Abstract
A 2018 committee report published by the highly respected National Academies of Science, Engineering, and Medicine (the Report) recommends stripping research participants of crucial data privacy rights and discarding decades of carefully deliberated consensus guidelines for the ethical return of results and data from research. This Article traces these disturbing recommendations to three root causes: (1) a statement of task that blocked careful and impartial analysis of a disputed legal matter central to the Report; (2) a piecemeal legal analysis that omitted relevant strands of law; and (3) the inappropriate conflation of two distinct concepts—the return of individual research results (the stated subject of the Report) and privacy-enabling individual access rights, which have a nearly fifty-year legal history long predating the modern debate about return of results. The Report’s recommendations would erect new barriers to the return of results and, simultaneously, dial back a core data privacy right that Americans—including many research participants—currently enjoy. We urge extreme caution in implementing this Report’s flawed recommendations. Congress has elevated the right to see one’s personal information to the status of a civil right in many different data environments. Diminishing individual access in the research context erodes its status as a right more broadly.
Faustian bargain: a pact whereby a person trades something of supreme moral or spiritual importance, such as personal values or the soul, for some worldly or material benefit, such as knowledge, power, or riches…. Faustian bargains are by their nature tragic or self-defeating for the person who makes them, because what is surrendered is ultimately far more valuable than what is obtained, whether or not the bargainer appreciates that fact.1
Introduction: An Assault on Longstanding Rights to See One’s Own Data
For nearly fifty years, federal, state, and global lawmakers have created rights to access one’s own data as a crucial dimension of privacy rights.2 Without the ability to access your data, you cannot spot errors, assess the privacy threat posed by circulation of those data, or determine whether to consent to sharing and secondary uses. In the United States, the Health Insurance Portability and Accountability Act (HIPAA)3 Privacy Rule4 has applied this access right to health information, including research-generated information, for nearly two decades.5 Yet it continues to meet resistance, motivating some states to threaten (and some to enact) data-ownership statutes.6
Meanwhile, on a separate track, commentators since at least 19807 have urged that researchers offer to share with research participants their individual-specific research results and incidental findings in the ethical conduct of research, with endorsement of this practice in consensus reports since 1999.8 While the appropriate scope of return has been debated, the basic importance of return of results and incidental or secondary findings is now widely recognized, funded by the National Institutes of Health (NIH) in many studies, and globally practiced.9 However, this too continues to meet resistance.
Both of these domains raise questions of science, medicine, law, and ethics. Progress requires rigorous analysis on all fronts. Yet progress is now endangered by a 2018 report from the National Academies of Science, Engineering, and Medicine (the Report).10 The Academies, a prestigious and highly influential body that has advised the federal government since the Civil War,11 convened a committee to analyze and issue recommendations on return of results and individual access to data. In a stunning departure from the usually excellent quality of Academies reports, this Report failed to provide a thorough legal analysis, thus dooming the Report’s many legal and regulatory recommendations. Worse, the Report conflated the legally separate domains of HIPAA access and return of results. The damage and danger are real. At a time of great progress toward transparency in research, partnership with research participants, and true engagement with research participant communities, the Report threatens to turn back the clock, endangering long-established privacy rights and stalling return of results.
In the domain of privacy, not only has the Report recommended that regulators gut current privacy rights, but the Report adds fuel to a highly problematic movement to grant individuals ownership rights in their own data—a change that would endanger biomedical research and progress. The metaphor of individual data ownership persists in popular discourse about research ethics and data privacy12 despite fairly wide scholarly agreement that data ownership has serious conceptual and practical flaws.13 A few states recognize property rights14 or have considered doing so15 for certain kinds of data, most notably genetic information.16 At the federal level, however, Congress rejected data ownership as a tool for privacy protection almost fifty years ago17 and instead embraced a civil rights model of data privacy.18 Instead of declaring that people own their data and letting courts elaborate the rights and duties ownership entails, Congress has tried to enunciate a core set of rights people should have when their personal data are stored, used, and shared by others.19
These rights are created by federal privacy statutes, such as the Privacy Act of 1974,20 and by privacy regulations Congress authorized when passing other statutes such as HIPAA and the Genetic Information Nondiscrimination Act (GINA).21 In many respects, they resemble the same “bundle of sticks”22 people would have if they owned their data23 but, technically, they are federal civil rights instead of ownership rights. With this artful strategy, Congress was able to provide a federal floor of privacy protections that somewhat resemble data ownership, without inviting challenges by declaring people “owners” of their own data and without encroaching on the states’ traditional prerogative to establish the limits of property law and regulate relationships such as those between individuals and health care institutions.24
One of the privacy rights Congress has consistently protected, dating back to the early 1970s, is the individual’s right of access to one’s own data—that is, a right for people to inspect and receive copies of personal information that others are storing, using, and disclosing about them.25 Individual control, rather than secrecy, is central to the modern paradigm of data privacy,26 and people obviously have no control if they cannot even see what their data contain or gain access to their records. Privacy-related access mimics the right of ingress that inheres in property ownership—a right to enter and inspect one’s property.
Some data holders, for various reasons, resist having to provide this access, and individual access rights are not always vigorously enforced.27 The Academies’ Report observed that providing individual access to data and results at research laboratories is burdensome for researchers and might reduce their productivity.28 The Report stresses that funds for biomedical research “are precious and require careful and responsible stewardship,” so that letting participants have data access “necessarily requires the diversion of some research resources from the primary goal of the research.”29 In short, honoring people’s right to see their own results and data generated during research is inconvenient.30
This kind of failure to provide access enhances pressure for statehouses to enact data-ownership laws to give people desired control over their data.31 A patchwork of state data-ownership bills, if enacted, would strengthen individual access but could impede the availability of data for research and other socially beneficial uses. Attempts to weaken existing federal individual access rights thus invite serious unintended consequences for biomedical research, which increasingly relies on data as fuel for discovery.
This Article explores how the Academies’ Report, which is entitled, “Returning Individual Results to Research Participants,”32 would affect research participants’ privacy rights while also undermining the ethical practice of returning results and data. The Academies are independent, private bodies that trace their lineage to a congressional charter President Lincoln signed in 1863.33 They appoint expert committees to conduct studies of policy questions that require scientific or medical insights and analysis.34 “The reports of the Academies are viewed as being valuable and credible because of the institution’s reputation for providing independent, objective, and nonpartisan advice with high standards of scientific and technical quality.”35 The Academies describe themselves as “the nation’s pre-eminent source of high-quality, objective advice on science, engineering, and health matters.”36
The sponsor of a study—often a federal agency—works with the Academies to agree on a statement of task (SOT) that defines the scope of work.37 “Most studies are funded by those requesting the advice,” with costs ranging “from about $200,000 to more than $1 million,” which is free of any fees for the subject-matter experts serving on the study committee, because they volunteer their time.38 The majority of studies are paid for by federal agencies.39
The Academies generally follow a policy of self-imposed restraint when recommending changes to federal statutes and regulations. The Academies’ criteria for reports thus state that recommendations calling for the adoption of specific legislation are “[o]f particular concern” and “should be avoided unless specifically called for in the study charge.”40 This approach displays respect for the rule of law and for the Constitution, which entrusts Congress—and the agencies Congress authorizes—to make our federal laws and regulations.
When a study addresses legal questions, the Academies’ “high standards of … technical quality”41 demand the same excellence that the Academies require when analyzing questions of science, engineering, and medicine. This means that reports discussing the law should meet legal professional standards. Those standards require accurate statements of law based on thorough legal research,42 not just when representing clients in a practice setting, but also when providing “law-related services”43 such as writing scholarly articles or National Academies reports.
Something went off track in the Academies’ Report on return of results. The three sponsoring agencies44 for the Report were NIH, the Food and Drug Administration (FDA), and the Centers for Medicare and Medicaid Services (CMS), which administers the Clinical Laboratory Improvement Amendments of 1988 (CLIA)45 regulations that promote the safety of laboratory tests used in clinical care.46 The Report focuses on questions raised by return of individual research results to people participating in studies that involve analysis of biospecimens47 — in other words, studies that include laboratory tests of people’s blood or tissue samples.48
This Report deviates from the Academies’ own standards of quality, restraint in legal recommendations, and respect for the rule of law. It is full of legal content and makes multiple legal recommendations and thus needed to meet the professional standards for legal analysis. Yet it makes statements about federal law that prove false when subjected even to cursory legal research.49 The SOT expressly instructs the committee not to propose any amendments to the CLIA statute,50 yet the Report recommends CLIA regulatory changes that appear unlawful unless Congress amends the CLIA statute.51 A rudimentary requirement of legal due diligence is to vet any proposed regulatory changes to make sure they would not violate current statutes. However, there is no sign this vetting occurred: some recommendations press agencies to take actions beyond their statutory authority, while others awkwardly call for regulations to be amended to do things the regulations already do.52 The Report even presumes to advise one agency—the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), which holds the delegated authority53 to administer the HIPAA Privacy Rule54—to scale back one of HIPAA’s core privacy protections,55 even though OCR was not a study sponsor and the Report provides little evidence that OCR was consulted.56
The Report “achieved consensus on a number of core issues” including a claimed need to “transition away from firm rules, such as those embodied in … the [HIPAA] regulations, that stipulate when [laboratory test] results must or cannot be disclosed toward a process-based approach.”57 The “firm rules” in question include U.S. federal laws, which the Report airily recommends our nation should “transition away from.”58
Part I of this Article asks how this happened. We trace the core problem to the Report’s SOT, which incorporated a disputed legal position advanced by CMS, one of the agencies sponsoring the Report. The SOT recited this position as if it were an established legal truth and instructed the committee not to examine the CLIA statute59 (which, had it been examined, proves otherwise). Working with sponsor-imposed legal “blinders” on, the Report made two assumptions about federal law: first, that the HIPAA Privacy Rule’s individual access right60 is in conflict with the CLIA regulations,61 so that research laboratories will violate CLIA if they comply with HIPAA62 and, second, that the CLIA regulations more broadly bar any reporting of individual-specific research results by non-CLIA-certified research laboratories,63 including established ethical practices such as the return of results and data from research. This Article subjects these assumptions to the analysis that the Academies’ committee was ordered not to provide. Neither assumption withstands legal scrutiny.
Part II of this Article disentangles two concepts that the Report improperly conflated. The first is privacy-related individual access rights, such as those protected by the HIPAA Privacy Rule,64 the federal Privacy Act,65 various state privacy laws,66 and the privacy laws of other jurisdictions such as the European Union.67 The second is the return of an individual’s research results as elaborated in the bioethics and scientific literature and in consensus guidelines developed and widely applied over the past twenty years.68 These concepts do have a superficial similarity: both have the effect of placing individual test results and data into research participants’ hands. This similarity invites authors—including us at times69—to discuss the two in one breath. Here, however, we stress that they are distinct concepts, with different legal histories and rationales that the Academies’ Report failed to acknowledge. This omission, we argue, contributed to a legally flawed set of recommendations.
Part III supplies necessary background on the CLIA statute and regulations—admittedly a dry topic but one that crucially affects research participants’ privacy and ethical rights in research involving laboratory testing. Part IV critiques CMS’s position regarding its jurisdiction to regulate research laboratories under CLIA. Specifically, is the CMS position a permissible interpretation of the CLIA regulations and does it warrant deference? We conclude the answers are “no” and “no.” Part V explains why the Report’s starting assumptions about HIPAA access and the return of results were flawed and then explores how these erroneous assumptions produced problematic recommendations.
What emerges is that the Academies’ Report proposes a sweeping program of regulatory reforms to resolve a presumed regulatory conflict that actually never existed. The Report proclaims support for the ideal of greater participant access to results and data, while recommending policies that would constrict and delay that access. This contradiction may confuse readers on first exposure to this Report. However, careful analysis requires going beyond the Report’s rhetoric to its actual recommendations. The Report champions greater respect for people who participate in research by calling them “research ‘participants,’ rather than research ‘subjects,’”70 yet its recommendations fail to trust these people by protecting their access to their own personal information. The Report urges stripping research participants of established privacy and ethical rights.
The Academies’ Report on return of results struck a Faustian bargain.71 It analyzed a problem under terms that traded away something of supreme importance—the Academies’ 150-year tradition of independence, objectivity, and high standards of technical quality72—and doomed the Report’s legal and policy recommendations.
I. A Troubling Statement of Task
The Report’s SOT states: “Currently, any research laboratory that returns individual-specific research results is regulated by CLIA.”73 This statement assigns controlling weight not to a statute or regulation, but rather to a strange and highly controversial position CMS announced in a lowly PDF file74 posted unsigned on its website on or about December 2014.75 According to this position, research laboratories cannot report individual-specific results unless the results meet clinical standards of quality76— which, according to the PDF file, means that the laboratory must comply77 with CLIA. The Report wrongly characterizes this PDF position as a CMS “interpretation” of the CLIA regulations,78 seemingly unaware that “interpretation” is a legal term of art. Not every opinion or position put forth by a federal agency is a permissible interpretation of the law. We explain how CMS’s position contradicts the clear79 jurisdictional language of the CLIA statute80 and is inconsistent with the plain text of the CLIA regulations.81 Nevertheless, the SOT recites it as an established legal truth.82
The Report admits that CMS’s position is legally controversial, but credits it without any analysis.83 The SOT required this approach, insisting that the committee “not provide any legal interpretation or analysis regarding the scope or applicability of CLIA.”84 This barred the committee from conducting elementary legal research—such as checking what the relevant statute says—that would have readily revealed the error in the SOT.85
The Report recounts how “[t]he sponsors indicated to the committee that it would be appropriate to include in its description of the current regulatory environment for the return of individual research results CMS’s current interpretation of the scope and applicability of CLIA.”86 This was an instruction for the committee to take sides in a legal dispute by describing a contested agency position about the law (the PDF position) as if it really were the law. Accordingly, the Report, in places, ceases to characterize CMS’s position as a disputed agency assertion and instead repeats that position, in the committee’s own voice, as a firm declaration of legal truth.87 Doing so lends the Academies’ reputation to an unexamined and, it turns out, legally flawed assertion.
The Report’s SOT is the legal equivalent of having a sponsor instruct the Academies to conduct a scientific study that assumes Π=6 (instead of 3.14159265359 …),88 and without asking any questions. It might be appropriate in some circumstances for a study to examine a counterfactual hypothetical, if it is consistently described as a hypothetical. For example, a report by the Academies could conceivably state:
The National Aeronautics and Space Administration (NASA) is planning a mission to a distant galaxy where circles are not round and the usual laws of physics do not hold. Accordingly, NASA has engaged the Academies to advise NASA how to operate in an environment where Π=6. The Academies have agreed to perform this study but take no position on whether Π=6.
It is a different matter for study sponsors to instruct a committee of the Academies to “include in its description” of the truth a federal agency’s disputed version of the truth, without “making any comments, analysis, or conclusions regarding the appropriateness of that interpretation.”89 That is what the Academies agreed to do in this Report.
For the Academies to agree to include an agency’s disputed views in the Academies’ own “description of the current regulatory environment,”90 with no fact-checking, makes the Academies a captive mouthpiece for a federal agency under fire. Seemingly, all an embattled agency would need to do in order to advance its version of disputed law or facts would be to enter into a contract with the Academies and set ground rules requiring a report to treat the agency’s side of the dispute as reality. An agency could, for example, instruct the Academies to publish a report that “include[s] in its description”91 that climate change is not real, that smoking does not cause cancer, that nobody in America suffers from hunger or substandard health care, that endangered species are thriving, or that the First Amendment does not protect the freedom of religion. These may seem far-fetched fodder for future Academies reports, but that reaction underscores the importance of scrutinizing the terms an agency imposes. Accepting agency positions and writing them into a committee’s consensus report risks allowing the Academies’ reputation for rigor and independence to be diluted and used to advance contested agency agendas. The potential for mischief is real, especially in an age pundits have christened the “post-truth era.”92
The Academies’ agreement to conduct a study on these terms is concerning, as is the fact that this study proceeded to completion under these strictures. The Academies have procedures in place to correct an SOT that a committee, once it starts work, determines is inadequate.93 Still, the portrait that emerges here is of a sincere and hard-working committee saddled with a deeply troubling SOT. Going forward, the Academies should be very reluctant to bind a committee to a sponsoring agency’s account of the law, especially when that account is mired in known controversy.94 The Academies’ well-earned reputation for rigorous analysis should extend to its legal analysis, not just medicine and science.
II. Distinguishing HIPAA Data Access from the Return of Results
Privacy-related individual access rights, such as the rights central to the HIPAA Privacy Rule,95 arguably were beyond the scope of the Academies’ Report. The Report’s stated subject matter, as indicated in its title, was the return of individual research results. The Report dragged HIPAA’s access right into its scope by accepting CMS’s position that CLIA prohibits the return of results from non-CLIA-certified research laboratories; this seems to imply that CLIA also prohibits HIPAA access.96 The reality is more complicated. HIPAA’s access right differs from the return of results in terms of its history and legal basis, its rationale and purposes, the scope of data disclosure to fulfill those purposes, its administration and enforceability, and the customs and practices surrounding it. By blurring two very different concepts, the Report overreached into subject matter—data privacy law—for which its committee membership was not constituted and which lay outside the jurisdiction of the three agencies sponsoring the Report. This Part highlights key differences between the two concepts.
A. Return of Results: History, Purpose, and Scope
The practice of returning individual research results and incidental or secondary findings97 grew out of ethical and pragmatic concerns elaborated in the bioethics and scientific literature for decades and in consensus guidelines over the past twenty years.98 Beginning in 1999, consensus recommendations have urged researchers to offer some individual-specific findings to research participants.99 Most of these recommendations are based on ethical concepts including respect for autonomy, reciprocity, a limited duty of “ancillary care,” and an ethical duty to warn.100 No statute or regulation expressly commands return of these findings, but commentators have argued that the federal regulations governing research with human participants articulate relevant duties.101 These include the duty to describe all expected risks and benefits in eliciting consent and the duty to include in the consent form, if required by the IRB, “a ‘statement that significant new findings developed during the course of research which may relate to the subject’s willingness to continue participation will be provided to the subject.’”102 While health care professionals providing clinical care may have common law duties to recognize and communicate incidental findings of health significance and have been sued for failure to do so, the potential liability of researchers is less clear.103 Research records may contain detailed information about participants, including genome sequencing104 or imaging results,105 giving rise to an ethical106 and possibly even a common law duty107 to warn participants of findings that suggest a need for follow-up clinical testing and evaluation.
There is ongoing debate about how much of the information generated by research ought to be returned. A number of consensus recommendations distinguish findings that should be offered to participants, those that may be offered in the researcher’s discretion, and those that should not be offered.108 Some commentators confine the first category to results with analytic validity and clinical significance, such as laboratory test results having analytic validity,109 clinical validity,110 and clinical utility111 or actionability.112 This view implicitly grounds “should return” in a duty to warn.
Commentators have long recognized that researchers “may return”—in other words, it is ethically permissible for them to return—a broader set of research findings, even when the clinical significance is unclear.113 The information in question could include test results that warrant further evaluation such as genetic results that require further clinical evaluation or environmental exposure results whose clinical meaning is not yet well understood. Researchers may also offer findings that may be of reproductive or personal importance, such as the participant’s genetic carrier status or genetic risks (such as risk of developing Alzheimer’s disease) even if there is no efficacious treatment currently available. This view treats the return of information as serving broader health, dignitary, and pragmatic purposes beyond a mere duty to warn of clear danger—for example, displaying respect for participants’ autonomy and agency over information that pertain to them, or enhancing their engagement with the research.
