Author manuscript; available in PMC: 2019 Nov 19.
Published in final edited form as: Asia Pac J Health Law Ethics. 2018 Mar 31;11(2):1–15.

Risks and Legal Protections in the World of Big-Data

Leslie E Wolf 1
PMCID: PMC6863510  NIHMSID: NIHMS1010941  PMID: 31745539

Abstract

The development of large electronic data sets, whether from electronic health records, health registries, or large-scale gene-environment interaction studies, offers unparalleled, innovative opportunities to learn more about human health and disease. However, because these data may be used in unexpected ways without the knowledge or consent of individuals whose data are being used, they also raise critical concerns about protections of individuals against risks. Traditional approaches to protecting research participants and patients may not address new or heightened risks in the “big data” era.


We conducted legal research to elucidate the web of legal protections afforded research participants in genomic research, including laws governing human subjects research, privacy, consent, discrimination, and use of research participants’ genetic information, with broader implications for data use in other research or in health care settings. This research has revealed substantial regulatory activity and variation across the 50 states that may fill known gaps in federal protections. For example, some states go further than the Genetic Nondiscrimination Act (GINA) by extending genetic antidiscrimination statutes to life and disability insurers or to employers with fewer than 15 employees. In addition, states often explicitly provide remedies, such as statutory damages, attorneys’ fees, and costs that can facilitate enforcement of legal rights not afforded in federal laws. This analysis can inform approaches to data privacy law in the United States and beyond to provide appropriate protections as health systems and scientists seek to harness the promise of big data.

There is now a surfeit of data available resulting from the move to electronic health records and the proliferation of “smart” technologies, from medical devices to consumer wearables, that can provide a steady stream of information about patients’ measurements, status, and activities. Health systems, insurers, governments, and researchers are all seeking ways to harness these data to improve health care delivery and health outcomes.

In some ways, these efforts are no different from the research, quality improvement, and other efforts to learn from patient experiences in the health system. In the United States, health systems, insurers, governments, and researchers routinely access patients’ medical records to support these types of efforts. Despite ethical and legal norms of patient privacy, confidentiality of medical records, and informed consent, U.S. law permits much use of patient records for quality improvement or research efforts without patients’ knowledge or consent.1 The rationale has been that such activities pose very low risk to patients, while providing substantial societal benefits from the knowledge gained.2

In other ways, however, the sheer magnitude of available data and the unexpected ways they can be combined raise critical concerns about whether the risks to individuals remain low and whether there are mechanisms available to adequately protect individuals against those risks. Traditional approaches to protecting patients and research participants may not address new or heightened risks in the “big data” era.

We conducted legal research to elucidate the “web” of legal protections afforded research participants in genomic research in the United States. Our analysis of the federal and state laws that protect research participants identified several approaches to protecting participants, gaps in the protections, and specific ways individual states have filled those gaps. Drawing on this research, in this paper, we describe the general approaches to data privacy law in the research context in the United States and then consider which types of protections may be necessary as health systems and scientists seek to take full advantage of the promise of big data.

Types of Risks

Because protections should be responsive to harms, we first considered the potential risks to research participants.3 We identified three major potential risks: use of information without consent, inappropriate access to information, and inappropriate use of information. The latter includes the potential reidentification of individuals from deidentified or aggregate data.

The use of genomic and/or medical information without the participants’ knowledge or consent could be considered a violation of the principle of respect for persons, both by failing to respect individual autonomy and by invading privacy.4 As such, it would be a wrong in and of itself, even if no harm to the individual arises from the use. In the United States, there have been several instances in which research participants have objected to use of their information without their knowledge or consent. In some of these cases, the participants objected to the research itself, as well as the use without consent.5 These cases have mainly revolved around use of biospecimens in research without consent; they include secondary research use of biospecimens originally collected with consent for research and research use of biospecimens originally collected for non-research use. Despite widespread media attention to some of these cases, including a recent dramatization of the Henrietta Lacks case starring Oprah Winfrey, the public remains largely ignorant of how much research still may be legally conducted without consent.6 The controversy over Facebook’s manipulation of users’ news feeds (which Facebook controls by algorithms) without knowledge or consent to evaluate how the emotional content of those feeds affects users’ posts provides further evidence that the public expects to be asked to consent, even in cases where the regulations do not require it.7

