A New Law to Raise GINA’s Floor in California
Jennifer K. Wagner, J.D., Ph.D., is a solo-practicing attorney in State College, PA, a post-doctoral researcher at the University of Pennsylvania’s Center for the Integration of Genetic Healthcare Technology
Earlier this fall, California Governor Jerry Brown signed SB559 (pdf), the bill referred to as “CalGINA” (i.e., the California Genetic Information Nondiscrimination Act). The bill was double-jointed with AB887 (pdf), the Gender Nondiscrimination Act, which ultimately meant that CalGINA would only take effect if Governor Brown also signed AB887 into law. He did so on October 9, 2011, so both laws are scheduled to take effect on January 1, 2012.
Read the rest of this entry »
Don’t Forget About State Law: Michigan Decision Reminds Health Care Providers of HIPAA Preemption Issue
Phillip C. Ross is a summer associate at Robinson, Bradshaw & Hinson, P.A. and a rising third-year student at Wake Forest University School of Law.
Many health care providers and other individuals and entities who deal with sensitive patient information may assume that if they comply with the Health Insurance Portability and Accountability Act (“HIPAA”), they need not worry further about the proper use or disclosure of patient data. However, a recent Michigan Court of Appeals decision served as a reminder to those individuals and entities that they must not only ensure compliance with HIPAA, but also any state laws that are more demanding than HIPAA.
HIPAA establishes regulations for the use and disclosure of Protected Health Information (“PHI”) held by “covered entities” (pdf) and “business associates.” PHI is any information held by a covered entity related to health status, provision of health care, or payment for health care that can be linked to an individual.
In Isidore Steiner, DPM, PC v. Marc Bonanni, No. 294016 (Mich. Ct. App. Apr. 7, 2011), the Michigan Court of Appeals held that HIPAA acts as a federal “floor” in establishing standards for the privacy of patients’ PHI. Although Bonanni was decided under Michigan law—and thus is not binding on other states—the decision is likely to be consistent among courts in other states.
Is the Genetic Rights Movement Picking Up Steam?
The movement to confer greater legal protection to individuals’ genetic information has added another participant. Last month, we examined newly introduced legislation in Massachusetts which, if passed, would create a “Genetic Bill of Rights,” significantly expanding Massachusetts residents’ personal property and privacy rights in their genetic information. Since then, in what the Council for Responsible Genetics has termed a “groundswell for genetic privacy building in states,” state legislators in both California and Vermont have introduced new legislation that would confer greater protection upon individuals’ genetic information.
What should we make of this three state “groundswell?” Although not identical in scope or substance to the Massachusetts Genetic Bill of Rights (“MA GBR”), both the Vermont and California proposals appear to reflect a concern (shared by the MA GBR) that, at least when it comes to the use and misuse of genetic information, the current system of federal oversight is inadequate. Then again, as the legislative findings section of the California proposal (pdf) puts it, perhaps “the current explosion in the science of genetics” simply “compels legislative action in this area.”
Genetic Bill of Rights Proposed in Massachusetts
On January 21, 2011, the Massachusetts Genetic Bill of Rights (MA GBR) (pdf) was introduced before the Massachusetts state legislature. At its core, the proposed legislation establishes property and privacy rights for genetic information and genetic material, while providing protections designed to shield individuals from genetic profiling and other misuses of genetic information.
Taken as a whole, the legislation, if enacted, would confer upon Massachusetts residents a significantly expanded set of genetic rights than exist under current federal law. Below we examine several of the bill’s most noteworthy proposals.
The MA GBR addresses perceived gaps and limitations in the coverage provided by major federal statutes, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Genetic Information Nondiscrimination Act of 2008 (GINA), and the Constitution of the Commonwealth of Massachusetts, by seeking to place genetic information on a par with medical records.
The MA GBR’s provisions set basic limitations on the use, including the commercial use, of personal genetic information that would go above and beyond the user agreements and privacy policies employed by some commercial services. For example, the MA GBR prohibits the use of genetic information for marketing or determining credit worthiness. With the proliferation of genetic information, particularly in consumer or commercial contexts, such basic limitations would help address concerns about the lack of mandatory restrictions regarding the sale, transfer or other use of personal genetic data.
The Personal Property Theory of Personal Genomes. But the MA GBR goes much further than mere consumer protection reforms. Section 1 of the proposed legislation explicitly declares genetic information to be “the exclusive property of the individual from whom the information is obtained.” (emphasis added)
Surreptitious Genetic Testing: WikiLeaks Highlights Gap in Genetic Privacy Law
The top news story the past two weeks: the release of hundreds of thousands of confidential American diplomatic cables by WikiLeaks. While dissecting diplomatic maneuvering is not a traditional area of expertise for the Genomics Law Report, a pair of cables did catch our eye.
