen. Stat. § 38a-478o(b) (2019) (“No managed care organization shall sell, for any commercial purpose the names of its enrollees or any identifying information concerning enrollees.”); Mont. Code Ann. § 33-19-307 (2018); DEL. Code Ann. tit. 16, § 1211 (2019) (restricting the State from using protected health information for commercial purposes).

322.

The question of whether HIPAA’s right to access health information extends to genomic research results has been in the literature, but it has not been decided. See, e.g., Jennifer Dreyfus and Mark Sobel, Concern about Justifying the Release of Genomic Data as a Civil Right, 103 Am. J. Hum. Genetics 163, 165 (2018); see, e.g., Barbara J. Evans, Response to Dreyfus and Sobel, 103 Am. J. Hum. Genetics 166, 167 (2018).

323.

Cal. Health & Safety Code § 123148 (West 2019); Conn. Gen. Stat. § 207-c(b) (2019); N.H. Rev Stat. Ann. §§ 332-I:2(I)(b)-(c) (2019).

324.

DEL. Code Ann. tit. 16, § 1212 (2018).

325.

N.H. Rev. Stat. Ann. § 151:21(X) (2018).

326.

104 Mass. Code Regs. 27.17 (2018); 10A N.C. Admin. Code 47B.0103 (2019); 12 Va. Admin. Code § 30-20-90 (2018) (Medicaid “client”); Ala. Code § 22-56-4 (2018); ALASKA Admin. Code tit. 7, § 12.534(a); See ARIZ. Admin. Code § R9-21-209 (2019); see, e.g., Cal. Civ. Code § 56.10 (2019); see, e.g., Cal. Civ. Code § 56.10 (West 2019); Colo. Rev. Stat. § 25-1-801 (2019); Colo. Rev. Stat. § 25-1-801 (2019); Conn. Gen. Stat. § 19a-490b (2019); Conn. Gen. Stat. § 20–7c (2006); D.C. Code § 7–1202.02(a) (2009); See DEL. Code Ann. tit. 24, § 1761A (2019); Fla. Stat. § 395.3025(1) (2019); Fla. Stat. § 394.4615(1–2) (2019); Wash. Admin. Code § 284–04-500 (2018); 2008 Ga. Laws 1680; Ga. Code Ann. § 37-3-166(7) (2019); Ga. Comp. R. & Regs. 290-4-6-.05 (2019); Ind. Code Ann. § 16-39-1-1 (2018); See Me. Stat. tit. 22, § 1711-B (2018); Minn. Stat. Ann. § 144.292 (2019); Minn. Stat. Ann. § 144.651 (2019); Mo. Rev. Stat. § 338.100 (2018); N.C. Gen. Stat. Ann. § 122C-53 (2018); N.H. Rev. Stat. § 322-I:3(I) (2018); Neb. Rev. Stat. § 71–8505 (2019); Nev. Rev. Stat. § 439.591 (2019); Nev. Rev. Stat. § 629.061 (2019); Or. Rev. Stat. § 179.505 (2019); Tenn. Code Ann. § 63-2-101 (2019); Tex. Occ. Code Ann. § 159.006 (West 2017); See, e.g., Va. Code Ann. § 32.1–127.1:03 (2019); Wash. Admin. Code 284-04-500 (2018); See, e.g., Wis. Stat. § 51.30 (2018); Wyo. Stat. Ann. § 35-2-607 (2019).

327.

215 Ill. Comp. Stat. Ann. 5/1009 (2019); ARIZ. Rev. Stat. Ann. § 20–2108 (2019); ARIZ. Rev. Stat. Ann. § 20–2110 (2019); Cal. Civ. Code § 56.107 (West 2019); Colo. Rev. Stat. § 10-16-1003 (2018) (health insurance); Conn. Gen. Stat. § 38a-983 (2019); Ga. Code Ann. § 33-39-9 (2019); Mass. Gen. Laws ch. 175I, § 8(a) (2018); Md. Code Ann., Ins. § 14–138 (2018); Mont. Code Ann. § 33-19-301 (2018); Wis. Stat. § 610.70 (2018).

328.

215 Ill. Comp. Stat. 5/1009 (2019) (insurance information); 62 Pa. Cons. Stat. § 1407-C(b), (c) (2018) (state health information exchange); ARIZ. Rev. Stat. Ann. § 20–2108 (2019) (insurance information); Ga. Code Ann. § 33-39-9(a)(4) (2019) (insurance information); Mont. Code Ann. § 33-19-302 (2018) (insurance information).

329.