Inappropriate access to information by a third party is the second risk we identified. There are many people who may have legitimate access to and uses for genomic or health information. For example, HIPAA, the federal medical privacy law, permits use of medical information for treatment and payment purposes without written authorization.8 Most individuals want such sharing of information for these purposes. However, individuals also have concerns that others may access their information for other purposes. In some cases, the information may be highly personal or stigmatizing, such that disclosure of the information in and of itself may be considered a wrong.9 Individuals may want to control to whom they disclose certain information. Federal and state genetic and medical privacy laws limit disclosure of genomic and health information without patient authorization, but there are often numerous exceptions, including for research, quality improvement, and peer review. Patients and research participants may not be fully cognizant of how their information may be shared and used without their consent.

A third risk is inappropriate use of information. This may arise when people have legitimate access to the information, but may use it for other purposes. Genetic and medical privacy laws commonly allow law enforcement to get access to medical records without authorization, although, in some cases, there may be judicial oversight. Individuals may fear that medical information may be used in investigations or prosecutions that could lead to criminal penalties.10 Employers and insurers may legitimately have access to information for one purpose, and the concern is that, once in their hands, it may be used for other purposes. For example, an employer may obtain genetic or health information for a claim for worker’s compensation, and use it against the person in promotion or retention decisions. Similarly, an insurer may use genetic or health information to deny or limit coverage or set premiums.

Reidentification of individual participants is a special subset of inappropriate use of information. Significant research may be conducted without consent when it is considered minimal risk because the researchers do not have identifiers or they have taken steps, like coding, to prevent individuals from being readily identified. However, the proliferation of information that is widely available challenges this basic understanding. Researchers have demonstrated in numerous contexts that it is possible to identify individuals in data that has been stripped of direct identifiers based on limited publicly available information.11 While such reidentification may currently be beyond the skills of ordinary citizens, it is a growing risk, as reidentification becomes easier as more data becomes readily accessible. In addition, as such information increasingly is perceived as valuable, the incentives to seek data and connect it will also grow.12

Corresponding Types of Protection

We identified three major types of protection that correspond to the risks we identified. These are: consent, which affords individuals some level of control over their genetic information; confidentiality obligations, which respond to concerns about inappropriate access; and laws that limit use of information, which respond to concerns about inappropriate use of information. These latter commonly are antidiscrimination laws, but also include a limited number of laws restricting reidentification of individuals. In addition, states add to these protections by including enforcement mechanisms.

Consent.

Consent has been considered an important mechanism for protecting individual autonomy. Consistent with international norms,13 federal regulations generally require consent to research participation.14 This requirement allows individuals to decide whether to participate in the research after being informed of the research’s purpose and its risks and benefits, among other things.15 Nevertheless, the federal regulations also permit medical records or biospecimen research to be conducted without consent under circumstances, such as using codes instead of identifying information, that minimize risks to participants.16 However, as the examples described above illustrate, the public may be ill-informed about these exceptions to the consent requirements and may object when their information and materials are used without their knowledge and consent.

Our research indicates that federal and state laws allow individuals to exercise control over their information in a variety of ways. For example, in the research context, some states expand federal consent requirements by requiring consent to all research conducted among certain populations or in certain settings17 or requiring consent to genetic research under circumstances that the federal exemptions would not.18 Consistent with general medical privacy laws, including the federal HIPAA law, that require patient authorization to disclose their information, some states require consent before disclosure of genetic information.19 States also impose requirements to obtain consent before conducting genetic testing20 or before retaining genetic information.21 Such consent requirements limit the likelihood the individual’s information will be used without their knowledge or consent. However, many of these provisions have exceptions to them, including for research purposes, which undermine individual control.22

Confidentiality protections.