The first is primarily a curiosity: the allegation that Chinese authorities are spying on deCode Genetics, Iceland’s most prominent genetic research company and provider of the direct-to-consumer genetic testing service, deCODEme. Nobody seems to know exactly what China is looking to gain by clandestinely exploring Iceland’s genetic genealogy. You are welcome to speculate in the comments.
The second raises broader issues: the revelation that the State Department’s ongoing human intelligence collection directives include requests for “biometric information” on key world leaders, including United Nations arms inspectors, the Director General of the World Health Organization (WHO) and key advisors and aides to United Nations Secretary General Ban Ki-moon. A separate cable detailing intelligence collection priorities in Africa’s Great Lakes region clarifies that “biometric information” includes “health [data]…fingerprints, facial images, DNA, and iris scans.”
Not disclosed in the WikiLeaked cables: why the State Department wants the biometric data or whether any have been successfully obtained.
Surreptitious Testing: An Overview. The cables are, however, a reminder that the law surrounding the surreptitious collection and testing of biometric data, including DNA, remains extremely murky.
The Unexpected Impact of Genetics on the Business World
Recent advances in genetic science are remarkable. In 2003 the first full human genome was sequenced after 13 years of work at a cost of over $3 billion. Today, the cost to sequence any individual’s entire genome is approaching $1,000. Genetic tests for specific genes linked to cancer and other diseases exist today and many more are being developed. We hear of a new era of “personalized medicine” in which drugs and therapies will be prescribed based on the individual patient’s specific genes.
All of this may seem to have little direct relevance to companies outside of biotechnology. However, the development of genetic knowledge and technology already has spawned new laws, regulations and patent uncertainties that impact almost all businesses in some way.
Privacy and Nondiscrimination. The federal Genetic Information Nondiscrimination Act of 2008 (GINA) represents the most comprehensive effort to date to regulate the use of genetic information. GINA initially only prohibited health insurers and group health plans from using genetic information to deny coverage or set payment rates. Another section, which just became effective in November 2009, affects all private and public employers with more than 15 employees.
Genomic Privacy and Re-Identification Redux
New research published this week in the Proceedings of the National Academy of Sciences from Loukides et al. offers up a new method for preserving individual privacy while linking genomic and healthcare data. (“Anonymization of electronic medical records for validating genome-wide association studies.”) Daniel Cressey of Nature News and Katharine Gammon of Technology Review have concise (and free) summaries.
As we’ve written earlier (“Back to the Future: NIH to Revisit Genomic Data-Sharing Policy”), the ability to link – and to share – genotype and phenotype data (including medical records, particularly treatment and outcome data) will be essential to the development of the next generation of genomic research. One of the most common ways to link genotype and phenotype data is to combine genomic data with electronic medical records (EMRs). A particular patient’s EMR may contain everything from basic biographical information to family medical history to current diagnoses, including ICD codes. When it comes to associating genes with medical conditions, researchers rely on International Classification of Disease (ICD) codes to categorize individual patients by disease type and search for shared genetic variations that might play a causal role.
Cracking the Codes. Obviously identifying information (e.g., biographical information) is generally required to be removed pursuant to HIPAA regulations. ICD codes, however, are sometimes retained for purposes of genetic association research and, in some circumstances, a set of otherwise anonymous ICD codes pulled from an EMR can be traced backwards to identify the specific individual supplying the codes.
The Texas Newborn Bloodspot Saga has Reached a Sad – and Preventable – Conclusion
Contributed by Ann Waldo, Senior Counsel at Genetic Alliance.
In late February, the state of Texas incinerated 5.3 million newborn bloodspots.
The background – the Genomics Law Report has had several posts (here and here) about the ongoing situation involving 5.3 million newborn bloodspots in a state biorepository in Texas. Often referred to as “residual” bloodspots, these are the tiny dried bloodspots left over after states conduct mandatory screening for specified diseases. State practices regarding retention of the residual bloodspots vary widely, with some destroying them promptly and others storing them indefinitely. Where post-screening use of the bloodspots occurs, the most common use is for quality assurance and quality control of the screening tests. Some states also permit the release of small sets of bloodspots for research.
Any such research must be done in compliance with the federal Common Rule applicable to clinical research and HIPAA, the federal medical privacy law. To simplify these laws’ complex requirements – what researchers must do depends on whether the samples or information will be made available in an identifiable or de-identified form. If a researcher receives identifiable information, then informed consents, privacy authorizations, and Institutional Review Board (IRB) reviews are mandatory. If the researcher receives only de-identified samples or information, no parental consent or privacy authorizations are required, although some states, including Texas, still insist on IRB review.