The literature on return of results and incidental or secondary findings has also increasingly acknowledged the importance of recognizing participants’ right to receive their own raw data.114 This may enable participants to follow future progress in understanding data whose meaning is currently unclear. Access can also empower participants to contribute their data to other studies, initiate research studies in partnership with others, and form social networks with similar individuals.115 Surveys show that participants value the return of results and data even when the information is uncertain or lacks clinical significance.116
B. Privacy-Related Individual Access Rights: History, Purpose, and Scope
The HIPAA access right has a distinct history, purpose, and scope. The HIPAA Privacy Rule,117 since it was first finalized in December 2000,118 has always contained an individual access right.119 This is a legally enforceable civil right—specifically, a privacy right—created by federal regulations. Before 2014, however, this right could not be exercised at HIPAA-covered laboratories in all fifty states, because some states had laws limiting individuals’ direct access to laboratory test results, and the federal HIPAA and CLIA regulations were deferring to those state-imposed restrictions.120 On February 6, 2014, CMS joined OCR in promulgating a final rule121 preempting state laws that limit people’s ability to exercise their access rights at HIPAA-covered laboratories.122 This made all HIPAA-covered laboratories subject to the access right.
The Academies’ Report never discussed the history of privacy-related access rights. This omission left a false impression that HIPAA’s access right is some sort of recent innovation, an isolated aberration. To the contrary, HIPAA’s access right rests on a fifty-year history of federal privacy laws that treat individual access to one’s own data as a fair information practice and a core element of data privacy protections.123 Indeed, the importance of individual access to data held by others is so well established, that many states have recognized the same right in various contexts.124
At the federal level, the Privacy Act of 1974 includes a congressional finding that data privacy is a fundamental right protected by the Constitution125 and it describes an individual right to inspect and obtain one’s own data as necessary and proper to protect this privacy right.126 These are enacted congressional findings of fact—not just flowery words Congress put in front of the legislation, but an actual part of the legislation itself, passed by both houses of Congress, signed into law by President Ford, and recorded as statutes in the U.S. Code.127 The Privacy Act expresses Congress’s conviction that access enables the exercise of fundamental Constitutional rights.
The Privacy Act provides privacy protections (including an access right) only for data held in governmental databases—for example, federally held Medicare data—but it commissioned a Privacy Protection Study Commission (PPSC) to recommend protections for data in private-sector environments.128 HIPAA’s access right flows from these PPSC recommendations published in 1977.129 The 1996 HIPAA statute130 required HHS, by 1997, to prepare a report for Congress on federal health privacy protections.131 This 1997 HHS report132 cited and incorporated the PPSC’s 1977 recommendations in its roadmap for the HIPAA Privacy Rule.
The Academies’ Report enumerates the many purposes that return of individual research results serves,133 but omits any discussion of the well-articulated legislative and regulatory purposes served by privacy-related access rights, so we briefly fill this gap here. Return of results and privacy-related access exhibit some overlapping purposes—for example, both display respect for participants’ autonomy and both empower people to form social networks and contribute their data to other research studies—but their foundational purposes are distinct. As noted in the Academies’ Report, the return of results initially grew out of a perceived ethical duty to warn participants when research detects a potential health risk that the participant might otherwise have no way to know.134
In contrast, HIPAA’s access right serves privacy-enabling purposes. These were first articulated in the PPSC’s 1977 report and in the 1997 HHS recommendations to Congress.135 HHS, OCR, and CMS further elaborated the purposes of HIPAA’s access right in the preambles to proposed and final rules creating or expanding that right.136 Readers are referred elsewhere for a detailed discussion of these sources.137 To summarize, the foundational purpose of HIPAA’s access right is to enhance individual privacy protections. Unless people can see the information being stored about them, they cannot assess how much privacy risk the information may pose.138 Are the data embarrassing? Is their storage or circulation a source of concern? Are the data even accurate? Might the data contribute to identity theft? Could the data be used to re-identify the individual? Do the data include elements that might implicate them or a loved one in a crime, as recently happened in the case of the Golden State Killer?139 People can suffer discrimination or stigmatization based on inaccurate data that have been wrongly attributed to them and, without access, a person has little chance of ever detecting and correcting such errors.
Another foundational purpose of privacy-related access rights is to enable people to give valid, informed consent for secondary use of their stored data. In its 1997 privacy recommendations to Congress,140 HHS stressed that the “decision whether to disclose a record may depend on what the record says, and so access to the record is integral to making an informed choice to disclose [information].”141 In this respect, the Privacy Rule holds informed consent to a higher ethical standard than does the Common Rule,142 a major federal research regulation. The Privacy Rule regards people’s authorizations for secondary uses of their stored data as ill-informed, unless they have a way to inspect the data they are being asked to share.143 This concept strikes some people as odd, yet it has considerable merit: When consenting to a third-party use of one’s data, being “informed” does not merely mean knowing how the data will be used; it also means knowing precisely what sort of data one is being asked to release to the third party.
The HIPAA Privacy Rule creates a right for individuals to inspect and make copies of all of the data about themselves that a HIPAA-covered entity (such as a hospital, clinic, or HIPAA-regulated laboratory) has stored in each person’s designated record set (DRS).144 This right is subject only to a few narrow exceptions.145 The “designated record set” is the legal term of art denoting the HIPAA-accessible records about an individual stored at a particular HIPAA-covered facility.146 The DRS includes all records “[u]sed, in whole or in part … to make decisions about individuals.”147 HHS has clarified that this encompasses non-medical as well as medical decision-making and information of a type that the facility uses to make decisions about any individuals, even if that information was not so used when making decisions about the person requesting the data.148
A person’s DRS is not restricted to information that has clinical significance. In ordinary health-care contexts, for example, the DRS will include a wide range of information, including unverified, speculative doctors’ notes in patients’ charts.149 People have a legitimate privacy interest in being able to inspect any information ascribed to them, regardless of its reliability or clinical significance. Uncertain and misattributed data that lack any clinical significance can nevertheless place people’s privacy at risk and subject them to stigma and discrimination. Accordingly, the DRS for laboratory data “includes not only the laboratory test reports but also the underlying information generated as part of the test, as well as other information concerning tests a laboratory runs on an individual.”150 For genomic tests, the DRS could include “the completed test report, the full gene variant information generated by the test, as well as any other information in the designated record set concerning the test.”151
The scope of the HIPAA-accessible DRS is considerably broader than the traditional, more restrictive view of return of results and incidental or secondary findings in service of a duty to warn. It is not, however, all that different from the emerging, broader ethical view of return of results and data in service of values such as respect for research participants’ autonomy and agency over their data.152
Many, though not all, research facilities are subject to the HIPAA Privacy Rule.153 Their research records are subject to HIPAA’s access right on the same basis that clinical records are—that is, if they fit within the definition of the DRS.154 Precisely because HIPAA access includes access to research records, the Privacy Rule has always had an access exception letting research facilities suspend research participants’ access rights temporarily during clinical trials.155 Otherwise, research participants could access their research data while a clinical trial is ongoing and “un-blind” a trial whose validity requires “blinding” during data collection.156 This exception allows research data to be withheld only if the individual agreed to the temporary denial of access when consenting to the research,157 and access must be reinstated upon completion of the clinical trial.158 This exception proves the rule, which is that research results and data held by HIPAA-covered facilities are subject to HIPAA’s access right.
C. Differences in Administration, Customs, and Practices
A number of customs, practices, and guidelines have developed for return of results and data. They are worth noting because they further distinguish this domain from the domain of privacy-related access rights.
As a practical matter, the return of results and data can be initiated by either party—either because an investigator or research institution develops a policy or practice of offering return, or when research participants ask questions. Researchers and their institutions have considerable discretion over whether and how they choose to return results.159 In contrast, HIPAA access is provided at the request of the individual. With only limited exceptions,160 HIPAA-covered entities must provide prompt access upon request.161 Failing to do so can lead to administrative sanctions and civil penalties.162
Ethics review bodies such as Institutional Review Boards (IRBs) play an important oversight role in return of results and data and IRB, or dedicated return-of-results committees, may be involved in establishing policies.163 In contrast, the Privacy Rule does not subject HIPAA access—or any of HIPAA’s other privacy protections—to review or approval by an IRB. IRBs play no role in administering the HIPAA Privacy Rule, except that the Rule does grant covered entities the option of using their IRBs, instead of a special-purpose HIPAA privacy board, to approve waivers of individual authorization for research uses of data.164 Other than that, the legal protections of the HIPAA Privacy Rule are administered by a federal agency, the OCR, rather than by institutional committees. The Privacy Rule creates federally protected civil rights and does not authorize committees to second-guess or interfere with them.
The ethical conduct of return of results is widely perceived to include a responsibility to provide interpretive assistance (for example, genetic counseling) to help participants make sense of the information they receive and understand recommended next steps such as clinical consultation.165 These responsibilities may contribute to the Report’s perception that returning results and data “necessarily requires the diversion of some research resources from the primary goal of the research.”166 In contrast, HIPAA access does not involve interpretive assistance, advice, or counseling. It is a “what’s on file is what you get” right.167 This flows from the fact that privacy-related access rights are tools for managing privacy risks rather than health risks. The goal is to reveal what is on file, not what it means. Data holders can charge a very restricted cost-based fee to cover some of the costs of access—such as mailing and copying costs.168 The Privacy Rule allows data holders at their discretion to provide explanations and interpretive assistance under separate arrangements, if the recipient requests such help and agrees to pay the fee, if any, for such services.169 HIPAA requires data holders to provide information in the DRS, but does not require them to provide advisory services.170
III. The Scope of CMS‘s Jurisdiction to Regulate Research Laboratories
The Academies’ Report opens with an assertion that HIPAA’s access right171 is in conflict with the CLIA regulations172 and repeats this assertion throughout the document.173 By doing so, the Report embraces a dubious position CMS asserted in its 2014 PDF file: that non-CLIA research laboratories reporting individual-specific results violate the CLIA regulations.174 The PDF file pays no attention to why the laboratory is reporting the results: Is it reporting them for use in the individual’s clinical care, or to warn a participant to seek follow-up testing and clinical evaluation of a secondary finding from research, or to comply with HIPAA’s access requirement? According to the PDF position, it makes no difference; the mere act of providing the information triggers jurisdiction under the CLIA regulations.175
The Report characterizes CMS’s PDF file as an “interpretation” of the CLIA regulations—that is, as an interpretative rule176 or general policy statement177 (together, “guidance document”178). The Report seems unaware of the legal implications of characterizing the position stated in the PDF file as an “interpretation.” This characterization, if it were correct, would have important legal consequences. First, it would bear on whether issuing the PDF file was even lawful. Guidance documents do not require notice-and-comment rulemaking179 under the Administrative Procedure Act (APA).180 CMS did not follow notice-and-comment procedures when publishing the PDF file. If it was just an interpretive guidance document, then it was lawful, but if the PDF file was something more—such as an attempt to rewrite the CLIA regulations—it violated the APA. Second, the PDF file might be able to escape judicial review, if viewed as a mere guidance document, because of questions about its finality181 and ripeness.182 If, despite these barriers, the PDF file somehow did come under judicial scrutiny, as guidance documents occasionally do,183 CMS would expect to receive deference under Auer v. Robbins,184 which gives controlling weight to an agency’s interpretation of its own regulations, with only limited exceptions.185
The Academies’ Report obligingly characterized CMS’s position as an “interpretation” of the CLIA regulations, and accorded it controlling weight.186 Whether that was appropriate, however, depends on the jurisdictional provisions of the CLIA statute and regulations, which the committee was forbidden to examine.187 The discussion below supplies the omitted analysis, concluding that the CMS PDF file contradicts the underlying regulation it purports to interpret, attempts to rewrite the CLIA regulations without notice-and-comment rulemaking and, moreover, violates the CLIA statute, and thus cannot be viewed as lawful and controlling.
A. The CLIA Statute’s Jurisdictional Rule
The CLIA statute arose in 1988 when Congress amended188 an earlier statute, the Clinical Laboratory Improvement Act of 1967.189 When the House bill that became the 1967 CLIA statute was reported out of the House Interstate and Foreign Commerce Committee, the Chair of that committee explained that there was no intent to regulate research laboratories:
We intend by this legislation to cover those commercial laboratories which are engaged in the business of examining specimens, and provided an exemption for laboratories not directly involved in this type of operation such as those operated by insurance companies.
In addition, it should be pointed out that the bill does not cover laboratories engaged in research where examination of specimens is directed toward that end rather than to the treatment of patients.190
Congress implemented this intent by enacting the CLIA statute’s jurisdictional provision.191 It states that a facility must comply with CLIA if it fits within CLIA’s definition of a “laboratory,”192 which is:
a facility for the biological, microbiological, serological, chemical, immuno-hematological, hematological, biophysical, cytological, pathological, or other examination of materials derived from the human body [i.e., biospecimens, such as blood, urine, or tissue samples] for the purpose of providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings.193
The CLIA statute clarifies that this concept of a “laboratory” denotes a “clinical laboratory.”194 Other laboratory facilities that do not fit this definition are not subject to CLIA. Figure 1 portrays CLIA’s jurisdictional provision: facilities that meet the condition in the white area of Figure 1 are subject to CLIA; those in the shaded area are not. The laboratory’s intent in providing information from laboratory tests is key.
Fig. 1.
CLIA jurisdiction under 42 USC §263a(a)
Laboratory tests provide information in the form of test results and other data such as genome sequence information. CLIA asks, “For what use is the laboratory providing information?” According to the CLIA statute and regulations, a laboratory falls under CLIA if it is “providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings”195—in other words, if it is providing information for a list of specific clinical uses (see white area in Figure 1).
CLIA jurisdiction depends not just on what Congress said in 42 U.S.C. § 263a(a), but on what Congress refrained from saying. Two textual omissions are important. The first is that Congress supplied no special, technical definition of the word “for,” which appears in the jurisdictional phrase “providing information for diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings.”196 Consequently, the word is not a legal term of art and takes its ordinary, everyday meaning.197 The word “for,” according to its primary dictionary meaning, is “a function word to indicate purpose” and “to indicate an intended goal.”198 CLIA jurisdiction thus depends on the laboratory’s purpose or intended goal199 in providing information from a test: Does the laboratory intend for the information to be put to a clinical use (diagnosis, prevention, or treatment, or assessment of health)?
The second and more profound omission is that CLIA supplies no definitions for the terms “diagnosis,” “prevention,” “treatment,” and “assessment of health,” which play a central role in determining the scope of CLIA’s applicability. This omission respects principles of federalism. The federal power to regulate medical practice, a traditional area of state regulation, has been a hot-button issue dating back to the intense legislative debate preceding passage of the 1938 Food, Drug, and Cosmetic Act200 and flaring up most recently in connection with the Affordable Care Act.201 There is little doubt that, under modern law, the federal government has authority to touch medical practice issues incident to its federal medical product and clinical laboratory regulations, but Congress and federal agencies make an effort to respect the states’ role.202 The states, through their medical practice acts, other statutes, and common law, define the scope of medical practice and when it begins and ends.203
The CLIA statute leaves it for the states to determine whether a particular human interaction amounts to diagnosing, preventing, or treating an illness or assessing the person’s health. When revising the CLIA regulations in 1993, the Health Care Financing Administration (HCFA, the earlier name for today’s CMS) affirmed its intent not to regulate laboratories that report results for purposes unrelated to the “patient care context which helps define the scope of the CLIA statute and these regulations.”204 The states, by setting the boundaries of the patient care context, ultimately define the scope of CLIA’s jurisdiction.
To summarize, a laboratory falls under CLIA jurisdiction when it provides information for—in its ordinary, everyday sense of “with the purpose or intended goal of”—“diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings,” as these terms are defined by the relevant states in which these acts occur.205 If the laboratory is providing information for other, non-clinical uses—such as forensic uses or the pursuit of scientific discovery—it is not even a “laboratory”206 under CLIA’s definition, and CLIA does not apply to it. Such a laboratory can operate lawfully without obtaining a CLIA certificate or meeting the conditions to be CLIA-exempt (that is, meeting the conditions required by New York or Washington state).207 Today, some research laboratories voluntarily choose to comply with CLIA, while others maintain non-CLIA status by conducting their analyses for non-clinical uses (such as research) rather than for the clinical uses that trigger jurisdiction under the CLIA statute.
To be clear, the above discussion was merely quoting the CLIA statute (reporting what the statute says), not interpreting it. The Report at times dismissed scholarly works that merely quote statutes as “[r]elying on principles of statutory interpretation.”208 The Report thus embraced a view that “the statute is not the law, but only an [interpretation] of it.”209 By this view, an agency that flouts the plain language of a statute is merely “interpreting” it, and scholars who quote statutes are merely advancing an alternative interpretation.
In reality, what the law is depends on what the law says, with federal statutes sitting near the top of the legal evidentiary hierarchy.210 If you want to know the scope of permissible CMS regulation and actions under CLIA, you have to read the CLIA statute. Astonishingly, the Report’s SOT dismissed the CLIA statute as a source of evidence of what the law is, and instead assumed the CMS PDF file to be controlling without analyzing its fidelity to the statute.211 This should have been a red flag. Until Congress amends the CLIA statute, it is the law. CMS has no authority to take positions in conflict with that law. This fundamental fact is core to any consideration of the topics addressed in the Academies’ Report.
B. Applying CLIA’s Jurisdictional Rule to Research Laboratories—the History
Applying CLIA’s jurisdictional rule to research laboratories raises issues that were considered at the very birth of the current CLIA regulations. HCFA grappled with these complexities during the 1992 rulemaking that drew the contours of today’s CLIA regulations.212 This history is enlightening.
Even though Congress disclaimed intent to regulate research facilities,213 many research laboratories sought further reassurance that they would not fall under the CLIA regulations. To allay these concerns, HCFA initially proposed to have the CLIA regulations embed a research exception within their definition of a regulated laboratory.214 This proposal drew fire, however, because some research laboratories wanted to fall under CLIA jurisdiction.215 A laboratory cannot bill Medicare unless it is CLIA-certified, and these research laboratories wanted “to assure that they can continue to receive reimbursement for tests performed.”216 HCFA responded that “[i]f the results of such ‘experimental’ testing are used for individual treatment of the patient tested, the laboratory would be subject to CLIA requirements.”217 In other words, if a research laboratory plans to bill a health insurer or Medicare for a test, then it clearly is providing information with an intent for clinical use and, under CLIA’s definition, it is a clinical laboratory.
HCFA ultimately concluded that the CLIA statute’s jurisdictional provision “clearly defines the type of facility subject to regulation and is specific with respect to its applicability to facilities that conduct testing for the medical diagnosis, prevention, or treatment of individuals.”218 These words, written after Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc.,219 had profound significance. When Congress clearly speaks to an issue there is no room for federal agencies or courts to interpret the statute; they must simply follow it.220 HCFA understood this legal principle and determined that the statute’s language, being clear, left no room for the CLIA regulations to further interpret the agency’s jurisdiction. Accordingly, HCFA decided that the CLIA regulations should simply repeat—or “parrot”221—the same jurisdictional language that the CLIA statute uses to define a CLIA-regulated “laboratory.”222 Table 1 compares the statutory and regulatory language.
Table 1.
Parroted Jurisdictional Language
| Source | Jurisdiction-triggering conditions: an act + scienter |
|---|---|
|
CLIA Statute 42 U.S.C. § 263a(a) |
A facility becomes subject to the CLIA statute by: “providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings.”223 |
|
CLIA Regulations 42 C.F.R. §§ 493.1, 493.2 |
A facility becomes subject to the CLIA regulations by: “providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings.”224 |
The jurisdictional language is identical: The CLIA statute, at 42 U.S.C. § 263a(a), provides that a facility becomes subject to the CLIA statute by “providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings.”225 The CLIA regulations, at 42 C.F.R. §§ 493.1, 493.2, apply this same rule.226
Both these passages require two conditions to be met, before a laboratory falls under the CLIA regulations. First, the laboratory must perform an act (“providing information”).227 Second, the laboratory must perform this act for an enumerated list of purposes: “for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings.”228 This second condition amounts to a scienter requirement: it is not merely the act, but the laboratory’s intent when performing the act, that triggers CLIA regulation.
The preamble to the 1992 final rule makes clear that when research laboratories report individual-specific results without an intent for clinical use, they are not subject to the CLIA regulations: “Several commenters [in that proceeding] noted that research laboratories including National Institutes of Health (NIH) laboratories perform experimental tests on human specimens and may include test information in the patient’s medical record for completeness.”229 These research laboratories were concerned that this reporting of individual-specific results might place them under the new CLIA regulations.230 HCFA concluded this was not the case and, to reassure them, HCFA inserted CLIA’s research exception at 42 C.F.R. § 493.3(b)(2).231 This exception stresses that the CLIA regulations do not apply unless research laboratories “report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients.”232 Table 2 compares the research exception to the jurisdictional language of the CLIA statute and regulations.