Confidentiality protections respond to concerns that information may be revealed beyond the needed use. Confidentiality protections come in a variety of forms. Sometimes the provisions are general; they declare the genetic information to be confidential, but do not specify more.23 Some states expand on these general obligations and require those who work with confidential information to sign a document acknowledging their confidentiality obligations.24 While these provisions do not substantively change the confidentiality obligations, they may have a practical effect on employees’ understanding of their obligations. Such confidentiality provisions are consistent with the well-recognized confidentiality obligations within the doctor-patient relationship that were considered to need further specification through the adoption of the federal HIPAA law. Nevertheless, such provisions can serve as evidence of a standard of care to support a claim for breach of confidentiality.

In many cases, states provide more specific confidentiality protections. The consent provisions that grant patients and participants control over who has access to their information correspondingly impose obligations on those who hold the data to get appropriate consent before disclosing. Under some laws, these obligations apply only to specific types of individuals (e.g., health care providers), whereas other laws apply to the data more generally, regardless of who receives it. Some states further protect confidentiality of genetic information by protecting against compelled disclosure, such as through subpoena, in any legal proceeding.25 These laws typically prohibit disclosure of the identity of the individual, although they may permit disclosure of information that is not identifiable, such as aggregate data. Some states go further, in some cases declaring genetic information inadmissible26 and in others not allowing even discovery of it.27

Limitations on use.

The limits that states impose on use of information generally pertain to anticipated potential misuses. Specifically, because the United States does not have guaranteed health insurance, there were concerns that health insurers might deny coverage based on genetic information. Accordingly, numerous states adopted laws prohibiting health insurers from using genetic information in underwriting decisions, and the federal government later enacted GINA, extending such protection nationwide.28 Some states go beyond GINA’s limited application to prohibit use of genetic information in disability and long term care insurance,29 and one state prohibits use of genetic information in underwriting any type of insurance, including life insurance.30 Another concern is that employers might make adverse employment decisions – such as hiring, firing, or promoting – against individuals based on their genetic information. The federal GINA and similar state laws also prohibit employers’ collection and use of genetic information in employment decisions.31

The state confidentiality laws against compelled disclosure also have some role to play in protecting against inappropriate use, as they prevent third parties from gaining access to information that could be used to harm the individual whose information it is. The protections described typically limit disclosure of identifiable information, but often permit the disclosure of information that has been stripped of identifiers. The assumption has been that such information is rendered anonymous, although that assumption has proven faulty, at least for persons with the requisite knowledge and determination. Fuller protection requires restrictions on attempts to reidentify individuals whose data have been revealed. At least one state has such a restriction.32 Such restrictions also have been used in protective orders when data have been ordered disclosed in discovery,33 but such protections are ad hoc, requiring litigants to request them and for a judge to grant them.

Enforcement.

All these protections are further strengthened to the extent that they also provide a mechanism to enforce the requirements. The federal laws often do not provide a mechanism for individuals to bring claims if they are injured. States more commonly do so. For example, many of the consent provisions also have remedies for failing to get the requisite consent. When states provide a mechanism for bringing a claim, they often also specify that those aggrieved may obtain damages, attorneys’ fees, and costs.34 Several states include legal minimums for damages per claim or per violation. These legal minimums, coupled with attorneys’ fees and costs, make it more likely that an aggrieved individual could bring an action and enforce the protections afforded by law.

Lessons for data-driven health care

Although our analysis focused on genomic research, the protections we studied often applied more generally to medical information. Moreover, the concerns that we identified apply equally to genomic research and to the use of population-level health data to develop a data-driven health care system. Accordingly, our analysis, coupled with some of the American experiences, has lessons for other countries seeking to take advantage of the wealth of genomic and health data being generated.