12 Va. Admin. Code § 30-20-90 (2018); 215 Ill. Comp. Stat. 5/1009 (2019) (insurance information); Colo. Rev. Stat. § 10-16-1003 (2019) (health care coverage cooperative); Conn. Agencies Regs. § 17a-581-59 (2019) (Psychiatric Security Review Board); Conn. Gen. Stat. § 31–128f (2019) (applying to employee personnel files or medical records); Conn. Gen. Stat. § 38a-983 (2019) (insurance institution, agent or insurance support organization); Ga. Code Ann. § 33-39-9(a)(4) (2019) (insurance institution, agent, or insurance support organization); Ga. Comp. R. & Regs. 290-4-6-.05 (2019) (mental health and substance abuse facilities); Mass. Gen. Laws ch. 175I, § 8(b) (2018) (insurance institution, insurance representative, or insurance support organization); Mass. Gen. Laws ch. 175I, §9(a) (2018) (“factual error[s]” or “any misrepresentation or misleading entry” in insurance institution, insurance representative, or insurance support organization); Mass. Gen. Laws ch. 66A, § 2 (2018); Me. Stat. tit. 22, § 1711-B (2018) (treatment records); Mo. Code Regs. Ann. tit. 13, § 70–1.020 (2018); Mont. Code Ann. § 33-19-307 (2018); Mont. Code Ann. § 50-16-545 (2018) (health care provider); Tenn. Code Ann. § 68-11-312 (1996) (hospital record); Wash. Admin. Code § 284-04-500(6) (all health insurers); Wis. Stat. Ann. § 610.70 (2019) (applying to insurers); Wis. Stat. § 610.70 (2018) (insurers).

330.

Minn. Stat. § 144.293 (2019) (allowing patients to exclude their information from a health information exchange); Ohio Rev. Code Ann. § 3705.33 (West 2019) (allowing parents to request removal of identifying information from birth defects information system); Wis. Stat. § 146.82(2)(a)(5) (2018) (allowing private pay patients to deny access to their records for research by submitting an annual request); N.H. Rev. Stat. Ann. § 332-I:3(VI) (2018) (allowing individual to opt out of sharing name, address, and protected health care information through the health information organization); N.H. Rev. Stat. Ann. § 332-I:4(II)(a) (2018) (allowing individual to opt out of allowing health care provider or business associate to use protected health information for fundraising); Nev. Rev. Stat. § 439–538(2) (2019) (“A covered entity that makes individually identifiable health information available electronically … shall allow any person to opt out of having his or her individually identifiable health information disclosed electronically to other covered entities, except” as required by HIPAA or state law or if a Medicaid or CHIP recipient.); Nev. Rev. Stat. § 439.591 (2019) (requiring consent to retrieve health care records from a health information exchange and notice of breach); Nev. Rev. Stat. § 449.112(c)-(d) (2019) (granting medical facility patients the right to “(c) refuse to participate in any medical experiments conducted at the facility. (d) retain his or her privacy concerning the patient’s program of medical care” (Medical experiments is not defined)).

331.