Table 2.
Parroted language in the CLIA research exception
| Source | Jurisdictional conditions: an act + scienter |
|---|---|
|
CLIA Statute and Regulations 42 U.S.C. § 263a(a); 42 C.F.R. §§ 493.1, 493.2 |
A facility triggers CLIA jurisdiction by: “providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings.”233 |
|
CLIA Research Exception 42 C.F.R. § 493.3(b)(2) |
A facility escapes CLIA jurisdiction if it: “do[es] not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of … individual patients.”234 |
The research exception parrots the same scienter requirement seen in the CLIA statute and regulations: The jurisdictional provisions provide that a facility triggers CLIA jurisdiction by “providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings.”235 The research exception emphasizes that a facility avoids CLIA jurisdiction if it “do[es] not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients.”236
The research exception highlights that reporting “patient specific results” (as opposed to providing information more generally) is the act that potentially raises concerns at a research laboratory.237 Yet even if a laboratory reports “patient specific results,” it escapes CLIA regulation if the reporting is for non-clinical purposes.
In the 1992 CLIA rulemaking preamble, HCFA explained that reporting patient-specific experimental test results into a patient’s medical record “for completeness” does not, by itself, violate the research exception and trigger CLIA regulation.238 However, reporting patient-specific results “for individual treatment of the patient tested”239 would cause the laboratory to fall under CLIA. According to HCFA’s interpretation, reporting individual research results into a patient’s medical record for the sake of record-keeping “completeness” does not amount to “treatment” and is not a clinical use, even though the record in question is the person’s medical record.
HCFA’s 1992 interpretation carries considerable legal weight because it appears in the preamble to a final rule in which HCFA was exercising its congressionally delegated authority to promulgate regulations consistent with the CLIA statute’s jurisdictional language, after notice and an opportunity for the public to comment. HCFA’s interpretation thus would be Chevron-eligible under current doctrines.240 Courts following these doctrines would tend to view HCFA’s interpretation as controlling. According to HCFA, it is not the mere act of reporting individual-specific results, but the laboratory’s reason for doing so, that triggers CLIA regulation of a research laboratory. HCFA’s interpretation closely follows the text of the CLIA statute and its scienter requirement.
IV. CMS’s Recent Position on its Jurisdiction to Regulate Research Labs
In its 2014 PDF file CMS asserts far broader jurisdiction to regulate research laboratories than HCFA claimed in 1992 when the agency promulgated the CLIA regulations.241 As recited in the Academies’ Report, CMS’s current position is that “only those facilities performing research testing on human biospecimens that do not report patient-specific results may qualify to be excepted from CLIA certification.”242 By this view, research laboratories operating under CLIA’s research exception243 will fall under the CLIA regulations if they report individual-specific research results for any purpose, including for non-clinical uses. Part IV discusses CMS’s PDF file and concludes that it is contrary to the CLIA statute and regulations and merits no deference.
A. Ambivalence and Statutory Deviations
During 2014, CMS displayed considerable ambivalence about the position expressed in the PDF file. On February 6 of that year, CMS joined OCR, which administers the HIPAA Privacy Rule and GINA’s genetic privacy provisions,244 in promulgating the final rule245 expanding HIPAA’s individual access right to include data stored at HIPAA-covered laboratories. CMS’s participation in that rulemaking is high-quality legal evidence that CMS saw no conflict between HIPAA’s access right and the CLIA regulations on that date. It is presumed that federal regulators are competent and know what is in the regulations they promulgate and would not knowingly issue a new regulation that conflicts with other laws. On February 6, 2014, CMS apparently felt there was no conflict between the HIPAA and CLIA regulations.
Eight months later, with the new laboratory access right set to take effect on October 6, a group of NIH-funded researchers pointed out that HIPAA’s access right seems to include individual access to uninterpreted (raw) data as well as interpreted genomic test results246—a view that OCR subsequently confirmed in a 2016 guidance document.247 At some genomic research laboratories, the prospect of having to provide access to data and results creates various concerns that the Academies’ Report describes: concerns, for example, that participants might be confused by access to potentially unreliable research data,248 and that implementing the access right could be costly and burdensome for researchers and might reduce their productivity.249 The Report emphasizes that funds for biomedical research “are precious and require careful and responsible stewardship,” and allowing participants to have such broad data access requires resources.250 In short, providing HIPAA access might be costly and inconvenient for researchers
Whether motivated by these concerns or others, CMS abruptly reversed course on or about December 2014, posting the PDF file251 on its CLIA web page. The file does not disclose its authorship, leaving it unclear whether it is an official statement by CMS.252 Posting it on CMS’s CLIA web page, however, creates the impression that CMS endorses it. It resembles a guidance document,253 but it has none of the disclaimers with which federal agencies often adorn guidance documents (such as a statement that it is non-binding).254 It seems to state a position that CMS plans to enforce.
The PDF file implies that there is a conflict between the HIPAA and CLIA regulations, thus supplying a pretext for non-CLIA research laboratories to avoid complying with HIPAA’s access right. This asserted conflict has added to confusion. In the face of this alleged conflict, OCR has seemed reluctant to enforce the access right at research laboratories. Enforcement has long been an issue under HIPAA. The weakness of HIPAA’s administrative enforcement structure255 has been particularly evident throughout this CLIA-HIPAA impasse. The Privacy Rule lacks a private right of action allowing citizen lawsuits to enforce its requirements.256 Enforcement depends on OCR. If this Office for Civil Rights goes wobbly on civil rights enforcement, as it did in this instance, it is difficult for research participants to enlist the federal courts to resolve questions of law such as “Is there, or is there not, a conflict between HIPAA and CLIA?”257 An office committed to diligent civil rights enforcement would have carefully scrutinized the CMS assertion of a conflict between HIPAA and CLIA regulations and, if necessary, would have pressed for rapid resolution of this question. Instead, the impasse has dragged on for four years, with research participants frequently denied a core federal privacy right while it festers.258
To those versed in administrative law, the PDF file had all the markings of an embattled agency seeking to appease its regulated industry by blocking an unpopular new regulation.259 A 2006 report by the U.S. Government Accountability Office (GAO) documented prior incidents in which CMS used informal means to circumvent the CLIA statute to reduce regulatory burdens on laboratories.260 In one instance, GAO found CMS had reduced the frequency of proficiency testing at many laboratories from quarterly, as the CLIA statute requires, to three times per year.261 When GAO requested the administrative record on which CMS based this decision, “CMS supplied a brief, undated narrative”262 and justified its deviation from the statute by claiming the “reduced frequency would provide a ‘needed respite’ to both laboratories and proficiency testing providers.”263 “According to CMS’s justification, experts were divided on the appropriate frequency of proficiency testing generally,”264 suggesting an ethos that federal laws can be ignored if expert option disfavors them.
The current situation with HIPAA access evokes the pattern GAO observed. With its “brief, undated” PDF file, CMS effectively granted research laboratories a “needed respite”265 from a burdensome federal law—HIPAA’s laboratory access right—on which researchers, laboratories, and experts are “divided,”266 as the Academies’ Report shows.267 Research participants had no say in whether they wanted a “respite”268 from their federally protected privacy rights. Finally, CMS did not follow the Administrative Procedure Act’s (APA)269 notice-and-comment rulemaking procedures270 or even its guidance publication requirements271 when posting its PDF file, which denied research participants a chance to protest as their newly created access rights were, in practical effect, rescinded.
B. CMS’s Recent Position
The PDF file summarizes CLIA’s research exception in the following manner:
Depending on the circumstances, research testing can be either excepted from CLIA or subject to CLIA. Specifically, testing facilities may qualify to be excepted from CLIA certification if they meet the description of “research laboratories” provided by the CLIA regulation at 42 C.F.R. 493.3(b)(2). In accordance with that regulation, only those facilities performing research testing on human specimens that do not report patient-specific results may qualify to be excepted from CLIA certification.272
However, the regulatory text of CLIA’s research exception at 42 C.F.R. § 493.3(b)(2) actually says:
(b) Exception. These rules [the CLIA regulations] do not apply to components or functions of…
(2) Research laboratories that test human specimens but do not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of or the assessment of the health of individual patients … .273
The PDF file interprets this regulation as if it had a period after the phrase “patient specific results,” so that the twenty-one-word clause appearing after that phrase is inoperant and, in effect, deleted. The PDF file explains this deletion by noting:
In most cases, research testing where patient-specific results are reported from the laboratory, and those results will or could be used “for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings” are presumed to be subject to CLIA, absent evidence to the contrary.274
This explanation interprets CLIA’s research exception as giving rise to a rebuttable presumption that any patient-specific results that a laboratory reports “will or could be” misused for a clinical purpose, with the laboratory bearing the burden of proof to rebut the presumption with contrary evidence. The CLIA regulation creates no such presumption or burden of proof, nor does the CLIA statute.275 In a 2017 public statement, a CMS official went farther and suggested that the PDF file’s presumption that all research laboratory reporting is for a clinical purpose is irrebuttable:
CLIA applies when…
Patient specific results are reported from the laboratory to another entity and the results are available and can be used for health care for individual patients.
In general, when patient-specific results are reported from the laboratory, it is assumed that they will or could be used for patient care purposes; therefore, they are subject to CLIA.276
The PDF file—and the above statement—do not merely “interpret” the CLIA regulation; they revise it. An example demonstrates the point: Suppose a law says, “Motor vehicles can be impounded if they are driven for commission of a felony.” The agency responsible for enforcing this law publishes a written policy statement interpreting this as saying, “Motor vehicles can be impounded if they are driven.” In a public speech, an agency official justifies this policy by noting, “In general, when motor vehicles are driven, it is assumed that they will or could be used for commission of a felony; therefore, they are subject to being impounded.” That is not an interpretation of the law; it is a material change of law.
C. Does CMS’s Position Merit Deference?
When an agency interprets its own regulations, courts generally grant it the highest level of deference, variously called Seminole deference, after the 1945 case, Bowles v. Seminole Rock & Sand Co.,277 or Auer deference for a later case that explained it well.278 Some scholars view Auer deference as being even stronger than the Chevron deference agencies often receive when interpreting statutes.279 The rationale for the heightened deference is that the agency that originally wrote a regulation is particularly well qualified to interpret its meaning.280
Under Auer, courts would treat an agency’s interpretation of its regulation as controlling unless that view is “plainly erroneous or inconsistent with the regulation”281 or violates a statute or the Constitution.282 The PDF file, as just described, is inconsistent with the text of the regulation it purports to interpret.283 As the HHS Secretary’s Advisory Committee on Human Research Protections (SACHRP) noted in its own analysis of the situation, CMS’s position “seems at odds with the plain language of the regulation, which prohibits performing a non-CLIA-certified laboratory test for purposes of diagnosing or treating a person, but does not prohibit data releases required by law or for other purposes.”284 This inconsistency precludes Auer deference.
If that were not enough, an additional exception to Auer deference is pertinent. The 2006 case of Gonzales v. Oregon285 recognized an exception to Auer deference when an agency is interpreting a regulation that simply parrots, or incorporates, statutory language.286 The rationale for Auer deference—that the agency is interpreting regulatory language that the agency itself wrote—breaks down when an agency interprets statutory language written by Congress. In this situation, the interpretive question is “not the meaning of the regulation but the meaning of the statute”287 that the regulation copies. The appropriate level of deference would ordinarily be Chevron, but because the PDF was not generated through a notice-and-comment proceeding, the lesser deference described in Skidmore v. Swift & Co.,288 or Skidmore deference, is warranted.289
CMS’s 2014 PDF file falls squarely in this latter exception to Auer deference. The PDF file discusses regulatory language drawn verbatim from the CLIA statute. In one place, it mentions the phrase, “for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients” that appears in the CLIA research exception. Yet the PDF file eliminates this phrase when it states that “only those facilities performing research testing on human specimens that do not report patient-specific results may qualify to be excepted from CLIA certification.”290 The phrase in question came directly from the CLIA statute; it is not CMS’s language to toss away.
Because CMS published the PDF file without notice-and-comment procedures, its interpretation of this statutory language is only eligible for Skidmore deference.291 Under Skidmore, the PDF file would receive respect proportional to its “power to persuade”292 and courts would consider the thoroughness, logic, and expertness of the agency’s interpretation when deciding whether to defer to it.293 The PDF file offers no discussion or explanation of why it is inconsistent with the statute it purports to interpret. Its silence is thuddingly unpersuasive.
Moreover, CMS’s position does not reflect a “fair and considered judgment on the matter in question,” which Justice Scalia once argued (albeit in a dissent) should warrant Chevron deference regardless of whether an agency followed notice-and-comment procedures.294 Far from being a “considered judgment,” CMS’s December 2014 PDF file was a hasty flip-flop reversing a position CMS took ten months earlier when it promulgated the final rule expanding HIPAA’s access right. Moreover, the PDF file contradicts the longstanding HCFA interpretation announced in the original 1992 CLIA rulemaking.295
Finally, the inconsistency between the PDF file and the CLIA statute goes to a matter of special sensitivity: the scope of CMS’s jurisdiction to regulate research laboratories. Congress, by statute, placed a limiting condition on CMS’s jurisdiction: CMS can regulate research laboratories only if they provide information “for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings.”296 The PDF file assumes that a research laboratory that reports results for any use is doing so for clinical use, because the results “could be” misused by third parties downstream of the point when the laboratory reports them to the individual.297 The surplusage canon of textual construction favors the view that every word of a statute or regulation should be treated as operant, with none ignored.298 As one justice put it, “These words cannot be meaningless, else they would not have been used.”299 The PDF file treats Congress’s scienter requirement as functionally meaningless.
CMS’s position ignores the limiting condition Congress placed on CMS’s jurisdiction, by assuming that condition to be met absent evidence to the contrary. Assuming it to be met removes a crucial constraint that Congress imposed on CMS’s authority to regulate research laboratories. Eskridge and Baer, in their empirical study of case outcomes, found that courts look more harshly on agency statements when the agency “is interpreting its own jurisdiction or authority” rather than statements in which an “agency applies its regulations to a matter of detail, [and] is not interpreting its own jurisdiction or regulatory authority.”300 This again counsels that CMS’s current view of its jurisdiction to regulate research laboratories is suspect.
CMS’s PDF file does not go to a matter of detail. It reflects an agency significantly expanding its jurisdiction and doing so “on the sly”301 by posting an undated PDF file instead of acting openly and transparently through appropriate APA notice-and-comment procedures.302 Note, however, that even if CMS had followed APA rulemaking procedures, agencies cannot do what the PDF file attempts to do. Even with APA rulemaking, agencies cannot amend federal statutes, which only Congress can do.
The position stated in the PDF file does not merit Auer deference. In fact, the PDF attempts to assert regulatory authority over research laboratories that Congress never granted the agency. The Report’s SOT, and the Report itself, erred by assuming the PDF reflects current law.
V. Erroneous Assumptions Produce Flawed Recommendations
The Report bases a sweeping legal reform agenda on an assumption that two federal regulations—the HIPAA Privacy Rule and the CLIA regulations—are in conflict, so that non-CLIA research laboratories cannot provide HIPAA access to individual-specific data without becoming subject to CLIA.303 The Report further assumes that researchers cannot return results from non-CLIA labs without risking the same violation. A basic legal analysis would have proved these assumptions wrong.
A. The Report’s Flawed Assumptions
Complying with HIPAA’s access right causes a HIPAA-regulated research laboratory to fall under CLIA only if the laboratory does so intending to provide data for clinical use.304 A research laboratory reporting data pursuant to a HIPAA access request has intent, first of all, to comply with federal privacy law and, secondarily, to promote the legislative and regulatory objectives the Privacy Rule serves.305 A research laboratory providing information for HIPAA-compliance purposes lacks the scienter—intent to provide data for clinical use—that gives rise to CLIA jurisdiction. If a research laboratory is not otherwise subject to CLIA, the mere act of providing HIPAA access will not cause the laboratory to fall under CLIA.
Similarly, the mere act of returning research results and data will not trigger the need for CLIA compliance. What matters is the laboratory’s purpose in reporting those results and data. If the purpose is to produce results and data for direct use in diagnosis, prevention, treatment, or health assessment, then CLIA is triggered. However, if the laboratory is not providing results and data for these purposes, but as part of the ethical conduct of research, CLIA is not triggered and the CLIA research exception applies.
Congress recognized, as it passed the 1967 CLIA statute, that research activities may or may not cause a laboratory to fall under CLIA. Congress intended for CLIA not to cover “laboratories engaged in research where examination of specimens is directed toward that end” but wanted CLIA to cover research laboratories where testing was directed at “treatment of patients.”306 In some research, especially clinical research,307 laboratories are generating results to be directly used in clinical care and use of a CLIA-compliant laboratory is necessary. However, in other research, the laboratory results are not intended for direct use in clinical care.
Over the past two decades, researchers have worked in close collaboration with ethicists and legal scholars to develop consensus guidelines to ensure appropriate return of results mindful of CLIA requirements.308 It is essential to understand how these guidelines work. They envision three scenarios, corresponding to three separate pathways for the return of results and data from research laboratories.
In the first scenario, a laboratory generates a research result or data intending its direct use in clinical care without any further confirmatory testing at a CLIA-certified clinical laboratory. If this is the case, the research laboratory must comply with CLIA: the laboratory has the scienter that triggers CLIA regulation. Thus, the first pathway for return of results is simply to conduct research using a CLIA-compliant laboratory. That way, if any of the research results raise clinical concerns, they can be freely repurposed for clinical use without violating CLIA, because the research laboratory already complies with CLIA. This is a pathway many research laboratories follow.
As the Academies’ Report notes, however, it is not practical or cost-effective for all research laboratories to comply with CLIA.309 When a non-CLIA research laboratory encounters a finding that raises potential clinical concerns, there are two remaining options. The second pathway for returning results is for the laboratory to arrange confirmatory testing at a CLIA-compliant laboratory before returning the results.310 This second pathway is also widely recognized.311 It ensures that information ultimately returned is from a CLIA-compliant laboratory. Here again, there is no dispute that this pathway achieves appropriate CLIA compliance. The primary objection is that it entails incremental costs for the research laboratory, contributing to the perception that returning results diverts funds from the goals of the research.312
Responsive to this concern, there is a third pathway—the clinical hand-off—which does not require confirmatory testing prior to return. Instead, the research laboratory advises the participant—or the participant’s physician, or both—that a research finding suggests a need for follow-up clinical testing and evaluation. The research laboratory is careful to communicate that the research finding is from a non-CLIA laboratory and requires clinical confirmation in a CLIA-compliant laboratory and clinical evaluation, and stresses that the research findings should not be used in clinical care without that confirmation and evaluation. The research laboratory carefully avoids rendering any diagnosis or making any treatment recommendations based on the research result, leaving that to the clinician.
According to the CMS position, all three scenarios constitute a clinical use of research data, so the third scenario, which conveys research findings to trigger a CLIA-compliant clinical evaluation, violates CLIA. This is simply incorrect. As explained earlier,313 the CLIA statute and regulations defer to state law to define the scope of clinical care. State law recognizes a distinction between referring a patient for clinical care and providing clinical care.314 Under state law, an activity is medical practice only if there is a provider–patient relationship and clinical care is taking place within the scope of that relationship.315 Physician–patient relationships are contractual in nature: “the express or implied consent of the physician is required” in order for a physician–patient relationship to come into being, and “the physician must take some affirmative action with regard to treatment of a patient for the relationship to be established.”316 Even assuming the researcher happens to be a physician, returning results for the narrow purpose of making a clinical referral does not involve the critical treatment step: “A physician-patient relationship is not established by the mere act of a physician agreeing to see a patient at a later time or suggesting that the patient contact another physician.”317 Reporting a research result for the purpose of referring a person for clinical testing and evaluation is not itself a clinical use,318 and therefore does not give rise to CLIA compliance obligations.