First, whether to require consent to use patient data is an issue that deserves careful consideration. There are strong scientific reasons to use data without requiring consent, as the data will be significantly more representative and complete. Moreover, there are long-standing precedents for conducting such research without consent. Despite general norms regarding consent, United States research law permits research using medical records and biospecimens without consent. In addition, despite general norms of patient confidentiality, United States health care laws generally permit use of records for research and a variety of quality improvement activities. Indeed, some have argued that citizens have an obligation to allow their information to be used in support of learning health systems that benefit all.35 Moreover, individual medical information may be used for numerous, legitimate government functions, such as public health activities, quality oversight, and audits of government spending. Many of the state consent requirements we found pertain to specific contexts – research among vulnerable populations and genetic testing36 – that may not be generalizable to medical information more generally.

Although such unconsented uses of medical and genomic information are ubiquitous, the public is typically unaware of these uses. For example, public messaging regarding HIPAA’s protections has emphasized how it empowers patients,37 not its numerous exceptions. Failing to meet the public’s expectations regarding their health information can lead to negative consequences.38 Indeed, one of the parents who sued after learning her newborn’s screening blood spot had been used without her knowledge or consent indicated that she probably would have consented had she been asked.39

This comment points to a way forward without seeking individual consent: better communication about how health information is actually used. Had this parent been told at the outset that her child’s blood spot would be used for research, in addition to her child’s screening, she likely would not have objected. Her support for the research likely would have increased had she been told that research conducted with spots like her child’s made such public health screening – and treatment as necessary – possible. Evidence suggests that, when asked about it, Americans are largely supportive of research and willing to have their information used in it. Educating the public about how their health information might be used in research to improve health and health care delivery and how individuals’ interests will be protected would help set more realistic expectations and convey the benefits of population-based research. It is more respectful to be transparent about the uses of individuals’ information. Such education may also provoke public discussion that could inform efforts to ensure the public’s interests are protected. It also makes it possible to permit meaningful opt-out from participation because individuals are aware that there is a choice to be made.

Second, there needs to be consideration of what protections are needed to protect the information in use. Public willingness to have their information used in data-driven health care will undoubtedly be with the expectation that their information will be protected and the individual risks to them will be minimized. Accordingly, some level of confidentiality protections is necessary. At a minimum, protections should be consistent with protections for medical information generally. However, it is worth considering whether additional protections are warranted because the use will not benefit individuals directly. Given critiques of “genetic exceptionalism,” it is worth discussing whether genetic information should receive additional protections, as we see in some of the U.S. laws regarding genetic testing and information.

In addition to considering confidentiality protections, it is important to consider what protections against inappropriate uses are needed. In doing so, the legal and cultural context must be taken into account. For example, the concerns that resulted in GINA and similar state genetic privacy/antidiscrimination laws arose, in part, because the United States does not have universal health insurance. People were concerned that health insurance coverage would be denied or made prohibitively expensive because of genetic information that had not manifested as a disease or condition. Although there is little evidence that insurers did so, they certainly made such underwriting decisions based on other types of health information. In countries with universal health insurance, these particular protections may not be necessary. In contrast, the components of GINA and similar state laws that limit use of genetic information in employment decisions likely have broader relevance across countries.

Third, there needs to be some reflection on the legal and cultural context in which these legal protections have been and will be adopted. The United States emphasizes individual preferences and rights. American laws reflect that orientation, and respect for autonomy and individual consent play a central role within American medical ethics. At the same time, there is a long history of discrimination that has resulted in persistent health disparities and distrust of the medical profession and research. The legal protections provide a mechanism for realizing collective benefit, while recognizing and protecting individual interests. The particular approaches adopted in the United States may not be suited for countries with a more communitarian orientation and where there may be more trust in the government. Nevertheless, the general approaches can be helpful and the particular approaches might help stimulate conversation and thinking.