ARIZ. Rev. Stat. Ann. § 20–2118 (2019) (a person whose insurance information is disclosed in violation of §§ 20–2108 through 20–2110 may sue for appropriate equitable relief); Cal. Civ. Code § 56.101 (West 2019) (“Any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36”); Cal. Ins. Code § 791.20 (West 2019) (“[A]ny person whose rights are violated [by insurance institution, agent or insurance-support organization] may apply to any court of competent jurisdiction, for appropriate equitable relief” and for actual damages sustained.); Conn. Gen. Stat. § 38a-988a(b) (2019) (An individual who is harmed by an insurer may “bring an action for equitable relief, damages or both” and may recover “double damages, costs and reasonable attorneys’ fee”); Ga. Comp. R. & Regs. 290-4-6-.07 (2019) (allowing mental health patient whose confidentiality to bring suit in appropriate court); Mass. Gen. Laws ch. 175I, § 20(a) (2018) (may seek appropriate equitable relief for a violation by insurance institution, insurance representative or insurance-support organization); Mass. Gen. Laws ch. 176B, § 17 (2018) (stating that “the commissioner, the attorney general, any district attorney or aggrieved party” may bring claim for equitable relief for a violation by a medical service corporation); Me. Stat. tit. 22, § 1711-C (2018) (Aggrieved individual may bring a civil action “against a person who has intentionally unlawfully disclosed health care information” for equitable relief, costs, and a forfeiture or penalty (not to exceed $5,000, but may increase to $10,000 for health care practitioners and $50,000 for health care facilities if sufficient evidence that constitutes general business practice); Mich. Comp. 
Laws § 550.1406(4) (2018) (“A member may bring a civil action for damages against a health care corporation for a violation of this section and may recover actual damages or $200.00, whichever is greater, together with reasonable attorneys’ fees and costs”); Minn. Stat. § 144.298 (2019) (providing a person who “negligently or intentionally requests or releases a health record in violation of sections 144.291 to 144.297” is liable for “compensatory damages caused by an unauthorized release or an intention, unauthorized access, plus costs and reasonable attorney fees”); Mont. Code Ann. § 33-19-407(1–2) (2018) (suit may be brought for injunctive relief against an insurance institution, insurance producer or insurance-support organization for violation of confidentiality); Mont. Code Ann. § 50-16-553 (2018); Mont. Code Ann. § 50-16-817 (2018) (“A person aggrieved by a violation of this part may maintain an action for relief” including for enforcement, damages, and reasonable attorney’s fees. “[I]f the violation results from willful or grossly negligent conduct, the aggrieved person may recover not in excess of $5,000, exclusive of any pecuniary loss.”); N.H. Rev. Stat. Ann, § 332-I:6 (2018) (“An aggrieved individual may bring a civil action … and, if successful, shall be awarded special or general damages of not less than $1,000 for each violation, and costs and reasonable legal fees” (applies to medical records disclosure)); Or. Rev. Stat. § 746.680 (2019) (a person whose insurance information is disclosed in violation of Or. Rev. Stat. § 746.607 (2019) may sue for equitable relief and actual damages, and costs of the action and attorney fees may be awarded to the prevailing party); See Tenn. Code Ann. § 68-11-1503(c) (2019) (“Any violation of this section shall be an invasion of the patient’s right to privacy”); Tenn. Code Ann. § 68-11-1504 (2019) (“The penalties and injunctions available under this chapter shall apply to this part. 
Civil actions for damages for invasion of privacy shall also be available to a person for violations of this part.”); Tex. Health & Safety Code § 241.156(a) (West 2017) (“A patient aggrieved by a violation of this subchapter relating to the unauthorized release of confidential health care information may bring an action for: (1) appropriate injunctive relief; and (2) damages resulting from the release.”); Wis. Stat. § 146.84(1)(c) (2018) (“An individual may bring an action to enjoin any violation of s. 146.82 or 146.83 or to compel compliance [with those sections] and may, in the same action, seek damages”); Wis. Stat. § 610.70 (2018) (“Any person who knowingly and willfully obtains information about an individual from an insurer or insurance support organization under false pretenses” shall be “liable to the individual for actual damages to that individual, exemplary damages of not more than $25,000 and costs and reasonable actual attorney fees.”); Wis. Stat. § 146.84(b) (2018) (“Any person … who violates s. 146.82 or 146.83 [regarding confidentiality of patient health care records] in a manner that is knowing and willful shall be liable to any person injured as a result of the violation for actual damages to that person, exemplary damages of not more than $25,000 and costs and reasonable actual attorney fees”); (“Any person … who negligently violates s. 146.82 or 146.83 shall be liable to any person injured as a result of the violation for actual damages to that person, exemplary damages of not more than $1,000 and costs and reasonable actual attorney fees”); Wyo. Stat. Ann. § 35-2-616 (2018) (with respect to medical records, “A person aggrieved by a violation of this act may maintain an action for relief as provided in this section.”).

332.

Conn. Gen. Stat. § 38a-988a (2019) (allowing an individual to recover “double damages”); N.H. Rev. Stat. Ann. § 332-I:6 (2018) (providing for special or general damages of not less than $1,000 per violation); Wis. Stat. § 610.70 (2018) (providing for exemplary damages up to $25,000); Wis. Stat. § 146.84 (2018) (providing for exemplary damages up to $25,000).

333.

Md. Code Ann., Health-Gen. § 4–307(k)(2) (LexisNexis 2018).

334.

See Conn. Gen. Stat. § 38a-999a (2019); Me. Stat. tit. 22, § 1711-C (2018); Minn. Stat. § 144.298.2(4) (2019); Okla. Stat. Ann. tit. 63, § 1–502.2 (2019); S.D. Codified Laws § 34-14-3 (2019); Wis. Stat. § 610.70 (2018); Wis. Stat. § 146.84(1)(b) (2018); Wis. Stat. § 146.84(1)(bm) (2018); See also Haw. Code R. § 11-93-37 (2018) (failing to confidentially maintain certain medical records, such as psychiatric records (§ 11-93-29, Psychiatric Services), is a misdemeanor).

335.

See, e.g., Colo. Rev. Stat. § 18-4-412 (2019) (“Any person who, without proper authorization, knowingly obtains a medical record or medical information with the intent to appropriate the medical record or medical information to his own use or to the use of another, who steals or discloses to an authorized person a medical record or medical information, or who, without authority, makes or causes to be made a copy of a medical record or medical information commits theft of a medical record or medical information.”); Mont. Code Ann. § 50-16-551 (2018); Minn. Stat. § 144.298.2(4) (2018); Neb. Rev. Stat. § 81–674 (2018) (“Any private or public entity, individual, or approved researcher who wrongfully discloses confidential data obtained from the medical record and health information registries or uses such information with the intent to deceive shall be guilty of a Class IV misdemeanor ….”); Nev. Rev. Stat. Ann. § 439.590(3) (2019) (“A person who accesses an electronic health record or a health information exchange without authority to do so is guilty of a misdemeanor and liable for any damages to any person that result from the unauthorized access.”); Wis. Stat. § 146.84(2)(a)-(b) (2018) (“Whoever does any of the following may be fined not more than $25,000 or imprisoned for not more than 9 months or both: 1. Requests or obtains confidential information under § 146.82 or 146.83(1c) or (3f) under false pretenses. 2. Discloses confidential information with knowledge that the disclosure is unlawful and is not reasonably necessary to protect another … (b) Whoever negligently discloses confidential information in violation of s. 146.82 is subject to a forfeiture of not more than $1,000 for each violation”).