Thus the CLIA statute and regulations, properly understood, already allow all three pathways. It is the CMS PDF file that has gone off track. The agency—in effect—assumes that federalism does not exist and that CMS itself, rather than the states, has authority to decide what is and is not a clinical use of test results. That is incorrect. When promulgating the CLIA regulations,319 HCFA also expressed its intent “to allow States to determine who is authorized to order tests.”320 Congress has not authorized CMS to preempt state law in this area, and Congress certainly has not authorized CMS to preempt state law by posting informal PDF files.321 Under state law, it does not constitute clinical care for a non-CLIA-compliant research laboratory to provide information for the purpose of recommending follow-up clinical testing.322
B. Recommendations on Data Privacy
The Report assumes a HIPAA-CLIA regulatory conflict that does not exist and then proposes sweeping changes to the Privacy Rule to resolve the imagined conflict.323 Table 3 summarizes three of the Report’s recommendations that raise particular concerns.
Table 3.
Legally problematic privacy recommendations in the Academies’ Report324
| Rec. 12A | “[T]he Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) should define the DRS to include only individual research results generated in a CLIA-certified laboratory or under the externally accountable quality management system for research laboratories (see Recommendation 2).”325 |
| Rec. 12B | “OCR should require all HIPAA-covered entities that conduct research on human biospecimens to develop a plan that is reviewed and approved by the IRB for the release of individual research results in the designated record set to participants in a responsive manner when required under HIPAA.”326 |
| Rec. 12C | “CMS should revise CLIA regulations such that when there is a legal obligation under the HIPAA access right to return individual research results, a laboratory will not be considered in violation of CLIA and need not obtain CLIA certification before satisfying this legal obligation.”327 |
The Report’s Recommendation 12C is that “CMS should revise CLIA regulations such that when there is a legal obligation under the HIPAA access right to return individual research results, a laboratory will not be considered in violation of CLIA and need not obtain CLIA certification before satisfying this legal obligation”328 This recommendation strangely calls for CMS to amend the CLIA regulation to make the regulation say what it currently already says. A more appropriate recommendation would be for CMS to revise its PDF file to bring it into harmony with CMS’s existing CLIA regulations and with the CLIA statute.329
Recommendation 12B suggests that “OCR should require all HIPAA-covered entities that conduct research on human biospecimens to develop a plan that is reviewed and approved by the IRB for the release of individual research results in the designated record set to participants in a responsive manner when required under HIPAA.”330 This would embroil IRBs in administering the Privacy Rule and would mark a major, fundamental change to Congress’s overall scheme of federal privacy enforcement, which relies on administrative enforcement by OCR rather than on IRBs.331 HIPAA access is a legally enforceable privacy right, with only narrow grounds for a covered entity to deny a person’s request for HIPAA access.332 HHS has stated that it intends for covered entities to invoke these access exceptions “rarely, if at all.”333 IRBs are often staffed by personnel who work for the research institution that is storing people’s data and may prefer not to release it to them. The Academies’ Report emphasizes that many institutions view HIPAA’s privacy protections as costly and burdensome.334 Recommendation 12B takes a vested federal legal right and reduces it to a right that can be denied, on a case-by-case basis, based on ethical review by potentially conflicted private actors. A legal right so restricted is no longer a legal right.
Recommendation 12B also is at odds with the 2017 Common Rule revisions335 effective in January 2019.336 A major goal of the 2017 Common Rule revisions was to disentangle research safety regulation from data privacy regulation.337 The revised Common Rule focuses IRB oversight on the physical risks of research.338 The Common Rule—and its IRBs—no longer will provide oversight for HIPAA-regulated uses and disclosures of data for research, public health, and health-care operations.339 This is to avoid duplication in cases where data privacy is already protected by HIPAA.340 HHS devoted more than six years of rulemaking effort to reduce IRBs’ role in privacy oversight, for which HHS considers IRBs poorly qualified.341 The Academies’ Report recommends upending that effort and embroiling IRBs in administering the HIPAA Privacy Rule342—a role they have neither the time nor the special knowledge to fulfill.
Recommendation 12A is surpassingly problematic from a legal standpoint. It states that “the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) should define the DRS to include only individual research results generated in a CLIA-certified laboratory or under the externally accountable quality management system for research laboratories (see Recommendation 2).”343 This recommendation calls on OCR to violate three federal statutes: GINA’s privacy provisions344 and sections of the Public Health Service Act345 and the Social Security Act346 that GINA introduced. Recommendation 12A, in effect, is a call for Congress to repeal the genetic privacy protections that Congress mandated under GINA. It calls on OCR to take steps that are unlawful, unless the statutes are repealed.
It is unclear how the Academies got into this awkward position. The Academies’ Report included an appendix that discusses GINA’s antidiscrimination provisions347—a puzzling inclusion in a report about giving people their own data, because people do not discriminate against themselves. The Report never discussed GINA’s privacy provisions, which were highly pertinent to the Report’s subject matter because they shaped today’s HIPAA access right.348 By enacting GINA, Congress recognized that storing genetic information can place people’s privacy and civil rights at risk even if the information is uncertain or lacks clinical significance. The Public Health Service Act, as amended by GINA, defines “genetic information” very broadly as including all information and raw data from genetic tests conducted on an individual or the individual’s family members, including from tests conducted in research settings.349 This definition indisputably includes non-clinically-significant test results and raw data in addition to clinically significant findings.350
GINA’s Section 105 ordered HHS to place all such information under HIPAA’s privacy protections and amended the Social Security Act to include a Congressional mandate that genetic information, as defined by GINA’s broad definition, “shall be treated as health information” for purposes of the HIPAA Privacy Rule.351 Thus, Congress deemed non-clinically-significant genetic information and data to be “health information” for purposes of receiving protection under the HIPAA Privacy Rule, even though such information and data might not be regarded as “health information” in other legal contexts such as Medicare billing or state medical practice regulations.
Recommendation 12A seeks to reverse GINA’s mandate to place all “genetic information,” as defined by the Public Health Service Act, under HIPAA’s privacy protections, which include HIPAA’s access right. This is not something OCR can do through regulations. Only Congress could make such a change, which seems unlikely. GINA is recent legislation—from 2008—passed by overwhelming margins in both houses of Congress; GINA passed the Senate by a vote of 95-0352 and the House by a vote of 414-1.353 Discussion in the Senate and House before those votes confirms that Congress viewed GINA’s privacy provisions as an important element of the overall legislation.354 This dispels any suggestion that Congress somehow passed GINA’s privacy provisions inadvertently in the course of enacting GINA’s larger antidiscrimination package.355 After the House and Senate voted to enact GINA, the statute has continued to enjoy strong bipartisan support. President George W. Bush signed GINA into law in 2008,356 and the Obama administration labored from 2009 to 2014 to craft regulations to implement GINA’s genetic privacy mandate, including an individual right of access to genetic information held at HIPAA-covered laboratories. Recommendation 12A asks OCR to ignore this mandate.
A final problem is that the Report ignores HIPAA’s interaction with state privacy laws. The HIPAA Privacy Rule sets a federal floor of medical and genetic privacy protections: state laws providing “more stringent” privacy protections are not preempted by HIPAA.357 HIPAA regards a state privacy law as “more stringent” if it grants individuals greater access to their own data than the Privacy Rule provides.358 Some states provide individual access rights as part of their privacy laws,359 and a few states have passed data-ownership laws360 which, under common law principles, seemingly imply an individual right of access to the owned res (the data).
Weakening HIPAA’s access right—as the Academies’ Report recommends—would not necessarily liberate research laboratories from having to respond to individual access requests. Instead, it might increase the number of state access provisions that qualify as more stringent than HIPAA’s access right. This, in turn, could increase laboratories’ regulatory compliance burdens. Instead of a uniform, national regime of individual data access under HIPAA, laboratories might be forced to comply with a complex patchwork of un-preempted state access requirements.
C. Recommendations on the Return of Results and Data
Recommendations for return of research results have been published for twenty years, beginning with the recommendations of the presidentially appointed National Bioethics Advisory Commission in 1999.361 Remarkably, the Academies’ Report fails to consider the full set of recommendations germane to its focus,362 return of results from research involving human biospecimens. Moreover, the Report mischaracterizes the recommendations already in print. In a particularly egregious example, the Report attempts to depict its work as a rejection of past recommendations and a new effort to prioritize what research participants value:
In a notable departure from the approaches of past expert groups, the committee has chosen to deemphasize the respective influences of clinical and personal utility in decisions regarding the return of individual research results by focusing more inclusively on results that have “value to participants,” with the understanding that the value of a result from the perspective of the participant might entail either clinical utility or personal utility or both and may also arise from the result having personal meaning … .363
This characterization of past expert reports is incorrect. Multiple past expert reports have emphasized the importance of assessing the value of a result from the perspective of the participant. For example, well-known recommendations produced by an NIH-supported project group state:
We show respect for research participants’ objective welfare as well as their subjective interests by including [incidental findings] of likely health or reproductive importance to the participant… .
… [W]e define “utility” to include information that a research participant is likely to find important, even if clinicians cannot use that information to alter the participant’s clinical course … . This rejects an approach to utility grounded solely in what a clinician would find useful.364
Based on this inadequate analysis, the Report makes multiple recommendations on return of results that do not advance participants’ interests in access to results and data, but instead create roadblocks as well as raising serious legal problems. Three of the more problematic recommendations are shown in Table 4.
Table 4.
A subset of problematic recommendations on return of results in the Academies’ Report365
| Rec. 2 | NIH should lead an interagency effort … to develop an externally accountable quality management system for non-CLIA-certified research laboratories testing human biospecimens.366 |
| Rec. 3 | To provide confidence in the quality of research test results disclosed to participants, institutions and their IRBs should permit investigators to return individual research results if: A. testing is conducted in a CLIA-certified laboratory; or B. results are not intended for clinical decision making in the study protocol … and testing is conducted under the externally accountable quality management system for research laboratories once established (see Recommendation 2); or C. results are not intended for clinical decision making in the study protocol … and the IRB determines that 1. the probability of value to the participant is sufficiently high and the risks of harm are sufficiently low to warrant return; 2. the quality of the laboratory analysis is sufficient to provide confidence in the result to be returned, as determined by a review process independent of the laboratory; and 3. information will be provided to the participant(s) regarding limits on test validity and interpretation … .367 |
| Rec. 12D | CMS should revise CLIA regulations to allow research results to be returned from a non-CLIA-certified laboratory when they are not intended for clinical decision making in the study protocol … and the laboratory conducts its testing under the quality management system with external accountability or the IRB has approved the return of results (as described in Recommendation 3).368 |
Taken together, these recommendations would have the effect of reducing the return of results below levels allowed under current ethical guidelines. Recommendation 2 calls on the NIH to lead an effort to develop a “quality management system,” or QMS, for “non-CLIA-certified research laboratories testing human biospecimens.”369 The Report envisions the QMS would play a pivotal role in determining whether participants can receive return of results from non-CLIA-compliant research laboratories.370 The Report’s Recommendation 3 thus urges that research results be returned only when generated by a CLIA-compliant laboratory, produced by a laboratory that complies with a QMS that does not yet exist, or approved by an IRB.371
The Report claims to champion return of results to research participants.372 Yet Recommendation 3 creates roadblocks to return from non-CLIA laboratories. The recommendation would allow return from a non-CLIA laboratory if the laboratory complies with the QMS or if the IRB approves the return (subject to various restrictions).373 This would have the practical effect of restricting return more narrowly than current consensus guidelines allow.374 Also, it conditions return on the success of future efforts to create the QMS, which is far from assured and may take years to complete, leaving return of results from non-CLIA research laboratories in limbo. Under current guidelines, a non-CLIA research laboratory can return results subject to pathways 2 and 3 discussed above—that is, by seeking confirmation of the results to be returned at a CLIA-certified lab, or by a clinical hand-off for clinical confirmation and evaluation.375 Moreover, it is lawful to return results and data from a non-CLIA laboratory for non-clinical uses (such as to enable participants to contribute their data to other research studies). The Report suggests that these perfectly lawful and ethical current practices should be put on hold, pending implementation of the QMS or IRB approval “case-by-case.”376
In addition to creating these practical roadblocks to return of results, the Report seeks to alter the law itself. Recommendation 12D calls on CMS to “revise the CLIA regulations to allow research results to be returned from a non-CLIA-certified laboratory” if it complies with the QMS or if an “IRB has approved the return of results (as described in Recommendation 3).”377 This recommendation presents a number of legal problems.
The Report indicates that CLIA statutory amendments lay outside the committee’s statement of task.378 However, it would not be lawful for CMS to implement Recommendation 12D, unless Congress first amends the CLIA statute. CMS lacks the authority to impose requirements on research laboratories that are not currently subject to CLIA. Congress would need to amend CLIA’s jurisdictional provisions, in order for CMS to have such authority.
Moreover, CMS has no authority to rely on a QMS or IRB approval in circumstances in which CLIA compliance is already required. The QMS program in Recommendation 2 is in the nature of a “CLIA-Lite” program, designed to be less onerous for research laboratories than regular CLIA certification would be. The current CLIA statute does not recognize such an alternative: if a laboratory falls within CLIA’s jurisdiction, then the only way to comply with CLIA is to comply with CLIA. The CLIA statute envisions just two ways to comply: either obtain a CLIA certificate,379 or else meet the criteria to be CLIA-exempt.380 CLIA exemption is only available to laboratories in certain states (currently New York and Washington) that have state licensing requirements that HHS has determined are equivalent to CLIA.381 Recommendation 12D calls for CMS to create a new exemption for laboratories that comply with the QMS or follow the report’s IRB-review policies.382 CMS lacks statutory authority to create new exemptions from the CLIA statute’s compliance requirement. Only Congress can create new exemptions from CLIA’s requirement that CLIA-regulated laboratories must obtain a CLIA certificate. Once again, Recommendation 12D is not lawful without CLIA statutory amendments.
When research laboratories do provide information intended for direct use in clinical care without further confirmation, they need to comply with CLIA. CLIA-Lite compliance is insufficient to ensure patient safety in that scenario. Recommendation 12D would allow research laboratories to return research results, even for immediate use in clinical care, if they comply with the QMS system or obtain IRB approval. This would violate the current CLIA statute and set a lower standard of patient safety than is required in pathways 1-3 of the current guidelines (as all three of the currently recognized pathways would generate CLIA-compliant results before those results were used in clinical care).
Finally, the Report recommends that NIH lead development of the QMS.383 Yet this new quality system is envisioned as a massive effort to govern the conduct and quality of all research involving human biospecimens. The proposal reaches far beyond return of results and far beyond laboratories conducting NIH-funded research. The QMS and the Report’s recommended CLIA amendments would affect privately funded, commercial research laboratories as well as NIH-funded laboratories. However, the National Institutes of Health, which was a sponsor of the Report, is not the right entity to govern the laboratories whose research it funds plus competing laboratories in the private sector. NIH has an obvious conflict of interest. In addition, NIH has no authority under the current CLIA statute and regulatory scheme to govern the quality of private laboratories that receive no NIH funds and to apply a QMS as a condition of return of results. Finally, NIH is not the appropriate entity to govern consumer safety in laboratory practice, as NIH would ultimately bear the costs of imposing more stringent safety standards on its funded researchers. Congress has entrusted CMS to serve as the consumer-safety regulator.
Conclusion
Despite CMS’s menacing PDF file, some research laboratories have continued to respect the rights of research participants by providing HIPAA access and offering return of research results according to established ethical guidelines.384 This response has required three things: (1) an unwavering commitment to research participants’ rights and to strong data privacy protections; (2) courage; and (3) access to qualified legal counsel.
Agency guidance documents, such as the PDF file, have no binding legal force independent of the regulations they interpret or implement.385 A laboratory with qualified counsel would know that guidances are non-binding and is likely to know when a guidance misstates the law, as the PDF file does. This does not imply, however, that such a laboratory will necessarily resist an erroneous agency position statement. A non-binding guidance often induces “grudging compliance, ‘even when the doubts as to the lawfulness of the [guidance] are substantial.’”386 The practical reality is that even a flawed guidance document “still establishes the law for all those unwilling to pay the expense, or suffer the ill-will of challenging the agency in court.”387 When this happens, the guidance is said to be “practically binding”388 even though it is not legally binding in the sense that the agency would be able to enforce it.389
The practical binding effect of a flawed guidance, such as CMS’s PDF file, may be even more pronounced in the case of research laboratories, staffed by scientists without training in the law, who are driven by the quest for scientific truth and funded by grants that include no budget for legal counsel. Research laboratories may comply out of a mistaken belief that anything a regulator says must be the law.
One of the most unfortunate aspects of the Academies’ Report is that it undercuts the reasoned positions of laboratories that have done their homework, analyzed the law, and courageously continued to honor research participants’ rights. The Academies’ Report has exacerbated the confusion in an already confused legal landscape by reciting CMS’s position as if it were legally correct and following instructions from the study sponsors “to include in its description of the current regulatory environment for the return of individual research results the CMS’s current interpretation of the scope and applicability of CLIA.”390
We urge policymakers, investigators, and institutions to exercise extreme caution in implementing the regulatory recommendations of this Report. This Article has tried to fill some of the gaps in legal analysis that produced a set of flawed—and, in some cases, unlawful—recommendations. Further case-specific legal due diligence is advisable before acting on the regulatory recommendations of this Report.
The root causes of this problem included a flawed statement of task that misstated federal law and constrained the committee’s ability to conduct a thorough, complete, and professional legal analysis. This Report represents a rare deviation from the Academies’ usual, rigorous policies surrounding the preparation of reports. This Article strives to illuminate the root causes in the hope that shedding light on what happened might help keep it from happening again. Agreeing to abstain from analyzing a highly disputed position asserted by an agency sponsoring a committee report endangers the quality of the report, the persuasiveness of its recommendations, and ultimately the Academies’ reputation. Legal analysis, like medical and scientific analysis, demands rigor. In law, as in mathematics, Π does not equal 6.
The harm of these recommendations extends beyond the narrow context—biomedical research—on which the Academies focused their Report. In an unbroken line starting with the Fair Credit Reporting Act of 1970 and extending through GINA in 2008, Congress has consistently treated the individual right of access to one’s own data as a foundational civil right—a core privacy protection that enables people to exercise many other rights including some enjoying constitutional protection. By advancing a view that privacy rights can be discarded when they grow burdensome, costly, or detrimental to productivity, the National Academies’ Report sows confusion about what rights are and why they matter. This confusion, emanating from so respected a source, diminishes Americans’ privacy rights more generally.
A recent article on the front page of the New York Times illustrated the pivotal importance of honoring rights of access to one’s personal information. The article discussed the plight of China’s Uighurs, subjected to unconsented genetic testing as a tool of social control:
The authorities called it a free health check. Tahir Imin had his doubts. They drew blood from the 38-year-old Muslim, scanned his face, recorded his voice and took his fingerprints. They didn’t bother to check his heart or kidneys, and they rebuffed his request to see the results.
“They said, ‘You don’t have the right to ask about this … .’”391
Even in the United States, many individuals, after consenting to genomic research, still encounter barriers to seeing their test results and data. Like the Uighurs in China, they are frequently told, “You don’t have the right to ask about this.” Access to one’s own personal information is an essential right protected by multiple statutes Congress has enacted since 1970. The recent Report of the National Academies undermined rights that are protected by American law and crucial to the ethical conduct of research.
Acknowledgments
Preparation of this Article was funded by National Institutes of Health (NIH), National Human Genome Research Institute (NHGRI), National Cancer Institute (NCI) grant R01HG008605 on “LawSeqSM: Building a Sound Legal Foundation for Translating Genomics into Clinical Application.” The content is solely the responsibility of the Authors and does not necessarily represent the official views of NIH, NHGRI, NCI, or other participants in the LawSeqSM project. Professor Evans received additional funding from the University of Houston Law Foundation. Neither Author has conflicts of interest to disclose.
References
- 1.Faustian Bargain, Encyclopedia Britannica (emphasis added), https://www.britannica.com/topic/Faustian-bargain [https://perma.cc/SG95-TUM3].
- 2.See infra Section II.B.
- 3.Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C. (2012)).
- 4.See 45 C.F.R. pts. 160, 164 (2018).