Finally, if protections are afforded, there ought to be some mechanism for enforcement. Again, the type of enforcement should be suited to the legal and cultural context. The granting of an individual right to sue that we found in some state laws may reflect the U.S. legal system’s reliance on the adversarial process. However, whatever approach is taken, it should provide meaningful redress to individuals who suffer harms as a result of their information being used for research to the cause of data-driven health care.

In sum, our research has revealed a variety of approaches that the federal and state governments have adopted toward data privacy in the context of genomic research. These include allowing individuals to decide whether their information is used through consent requirements, imposing confidentiality obligations with respect to the data, and prohibiting certain uses. This conceptual framework and the examples presented provide a starting point for considering how to move forward with a data-driven health system.

Acknowledgements:

This work is supported, in part, through a grant from the National Human Genome Research Institute at the U.S. National Institutes of Health (NIH R01-HG-007733), Laura M. Beskow, principal investigator.

Footnotes

1

The HIPAA Privacy Rule sets minimum national standards regarding confidentiality of patient medical records, although states may adopt stricter requirements. U.S. Department of Health and Human Services, Summary of the HIPAA Privacy Rule, https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. These include requirements for written patient authorization to access medical records. But both the federal and state laws permit access to records without authorization for some activities, including peer review, quality improvement, and research (under some conditions). Id. Similarly, federal regulations governing human subjects research typically require consent, but research using medical records may be exempt from the provisions. See 45 C.F.R. 46.101(b)(4) & 111.

2

Leslie E. Wolf and Bernard Lo, Untapped Potential: IRB Guidance and Ethics on Research with Stored Biological Materials, IRB: Ethics and Human Research 26(4): 1–8 (2004). See also Presidential Commission for the Study of Bioethical Issues. Privacy and Progress in Whole Genome Sequencing. Washington, D.C.; 2012: http://bioethics.gov/node/764.

3

Because the proposed uses of big data would provide population-based benefit, rather than individual benefit, the potential harms to patients are likely the same as to research participants.

4

The Value and Importance of Health Information Privacy, in Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health through Research (Nass SJ, Levit LA, Gostin LO, editors). Washington (DC): National Academies Press (2009).

5

Henrietta Lacks’s story is probably the best known, as a result of Rebecca Skloot’s best-selling book The Immortal Life of Henrietta Lacks. Mrs. Lacks, a young African-American woman, underwent surgery for her cervical cancer at Johns Hopkins Hospital in 1951. Tissue samples removed at the time of surgery were used for research without her knowledge or consent and developed into one of the first successful cell lines. Named HeLa, they have since been in use in research worldwide. Her family lived in poverty with limited access to health care, unaware of their mother’s legacy. Although the book and other media focused attention on such unconsented research, it remains legal. Laura M. Beskow, Lessons from HeLa Cells: The Ethics and Policy of Biospecimens, Annu. Rev. Genom. Hum. Genet. 17: 395–417 (2016). Another recent case that received media attention is that of the Havasupai, a small Native American tribe who live near the Grand Canyon. They had given blood samples to an Arizona State University researcher to conduct diabetes research, a condition that affected the tribe. Unbeknownst to them, the samples were also used in research offensive to them, including research on inbreeding, schizophrenia, and migration. The latter conflicted with the Havasupai’s origin story. The Havasupai sued the researchers and ASU for the misuse of their samples and for their return. Although legally permissible, ASU settled the suit, apologized to the Havasupai, and agreed to collaborate with the tribe on health, education, and economic development issues. Michelle M. Mello and Leslie E. Wolf, The Havasupai Indian Tribe case – Lessons for Research Involving Stored Biological Samples, New Engl. J. Med. 363(3): 204–207. Parents in Minnesota and Texas sued after learning that their newborns’ blood spots had been used in research. See Adam Doerr, Newborn Blood Spot Litigation: 70 Days to Destroy 5+ Million Samples, Genomics Law Report, February 2, 2010, available at https://www.genomicslawreport.com/index.php/2010/02/02/newborn-blood-spot-litigation-70-days-to-destroy-5-million-samples/; Allison M. Whalen, That’s My Baby: Why the State’s Interest in Promoting Public Health Does Not Justify Residual Newborn Blood Spot Research Without Parental Consent, Minn. L. Rev. 98: 419–453 (2013).

