Monday, April 30, 2012

Legislatures Race to Define Rights and Obligations Relating to Genetic Information: Avoiding Another Bearder



California is the latest state to take steps toward defining permissible uses and restrictions relating to obtaining, retaining, and sharing individuals’ genetic information.  Senator Alex Padilla recently introduced Senate Bill 1267, the Genetic Information Privacy Act, designed to protect individuals against surreptitious testing of their genetic material without consent.  SB 1267 is a comprehensive piece of legislation which would require a specific authorization to obtain, analyze, or disclose genetic information unless otherwise exempted or allowed by law (exemptions include activities such as newborn screening, duties of the medical examiner, using some types of data for research, and law enforcement uses).  The legislation also contains a civil penalty structure for violations and provides a private right of action for aggrieved individuals who suffer economic, bodily, or emotional harm proximately caused by such violations. 

California’s legislation classifies genetic information within a privacy framework and seeks to increase individual control by requiring the individual to understand the purposes of how the information will be used and stored, as well as which entities have access to the information.  Other states such as Alabama, Massachusetts, South Dakota, and Vermont have introduced similar legislation that govern the collection, retention, and sharing of DNA, genetic information, and or genetic test results.  These states differ in their comprehensiveness and scope- from South Dakota’s paragraph long House Bill 1260 to Alabama’s extensive eleven page House 78.

Unlike California, these states seek to classify DNA, genetic information, and or genetic test results within a property law framework rather than under the umbrella of privacy, which carries distinct legal requirements for transfer, use, and retention.   As legislatures race to define individual rights within existing  legal concepts, they should be well aware of property law’s limitations at upholding individual autonomy while appropriately and efficiently defining permissible research uses depending on how the legislature crafts the language of the statute. 

As we witnessed in the progression of the Bearder v. Minnesota litigation (related to collecting, retaining, and disseminating newborn blood spots) even if a law is seemingly clear, individuals, clinicians, and investigators still may face confusion over relevant terminology and obligations relating to the meaning of key terms and the scope of consent exemptions.  (Blogs and article on that topic here.) Specifically, will these statutes govern the collection, use, and dissemination of genetic information after the analysis of a genetic test using a blood sample or will the language broadly address collecting blood samples, DNA, and genetic test information?  Public health officials, investigators, and individuals have vehemently disagreed over the meaning and scope of these terms and when consent is required.  Individuals have claimed immense injury to privacy and dignity when public health officials and investigators collect, retain, and disseminate their blood samples without consent, while public health officials and investigators decried setbacks to research efforts after they were legally ordered to destroy their improperly obtained blood samples. 

Last November, the Minnesota Supreme Court clarified its state Genetic Privacy Act, holding that an individual’s blood sample contains biological information and biological information falls within the definition of genetic information.   That is, any statutory references to genetic information also applies to blood samples.  It appears that the majority adopted the Plaintiffs' argument  that a blood sample contains DNA and the structure of DNA is genetic information, which means statutory requirements governing the collection, use, storage, and dissemination of genetic information necessarily include blood samples.   

Although this seminal holding is jurisdictionally limited, defining the meaning and scope of biological specimen, blood sample, DNA, and genetic information requires painstaking semantic precision.  Furthermore, the concurrence/dissent in Bearder demonstrates even keen legal minds apply varying logic to interpret terminology and arrive at starkly divergent conclusions.  Defining these terms becomes even more pressing should this or similar state legislation pass because it carries the compliance incentive of a penalty structure for violation.  Legislators should take note of litigation in this area and aim to meticulously and unambiguously define relevant terminology so individuals, public health officials, and investigators can understand their interrelated rights, obligations, and statutory exemptions.  

--Katherine Drabiak-Syed

Monday, April 16, 2012

Privacy and Security Considerations for Emerging Health Information Exchanges: Notes from Utah and New York

Earlier this month the Utah Department of Health issued a press release describing a cyber attack on its server, in which hackers removed information for approximately 780,000 individuals. According the Department of Health, the information contained personal records of individuals within the state, including Medicaid and Children’s Health Insurance Plan recipients.

Permutations of this scenario- whether hacking into a computer server, losing a USB key, or a stolen laptop- are all familiar news headlines announcing a security breach of individuals' health and personal information. Human error and human opportunism make it likely that we will continue to see such information breaches in the future, despite steps to mitigate potential security threats.

As states begin to develop legislation and promulgate rules to govern their electronic health information exchanges (HIE), they should carefully balance residual security and privacy risks with the potential promises of a functional HIE when determining policies relating to how a system enters an individual’s electronic health record (EHR) and what portion of the EHR the state enters into the HIE.

Last month, the New York Civil Liberties Union (NYCLU) issued a report, Protecting Patient Privacy: Strategies for Regulating Electronic Health Records Exchange, which articulated numerous privacy, security, and functional concerns with the state’s emerging HIE. Currently, New York employs a blanket consent procedure for record access and enrolls patients of participating providers into the state's regional health information organizations (RHIOs). 

Among numerous concerns, NYCLU’s Report highlights two distinct issues with this approach:

(1) New York does not provide a mechanism for patients to limit sharing stigmatizing sensitive information such as substance abuse records or mental health treatment if they consent to participate in the exchange; and

(2) Although physicians must obtain consent to view patient information in the exchange, participating providers enter patient medical information into the exchange without patient consent and patients cannot opt-out of the record locator system.

The Office of the National Coordinator for Health Information Technology’s HIT Policy Committee has asserted that a form of granular control over health data can protect the confidentiality of narrow categories of sensitive health information while fostering patient autonomy, promoting trust in medical providers, and building confidence in the growing use of HIT. Although too much data segmentation or exclusion options could confuse patients and undermine the purpose of the HIE as a comprehensive record system, some groups, such as the NYCLU, argue that existing state law requires the capacity for granular control over statutorily identified categories of sensitive medical information. This assertion serves as a reminder that each state contains varied protected categories of sensitive medical information as well as different standards defining additional measures relating to sharing and accessing this information. Earlier this month, the New York Department of Health and the New York eHealth Collaborative established the State Health Information Network of New York Policy Committee to examine these and numerous other concerns over the state’s current policies and procedures governing the exchange.

Patients may also be wary of the security of their identifying records available in the HIE registry system, as a breach could reveal both personal information and the entirety of the patient’s medical records that providers have entered into the HIE. A breach of the HIE would not only invade the patient’s abstract notion of privacy over sensitive information, but could also expose the patient to quantifiable concrete harms such as identity theft, fraud, and the costs associated with investigation and mitigation.

Some victims involved in major medical security breaches have asserted that once information such as social security numbers, patient demographic information, and medical records are accessible in a breach, victims face an imminent and continuing risk arising from the security breach itself regardless of whether an outside party has used the information. Currently, some courts have ruled that even where a third party steals media containing patient information, if the victims cannot prove that a third party actually accessed or used the information, then claims for future financial harm arising from a security breach are insufficient to constitute an actionable injury. To address these legitimate concerns, jurisprudence should evolve with the recognition that potential third party use of this information may be difficult to identify and costly to monitor. Further, months may pass following the initial breach before victims notice fraudulent activity, such as in the substantial TRICARE data breach.

State legislatures should remain cognizant of both patients' desire for privacy and their corresponding wish to limit access to sensitive medical information as well as security concerns from both accidental as well as intentional breaches of patient information during the initiation or expansion of the state's HIE .
-Katherine Drabiak-Syed