336.

Mass. Gen. Laws Ann. ch. 118I, § 16 (2018) (providing that “unauthorized access to or disclosure” of health information through the statewide health information exchange is subject to fines or penalties); N.H. Code Admin. R. Ann. Dept of Health & Hum. Services He-P 3012.07 (2018) (“Persons who fraudulently request [birth control program] data shall be subject to the penalty for unsworn falsifications in accordance with RSA 641:3”); N.H. Code Admin. R. He-P 3012.07(e) (2018) (“Persons who fraudulently request [cancer registry] data shall be subject to the penalty for unsworn falsifications in accordance with RSA 641:3”); Wis. Stat. § 610.70 (2018); (“Any person who knowingly and willfully obtains information about an individual from an insurer or insurance support organization under false pretenses may be fined not more than $25,000 or imprisoned not more than 9 months or both. (b) Any person who knowingly and willfully obtains information about an individual from an insurer or insurance support organization under false pretenses shall be liable to the individual for actual damages to that individual, exemplary damages of not more than $25,000 and costs and reasonable actual attorney fees”).

337.

45 C.F.R. § 164.404(a)(1) (2018); 45 C.F.R. § 164.406(a) (2018).

338.

45 C.F.R. § 164.404 (2018).

339.

Wis. Stat. § 134.98 (2018).

340.

See Va. Code Ann. § 32.1–127.1:05 (2019) (requiring notice of breach of confidentiality of medical information to “the Office of the Attorney General, the Commissioner of Health, the subject of the medical information, and any affected resident of the Commonwealth without unreasonable delay”).

341.

Ark. Code Ann. § 4-110-105 (2018) (applying to “any person or business that acquires, owns, or licenses computerized data that includes personal information”); Or. Rev. Stat. § 646A.604 (2018) (applies generally to “a person that owns or licenses personal information”).

342.

Nass et al., Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research 80–81 (2009).

343.

We specifically focused on disability discrimination laws in our searches. In an effort to cabin the scope of our research, we did not examine non-health related discrimination laws, such as civil rights laws that protect against discrimination based on race, gender, religion, national origin, or sexual orientation, except to the extent such law explicitly included disability within its protections.

344.

Mark A. Rothstein, GINA, the ADA, and Genetic Discrimination in Employment, 36 J.L. Med. & Ethics 837, 839 (2008) [hereinafter Genetic Discrimination].

345.

42 U.S.C. § 12102 (2018); See generally Dale Larson, Unconsciously Regarded as Disabled: Implicit Bias and the Regarded-As Prong of the Americans with Disabilities Act, 56 UCLA L. Rev. 451, 466 (2008) (describing the 2008 ADA amendments and how they reinstated earlier broad interpretations for the regarded-as prong to protect against adverse actions motivated by “prejudiced attitudes, such as myths, fears, ignorance, or stereotypes concerning disability”); Clayton, supra note 15 (noting that the regarded-as prong of the ADA’s disability definition, “has received much less attention than the first two, may significantly expand the protection provided by the ADA”); Prior to the adoption of GINA, the EEOC settled a case under the ADA in which the Burlington Northern and Santa Fe Railway Company genetically tested employees. Then EEOC Commissioner, Paul Miller, stated that “employers should be aware of the EEOC’s position that the mere gathering of an employee’s DNA may constitute a violation of the ADA.” EEOC and BNSF Settle Genetic Testing Case under Americans with Disabilities Act, U.S. Equal Emp. Opportunity Comm’n (May 8, 2001), https://www.eeoc.gov/eeoc/newsroom/release/5-8-02.cfm.

346.

Larson, supra note 345, at 460–461 (describing the climate in which the ADA was drafted and the focus on affording protections against “negative attitudes” and disability). However, there is uncertainty about how far the regarded-as prong would reach, and the answer may hinge on whether an employer believes the participant is currently disabled because of a genetic mutation or only at risk of future disability. See, e.g., Sharona Hoffman, Big Data and the Americans with Disabilities Act, 68 Hastings L. J. 777, 779 (contending that the ADA “does not stretch to cover individuals who are perfectly healthy at present but whom an employer suspects of being at risk of serious ailments later in life based on big data analysis”). Nevertheless, persistent public misunderstandings of genetics and genomics suggest that some may “regard” those with certain genetic mutations as disabled. See Rebecca Burr Carter, et al., Young Adults’ Belief in Genetic Determinism, and Knowledge and Attitudes towards Modern Genetics and Genomics: The PUGGS Questionnaire, 12 PLoS One 1, 24 (Jan. 23, 2018); Angela D. Lanie et al., Exploring the Public Understanding of Basic Genetic Concepts, 13 J. Genet. Couns. 1, 5 (2004).