- 5.See infra Section II. B.
- 6.See infra note 14.
- 7.See Reilly Philip, When Should an Investigator Share Raw Data with the Subjects?, IRB, Nov. 1980, at 4, 5. [PubMed] [Google Scholar]
- 8.See Nat’l Bioethics Advisory Comm’n, Research Involving Human Biological Materials: Ethical Issues and Policy Guidance 71–72 (1999). For discussion of subsequent consensus recommendations, see infra text accompanying note 68.
- 9.See discussion infra Section II.A.
- 10.Nat’l Acads. of Scis., Eng’g, & Med., Returning Individual Research Results to Participants: Guidance for a New Research Paradigm (Botkin Jeffrey R. et al. eds.,2018) [hereinafter Report]. [PubMed]
- 11.See History of the National Academies, Nat’l Acads. Sci., Engineering, & Med., http://www.nationalacademies.org/about/history/index.html [https://perma.cc/EA2B-PBFD].
- 12.See Lipton Jacqueline, Information Property: Rights and Responsibilities, 56 Fla. L. Rev. 135, 141 (2004) (noting that references to ownership “will likely stick” in public discourse about data privacy, because the concept of property is widely familiar to people and captures aspirations people harbor about being able to control access to their data). [Google Scholar]
- 13.See, e.g., McGuire Amy L. et al. , Who Owns the Data in a Medical Information Commons?, 47 J.L. Med. & Ethics 62, 62–63 (2019) (discussing practical and legal pros and cons of individual data ownership). [DOI] [PMC free article] [PubMed] [Google Scholar]
- 14.See, e.g., Stat Alaska. § 18.13.010(a)(2) (2018); Colo. Rev. Stat. § 10-3-1104.7(1)(a) (2018); Fla. Stat. § 760.40(2)(a) (2018); Ga. Code Ann. § 33-54-1(1) (2018); see also Seth Axelrad, State Statutes Declaring Genetic Information to be Personal Property, http://www.aslme.org/dna_04/reports/axelrad4.pdf [https://perma.cc/3DSY-NSX7] (discussing state data ownership statutes).
- 15.See, e.g., H.B. 1220, 84th Leg., Reg. Sess. (Tex. 2015); H.B. 1260, 87th Leg. Assemb., Reg. Sess. (S.D. 2012); H.B. 2110, 82d Leg., Reg. Sess. (Tex. 2011).
- 16.See, e.g., Wagner Jennifer K. & Vorhaus Dan, On Genetic Rights and States: A Look at South Dakota and Around the U.S., Privacy Rep. (Mar. 20, 2012), http://www.genomicslawreport.com/index.php/2012/03/20/on-genetic-rights-and-states-a-look-at-south-dakota-and-around-the-u-s/ [https://perma.cc/JX9U-NJ97] (discussing genetic data ownership laws). [Google Scholar]
- 17.See infra notes 125–26 and accompanying text (discussing Congress’s finding that the federal Privacy Act enables the exercise of constitutionally protected civil rights).
- 18.See Evans Barbara J., HIPAA’s Individual Right of Access to Genomic Data: Reconciling Safety and Civil Rights, 102 Am. J. Hum. Genetics 5, 5–6 (2018); [DOI] [PMC free article] [PubMed] [Google Scholar]; Hudson Kathy L. et al. , Keeping Pace with the Times—The Genetic Information Nondiscrimination Act of 2008, 358 New Eng. J. Med. 2661, 2662 (2008) (characterizing the Genetic Information Nondiscrimination Act of 2008 as civil rights legislation); [DOI] [PubMed] [Google Scholar]; see also Annas George J. et al. , GINA, Genism, and Civil Rights, 22 Bioethics ii, iii (2008) (“Senator Judd Gregg has termed GINA ‘the first civil rights bill of the 21st Century,’ a phrase often quoted by the Senate's main sponsor of the bill, Senator Olympia Snow and others, and endorsed by the American Civil Liberties Union as well.”). There is a long history of using medical research generally and genetics specifically as instruments of discrimination by race and ethnicity. See generally Dorothy Roberts, Fatal Invention: How Science, Politics, and Big Business Re-create Race in the Twenty-First Century (2012); Harriet A. Washington, Medical Apartheid: The Dark History of Medical Experimentation on Black Americans from Colonial Times to the Present (2006). For a recent report from China showing the importance of access to one’s own research data and results in order to protect against discrimination and abuse, see Sui-Lee Wee, China Uses DNA to Track Its People, With the Help of American Expertise, N.Y. Times (Feb. 21, 2019), https://www.nytimes.com/2019/02/21/business/china-xinjiang-uighur-dna-thermo-fisher.html [https://perma.cc/ASM5-8VSN]. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 19.See infra notes 125–26 and accompanying text (discussing the enacted findings of fact Congress included in the Privacy Act of 1974).
- 20.Pub. L. No. 93–579, 88 Stat. 1896 (codified as amended at 5 U.S.C. § 552a (2012)).
- 21.Pub. L. 110–233, 122 Stat. 881 (2008) (codified as amended in scattered sections of 26 & 42 U.S.C.).
- 22.See Roberts Jessica L., Progressive Genetic Ownership, 93 Notre Dame L. Rev. 1105, 1129 (2018) (tracing the history of the “bundle of sticks” characterization of the set of entitlements that ownership provides). [Google Scholar]
- 23.Evans Barbara J., Much Ado About Data Ownership, 25 Harv. J.L. & Tech. 69, 74 (2011) (noting that HIPAA’s privacy rights are “strikingly similar” to rights inherent in ownership). See generally Roberts, supra note 22 (characterizing privacy-related access rights as functionally similar to ownership interests). [Google Scholar]
- 24.As discussed above, a few states have created property rights in certain types of data such as genetic information. See, e.g., Roberts, supra note 22, at 1128 n.160 (listing five states—Alaska, Colorado, Florida, Georgia, and Louisiana that treat genetic information as the property of the person the data describe); id. at 1128 n. 161 (listing states that have considered genetic data ownership legislation); supra notes 14, 15 and accompanying text. However, many more states have rejected individual ownership of medical or genetic information in favor of creating strong individual access rights as an aspect of state privacy law. See, e.g., Individual Access to Medical Records: 50 State Comparison, Health Info. & L., www.healthinfolaw.org/comparative-analysis/individual-access-medical-records-50-state-comparison [https://perma.cc/9S33-WWUP].
- 25.See supra notes 20–24 and accompanying text.
- 26.Schwartz Paul M., Internet Privacy and the State, 32 Conn. L. Rev. 815, 820 (2000). [Google Scholar]
- 27.See, e.g., Lye Carolyn T. et al. , Assessment of U.S. Hospital Compliance with Regulations for Patients’ Requests for Medical Records, [J]AMA Network Open (Oct. 5, 2018), https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2705850 [https://perma.cc/R386-XHG6] (providing empirical data demonstrating the difficulty individuals experience exercising their HIPAA access rights); see also Steven Keating, Curiosity, Serendipity, and a Brain Tumor, MIT Tech. Rev. (Dec. 20, 2016), https://www.technologyreview.com/s/602914/curiosity-serendipity-and-a-brain-tumor/ [https://perma.cc/KG6M-MLPT] (chronicling the author’s difficulty obtaining access to his own genomic test results from research). [Google Scholar]
- 28.Report, supra note 10, at 59, 73–74, 124, 165–66.
- 29.Id. at 59.
- 30.See Inconvenient, Oxford Dictionaries, https://en.oxforddictionaries.com/definition/inconvenient [https://perma.cc/D8UA-A273] (defining “inconvenient” as “[c]ausing trouble, difficulties, or discomfort”). For an example of a regulation recognizing narrow circumstances in which access can be temporarily suspended, see 45 C.F.R. § 164.524(a)(2)(iii) (2018) (noting that there are limited circumstances in which access can be suspended—when providing research participants access to their own data and results during conduct of a clinical trial could “un-blind” the trial and invalidate the research—and providing a narrow exception allowing access to be suspended temporarily during the trial and requiring access to be reinstated once the trial is complete). However, the Report’s argument that access is burdensome and might reduce research productivity is made far more broadly than this HIPAA limited exception envisions. See Report, supra note 10, at 59, 73–74, 124, 165–66.
- 31.See, e.g., Kish Leonard J. & Topol Eric J., Unpatients—Why Patients Should Own Their Medical Data, 33 Nature Biotechnology 921, 922 (2015) (arguing that individual ownership of data would serve important interests not being served by current rights of access and control); [DOI] [PubMed] [Google Scholar]; Topol Eric J., The Big Medical Data Miss: Challenges in Establishing an Open Medical Resource, 16 Nature Revs. 253, 253 (2015) (calling for data ownership). [DOI] [PubMed] [Google Scholar]
- 32.See Report, supra note 10.
- 33.Who We Are, Nat’l Acads. Sci., Engineering, & Med., http://www.nationalacademies.org/about/whoweare/index.html [https://perma.cc/9S9P-W6RJ].
- 34.See Guidelines for the Review of Reports of the National Academies of Sciences, Engineering, and Medicine, Nat’l Acads. Sci., Engineering, & Med., http://www.nationalacademies.org/nasem/na_067075.html [https://perma.cc/VX47-QL6B] (“The rationale for any findings, conclusions, and recommendations should be fully explained in the report. This explanation might include references to the literature, analysis of data, or a description of the pros and cons of the range of alternatives and the reasons for preferring a particular option.”).
- 35.See Our Study Process, Nat’l Acads. Sci., Engineering, & Med., http://www.nationalacademies.org/nasem/na_064188.html [https://perma.cc/AL6W-GW9N].
- 36.See What We Do, Nat’l Acads. Sci., Engineering, & Med., http://www.nationalacademies.org/about/whatwedo/index.html [https://perma.cc/V4BA-N6J5].
- 37.Nat’l Acads. of Scis., Eng’g, & Med., Working with the National Academies: A Guide for Prospective Study Sponsors (n.d.), http://www.nationalacademies.org/site_assets/groups/nasite/documents/webpage/na_069619.pdf [https://perma.cc/4AR9-AUW8].
- 38.Id.
- 39.See Our Study Process, supra note 35; see also Nat’l Acads. of Scis., Eng’g, & Med., 2017 Report to Congress 59 (2017) (showing 78% federal funding of the Academies’ studies in 2017, the latest year available).
- 40.Nat’l Acads. of Scis., Eng’g, & Med., 2017 Report to Congress 59 (2017) (“Of particular concern are recommendations calling for organizational changes or budgetary increases within government agencies, for adoption of specific legislation … .”). [Google Scholar]
- 41.See Our Study Process, supra note 35.
- 42.See Model Rules of Prof’l Conduct r. 1.1, 4.1 (Am. Bar Ass’n 1983) (explaining the requirements for diligent research and accuracy in the delivery of professional legal services).
- 43.Id. at r. 5.7 (explaining professional responsibilities when delivering law-related services).
- 44.See Report, supra note 10, at 2.
- 45.Pub. L. No. 100-578, 102 Stat. 2903 (codified as amended at 42 U.S.C. § 263a (2012)).
- 46.See 42 C.F.R. pt. 493 (2018).
- 47.See Report, supra note 10, at 7–8 (conceiving “research results” broadly as including results of the research analysis, incidental or secondary findings, as well as raw data such as genomic sequences generated during a study); id. at 8 (defining individual research results as results that “are specific to one participant” as opposed—for example—to aggregate results that describe a group of study participants).
- 48.See id. at 2, 7 (providing examples of research studies that are within the Report’s scope).
- 49.See infra Parts III–V.
- 50.Report, supra note 10, at 9 (“[T]he committee was not asked to make recommendations to Congress regarding changes to the CLIA law.”). [Google Scholar]
- 51.See infra notes 370–83 and accompanying text.
- 52.See infra Part V.
- 53.See Delegation of Authority to OCR to Implement/Enforce HIPAA Privacy Rule, U.S. Dep’t of Health & Hum. Servs., https://www.hhs.gov/hipaa/for-professionals/privacy/delegation-of-authority/index.html [https://perma.cc/SQ3X-8Y3P] (citing Statement of Delegation of Authority, 65 Fed. Reg. 82,381 (Dec. 28, 2000)); see also Genetic Information Nondiscrimination Act of 2008, Pub. L. No. 110-233, § 105(b), 122 Stat. 881, 905 (delegating responsibility to implement GINA’s privacy mandate to HHS and, by implication, to OCR based on the earlier subdelegation of HHS’s HIPAA responsibilities to OCR).
- 54.45 C.F.R. pts. 160, 164 (2018).
- 55.See Report, supra note 10, at 269–70 (calling on the Office for Civil Rights (OCR) to revise its HIPAA regulations); discussion infra Section IV.B (discussing the impact of these proposed changes).
- 56.See Report, supra note 10, app. at 279–87 (not mentioning OCR as a source of input); id. app. at 289–94 (not listing OCR as having provided input during Public Sessions); id. app. at 311 n. 106 (citing a conversation with a former OCR official who was no longer employed by the agency at the time of writing, but citing no contact with currently serving OCR officials).
- 57.Id. at x.
- 58.Id.
- 59.See discussion infra Part I.
- 60.See 45 C.F.R. § 164.524 (2018) (providing an individual right to inspect and receive copies of certain data stored by HIPAA-covered facilities).
- 61.42 C.F.R. pt. 493.
- 62.See Report, supra note 10, at 1–2 (“Recent significant changes to federal regulations have promoted transparency and allowed individuals greater access to their clinical and research test results. These changes include the elimination of the laboratory exclusion from the [HIPAA] privacy rule and revisions to the Common Rule that require prospective participants to be told during the consent process whether clinically relevant individual research results will be returned. On the other hand, the Clinical Laboratory Improvement Amendments of 1988 (CLIA) bars laboratories that are not CLIA certified from reporting individual research results. This creates a dilemma … .”); id. at 28 (referring to “[t]he current absolute prohibition of the return of results from non-CLIA-certified laboratories”); id. at 250 tbl.6-2 (stating that a non-CLIA-certified laboratory has a “[l]egal obligation[]” to make “[m]andatory disclosure under HIPAA (but act of disclosure then requires laboratory to become CLIA certified”)—in other words, the required act of providing access to data under HIPAA will trigger CLIA jurisdiction for laboratories that would not otherwise be subject to the CLIA regulations). But see id. app. at 315 tbl.C-4 (including, in a similar statement by the Committee’s legal consultant, an important proviso that this statement was true “according to CMS”—a proviso that does not appear in the Report’s version of the table at 250 tbl.6-2).
- 63.See id. at 28 (referring to “[t]he current absolute prohibition of the return of results from non-CLIA-certified laboratories”).
- 64.See, e.g., 45 C.F.R. § 164.524.
- 65.Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896.
- 66.See, e.g., California Consumer Privacy Act, 2018 Cal. Legis. Serv. 3 (West) (“[I]t is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights[, including] … [t]he right of Californians to access their personal information.”); id. at 3–4 (amending Part 4 of Division 3 of the Civil Code to add § 1798.100(d), which provides individuals with a right of access to their data).
- 67.See, e.g., Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95/46/EC, art. 15, 2016 O.J. (L 119) 1, 43.
- 68.See, e.g., Nat’l Bioethics Advisory Comm’n, supra note 8 (presenting recommendations from a presidential commission); Bookman Ebony B. et al. , Reporting Genetic Results in Research Studies: Summary and Recommendations of an NHLBI Working Group, 140 Am. J. Med. Genetics Part A 1033, 1033 (2006) (presenting a set of consensus guidelines); [DOI] [PMC free article] [PubMed] [Google Scholar]; Wolf Susan M. et al. , Managing Incidental Findings in Human Subjects Research: Analysis and Recommendations, 36 J.L. Med. & Ethics 219, 219, 242 (2008) [hereinafter Wolf et al., Managing Incidental Findings in Human Subjects Research] (same); [DOI] [PMC free article] [PubMed] [Google Scholar]; Caulfield Timothy et al. , Research Ethics Recommendations for Whole-Genome Research: Consensus Statement, 6 PLoS Biology 430, 432–33 (2008) (same); [DOI] [PMC free article] [PubMed] [Google Scholar]; Fabsitz Richard R. et al. , Ethical and Practical Guidelines for Reporting Genetic Research Results to Study Participants: Updated Guidelines from a National Heart, Lung, and Blood Institute Working Group, 3 Circulation Cardiovascular Genetics 574, 574 (2010) (same); [DOI] [PMC free article] [PubMed] [Google Scholar]; Wolf Susan M. et al. , Managing Incidental Findings and Research Results in Genomic Research Involving Biobanks and Archived Data Sets, 14 Genet. Med. 361, 361, 363 (2012) [hereinafter Wolf et al., Managing Incidental Findings and Research Results in Biobanks] (same); [DOI] [PMC free article] [PubMed] [Google Scholar]; Jarvik Gail P. et al. , Return of Genomic Results to Research Participants: The Floor, the Ceiling, and the Choices in Between, 94 Am. J. Hum. Genetics 818, 818 (2014) (same); [DOI] [PMC free article] [PubMed] [Google Scholar]; Wolf Susan M. et al. , Returning a Research Participant’s Genomic Results to Relatives: Analysis and Recommendations, 43 J.L. Med. & Ethics 440, 440 (2015) [hereinafter Wolf et al., Returning Genomic Results to Relatives] (same). [DOI] [PMC free article] [PubMed] [Google Scholar]
- 69.See Wolf Susan M. & Evans Barbara J., Return of Results and Data to Study Participants, 362 Sci. 159, 160 (2018) [hereinafter Wolf & Evans, Return of Results]’, [DOI] [PubMed] [Google Scholar]; Wolf Susan M. & Evans Barbara J., Defending the Return of Results and Data, 362 Sci. 1255, 1256 (2018) [hereinafter Wolf & Evans, Defending Return of Results], [DOI] [PubMed] [Google Scholar]
- 70.Report, supra note 10, at 269. [Google Scholar]
- 71.See supra note 1 and accompanying text.
- 72.See Our Study Process, supra note 35.
- 73.Report, supra note 10, at 5 box S-2 (reciting the Report’s statement of task).
- 74.Ctrs. for Medicare & Medicaid Servs., Research Testing and Clinical Laboratory Improvement Amendments of 1988 (CLIA) Regulations, U.S. Dep’t of Health & Hum. Servs., https://www.cms.gov/Regulations-and-Guidance/Legislation/CLIA/Downloads/Research-Testing-and-CLIA.pdf [https://perma.cc/9XBH-SUXP].
- 75.Clinical Laboratory Improvement Amendments (CLIA), Ctrs. for Medicare & Medicaid Servs., https://www.cms.gov/Regulations-and-Guidance/Legislation/CLIA/index.html?redirect=/CLIA/ [https://perma.cc/9ENV-ZNZL].
- 76.See Ctrs. for Medicare & Medicaid Servs., supra note 74. [Google Scholar]
- 77.This Article uses the term “CLIA-compliant” to refer, jointly, to two types of laboratories: (1) laboratories that comply with CLIA by obtaining a CLIA certificate (CLIA-certified laboratories), and (2) laboratories that are CLIA-exempt as a result of being licensed by a state whose laboratory requirements CMS has determined are equal to or more stringent than CLIA’s requirements, and the state licensure program has been approved by CMS. Two states—New York and Washington—currently meet those conditions. List of Exempt States Under the Clinical Laboratory Improvement Amendments (CLIA), Ctrs. for Medicare & Medicaid Servs., https://www.cms.gov/Regulations-and-Guidance/Legislation/CLIA/Downloads/ExemptStatesList.pdf [https://perma.cc/2G59-HW5G]. CLIA-exempt laboratories comply with CLIA by complying with their relevant state-licensing requirements. See id.
- 78.Report, supra note 10, at 28 (“CMS’s interpretation of CLIA blocks any laboratory from returning a test result if the laboratory is not CLIA certified … .”). [Google Scholar]
- 79.See Regulations Implementing the Clinical Laboratory Improvement Amendments of 1988 (CLIA), 57 Fed. Reg. 7002, 7011 (Feb. 28, 1992) (to be codified in scattered sections of 42 C.F.R.) (determining, in a notice and comment proceeding conducted by the Health Care Financing Administration (HCFA), which was the former name for the agency now known as CMS, that “CLIA clearly defines the type of facility subject to regulation”).