6

The U.S. Department of Health and Human Services proposed requiring consent for use and storage of biospecimens in its Notice of Proposed Rule Making, but abandoned that proposal in the final version of the revised human subjects regulations. [Cites] In response to lawsuits, Texas and Minnesota now require consent to store and use DNA obtained for newborn screening for treatable genetic conditions for research.

7

David Gorski, Did Facebook and PNAS violate human research protections in an unethical experiment?, June 30, 2014, http://www.sciencebasedmedicine.org/did-facebook-and-pnas-violate-human-research-protections-in-an-unethical-experiment/; John Kleinsman and Sue Buckley, Facebook Study: A Little Bit Unethical But Worth It?, J. Bioethical Inquiry, 12(2): 179–182 (2015).

8

U.S. Department of Health and Human Services, Summary of the HIPAA Privacy Rule, https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.

9

For example, information about sexually transmitted diseases, mental health, and substance abuse is generally considered sensitive. Accordingly, this type of information is sometimes afforded special confidentiality protections [Cites]. Similarly, under 2013 amendments to HIPAA, patients may restrict their health insurer’s access to treatment information for which they pay cash. The amendment recognized that some individuals may avoid care because of privacy concerns. Jim Pyles, The Right to Obtain Restrictions under the HIPAA/HITECH Rule: A Return to Ethical Practice of Medicine, ABA Health eSource, vol. 9, issue 9 (2013) available at https://www.americanbar.org/content/newsletter/publications/aba_health_esource_home/aba_health_law_esource_1305_pyles.html.

10

Although this may seem unlikely, there have been cases in which law enforcement has used such data for investigations. See, e.g., Debra Cassens Weiss, Data on man’s pacemaker led to his arrest on arson charges, ABA Journal, February 6, 2017 available at http://www.abajournal.com/news/article/data_on_mans_pacemaker_led_to_his_arrest_on_arson_charges; Debra Cassens Weiss, Murdered woman’s Fitbit data inconsistent with husband’s story, police say, ABA Journal, April 25, 2017, available at http://www.abajournal.com/news/article/murdered_womans_fitbit_data_was_inconsistent_with_husbands_story_police_say; Eli Rosenberg, Family DNA Searches Seen as Crime-Solving Tool, and Intrusion on Rights, New York Times, January 27, 2017, available at https://nyti.ms/2kctzAH.

11

See Leslie E. Wolf, Lauren A. Dame, Mayank J. Patel, Brett A. Williams, Jeffrey L. Austin, Certificates of Confidentiality: Protecting human subject research data in law and practice, Minnesota Journal of Law, Science & Technology, 14(1): 11–87 (2013) (http://purl.umn.edu/144219) and citations therein at 76–78 for examples of reidentification from information; Leslie E. Wolf, Advancing Research on Stored Biological Materials: Reconciling Law, Ethics, and Practice, Minn. J. Law, Sci. & Tech. 11(1): 99–156 (2010) at 133–135 for discussion of reidentification of biospecimens.

12

There have been numerous reports of hacking attempts, including ransoming of data, in the United States and elsewhere. See, e.g., James Swann, FBI Committed to Helping Health-Care Industry Fight Cybercrime, BNA’s Health Care Daily Report, May 9, 2017; Casey Harber, FDA, industry fear wave of medical-device hacks, The Hill, April 10, 2017 available at http://health.usnews.com/health-care/articles/2017-05-11/ransom-seeking-hackers-targeting-hospital-data; Mary Elizabeth Dallas, Ransom-Seeking Hackers Targeting Hospital Data, U.S. News and World Report, May 12, 2017 available at http://health.usnews.com/health-care/articles/2017-05-11/ransom-seeking-hackers-targeting-hospital-data.