347.

These disability discrimination laws also provide protections should a participant experience a manifest disability at some point in the future. However, because such events would be tangential to the research, we do not discuss these.

348.

Genetic Discrimination, supra note 344, at 839.

349.

In adopting the ADA, Congress acknowledged the Nation’s goal “to assure equality of opportunity, full participation, independent living, and economic self-sufficiency for” individuals living with disabilities. 42 U.S.C. § 12101(a)(7) (2018).

350.

Informational and Technical Assistance on the Americans with Disabilities Act, U.S. Dep’t of Just. Civ. Rights Div., https://www.ada.gov/ada_intro.htm (last visited Dec. 30, 2018).

351.

42 U.S.C. § 12102 (2018).

352.

42 U.S.C. § 12102 (2018).

353.

42 U.S.C. § 12188 (2015) (regarding private suits).

354.

The ADA: Your Employment Rights as an Individual with a Disability, U.S. Equal Emp. Opportunity Comm’n (Mar. 21, 2005), https://www.eeoc.gov/facts/ada18.html.

355.

Individuals’ Right Under HIPAA to Access Their Health Information 45 C.F.R. §164.524, U.S. Dep’t of Health & Hum. Services, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html (last visited Feb. 7, 2019) (“Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being. For example, individuals with access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and fix errors in their health records, track progress in wellness or disease management programs, and directly contribute their information to research”); Insurance, Accommodating Disabilities. Bus. Mgmt. Guide (CCH) ¶ 10,225, 2015 WL 8400563 (2018).

356.

In some cases, state laws merely reiterate the obligation to comply with federal discrimination laws, whether by their own programs or by contractors. See, e.g., 12 Colo. Code Regs. § 2509–7:7.604 (2019) (requiring that child welfare services comply with the ADA, Civil Rights Act, Age Discrimination Act, and the Rehabilitation Act); 121 Mass. Code Regs. 2.210 (2018) (contractors of the Massachusetts Office of Refugees and Immigration must comply with the ADA and other federal discrimination laws). In this section, we focus on those laws that establish independent state law obligations.

357.

Ark. Code Ann. § 16-123-107 (2018); Colo. Rev. Stat. § 24-34-402(1)(a) (2019); Haw. Rev. Stat. Ann. § 378–2(a)(1) (2018); Haw. Admin. Rules § 12-46-183 (2018); 820 Ill. Comp. Stat. 105/4 (2019) (wages); Ind. Code § 22-9-5-1 (2018); 910 Ind. Admin. Code 3-3-1 (2019); Iowa Code § 216.6(1)(a) (2019); Ky. Rev. Stat. Ann. § 18A.140 (2019) (state employees in “classified” (or merit) service); Ky. Rev. Stat. Ann. § 207.170(2) (West 2019); La. Stat. Ann. § 23:323 (2018); Me. Stat. tit. 5, §4571 (2018) (the “opportunity for an individual to secure employment without discrimination … is declared a civil right”); Me. Stat. tit. 5, §4572 (2018); 2018 Md. Code Ann. Adv. Legis. Serv. § 20–606 (LexisNexis); 2018 Md. Code Ann. Adv. Legis. Serv. § 20–610 (interns); Mich. Comp. Laws. 37.1202 (2018); Minn. Stat. § 363A.08 (2019); Mo. Rev. Stat. § 213055(1) (2018); Mont. Code Ann. § 49-1-102 (2019); Mont. Code Ann. § 49-2-303 (2019); Nev. Rev. Stat. § 284.150 (2019) (state employment); Nev. Rev. Stat. § 613.330 (2019) (private employment); N.H. Rev. Stat. Ann. §§ 354-A6, A7(I)-(II) (2018); N.C. Gen. Stat. § 168A-5 (2019); N.D. Cent. Code § 14-02.4-01, 02.4-03 (2018); Ohio Rev. Stat. Ann. § 4112.02 (LexisNexis 2019); Okla. Admin. Code § 455:10-3-5(A) (2019) (state employment); Or. Rev. Stat. §§ 659A.006, 659A.109, 659A.019, 659A.112, 659A.142 (2019); 43 Pa. Cons. Stat. § 953 (2018); 43 Pa. Cons. Stat. § 955 (2018); S.D. Codified Laws § 20-13-10 through 20-13-13 (2019); 23-100 Miss. Code R. § 3.2 (LexisNexis 2018) (Medicaid program); Tex. Lab. Code Ann. §§ 21.051, 21.052, 21.053 (2017) (employer, employment agency, and labor organizations); Utah Code Ann. § 34A-5-106(a)(i) (LexisNexis 2018); Va. Code Ann. § 51.5–41 (2018); Va. Code Ann. § 2.2–3900 (2018) (Virginia Human Rights Act (public business)); W. Va. Code § 5-11-9 (2018); W. Va. Code R. § 77-1-4 (2018); Wis. Stat. § 111.321 (2018); Wyo. Stat. Ann. § 27-9-105 (2019) (applying to employers generally); Wyo. Admin. Cod. 
§5084–7 (2019); Rules of Professional Conduct Rule 2–400 (Cal. State Bar Ass’n 2018) (employment in law practice); Cal. Gov’t Code § 19702 (2019) (state employment); Conn. Gen. Stat. § 31–40y (2019) (internships); Fla. Stat. § 1000.05 (2018) (employees of state K-20 education system); Ga. Code Ann. § 45-19-29 (2019) (applying to apprenticeship and other training and retraining programs); Minn. R. 7520.0350 (2019) (public safety employment; Minn R. 9575.0090 (2019) (Department of Human Services); 23–100 Miss. Code R. § 3.2 (2019) (Medicaid program); Miss. Code Ann. § 73-30-1 (2019); 30–2501 Miss. Code. R. §1:2 (LexisNexis 2019) (Mississippi Board of Massage Therapy); 203–6.2 Miss. Code R. § 30–2 (LexisNexis 2019) (Mississippi Interior Designer Advisory Commission); Neb. Rev. Stat. § 23–2531 (2019) (civil service system).