- 80.42 U.S.C. § 263a(a) (2012).
- 81.See discussion infra Parts III and IV; see also Sec’y’s Advisory Comm. on Human Research Prots., Attachment C: Return of Individual Results and Special Consideration of Issues Arising from Amendments of HIPAA and CLIA, HHS.gov, www.hhs.gov/ohrp/sachrp-committee/recommendations/2015-september-28-attachment-c/index.html [https://perma.cc/KJ26-CL5C] (finding the CMS position “at odds with the plain language of the [CLIA] regulation”).
- 82.See Stinson v. United States, 508 U.S 36, 45 (1993) (“As we have often stated, provided an agency’s interpretation of its own regulations does not violate the Constitution or a federal statute, it must be given ‘controlling weight unless it is plainly erroneous or inconsistent with the regulation.’” (quoting Bowles v. Seminole Rock & Sand Co., 325 U.S. 410, 414 (1945))); see also 1 Richard J. Pierce, Jr., Administrative Law Treatise § 6.4 (5th ed. 2010) (“Stinson is consistent with many opinions issued both before and after Stinson.”). [Google Scholar]
- 83.See Report, supra note 10, at 9 (noting that legal scholars question this interpretation). [Google Scholar]
- 84.Id. at 7 box S-2 (quoting the statement of task).
- 85.Id. at 9 (“[T]he committee was advised that making any comments, analysis, or conclusions regarding the appropriateness of that [CMS] interpretation would be beyond what was intended in the Statement of Task.”).
- 86.Id.
- 87.See supra note 62 and accompanying text.
- 88.See Purewal Sarah Jacobsson, A Brief History of Pi, PCWorld (Mar. 13, 2013, 3:28 PM), https://www.pcworld.com/article/191389/a-brief-history-of-pi.html [https://perma.cc/F88A-47CA] (explaining that Pi, also denoted Π, is the ratio of a circle’s circumference to its diameter).
- 89.Report, supra note 10, at 9. [Google Scholar]
- 90.Id.
- 91.Id.
- 92.See, e.g., Hayes Chris, Chris Hayes Reviews Michiko Kakutani’s Book about our Post-Truth Era, N.Y. Times; (July 18, 2018), https://www.nytimes.com/2018/07/18/books/review/michiko-kakutani-death-of-truth.html [https://perma.cc/GN9X-MDA3]. [Google Scholar]
- 93.See Nat’l Acads. of Scis., Eng’g, & Med., Getting to Know the Committee Process 5 (2005), http://www.nationalacademies.org/site_assets/groups/nasite/documents/webpage/na_069620.pdf [https://perma.cc/JMN2-8WA6] (“The charge to the committee—developed before committee members are selected—is the formal statement of the questions to be addressed by the study. This statement defines the study’s scope and issues to be examined. If a committee finds in the course of its work that this description is inadequate, the charge can be formally modified through petition to the Executive Committee of the National Research Council’s Governing Board.”). [Google Scholar]
- 94.Report, supra note 10, at 9 (noting that there was legal controversy). [Google Scholar]
- 95.See 45 C.F.R. § 164.524 (2018) (providing individuals a right of access to certain information about themselves stored at HIPAA-covered facilities).
- 96.See Report supra note 10, at 28; see infra this Part (discussing the breadth of access under HIPAA’s access right). [Google Scholar]
- 97.Incidental or secondary findings are generally understood as findings from research that have potential clinical or reproductive relevance to the individual but are beyond the scope of the research aims. Wolf et al. , Managing Incidental Findings in Human Subjects Research, supra note 68, at 219. Secondary findings may be deliberately sought, while incidental findings typically are not. See Presidential Comm’n for the Study of Bioethical Issues, Anticipate and Communicate: Ethical Management of Incidental and Secondary Findings in the Clinical, Research, and Direct-to-Consumer Contexts 25–28 (2013), https://bioethicsarchive.georgetown.edu/pcsbi/sites/default/files/FINALAnticipateCommunicate_PCSBI_0.pdf [https://perma.cc/5J6A-S3DC]. Some commentators use the two terms interchangeably. See Medically Actionable Secondary or Incidental Results, CSER, https://www.ashg.org/education/csertoolkit/medicallyactionable.html [https://perma.cc/7F5P-8RGM]. [Google Scholar]
- 98.See, e.g., Nat’l Bioethics Advisory Comm’n, supra note 8; [Google Scholar]; Reilly, supra note 7; sources cited supra note 68 (citing additional guidelines). [Google Scholar]
- 99.See sources cited supra note 68.
- 100.For discussion of the ethical bases of return of research results and incidental or secondary findings, see, for example, Wolf et al., Managing Incidental Findings in Human Subjects Research, supra note 68, at 227–33 and Wolf et al., Managing Incidental Findings and Research Results in Biobanks, supra note 68, at 367–69. The Academies’ Report includes an Appendix D addressing the ethical bases for return of results. Report, supra note 10,app. at 339–56. Unfortunately, the Appendix evaluates that literature by asking whether it supports claims that the literature does not actually aim to support. For example, the Appendix says, “the focus here is limited to a narrow, fundamental question: When, if ever, is returning results … morally imperative for all human subjects research … ?” Id. app. at 340. However, the literature on return of results and incidental or secondary findings generally focuses on when results should, may, or should not be returned—not on whether they must be returned, much less across all human subjects research. See, e.g., Wolf et al. , Managing Incidental Findings in Human Subjects Research, supra note 68, at 219–20; [Google Scholar]; Fabsitz et al. , supra note 68; [Google Scholar]; Wolf et al. , Returning Genomic Results to Relatives, supra note 68. [Google Scholar]
- 101.See, e.g., Wolf Susan M. et al. , The Law of Incidental Findings in Human Subjects Research: Establishing Researchers’ Duties, 36 J.L. Med. & Ethics 361, 366 (2008); [DOI] [PMC free article] [PubMed] [Google Scholar]; Wolf et al. , Managing Incidental Findings in Human Subjects Research, supra note 68, at 227. [Google Scholar]
- 102.See Wolf et al. , Managing Incidental Findings and Research Results in Biobanks, supra note 68, at 227–28 (quoting 45 C.F.R. § 46.116 (2007); and also quoting 21 C.F.R. § 50.25(b)(5) (2007)). These provisions remain operative. [Google Scholar]
- 103.See Clayton Ellen Wright & McGuire Amy L., The Legal Risks of Returning Results of Genomics Research, 14 Genetics Med. 473, 475 (2012); [DOI] [PMC free article] [PubMed] [Google Scholar]; Pike Elizabeth R. et al. , Finding Fault? Exploring Legal Duties to Return Incidental Findings in Genomic Research, 102 Geo. L. J. 795, 795 (2014); [PMC free article] [PubMed] [Google Scholar]; Wolf et al. , Managing Incidental Findings and Research Results in Biobanks, supra note 68, at 219; [Google Scholar]; Wolf et al. , supra note 101, at 362; [Google Scholar]; Wolf Susan M., The Role of Law in the Debate over Return of Research Results and Incidental Findings: The Challenge of Developing Law for Translational Science, 13 Minn. J.L. Sci. & Tech. 435, 435–37 (2012) [hereinafter Wolf, The Role of Law]. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 104.See Jarvik et al. , supra note 68, at 818 (discussing research use of genome sequencing). [Google Scholar]
- 105.See U.S. Dep’t of Health & Human Servs., Secretary’s Advisory Committee on Human Research Protections (SACHRP Day 2), NIH.gov (May 26, 2017, 8:30 AM), https://videocast.nih.gov/PastEvents.asp?c=111 [https://perma.cc/6LVP-K5W7] (noting the potential for X-rays and MRIs to produce incidental findings during research).
- 106.See Report, supra note 10, at 60–61 (noting that “it might be argued that the research team has a ‘duty to warn’ or ‘duty to rescue’ the participant as he or she is in a position to prevent serious harm at little or no personal cost and the participant might otherwise not discover the condition in time,” and commenting that these duties “were originally legal concepts … and they are now also seen as referring to an ethical obligation” (footnotes omitted)); see also sources cited supra note 103. [Google Scholar]
- 107.See, e.g., Wolf, The Role of Law, supra note 103, at 435–37 (noting concerns about potential liability for failure to return results); [Google Scholar]; Clayton & McGuire, supra note 103, at 475 (noting concerns, despite the absence of statutory duties to return research results and a lack of lawsuits to date that found a tort duty to return such results). [Google Scholar]
- 108.See, e.g., Wolf et al. , Managing Incidental in Human Subjects Research, supra note 68, at 235 tbl.5; [Google Scholar]; Fabsitz et al. , supra note 68, at 576; [Google Scholar]; Wolf et al. , Managing Incidental Findings and Research Results in Biobanks, supra note 68, at 372 tbl.4; [Google Scholar]; Jarvik et al. , supra note 68, at 823. [Google Scholar]
- 109.See Sec’y’s Advisory Comm. on Genetic Testing, Enhancing the Oversight of Genetic Tests: Recommendations of the SACGT 15 (2000) (defining analytical validity as how accurately and consistently a test measures the property or characteristic it is intended to measure).
- 110.Id. at 15 n.11 (defining “clinical validity” as how well the test results correlate to the presence or absence of a clinical condition or predisposition).
- 111.Id. at 15 n. 12 (defining “clinical utility” in terms of whether a test provides information that has value in identifying effective treatment or preventive strategies).
- 112.See Fabsitz et al. , supra note 68, at 575 (“Actionable means that disclosure has the potential to lead to an improved health outcome; there must be established therapeutic or preventive interventions available or other available actions that may change the course of the disease.”). [Google Scholar]
- 113.See, e.g., Holm Ingrid A. & Taylor Patrick L., The Informed Cohort Oversight Board: From Values to Architecture, 13 Minn. J.L. Sci. & Tech. 669, 676 (2012) (supporting disclosure of information even if its clinical significance is uncertain but requiring that it be analytically valid); [PMC free article] [PubMed] [Google Scholar]; Wolf et al. , Managing Incidental Findings and Research Results in Biobanks, supra note 68, at 231 (noting that some definitions of “clinical utility” focus narrowly on health outcomes while others recognize utility if results are important to the individuals and families involved); Sec’y’s Advisory Comm. on Human Research Prots., Attachment B: Return of Individual Research Results, HHS.gov, https://www.hhs.gov/ohrp/sachrp-committee/recommendations/attachment-b-return-individual-research-results/index.html [https://perma.cc/2X73-M5Z4] (last reviewed July 21, 2016) (defining “individual research results” broadly to include information that may have no clinical or reproductive significance) (“SACHRP would like to stress that the individual results do not have to be of clinical value to the subjects in order for return to be considered. Even if the results are not clinically relevant, the pure intellectual curiosity of the subjects is sufficient reason to return the results absent other reasons not to return them.”). [Google Scholar]
- 114.See, e.g., Evans Barbara J. et al. , Regulatory Changes Raise Troubling Questions for Genomic Testing, 16 Genet. Med. 799, 799–803 (2014) (discussing the individual right of access to one’s own data and implications for return of results); [DOI] [PMC free article] [PubMed] [Google Scholar]; Lunshof Jeantine E. et al. , Raw Personal Data: Providing Access, 343 Sci. 373, 373 (2014) (“The possibility for research participants to access their raw data is a basic requirement for a just and reciprocal relationship … .”); Adrian Thorogood et al., APPLaUD: Access for Patients and Participants to Individual Level Uninterpreted Genomic Data, Hum. Genomics (2018), https://humgenomics.biomedcentral.com/track/pdf/10.1186/s40246-018-0139-5 [https://perma.cc/37NV-D6FQ] (supporting “a default right of participants to access their own individual-level genomic data upon request”). [Google Scholar]
- 115.Wolf & Evans, Return, supra note 69, at 159. [Google Scholar]
- 116.See, e.g., Parker Lisa S., Returning Individual Research Results: What Role Should People’s Preferences Play?, 13 Minn. J.L. Sci. & Tech. 449, 456 (2012) (“What appears rather consistent across most of these studies is the finding that a substantial proportion of people express a desire for receiving research results.”) and [Google Scholar]; see Bollinger Juli et al. , Public Preferences Regarding the Return of Individual Genetic Research Results: Findings from a Qualitative Focus Group Study, 14 Genet. Med. 451 (2012) (articulating the interests served by individual access to results and data); [DOI] [PMC free article] [PubMed] [Google Scholar]; Thorogood Adrian et al. , APPLaUD: Access for Patients and Participants to Individual Level Uninterpreted Genomic Data, 12 Hum. Genom. 7 (2018) (articulating the same); [DOI] [PMC free article] [PubMed] [Google Scholar]; Ohayon Jennifer L. et al. , Researcher and Institutional Review Board Perspectives on the Benefits and Challenges of Reporting Back Biomonitoring and Environmental Exposure Results, 153 Environ. Res. 140 (2017) (articulating the same). [DOI] [PMC free article] [PubMed] [Google Scholar]
- 117.45 C.F.R. pts. 160, 164 (2018).
- 118.See generally Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,462 (Dec. 28, 2000) (to be codified at 45 C.F.R. pts. 160, 164) (promulgating the HIPAA Privacy Rule and including the access right at 45 C.F.R. § 164.524).
- 119.45 C.F.R. § 164.524.
- 120.See Evans Barbara J., The Genetic Information Nondiscrimination Act at Age 10: GINA’s Controversial Assertion that Data Transparency Protects Privacy and Civil Rights, 60 Wm. & Mary L. Rev. 2017, 2067–68 (2019) (providing a detailed review of the relevant government documents and advisory reports, and tracing the regulatory history of these restrictions). [PMC free article] [PubMed] [Google Scholar]
- 121.CLIA Program and HIPAA Privacy Rule, 79 Fed. Reg. 7290, 7290 (Feb. 6, 2014) (to be codified at 42 C.F.R. pt. 493, 45 C.F.R. pt. 164).
- 122.Id.
- 123.See, e.g., Fair Credit Reporting Act of 1970, Pub. L. No. 90-321, 84 Stat. 1128 (codified as amended at 15 U.S.C. § 1681 (2012)) (authorizing the collection and storage of people’s financial and credit data without their consent to facilitate a well-functioning credit market and, in return, granting individuals specific civil rights including a right of access to their data); see also U.S. Dep’t of Health, Educ., & Welfare, Pub. No. (OS) 73-94, Report of the Secretary’s Advisory Committee on Automated Personal Data Systems: Records, Computers, and the Rights of Citizens xx (1973) (announcing an influential Code of Fair Information Practices (FIPs) based on five principles, one of which is that “[t]here must be a way for an individual to find out what information about him is in a record and how it is used”); Fred H. Cate, The Failure of Fair Information Practice Principles, in Consumer Protection in the Age of the ‘Information Economy’ 343, 345–46 (Jane K. Winn ed., 2006) (tracing subsequent development of FIPs, including access rights, after the 1973 HEW Code of FIPs); Privacy Act of 1974, Pub. L. No. 89-554, 80 Stat. 383 (1966) (codified as amended at 5 U.S.C. §§ 552(a), (d) (2012)) (providing an individual right of access to data held in governmental databases, including governmentally held Medicare data); Privacy Prot. Study Comm’n, Personal Privacy in an Information Society 67 (1977) (treating individual access rights as a core privacy protection in a Privacy Act-commissioned report that heavily influenced the subsequent development of the HIPAA Privacy Rule); U.S. Dep’t of Health & Human Servs., Confidentiality of Individually Identifiable Health Information: Recommendations of the Secretary of Health and Human Services, Pursuant to Section 264 of the Health Insurance Portability and Accountability Act of 1996 (Sept. 11, 1997), https://aspe.hhs.gov/report/confidentiality-individually-identifiable-health-information [https://perma.cc/2V9X-XFAV] [hereinafter HHS, HIPAA Recommendations] (citing the Privacy Protection Study Commission’s Report and calling for individual access rights in the report to Congress that set the roadmap for the HIPAA Privacy Rule).
- 124.See, e.g., Minn. Stat. § 13.04(3) (2018); Assemb. B. No. 375, 2018 Assemb., Reg. Sess. (Cal. 2018).
- 125.See 5 U.S.C. § 552a note (2012) (“The Congress finds that … [t]he right to privacy is a personal and fundamental right protected by the Constitution of the United States[,] and … it is necessary and proper for the Congress to regulate the collection, maintenance, use, and dissemination of information … .”).
- 126.Id. (including, as a core element of data privacy protection, safeguards that “permit an individual to gain access to information pertaining to him … to have a copy made of all or any portion thereof, and to correct or amend such records”).
- 127.See Faigman David L., Constitutional Fictions: A Unified Theory of Constitutional Facts 129 (2008) (pointing out that Congressional findings of fact can include facts about the law); [Google Scholar]; Araiza William D., Deference to Congressional Fact-Finding in Rights-Enforcing and Rights-Limiting Legislation, 88 N.Y.U. L. Rev. 878, 881–82 (2013) (discussing enacted Congressional findings of legal fact, such as the ones in the Privacy Act, and noting that while such findings are not, strictly speaking, binding on the courts, courts do give some weight to them and tend to give more weight to congressional findings that expand individual rights, as the Privacy Act findings do, than to those that reduce people’s rights). [Google Scholar]
- 128.5 U.S.C. §§ 552(a), (d).
- 129.See generally Privacy Prot. Study Comm’n, supra note 123 (providing a set of recommendations, commissioned by Congress, for protecting individuals’ data privacy in the post-1970s information economy).
- 130.See Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C. (2012)).
- 131.Id. § 264(b).
- 132.See HHS, HIPAA Recommendations, supra note 123. [Google Scholar]
- 133.See generally Report, supra note 10, at 59–92 (discussing the return of individual research results). [Google Scholar]
- 134.See id. at 60–61.
- 135.See Privacy Prot. Study Comm’n, supra note 123, at 3; [Google Scholar]; HHS, HIPAA Recommendations, supra note 123. [Google Scholar]
- 136.See Evans, supra note 120, at 2055 (providing a detailed review of the relevant government documents and advisory reports). [Google Scholar]
- 137.Id. at 2056–57.
- 138.Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59,918, 59,980 (proposed Nov. 3, 1999) (to be codified at 45 C.F.R. pts. 160, 164) (noting, in the preamble to the proposed Privacy Rule, that the right to inspect and copy one’s data “is a fundamental aspect of protecting privacy”).
- 139.See Kolata Gina & Murphy Heather, The Golden State Killer is Tracked Through a Thicket of DNA, and Experts Shudder, N.Y. Times; (Apr. 27, 2018), https://www.nytimes.com/2018/04/27/health/dna-privacy-golden-state-killer-genealogy.html [https://perma.cc/YUY9-4H4W]. [Google Scholar]
- 140.See HHS, HIPAA Recommendations, supra note 123. [Google Scholar]
- 141.Id.
- 142.See 45 C.F.R. pt. 46, subpart A.
- 143.Cf. id. (providing no individual right of access to one’s own data under the Common Rule). Revisions to the Common Rule that went into effect on January 21, 2019 exacerbate this problem by allowing for “broad consent” to secondary uses, so that individuals may not know the content of their dataset released for secondary uses or the uses to which those data will be put. 45 C.F.R. § 46.116(a), (d) (allowing broad consent to be obtained in lieu of traditional informed consent).
- 144.45 C.F.R. § 164.524(a)
- 145.Id.
- 146.See 45 C.F.R. § 164.501 (“Designated record set means: (1) A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.”); see also id. § 160.103 (treating genetic information as health information for purposes of the Privacy Rule); id. § 164.501 (“[T]he term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.”). The content of a person’s DRS may vary from one HIPAA-covered entity to the next; for example, the person’s primary care physician may have different records on file than does a hospital or laboratory with which the person has done business. The person’s DRS, at a given HIPAA-covered facility, consists of records that that facility maintains about the individual, so long as the records fall within the definition of “designated record set.”
- 147.Id. § 164.501.
- 148.See Evans et al. , supra note 114, at 800 (relying on guidance HHS provided in the preamble to the rulemaking that initially implemented HIPAA’s access right at 45 C.F.R. § 164.524). [Google Scholar]
- 149.Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524, HHS.gov, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html [https://perma.cc/9S7L-3QEP] (last updated Feb. 25, 2016).