13

The first provision of the Nuremberg Code, often considered one of the first codes of research ethics, is: “The voluntary consent of the human subject is absolutely essential.” The text of the Nuremberg Code is available at https://history.nih.gov/research/downloads/nuremberg.pdf. It has no exceptions to this requirement.

14

See, e.g., 45 C.F.R. 46.111(a)(4) and 46.116. Some have begun to challenge this conception, suggesting there may be an obligation to participate in some forms of research and, in minimal risk research that allows for learning health care systems, such research can be conducted without consent. See, e.g., Ruth R. Faden, Tom L. Beauchamp, and Nancy E. Kass, Informed Consent, Comparative Effectiveness, and Learning Health Care, New Engl. J. Med. 370: 766–768 (2014).

15

See, e.g., 45 C.F.R. 46.116(a) & (b).

16

Such research may be exempt from the regulatory requirements or may be conducted under a waiver of the consent requirement. 45 C.F.R. § 46.101(b)(4) and 45 C.F.R. § 46.116(d). See Leslie E. Wolf, Advancing Research on Stored Biological Materials: Reconciling Law, Ethics, and Practice, Minn. J. Law, Sci. & Tech. 11(1): 99–156 at 127–133 (2010) for a discussion of how these regulatory requirements may be applied. The U.S. Department of Health and Human Services has promulgated revised regulations which continue to allow such research to be conducted without consent. Federal Policy for the Protection of Human Subjects, 82(12) Fed. Reg. 7149 (January 19, 2017). The revisions currently are under review by the Trump administration. Jeanne Baumann, Trump Administration Seen Unlikely to Change Human Research Rule, Health Care on Bloomberg Law, May 26, 2017 https://www.bna.com/trump-administration-seen-n73014451606/.

17

See, e.g., Ala. Code § 22-56-4 (mental health services); N.Y. Comp. Codes R. & Regs. Tit. 14 § 815.11 (substance abuse programs).

18

See, e.g., Ore. Rev. Stat. § 192.531 et seq.

19

See, e.g., Alaska Stat. Ann. § 18.13.010; Cal. Civil Code § 56.17; and Fla. Stat. Ann. § 760.40.

20

See, e.g., Alaska Stat. Ann. § 18.13.010; Del. Code Ann. Tit. 16 § 1202; Iowa Code Ann. § 729.6; and Vt. Stat. Ann. Tit. 18, § 9332.

21

See, e.g., La. Rev. Stat. Ann. 22:1023, 37 La. Admin. Code Pt. XIII, 4545; N.J. Stat. Ann. § 10:5-46; N.M. Stat. Ann. § 24-21-1 et seq.; Nev. Stat. Ann. § 629.101 et seq.

22

Other common exceptions include those for law enforcement or public health purposes and those that apply under a court order.

23

See, e.g., Colo. Rev. Stat. Ann. § 10-3-1104.6 and Ga. Code Ann. § 33-54-1 et seq.

24

See, e.g., R.I. Gen. Laws Ann. § 5-37.3-4. HIPAA requires worker training on confidentiality obligations. Department of Health and Human Services, Summary of the HIPAA Privacy Rule, https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html (citing 45 C.F.R. § 160.103 and 45 C.F.R. § 164.530(b)).

25

See, e.g., Del. Code tit. 16 § 1205; 410 Ill. Comp. Stat. Ann. 513:1 et seq.

26

See, e.g., Ark. Code Ann. § 20-35-103.