358.

Ark. Code Ann. § 16-123-102 (2018) (9 employees or more); See Colo. Rev. Stat. § 24-34-401 (2018) (“every … person employing persons”, excluding “religious organizations or associations, except such organizations or associations supported in whole or in part by money raised by taxation or public borrowing”);

Haw. Rev. Stat. § 378–1 (2018) (1 or more employees, but not the US government); 48 Ill. Comp. Stat. § 105/3 (2019) (1 or more employees); Iowa Code § 216.2(7) (2019) (“every … person employing employees”); Ky. Rev. Stat. Ann. § 207.130 (West 2019) (eight or more employees); Ind. Code § 22-9-1-3 (2016); Me. Stat. tit. 5, § 4553 (2018) (“any number of employees”, but does not include non-profit religious or fraternal corporations or associations); Mich. Comp. Laws § 37.1201(b) (2018) (1 employee or more); Minn. Stat. § 363A.03 (2019) (defining employer as 1 employee or more); Mo. Rev. Stat. § 213.010(6) (2019) (Six employees or more “but does not include corporations and associations owned or operated by religious or sectarian organizations” or the U.S., corporations wholly owned by the U.S., certain departments and agencies of D.C., Indian tribes, and certain bona fide private membership clubs); Mont. Code Ann. § 49-2-101 (2018) (applying to places with one employee or more “but does not include fraternal, charitable, or religious association or corporation if the association or corporation is not organized either for private profit or to provide accommodations or services that are available on a non-membership basis”); N.H. Rev. Stat. Ann. § 354-A:2(7) (2018) (Six employees or more but does not include “an exclusively social club, or fraternal or religious association or corporation, if such club, association, or corporation is not organized for private profit”); N.D. Cent. Code § 14-02.4-02 (2019) (1 or more employees); N.J. Stat. Ann. § 10:5–5 (2018) (1 or more employees); Ohio Rev. Code Ann. § 4112.01A (LexisNexis 2019) (4 employees or more); 43 PA. Cons. Stat. § 954b (2018) (4 employees or more); Or. Rev. Stat. § 659A.106 (2019) (6 or more employees but “do[es] not apply to the Oregon National Guard”); S.D. Codified Laws § 20-13-1 (2019) (hires or employs “any employee”); Wis. Stat. Ann. 
§ 111.32 (2018) (applying to places with at least one employee but does not include certain social clubs or fraternal societies); Wyo. Stat. Ann. § 27-9-102 (2019) (two or more employees but does not include religious organizations or associations); Md. Code, State Government § 20–601 (2018) (defining “employer” as 15 employees or more but does not include certain bona fide private membership clubs); Nev. Rev. Stat. §§ 613.310, 613.320 (2019) (15 employees or more but does not include “any religious corporation, association or society with respect to the employment of individuals of a particular religion to perform work connected with the carrying on of its religious activities”); N.C. Gen. Stat. § 168A-3 (2019); Tex. Lab. Code Ann. § 21.002 (2017) (15 employees or more); Utah Code Ann. § 34A-5-102(1)(i) (LexisNexis 2017) (15 employees or more but does not include certain religious entities, certain entities constituting an affiliate or wholly owned subsidiary of certain religious entities, or the Boy Scouts of America); La. Rev. Stat. §23:302 (2018); Va. Code Ann. §40.1–2 (2018); Va Code Ann. § 51.5–40, 41 (2018); Va. Code Ann. § 2.2–3903B (2018).

359.

A list of these laws is on file with the authors.

360.