- 150.Id.
- 151.Id.
- 152.See supra Section III. A; see also Wolf Susan M., Return of Individual Research Results and Incidental Findings: Facing the Challenges of Translational Science, Annu. Rev. Genom. Hum. Genet. 557, 561, 573 (2013) (“Return of results is the next frontier in the challenge of treating those people whose data and specimens make research possible as … . indispensable partners in the research enterprise and people with a real stake in learning individual findings of significance.”). [DOI] [PMC free article] [PubMed] [Google Scholar]
- 153.See Evans et al. , supra note 114, at 801 (explaining situations in which research laboratories may become HIPAA-covered entities). [Google Scholar]
- 154.See 45 C.F.R. § 164.501 (2018) (providing the definition of a DRS).
- 155.See id. § 164.524(a)(2)(iii); see also Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524, supra note 149 (summarizing this exception as allowing access to be delayed if the requested information is “in a designated record set that is part of a research study that includes treatment (e.g., clinical trial) and is still in progress, provided the individual agreed to the temporary suspension of access when consenting to participate in the research”).
- 156.An example would be a placebo-controlled randomized clinical trial, in which participants learning during data collection whether they are in the placebo arm of the trial could invalidate the results.
- 157.45 C.F.R. § 164.524(a)(2)(iii).
- 158.Id.
- 159.See discussion supra Section II. A (noting, for example, that there is a category of results that “may” be returned, which leaves decisions to the investigator’s or institution’s discretion).
- 160.See 45 C.F.R. §§ 164.524(a)(2), (3) (enumerating non-reviewable and reviewable grounds for denial of access).
- 161.See id. § 164.524(b)(2) (providing for access within 30 days, with up to one thirty-day extension possible if the covered entity provides a written explanation).
- 162.See Sebelius v. Uplift Med., PC, No. RWT 11CV2168, 2012 WL 8251345, at *1, *4 (D. Md. Aug. 30, 2012) (enforcing civil fines of $4.3 million for denial of timely HIPAA access by forty-one patients, or approximately $100,000 per denied patient).
- 163.See, e.g., Wolf, supra note 152, at 558. [Google Scholar]
- 164.45 C.F.R. § 164.512(i).
- 165.See Report, supra note 10, at 195 (discussing the importance of communications with persons receiving return of results and providing examples of some of the practices that researchers and institutions have followed). [Google Scholar]
- 166.Id. at 59.
- 167.See CLIA Program and HIPAA Privacy Rule, 79 Fed. Reg. 7290, 7293 (Feb. 6, 2014) (to be codified at 42 C.F.R. pt. 493, 45 C.F.R. pt. 164) (“Finally, we clarify that this final rule does not require that laboratories interpret test results for patients. Patients merely have the right to inspect and receive a copy of their completed test reports and other individually identifiable health information maintained in a designated record set by a HIPAA-covered laboratory.”).
- 168.45 C.F.R. § 164.524(c)(4).
- 169.Id.; see also id. § 164.524(c)(3)(ii).
- 170.See CLIA Program and HIPAA Privacy Rule, 79 Fed. Reg. at 7293.
- 171.See 45 C.F.R. § 164.524.
- 172.See 42 C.F.R. pt. 493; see also Report, supra note 10, at 2 (saying that recent changes to the HIPAA Privacy Rule expanded individuals’ access to their clinical and research test results, but that CLIA “bars laboratories that are not CLIA certified from reporting individual research results,” creating a “dilemma”). [Google Scholar]
- 173.See sources cited supra note 62.
- 174.Ctrs. for Medicare & Medicaid Servs., supra note 74. [Google Scholar]
- 175.See discussion infra Sections IV.B, IV.C.
- 176.See Administrative Procedure Act (APA), Pub. L. No. 89-554, 80 Stat. 383 (1946) (codified as amended in scattered sections of 5 U.S.C.) (providing an exception, at 5 U.S.C. § 553(b)(3)(A), to the APA’s notice-and-comment requirement when agencies issue “[interpretive] rules, general statements of policy, rules of agency organization, procedure, or practice,” which scholars refer to collectively as non-legislative rules). This exception applies unless another statute, such as the agency’s enabling statute, provides otherwise. 5 U.S.C. § 553(b)(3).
- 177.Id.
- 178.See Croston Sean, Recent Development, The Petition is Mightier than the Sword: Rediscovering an Old Weapon in the Battles Over ‘Regulation by Guidance,’ 63 Admin. L. Rev. 381, 382 (2011) (defining “guidance documents” as “those official ‘statement[s] of general applicability and future effect, other than [regulations]’ that set forth ‘a policy on a statutory, regulatory, or technical issue or an interpretation of a statutory or regulatory issue” (alterations in original) (quoting The Office of Management and Budget, Final Bulletin for Agency Good Guidance Practices, 72 Fed. Reg. 3432, 3434 (Jan. 25, 2007) (drawing on the Administrative Procedure Act’s definition of a “rule” at 5 U.S.C. 551(4) in developing this definition)); see also Mark Seidenfeld, Substituting Substantive for Procedural Review of Guidance Documents, 90 Tex. L. Rev. 331, 334 n.14 (2011) (using “guidance documents” to refer collectively to policy statements and interpretive rules). [Google Scholar]
- 179.5 U.S.C. § 553(b), (c) (2012) (requiring that agencies issuing new legislative rules—such as a new regulation or an amendment to an existing one—must follow notice and public comment procedures and publish the rule in the Federal Register at least 30 days before it takes effect).
- 180.Administrative Procedure Act (APA), Pub. L. No. 79-404, 60 Stat. 237 (1946) (codified as amended in scattered sections of 5 U.S.C.).
- 181.See 5 U.S.C. § 704 (providing for review of “final agency action”).
- 182.Mendelson Nina A., Regulatory Beneficiaries and Informal Agency Policymaking, 92 Cornell L. Rev. 397, 411–12 (2007). [PubMed] [Google Scholar]
- 183.See, e.g., Appalachian Power Co. v. EPA, 208 F.3d 1015, 1023, 1028 (D.C. Cir. 2000) (voiding an agency’s guidance document on the basis that the guidance amounted to a regulatory revision that should have been promulgated according to notice-and-comment procedures).
- 184.519 U.S. 452 (1997).
- 185.Id. at 461.
- 186.See, e.g., Report, supra note 10, at 46, 103, 124 (treating the PDF position as an agency “interpretation” of the CLIA regulations). [Google Scholar]
- 187.Id. at 46.
- 188.See Clinical Laboratory Improvement Amendments of 1988, Pub. L. No. 100-578, 102 Stat. 2903 (codified as amended at 42 U.S.C. § 263a (2012)).
- 189.Pub. L. No. 90-174, 81 Stat. 536 (current version at 42 U.S.C. § 263(a)).
- 190.See 113 Cong. Rec. 26,006 (1967) (statement of Rep. Harley O. Staggers).
- 191.42 U.S.C. § 263a(a).
- 192.Id.
- 193.Id.; see also 81 Stat. 536 (showing the language of the 1967 version of 42 U.S.C. § 263a(a), which was the same as the current jurisdictional provision, except that it used the term “health of, man” instead of the more modern “health of human beings”).
- 194.42 U.S.C. § 263a(a).
- 195.Id. (emphasis added); see also 42 C.F.R. §§ 493.1, 493.2 (2018) (applying the CLIA regulations to facilities that meet the definition of “laboratory” set out in 42 U.S.C. § 263a(a)).
- 196.42 U.S.C. § 263a(a) (emphasis added).
- 197.Antonin Scalia & Bryan A. Garner, Reading Law: The Interpretation of Legal Texts 69 (2012) (describing the “Ordinary-Meaning Canon” which provides that “[w]ords are to be understood in their ordinary, everyday meanings—unless the context indicates that they bear a technical sense” (emphasis omitted)).
- 198.See For, Merriam Webster Dictionary, https://www.merriam-webster.com/dictionary/for (stating, as the primary definition of the word “for”: “la—used as a function word to indicate purpose” and “b—used as a function word to indicate an intended goal”).
- 199.CLIA’s focus on the laboratory’s intent, unsurprisingly, is reminiscent of the approach Congress followed when defining the Food and Drug Administration’s (FDA’s) jurisdiction to regulate drugs and medical devices. See 21 U.S.C. § 321(g)(1) (2012) (defining “drugs” that FDA has jurisdiction to regulate); id. § 321(h) (defining FDA-regulated devices, including diagnostic devices). These statutes base FDA’s jurisdiction on the manufacturer’s intended use of the products. A laboratory’s purpose or intent may seem like interior, psychological phenomena that would be hard for a regulator to infer, but U.S. federal agencies routinely draw such inferences in their day-to-day decision-making, based on objective facts such as what the regulated party did and said and the circumstances in which they acted. See, e.g., 21 C.F.R. § 801.4 (listing objective data FDA considers in inferring whether a device is “intended” for clinical use).
- 200.Pub. L. No. 75-717, 52 Stat. 1040 (codified as amended at 21 U.S.C. §§ 1–2252 (2012)); see Hoffman Joel E., Administrative Procedures of the Food and Drug Administration, in 2 Fundamentals of Law and Regulation: An In-Depth Look at Therapeutic Products 13, 17–24 (David G. Adams et al. eds., 1999) (discussing the legislative debate in the late 1930s); [Google Scholar]; see also Legal Status of Approved Labeling for Prescription Drugs, 37 Fed. Reg 16,455, 16,503 (Aug. 15, 1972) (to be codified at 21 C.F.R. pt. 130) (discussing, in the preamble to a proposed rulemaking, Congress’s legislative intent in passing the Food, Drug, and Cosmetic Act). [Google Scholar]
- 201.Pub. L. No. 111-148, 124 Stat. 119 (2010) (codified as amended in scattered sections of 42 U.S.C.).
- 202.See Adams David G., The Food and Drug Administration’s Regulation of Health Care Professionals, in 2 Fundamentals of Law and Regulation, supra note 200, at 423 (noting that FDA, as a matter of policy, “has traditionally taken the position that it does not regulate the practice of medicine or pharmacy and has generally avoided regulatory actions that would directly restrict or interfere with professional service to patients.”). [Google Scholar]
- 203.46 Am. Jur. 2d Existence of Physician and Patient Relationship §§ 3, 5, 6, 9 (2019); see also Blake Patrick D., Note, Redefining Physicians ‘ Duties: An Argument for Eliminating the Physician-Patient Relationship Requirement in Actions for Medical Malpractice, 40 Ga. L. Rev. 573, 601 (2006). [Google Scholar]
- 204.Health Care Finance Administration, Preamble to revised final CLIA regulations, 58 Fed. Reg. 5,215, 5,218–19 (Jan. 19, 1993).
- 205.42 U.S.C. § 263a(a) (2012).
- 206.Id.; see also 42 C.F.R. § 493.2 (2018) (adopting the same definition in the CLIA regulations).
- 207.See supra note 77 and accompanying text.
- 208.See, e.g., Report, supra note 10, at 316. [Google Scholar]
- 209.See Scalia & Garner, supra note 197, at 397 (criticizing the mistaken view that “[t]he statute is not the law, but only evidence of it”). [Google Scholar]
- 210.See, e.g., Coxe Pennington v., 6 U.S 33, 52 (1804) (“That a law is the best expositor of itself.”). [Google Scholar]
- 211.See, e.g., Report, supra note 10, at 7 box S-2 (quoting the Report’S SOT, which provides that “[t]he committee will also not provide any legal interpretation or analysis regarding the scope or applicability of CLIA”). [Google Scholar]
- 212.See Regulations Implementing the Clinical Laboratory Improvement Amendments of 1988 (CLIA), 57 Fed. Reg. 7,002, 7,002–16 (Feb. 28, 1992) (codified in scattered sections of 42 C.F.R.).
- 213.See supra note 190 and accompanying text.
- 214.See Regulations Implementing the Clinical Laboratory Improvement Amendments of 1988 (CLIA), 55 Fed. Reg. 20,896, 20,917 (proposed May 21, 1990) (codified as amended at 42 C.F.R. § 493.2) (defining “laboratory” at 42 C.F.R. § 493.2 which added to the statutory language at 42 U.S.C. § 263a(a)).
- 215.Regulations Implementing the Clinical Laboratory Improvement Amendments of 1988, 57 Fed. Reg. at 7015.
- 216.Id.
- 217.Id.
- 218.Id. at 7014.
- 219.467 U.S. 837 (1984).
- 220.See id. at 842–83 (“If the intent of Congress is clear, that is the end of the matter; for the court, as well as the agency, must give effect to the unambiguously expressed intent of Congress.”).
- 221.See 1 Pierce, supra note 82, § 6.11, at 527 (discussing “parroting” regulations that merely incorporate language taken from a statute).
- 222.See 42 C.F.R. § 493.2 (2018) (following Congress’s definition of “laboratory” verbatim in the text of the current CLIA regulation).
- 223.42 U.S.C. § 263a(a) (2012) (emphasis added).
- 224.Id. (emphasis added).
- 225.Id.
- 226.See 42 C.F.R. § 493.2.
- 227.42 U.S.C. § 263a(a); 42 C.F.R. § 493.2.
- 228.42 U.S.C. § 263a(a); 42 C.F.R. § 493.2.
- 229.Id. Regulations Implementing the Clinical Laboratory Improvement Amendments of 1988 (CLIA), 57 Fed. Reg. 7002, 7015 (Feb. 28, 1992) (to be codified in scattered sections of 42 C.F.R.).
- 230.Id.
- 231.See id. (“In the proposed rule at § 493.2 under the definition of ‘laboratory’ we indicated that ‘laboratories that perform research testing on human specimens, but do not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of an individual patient are not considered laboratories under CLIA.’ However, this exception was not included in § 493.3, ‘Applicability.’ Thus, we have amended this section to reflect this exception for research laboratories.”).
- 232.42 C.F.R. § 493.3(b)(2).
- 233.42 U.S.C. § 263a(a) (2012) (emphasis added); see also 42 C.F.R. § 493.2 (stating the same).
- 234.42 C.F.R. § 493.3(b)(2).
- 235.42 U.S.C. § 263a(a); see also 42 C.F.R. § 493.2 (stating the same).
- 236.42 C.F.R. § 493.3(b)(2).
- 237.See id.
- 238.See id.
- 239.Clinical Laboratory Improvement Amendments of 1988, 57 Fed. Reg. 7015 (Feb. 28, 1992) (to be codified at 42 C.F.R. pt. 493).
- 240.See generally United States v. Mead Corp., 533 U.S. 218 (2001) (addressing the applicability of judicial deference under Chevron U.S.A. Inc. v. Natural Resources Defense Council, Inc. to statements agencies make during notice-and-comment rulemaking and in less formal settings).
- 241.See Ctrs. for Medicare & Medicaid Servs., supra note 74. [Google Scholar]
- 242.Report, supra note 10, at 9 (quoting Ctrs. for Medicare & Medicaid Servs., supra note 74). [Google Scholar]
- 243.See 42 C.F.R. § 493.3(b)(2).
- 244.See Delegation of Authority to OCR to Implement/Enforce HIPAA Privacy Rule, supra note 53; see also Genetic Information Nondiscrimination Act of 2008, Pub. L. No. 110-233, § 105(b), 122 Stat. 881, 905 (delegating responsibility to implement GINA’s privacy mandate to HHS and, by implication, to OCR based on the earlier subdelegation of HHS’s HIPAA responsibilities to OCR).
- 245.CLIA Program and HIPAA Privacy Rule, 79 Fed. Reg. 7290, 7290 (Feb. 6, 2014) (to be codified at 42 C.F.R. pt. 493, 45 C.F.R. pt. 164).
- 246.See Evans et al. , supra note 114, at 801. [Google Scholar]
- 247.Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524, supra note 149.
- 248.See Report, supra note 10, at 71, 204, 211, 218. [Google Scholar]
- 249.See id. at 73.
- 250.Id. at 59 (stating that allowing participants to have such broad data access “necessarily requires the diversion of some research resources from the primary goal of the research”).
- 251.Ctrs. for Medicare & Medicaid Servs., supra note 74. [Google Scholar]
- 252.See id.
- 253.See supra note 178.
- 254.See Mendelson, supra note 182, at 401 n.17 (noting that including such disclaimers in guidance documents has been more systematic since 2000, when several agencies were criticized for failure to make clear whether their statements were intended to be non-binding/nonlegislative versus binding/legislative); see also H.R. Rep. No. 106-1009, at 8–9 (2000) (leveling such criticisms). [Google Scholar]
- 255.See HHS, HIPAA Recommendations, supra note 123 (expressing concern, in a report to Congress, that the HIPAA statute’s lack of a private right of action would undermine protections under the HIPAA Privacy Rule and calling on Congress to enact new health privacy legislation containing a private right of action, which Congress did not do). [Google Scholar]
- 256.See 45 C.F.R. § 160.306 (2018); see also Banks Acara v., 470 F.3d 569, 571–72 (5th Cir. 2006) (holding, in the first federal appellate decision to address this issue, that the Privacy Rule does not create a private right of action). [Google Scholar]
- 257.See Mendelson, supra note 182, at 423–24 (discussing the difficulties regulatory beneficiaries—such as research participants—face in challenging agencies that fail to protect their rights). [Google Scholar]
- 258.See, e.g., Lye et al. , supra note 27 (providing empirical data demonstrating the difficulty individuals experience exercising their HIPAA access rights); [Google Scholar]; see also Keating, supra note 27 (chronicling the difficulty obtaining access to one’s own genomic test results from research); [Google Scholar]; McGowan K, The Man Who Dissected His Own Brain, Wired (Feb. 11, 2016, 12:00 AM), https://www.wired.com/2016/02/the-man-who-dissected-his-own-brain/ (interviewing Keating) [https://perma.cc/TB82-C8FL].
- 259.CLIA Program and HIPAA Privacy Rule, 79 Fed. Reg. 7290, 7290 (Feb. 6, 2014) (to be codified at 42 C.F.R. pt. 493, 45 C.F.R. pt. 164).
- 260.See U.S. Gov’t Accountability Office, GAO-06-416, Clinical Lab Quality: CMS and Survey Organization Oversight Should be Strengthened (2006).
- 261.See id. at 33.
- 262.Id. at 52.
- 263.Id.
- 264.Id. at 34.
- 265.Id. at 52.
- 266.Id. at 34.
- 267.See supra notes 248–50 and accompanying text.
- 268.U.S. Gov’t Accountability Office, supra note 262 at 52. [Google Scholar]
- 269.Administrative Procedure Act, ch. 324, 60 Stat. 237 (1946) (codified at 5 U.S.C. §§ 551–59, 701–06, 1305, 3105, 3344, 4301, 5335, 5372, 7521 (2012)).
- 270.5 U.S.C. § 553(b), (c).
- 271.See id. § 553(b)(3)(A) (providing an exception to the APA’s notice-and-comment requirement for interpretive rules/guidance documents). But see id. § 552(a)(1)(D) (requiring interpretative rules to be published in the Federal Register).
- 272.Ctrs. for Medicare & Medicaid Servs., supra note 74. [Google Scholar]
- 273.42 C.F.R. § 493.3(b)(2) (2018).
- 274.Ctrs. for Medicare & Medicaid Servs., supra note 74. [Google Scholar]
- 275.See supra text accompanying Part III, fig. 1.
- 276.Dryer Karen, Return of Genetic Results in the All of Us Research Program (Day 2), Nat’l Insts. of Health (Mar. 7, 2017, 8:00 AM), https://videocast.nih.gov/summary.asp?Live=21887&bhcp=1 (1:16:55). [Google Scholar]
- 277.325 U.S. 410 (1945). Seminole Rock was cited and followed more recently in Auer v. Robbins, 519 U.S. 452, 461 (1997).
- 278.See, e.g., Clarke Conor, Note, The Uneasy Case Against Auer and Seminole Rock, 33 Yale L.& Pol’y Rev. 175, 175 (2015). [Google Scholar]
- 279.See Hanah Metchis Volokh, The Anti-Parroting Canon, 6 N.Y.U. J.L. & Liberty 290, 292 n.5 (2011) (citing scholars who hold this view, but noting that it is not universally held).