27

410 Ill. Comp. Stat. Ann. 513:1 et seq.

28

See, e.g., Ga. Code Ann. § 33-54-1 et seq.; Haw. Rev. Stat. § 431:10A-118, Haw. Rev. Stat. § 431:10A-404.5, Haw. Rev. Stat. § 431:1-607, Haw. Rev. Stat. § 431:2-404.5, Haw. Rev. Stat. § 432D-26; Kan. Stat. Ann. § 40-2259; Ky. Rev. Stat. Ann. § 304.12-085; R.I. Gen. Laws Ann. § 27-18-52, R.I. Gen. Laws Ann. § 27-18-52.1, R.I. Gen. Laws Ann. § 27-19-44, R.I. Gen. Laws Ann. § 27-19-44.1, R.I. Gen. Laws Ann. § 27-20-39, R.I. Gen. Laws Ann. § 27-20-39.1, R.I. Gen. Laws Ann. § 27-41-53, R.I. Gen. Laws Ann. § 27-41.53.1; S.C. Code Ann. § 38-93-10 et seq.; S.D. Codified Laws § 58-1-25, S.D. Admin. R. 20:06:39:47–20:06:39:52, S.D. Admin. R. 20:06:40:34 & 20:06:40:35; Tenn. Code Ann. § 56-7-2701 et seq.; Tex. Ins. Code Ann. § 546.001 et seq.; Va. Code Ann. § 38.2-3450, Va. Code Ann. § 38.2-508.4; Wis. Stat. Ann. § 631.89. Genetic Information Nondiscrimination Act (GINA) of 2008, Pub. L. 110–233, 122 Stat. 881 (2008). GINA provides a federal floor, so any state law provisions that are stricter than GINA remain in force. Perry W. Payne, Jr., Melissa M. Goldstein, Hani Jarawan, Sara Rosenbaum, Health Insurance and the Genetic Information Nondiscrimination Act of 2008: Implications for Public Health Policy and Practice, Public Health Rep. 124(2): 328–331 (2009).

29

See, e.g., Colo. Rev. Stat. Ann. § 10-3-1104.7 (group disability and long-term care insurance).

30

Vt. Stat. Ann. Tit. 18 § 9334.

31

Genetic Information Nondiscrimination Act (GINA) of 2008, Pub. L. 110–233, 122 Stat. 881 (2008) and see, e.g., D.C. Code § 2-1402.11; Idaho Code Ann. § 39-8301 et seq.; 410 Ill. Comp. Stat. Ann. § 513:1 et seq.; Kan. Stat. Ann. § 44-1009; Wis. Stat. Ann. § 111.372.

32

410 Ill. Comp. Stat. Ann. 513:1 et seq.

33

See Leslie E. Wolf, Lauren A. Dame, Mayank J. Patel, Brett A. Williams, Jeffrey L. Austin, Certificates of Confidentiality: Protecting human subject research data in law and practice, Minnesota Journal of Law, Science & Technology, 14(1): 11–87 (2013) (http://purl.umn.edu/144219) (discussion of legal cases, particularly the products liability cases and “Other Available Protections” section beginning at 65).

34

See, e.g., Alaska Stat. Ann. § 18.13.020, Colo. Rev. Stat. Ann. § 10-3-1104.6 & 1104.7, La. Rev. Stat. Ann. § 22:1023, and N.H. Rev. Stat. § 141-H:1 et seq.

35

See, e.g., Ruth R. Faden, Tom L. Beauchamp, and Nancy E. Kass, Informed Consent, Comparative Effectiveness, and Learning Health Care, New Engl. J. Med. 370: 766–768 (2014).

36

Because of its predictive nature, genetic information has been perceived differently than other medical information. As a result, there is a so-called genetic “exceptionalism” incorporated into these laws, although some have questioned its appropriateness. See, e.g., James P. Evans and Wylie Burke, Genetic exceptionalism. Too much of a good thing? Genetics in Medicine, 10: 500–501 (2008).

37

See, e.g., U.S. Department of Health and Human Services, Your Rights Under HIPAA, https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html

38

As described above, controversies have arisen when actions have conflicted with public expectations.

39

J. Scott Applewhite, Debate over blood samples from babies, USA Today, February 8, 2010 available at https://usatoday30.usatoday.com/news/health/2010-02-08-baby-blood_N.htm.

RESOURCES