States that limit use of disability in insurance underwriting broadly or for disability or life insurance, which we consider particularly relevant, include: Cal. Ins. Code § 10401 (disability insurance for discrimination of insureds “in same class”); 215 Ill. Comp. Stat. 5/236 (2019) (life insurance “unless the rate differential is based on sound actuarial principles and a reasonable system of classification and is related to actual or reasonably anticipated experience directly associated with the disability); Md. Code Ann., Ins. § 27–501 (LexisNexis 2018) (insurer generally on the basis of physical handicap or disability, “except by the application of standards that are reasonably related to the insurer’s economic and business purposes”); N.Y. Ins. Law § 4224 (McKinney 2019) (Life insurance or accident and health insurance, “except where the refusal, limitation or rate differential is permitted by law or regulation and is based on sound actuarial principles or is related to actual or reasonably anticipated experience” and with requirement to “notify the insured or potential insured … the specific reason or reasons for such refusal, limitation or rate differential”); Or. Rev. Stat. § 746.015 (2019) (insurance generally based on physical disability, unless underwriting standards or rates “is based on sound actuarial principles or is related to actual or reasonably anticipated experience”). Relevant to genomic information if these states apply the modern definition of disability, which includes the “regarded-as” prong. See 054-00-028 Ark. Code R. § 3 (LexisNexis 2018) (life insurance, annuities, and disability insurance based on physical or mental impairment, except where the “refusal, limitation or rate differential is based on sound actuarial principals or is related to actual or reasonably anticipated experience”); Kan. Stat. Ann. 
§ 40–2.109 (2018) (life insurance, life annuity, or disability coverage “unless the rate differential, or refusal to provide, is based on sound actuarial principles or is related to actual or reasonably anticipated experience); Mo. Code Regs. Ann. tit. 20, § 100–2.200 (2018) (based on physical or mental impairment, “except where the refusal, limitation or rate differential is based on sound actuarial principles or is related to actual or reasonably anticipated experience”); Utah Admin. Code r. R590-129-4 (2018) (insurance generally). Finally, a few states apply to specific types of insurance: Cal. Ins. Code § 10119.6 (West 2019) (infertility treatment); Md. Code Ann., Ins. § 27–502 (LexisNexis 2018) (surety insurer); Minn. Stat. § 176.201 (2018) (worker’s compensation insurance); 40 PA. Cons. Stat. § 991.2003 (2018) (automobile insurance, provided does not impair ability to operate a motor vehicle); 27 R.I. Gen. Laws. §§ 27-1-39, 27-2-23 (2019) (casualty, fire, home owners, accident and health, marine, or automobile insurance); See Tex. Ins. Code Ann. § 3502.053 (West 2017) (mortgage guaranty insurance). A list of states that specifically apply to health insurance is on file with the authors.

361.

See, e.g., Ark. Code § 16-123-107 (2018); La. Stat. Ann. § 49:146 (2018); N.J. Stat. Ann. § 10:5–12.5(b) (2018); Ohio Rev. Code Ann. § 4112.021 (LexisNexis 2019); Minn. Stat. § 181.935(a) (2018).

362.

See, e.g., 11 R.I. Gen. Laws § 11-24-4 (2019); 016–14 Ark. Code. R. § 002–1078 (2018); Md. Code Regs. 07.03.01.10 (2018); Md. Code Regs. 07.03.03.23 (2018); Md. Code Regs. 07.03.07.15 (2018); Md. Code Regs. 07.03.16.19 (2018); Md. Code Ann., Ins. § 27–502 (LexisNexis 2018); Md. Code Ann., State Gov’t § 20–610 (LexisNexis 2018); N.J. Admin. Code § 4A:7–2.2 (West 2019); Or. Admin. R. 407-005-0030(1) (2019); 10 Colo. Code Regs. § 2506–1:4.070.2 (2019); 40 Tex. Admin. Code § 813.53 (West 2018); 40 Tex. Admin. Code § 849.52 (West 2018); Cal. Gov’t Code § 19702 (West 2019); Minn. R. 7520.0350 (2019); Minn. R. 9575.0090 (2019); N.Y. Exec. Law § 296-a (McKinney 2018); Ohio Admin. Code § 5120-9-04 (LexisNexis 2019); Okla. Stat. tit 25.21, § 5.1501 (2019); Okla. Admin. Code § 365:10-5-143 (2019); Or. Admin. R. 943-005-0030(1) (2019); Or. Admin. R. 943-005-0030 (2019); 11 R.I. Gen. Laws Ann. § 42-51-10 (2019); 1–7 Wyo. Code R. § 5084–7 (LexisNexis 2019); see also 16 Del. Admin. Code 5100–1006 (2018) (imposing requirement to provide information about non-discrimination statutes and policies, how to file a discrimination complaint, and refer to the online civil rights complaint); 016–14 Ark. Code. R. § 004–1068.5.2 (2018); Cal. Gov’t Code § 12931 (West 2019) (department may provide assistance to communities and persons therein in resolving dispute relating to discriminatory practices).

363.