- 280.Id. at 291.
- 281.See Robbins Auer v., 519 U.S 452, 461 (1997) (quoting Robertson v. Methow Valley Citizens Council, 490 U.S. 332, 359 (1989)). [Google Scholar]
- 282.Stinson v. United States, 508 U.S 36, 45 (1993) (“As we have often stated, provided an agency’s interpretation of its own regulations does not violate the Constitution or a federal statute, it must be given ‘controlling weight unless it is plainly erroneous or inconsistent with the regulation.’” (quoting Bowles, 325 U.S. at 410)); see also 1 Pierce, supra note 82, § 6.4, at 439 (“Stinson is consistent with many opinions issued both before and after Stinson.”). [Google Scholar]
- 283.42 C.F.R. § 493.3(b)(2) (2018).
- 284.See Sec’y’s Advisory Comm. on Human Research Prots., supra note 81. [Google Scholar]
- 285.546 U.S. 243 (2006).
- 286.Id. at 256–58; see Volokh, supra note 279, at 292 (discussing this so-called “anti-parroting canon”); see also 1 Pierce, supra note 82, at § 6.11, 527–29 (“The Gonzales majority recognized that the rule the agency purported to interpret was not literally a parroting rule.”). [Google Scholar]
- 287.Gonzales, 546 U.S at 257. [Google Scholar]
- 288.323 U.S. 134 (1944).
- 289.See id. at 140 (“The weight of such a judgment in a particular case will depend upon the thoroughness evident in its consideration, the validity of its reasoning, its consistency with earlier and later pronouncements, and all those factors which give it power to persuade, if lacking power to control.”). See generally United States v. Mead Corp., 533 U.S. 218 (2001) (addressing the applicability of judicial deference under Chevron U.S.A., Inc. v. Natural Resources Defense Council to statements agencies make during notice-and-comment rulemaking and in less formal settings).
- 290.Ctrs. for Medicare & Medicaid Servs., supra note 74. [Google Scholar]
- 291.See 1 Pierce, supra note 82, § 6.4, at 435 (noting that “the Chevron test does not apply to interpretive rules” that are exempt from the notice and comment procedure of APA § 553).
- 292.Skidmore, 323 U.S at 140. [Google Scholar]
- 293.Id.
- 294.1 Pierce, supra note 82, § 6.4, at 436.
- 295.See supra Part III.
- 296.42 U.S.C. § 263a(a) (2012); 42 C.F.R. § 493.2 (2018).
- 297.See Ctrs. for Medicare & Medicaid Servs., supra note 74. [Google Scholar]
- 298.Scalia & Garner, supra note 197, at 174. [Google Scholar]
- 299.United States v. Butler, 297 U.S 1, 65 (1936). [Google Scholar]
- 300.Eskridge William N. Jr.& Baer Lauren E., The Continuum of Deference: Supreme Court Treatment of Agency Statutory Interpretations from Chevron to Hamdan, 96 Geo. L.J. 1083, 1130 (2008). [Google Scholar]
- 301.Anthony Robert A., Interpretive Rules, Policy Statements, Guidances, Manuals, and the Like—Should Federal Agencies Use them to Bind the Public?, 41 Duke L. J. 1311, 1323, 1379 (1992). [Google Scholar]
- 302.5 U.S.C. § 553(b)–(c) (2012).
- 303.See Report, supra note 10, at 250 tbl.6-2 (stating that a non-CLIA-certified laboratory has a legal obligation to make “[m]andatory disclosure under HIPAA (but act of disclosure then requires laboratory to become CLIA-certified)”—in other words, the required act of providing access to data under HIPAA will trigger CLIA jurisdiction for laboratories that would not otherwise be subject to the CLIA regulation).
- 304.See discussion supra Parts III & IV.
- 305.See discussion supra Part II.
- 306.113 Cong. Rec. 26,006 (1967) (statement of Rep. Harley O. Staggers).
- 307.See Burke Wylie M. et al. , Return of Results: Ethical and Legal Distinctions Between Research and Clinical Care, 166C Am. J. Med. Genetics Part C: Seminars Med. Genetics 105, 107 (2014) (explaining that the scope of clinical practice is a matter of state law, and that states generally do not regard it as clinical care to recommend that a person should seek clinical care or to make a referral to clinical care). [DOI] [PMC free article] [PubMed] [Google Scholar]
- 308.See supra note 68 and accompanying text.
- 309.See Report, supra note 10, at 102–03. [Google Scholar]
- 310.See id. at 104.
- 311.See, e.g., id. at 104, 164.
- 312.See id. at 164.
- 313.See supra Part III.
- 314.See Burke et al. , supra note 307. [Google Scholar]
- 315.See Kohlman Richard J., Existence of Physician and Patient Relationship, 46 Am. Jur., POF 2d 373, § 3 (Feb. 2019); [Google Scholar]; see also Evans Barbara J., Minimizing Liability Risks Under the ACMG Recommendations for Reporting Incidental Findings in Clinical Exome and Genome Sequencing, 15 Genet. Med. 915, 917 (2013) (noting that physician–patient relationships have an agreed scope, e.g., cardiologists are not responsible for a patient’s orthopedic care unless the patient and physician agree to such an expansion of scope). [DOI] [PMC free article] [PubMed] [Google Scholar]
- 316.61 Am. Jur. 2d Physicians, Surgeons, Etc. § 130 (2019).
- 317.Id. (footnote omitted).
- 318.See id.
- 319.Regulations Implementing the Clinical Laboratory Improvement Amendments of 1988 (CLIA), 57 Fed. Reg 7002, 7015 (Feb. 28, 1992) (to be codified in scattered sections of 42 C.F.R.). [PubMed] [Google Scholar]
- 320.See id. at 7013.
- 321.See id.
- 322.See 61 Am. Jur. 2d Physicians, Surgeons, Etc. § 130 (2019).
- 323.See Report, supra note 10, at 1–2, 267.
- 324.Id. at 267.
- 325.Id. at 30, 267.
- 326.Id.
- 327.Id.
- 328.Id. at 267.
- 329.Although the Report ends up criticizing “[t]he current absolute prohibition on the return of research results from non-CLIA-certified laboratories,” it presumes this prohibition to reflect the current regulations and recommends changing the regulations to eliminate the assumed, but non-existent, prohibition. Id. at 248.
- 330.Id. at 267.
- 331.See discussion supra Part II.
- 332.See 45 C.F.R. § 164.524(a)(2)–(3) (describing non-reviewable and reviewable grounds for denial of access).
- 333.See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59,918, 59,980–82 (Nov. 3, 1999) (to be codified at 45 C.F.R. pts. 160, 164) (discussing exceptions to HIPAA’s access right in the 1999 preamble to the proposed Privacy Rule).
- 334.See Report, supra note 10, at 249. [Google Scholar]
- 335.See Federal Policy for the Protection of Human Subjects, 82 Fed. Reg 7149 (Jan. 19, 2017) (to be codified at 45 C.F.R. pt. 46). [PubMed] [Google Scholar]
- 336.See also Federal Policy for the Protection of Human Subjects: Delay of the Revisions to the Federal Policy for the Protection of Human Subjects, 83 Fed. Reg 2885, 2885 (Jan. 22, 2018) (extending the effective date of the new Common Rule until July 19, 2018); [Google Scholar]; Federal Policy for the Protection of Human Subjects: Six Month Delay of the General Compliance Date of Revisions While Allowing the Use of Three Burden-Reducing Provisions During the Delay Period, 83 Fed. Reg. 28,497, 28,497 (June 19, 2018) (further delaying implementation until Jan. 21, 2019). [Google Scholar]
- 337.See Federal Policy for the Protection of Human Subjects, 82 Fed. Reg at 7151. [PubMed] [Google Scholar]
- 338.See, e.g., Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators, 76 Fed. Reg 44,512, 44,514 (July 26, 2011) (to be codified in scattered sections of 21 and 45 C.F.R.) (discussing the benefits of reducing Common Rule oversight of privacy risks in HIPAA-regulated informational research); [Google Scholar]; Federal Policy for the Protection of Human Subjects, 80 Fed. Reg 53,933, 53,938 (Sept. 8, 2015) (same). [Google Scholar]
- 339.Federal Policy for the Protection of Human Subjects, 82 Fed. Reg at 7261–62. This regulation adopted a new provision at 46.104(d)(4)(iii) of the Code of Federal Regulations, which provided: Except as described in paragraph (a) of this section, the following categories of human subjects research are exempt from this policy: … (4) Secondary research … (iii) The research involves only information collection and analysis involving the investigator’s use of identifiable health information when that use is regulated under 45 CFR parts 160 and 164, subparts A and E, for the purposes of ‘health care operations’ or ‘research’ as those terms are defined at 45 CFR 164.501 or for ‘public health activities and purposes’ as described under 45 CFR 164.512(b)… .” [Google Scholar]; Id.
- 340.See id. at 7194 (“HIPAA also provides protections in the research context for the information that would be subject to this exemption (e.g., clinical records), such that additional Common Rule requirements for consent should be unnecessary in those contexts… . This provision introduces a clearer distinction between when the Common Rule and the HIPAA Privacy Rule apply to research in order to avoid duplication of regulatory burden. We believe that the HIPAA protections are adequate for this type of research, and that it is unduly burdensome and confusing to require applying the protections of both HIPAA and an additional set of protections.”).
- 341.See Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators, 76 Fed. Reg. at 44,516 (“IRB review or oversight of research posing informational risks may not be the best way to minimize the informational risks associated with data on human subjects. It is not clear that members have appropriate expertise regarding data protections.”).
- 342.See Report, supra note 10, at 267. [Google Scholar]
- 343.Id. at 269.
- 344.See Pub. L. No. 110-223, §§ 102, 105, 122 Stat. 881 (2008).
- 345.Pub. L. No. 78-410, 58 Stat. 682 (1944) (codified as amended at 42 U.S.C. §§ 201–300mm-61 (2012)).
- 346.Pub. L. No. 74-271, 49 Stat. 620 (1935) (codified as amended at 42 U.S.C. §§ 301–1397mm).
- 347.Report, supra note 10, app. at 333–37. [Google Scholar]
- 348.See discussion infra Section V.B.
- 349.See Pub. L. No. 110-223, § 102, 122 Stat. 881 (amending the Public Health Service Act at 42 U.S.C. § 300gg-91(d)(16) to define “genetic information” very broadly as including “with respect to any individual, information about – (i) such individual’s genetic tests, (ii) the genetic tests of family members of such individual, and (iii) the manifestation of a disease or disorder in family members of such individual” and further including “genetic services, [and] participation … [in] genetic [research]”); see also 42 U.S.C. § 300gg-91(d)(17)(A) (2012) (defining “genetic test” as “mean[ing] an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that detects genotypes, mutations, or chromosomal changes” and thus clearly including non-clinically-significant information, such as raw genomic data, within the scope of information included in GINA’s definition of “genomic information); id. § 300gg-91(d)(18) (defining “genetic services” as including “genetic test[s]” and “genetic counseling (including obtaining, interpreting, or assessing genetic information)” and “genetic education,” such that information from testing, assessing, and counseling occurring during the course of genetic research is included in GINA’s broad definition of “genetic information.”).
- 350.See Pub. L. No. 110-223, § 102, 122 Stat. 881.
- 351.See id. § 105 (adding a new § 1180 to the Social Security Act, 42 U.S.C. § 1320d-9, providing that “[t]he Secretary shall revise the HIPAA privacy regulation” so that “[g]enetic information shall be treated as health information described in section 1320d(4)(B),” which was the section of the Social Security Act added by the 1996 HIPAA statute in which Congress defined the “health information” that is subject to HIPAA’s privacy protections).
- 352.154 Cong. Rec. 6841 (2008).
- 353.Id.
- 354.See 154 Cong. Rec. 6831 (2008) (statement of Sen. Kennedy) (noting the dangers of genetic privacy violations and presenting evidence that “72 percent of Americans think laws are needed to protect genetic privacy”); id. at 6832 (statement of Sen. Enzi) (noting the importance of both privacy and data security protections); id. at 6834 (statement of Sen. Snowe) (noting that the HIPAA regulations offer a framework for communication of information); see also id. at 7516 (statement of Rep. Miller) (emphasizing that Title I of GINA not only prevents discrimination in health insurance based on genetic information but “also protects the privacy of this personal information”); id. at 7517 (statement of Rep. Langevin) (“[T]he importance of … safeguarding the right to privacy cannot be overstated.”); id. at 7518 (statement of Rep. Speier) (stating that the passage of GINA “is a strong step toward protecting sensitive genetic information, but no journey is completed in just one step” and calling for further work to “address[] the underlying problems not fixed by this bill so we can truly protect Americans’ privacy”).
- 355.Moreover, even if Congress somehow enacted GINA’s privacy provisions by mistake, it is a well-settled canon of statutory construction that the enacted text of a statute determines the law, regardless of what legislators allegedly intended to do. See, e.g., Scalia & Garner, supra note 197, at 369–90; see also Michael B.W. Sinclair, Guide to Statutory Interpretation 103 (2000) (“[O]ur legislatures speak only through their statutes; statutes are their only voice; statutes are law; extrinsic materials are not.”).
- 356.President Bush Signs the Genetic Information Nondiscrimination Act of 2008, NHGRI (Mar. 17, 2012), https://www.genome.gov/27026050/president-bush-signs-the-genetic-information-nondiscrimination-act-of-2008 [https://perma.cc/M4A4-5H7C].
- 357.See 45 C.F.R. § 160.203(b) (2018) (providing that the HIPAA Privacy Rule does not preempt state privacy laws that are “more stringent” than the Privacy Rule).
- 358.See id. at § 160.202 (defining “[m]ore stringent” as including state laws that “permit[] greater rights of access” than the Privacy Rule provides (emphasis omitted)).
- 359.See, e.g., California Consumer Privacy Act, 2018 Cal. Legis. Serv. 3–4 (West).
- 360.See, e.g., Alaska Stat. § 18.13.010(a)(2) (2018); Colo. Rev. Stat. § 10-3-1104.7(1)(a) (2018); Fla. Stat. § 760.40(2)(a) (2018); Ga. Code Ann. § 33-54-1(1) (2018).
- 361.See Section II.A.
- 362.Relevant consensus recommendations that the Academies’ Report fails to consider include, but are not limited to: Nat’l Cancer Inst., NCI Best Practices for Biospecimen Resources 38 (2016), https://biospecimens.cancer.gov/bestpractices/2016-NCIBestPractices.pdf [https://perma.cc/VB52-4PNC]; [Google Scholar]; Beskow Laura M. et al. , Informed Consent for Population-Based Research Involving Genetics, 286 JAMA 2315 (2001); [DOI] [PubMed] [Google Scholar]; Caulfield et al. , supra note 68; [Google Scholar]; Clayton Ellen Wright et al. , Informed Consent for Genetic Research on Stored Tissue Samples, 274 JAMA 1786 (1995). This list does not include relevant guidelines from outside the United States, including from prominent international organizations. For discussion of international guidelines, see, for example, Bartha M. Knoppers et al., Return of Genetic Testing Results in the Era of Whole-Genome Sequencing, 16 Nature Revs. Genetics 553 (2015); [DOI] [PubMed] [Google Scholar]; Knoppers Bartha M. et al. , The Emergence of an Ethical Duty to Disclose Genetic Research Results: International Perspectives, 14 Eur. J. Hum. Genet. 1170 (2006); [DOI] [PubMed] [Google Scholar]; Zawati M’an et al. , Incidental Findings in Genomic Research: A Review of International Norms, 9:1 GenEdit 1 (2011). [Google Scholar]
- 363.Report, supra note 10, at 151 (first emphasis added). [Google Scholar]
- 364.Wolf et al. , Managing Incidental Findings and Research Results in Biobanks, supra note 68, at 232 (emphasis added). Subsequently, Fabsitz et al. , supra note 68, at 577–78, recommended that, “Investigators may choose to return individual genetic results to study participants if … [t]he investigator has concluded that the potential benefits of disclosure outweigh the risks from the participant’s perspective … .” Id. (second emphasis added). That paper explained, “Researchers may choose to return individual results related to reproductive risks, personal meaning or utility, or health risks … .” Id. at 578. A subsequent article drives the point home. See Wolf et al., Managing Incidental Findings in Human Subjects Research, supra note 68, at 372 tbl.4 (showing that both Wolf et al., Managing Incidental Findings and Research Results in Biobanks, supra note 68, and Fabsitz et al., supra note 68, urged assessing value “from the participant’s perspective”); id. at 373 (“[T]he core question, as we suggested in our prior project’s article, is whether return offers strong net benefit from the contributor’s perspective.” (emphasis added) (footnote omitted)). [Google Scholar]
- 365.See Report, supra note 10, at 1–37 (summarizing all recommendations). [Google Scholar]
- 366.Id. at 17.
- 367.Id. at 17–19.
- 368.Id. at 30.
- 369.Id. at 17.
- 370.Id. at 96–97.
- 371.Id. at 17–19.
- 372.See, e.g., id. at 10–11.
- 373.See id. at 17–19, 121–24.
- 374.Wolf & Evans, Return of Results, supra note 69; [Google Scholar]; Wolf & Evans, Defending Return of Results, supra note 69. [Google Scholar]
- 375.See discussion supra Section V.A.
- 376.See Report, supra note 10, at 80–81. [Google Scholar]
- 377.Id. at 30.
- 378.Id. at 9 (noting that the committee that drafted the report “was not asked to make recommendations to Congress regarding changes to the CLIA law”).
- 379.42 U.S.C. § 263a(b) (2012).
- 380.Id. § 263a(p)(2).
- 381.See Dep’t of Health & Human Servs., List of Exempt States Under the Clinical Laboratory Improvement Amendments (CLIA), https://www.cms.gov/Regulations-and-Guidance/Legislation/CLIA/Downloads/ExemptStatesList.pdf [https://perma.cc/7PV2-33SK].
- 382.See Report, supra note 10, at 30, 267–68. [Google Scholar]
- 383.See, e.g., id. at 17 (“NIH should lead an interagency effort including nongovernmental stake-holders to develop an externally accountable quality management system for non-CLIA-certified research laboratories testing human biospecimens.”).
- 384.Id. app. at 318 (“[T]here is anecdotal evidence that institutional policies prohibiting the return of results generated by research laboratories are being overruled in some instances. For example, a qualitative interview study of 31 IRB professionals at six sites across the United States reported two cases in which research test results that could not be confirmed in CLIA-certified laboratories were nevertheless reported to individual research participants… . Although additional instances have been noted in the literature, the frequency with which these decisions are being made in practice is unclear.” (footnotes omitted)).
- 385.Seidenfeld, supra note 178, at 347 (“This [lack of independent legal force] means that a person who is alleged to have violated an agency’s regulatory law must be shown to have violated the underlying statute or legislative rule [i.e., regulation] that the agency is implementing; it is not sufficient for the agency to demonstrate that the person violated [the guidance document].”). [Google Scholar]
- 386.Croston, supra note 178, at 387 (alteration in original) (quoting William Funk, A Primer on Nonlegislative Rules, 53 Admin. L. Rev. 1321, 1340 (2001)). [Google Scholar]
- 387.Mendelson, supra note 182, at 400 (quoting Todd D. Rakoff, The Choice Between Formal and Informal Modes of Administrative Regulation, 52 Admin. L. Rev. 159, 167 (2000)). [Google Scholar]
- 388.See Anthony, supra note 301, at 1315. [Google Scholar]
- 389.See Appalachian Power Co. v. EPA, 208 F.3d 1015, 1021 (D.C. Cir. 2000) (“[A]n agency’s [guidance document] can as a practical matter, have a binding effect. If an agency acts as if a document issued at headquarters is controlling in the field, if it treats the document in the same manner as it treats a legislative rule … [and] if it leads private parties … to believe that [the agency] will [apply the policy expressed in the document], then the agency’s document is for all practical purposes ‘binding.’”).
- 390.Report, supra note 10, at 9. [Google Scholar]
- 391.Wee, supra note 18. [Google Scholar]