Mich. Comp. Laws § 750.147a (2018) ($200 or actual damages, whichever is greater for discrimination in credit transactions); N.Y. Exec. Law § 296-a (McKinney 2018) (compensatory damages to the person aggrieved for discrimination in credit transactions); Ohio Rev. Code Ann. § 4112.021 (LexisNexis 2019) (may award “compensatory and punitive damages of not less than one hundred dollars” for discrimination in credit transactions).

364.

See, e.g., Ark. Code Ann. § 16-123-107 (2019) (for intentional acts of discrimination; also authorizes punitive damages. Damages are limited based on the size of the employer (under 14 limited at $15,000, >15–100 limited to $50,000, >100–200 limited to $100,000, >201–500 limited to $200,000, and >500 limited to $300,000)); Mich. Comp. Laws § 750.147a (2018) (authorizing costs and reasonable attorney’s fees to “prevailing party”); Minn. Stat. § 181.935 (2018) (authorizes damages, costs, attorney’s fees, equitable relief); Ohio Rev. Code Ann. § 4112.021 (LexisNexis 2019) (authorizes attorney’s fees, court costs, and equitable relief in addition to damages for discrimination in credit transactions).

365.

Md. Code Ann., Ins. § 27–502 (LexisNexis 2018) (surety insurance); Nev. Rev. Stat. § 645.321 (2019) ($500 for the first offense; second offense risks license in real-estate transactions); N.Y. Exec. Law § 296 (LexisNexis 2019) (fine of no more than $10,000); Mont. Code Ann. § 49-2-602 (providing for fines up to $1,000 or imprisonment in instances of housing discrimination due to intimidation or interference). The following states specify that the behavior is a misdemeanor without specifying the penalty within the terms of the statute we identified: Ind. Code. § 35-46-2-2 (2018) (making discrimination in jury selection a Class A misdemeanor); Minn. Stat. § 176.201(2) (2018); Nev. Rev. Stat. § 207.310(3) (2019); Nev. Rev. Stat. § 193.140–50 (2019).

366.

Me. Stat. tit. 24-A, § 2159-C(3) (2019); N.J. Admin. Code § 13:44G-10.7 (West 2018); N.J. Admin. Code § 4A:7–3.1 (West 2018); Nev. Rev. Stat. § 610.185 (2019); Nev. Rev. Stat. § 645.321 (2019); 93 Neb. Admin. Code § 15–003 (2018); 2019 N.Y. Laws § 220-E; N.Y. Lab. Law § 239(4) (McKinney 2019); Ohio Admin. Code 5120-9-04 (LexisNexis 2019); Or. Admin. R. 943-005-0030 (2018); Iowa Admin. Code r. 371-4.25.173 (2019).

367.

See, e.g., U.S. Dep’t of Health and Hum. Serv., Genetic Information Nondiscrimination Act Guidance (2009), available at https://www.hhs.gov/ohrp/regulations-and-policy/guidance/guidance-on-genetic-information-nondiscrimination-act/index.html (noting that “GINA has implications regarding the actual or perceived risks of genetic research and an individual’s willingness to participate in such research,” and its relevance to consent, as well as the evaluation of the risks of the study).

368.

See supra text accompanying notes 173 (for consent to genetic testing) and 185 (for disclosure of genetic information).

369.

See supra text accompanying note 214.

370.

See supra notes 219–229 and accompanying text.

371.

See supra notes 21 to 23 and accompanying text.

372.

See supra notes 238–239 and accompanying text, describing how twenty-seven states provide a private right of action and eight states allow individual enforcement under state unfair and deceptive trade practices laws.

373.

See text accompanying note 331, describing sixteen states that provide private rights of action for violations of the state medical privacy laws.

374.

See supra Table 2 describing eight states’ statutory damages provisions.

375.

See supra note 252 and accompanying text.

376.

See supra text accompanying notes 273–275.

377.

See supra text accompanying notes 277–285.

378.

Del. Code. Ann. tit. 16, § 1201 (2019).

379.

45 C.F.R. § 46.116 (2019) (“No informed consent, whether oral or written, may include any exculpatory language through which the subject is made to waive or appear to waive any of the subject’s legal rights, or releases or appears to release the investigator, the sponsor, the institution, or its agents from liability for negligence”).

380.

Natalie Ram, Assigning Rights and Protecting Interests: Constructing Ethical and Efficient Legal Rights in Human Tissue Research, 23 Harv. J.L. & Tech. 119, 161–166 (2009).

381.

See Louise Slaughter, Genetic Information Non-Discrimination Act, 50 Harv. J. Legis. 41, 53–54, 59 (2013) (describing the legislative decision to exclude these types of insurance from GINA); Jessica D. Tenenbaum & Kenneth W. Goodman, Beyond the Genetic Information Nondiscrimination Act: Ethical and Economic Implications of the Exclusion of Disability, Long-Term Care and Life Insurance, 14 Personalized Med. 153 (2017).

382.

See Slaughter, supra note 381, at 54; Tenenbaum & Goodman, supra note 381.

RESOURCES