Just about everyone interested enough in genomics and the law to read this post will know that the American Civil Liberties Union waged a long and ultimately successful legal campaign to invalidate Myriad Genetics’ patent claims to isolated BRCA genes, mutations of which are linked to breast and ovarian cancer. Now the ACLU has launched a second front, this time attacking Myriad’s post-patent business model of maintaining its vast and unique database of genotype-phenotype associations as a trade secret. GLR reported on that evolving strategy two years ago.
The new ACLU attack has, thus far, received modest attention in the scientific press, and some of what has been reported is inaccurate. In this post I will briefly review what has actually happened and then try to sort out fact from fiction in the reportage. The bottom line is that the federal government has not created new stealth regulations dealing with the disclosure of genomic data to patients. It has, however, used the practice of governance-by-guidance to make significant new policy, which is problematic enough in its own right.
The ACLU Complaint
On May 19, 2016, two ACLU lawyers filed an administrative complaint with the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) on behalf of four people who have cancer or a family history of the disease. The four people obtained genetic testing from Myriad in an effort to assess their hereditary cancer risk. In February 2016, each wrote to Myriad requesting all of the genomic data that Myriad had compiled on them, including raw sequencing data and lists of all variants that Myriad had identified, even those classified as benign. As authority for obtaining the data, the requests cited the HIPAA Privacy Rule, the relevant portion of which is set out in 45 Code of Federal Regulations (CFR) § 164.524, entitled “Access of Individuals to Protected Health Information.” The requesting parties claimed that all of this information was part of their “Designated Record Set,” the compilation of health information to which HIPAA guarantees patient access.
In a reply dated March 11, 2016, Myriad contested the requesting parties’ broad definition of Designated Record Set, citing the same authority—45 CFR § 164.524—and provided a partial disclosure. Then, on May 18, 2016, the day before the complaint was filed, Myriad sent a further response to each request, this time providing comprehensive BRCA variant information. Significantly, Myriad’s letter cited ongoing discussions with OCR, and described the new response as an effort “to voluntarily provide you additional information.” According to a report in the online adjunct to Science, Myriad’s about-face came after the ACLU announced an upcoming press conference dealing with the dispute.
In the normal litigation context, this concession would have “mooted” the case—the complainants got the relief they were seeking, so there would be no need to litigate further. Here, however, the ACLU is pressing on, requesting that the HHS OCR investigate Myriad’s “past and continuing HIPAA violations” and that it make a formal determination that patients have a right to the genetic information that these complainants sought. There is no word yet on how OCR will respond. Myriad has expressed frustration with the ACLU’s failure to drop the complaint after it provided the information sought.
The Legal Issues
Science reported that the ACLU’s complaint was based on “a new regulation promulgated by HHS this past January,” and that this new regulation “was quietly posted on an HHS blog”—so quietly, in fact, that Myriad missed it entirely and was thus “taken aback” when it received the identically worded letters from the ACLU’s clients. This is pretty much true, but the inaccuracies are highly significant. They are also surprising, given Science’s stature and authority.
The first problem is that the “new regulation” at the center of the dispute (45 CFR § 164.524) is in fact an old one. It was first promulgated in 2000 and has been in its present form since early 2014. The regulation itself is a very general statement about patients’ access to their health information and does not even include the morpheme gen- (linguistic aside: a morpheme is the smallest unit of a language that can carry meaning); thus, there is no mention of genes, genetics, or genomics.
What is actually new is HHS’s interpretation of this regulation, whichthe federal bureaucracy refers to as guidance. “Guidance” (or “guidance document”) has no firm legal definition, but it is typically a statement about how the agency issuing it (HHS, in this case) will interpret and enforce a regulation, and thus has great practical significance for those being regulated. (The American Association of Law Libraries has a useful summary). And it is true that, as Science reported, this guidance about access to genomic information was posted on a blog that’s hard to find even if you’re looking for it. Even a large, wealthy, and litigious company such as Myriad might plausibly have missed it.
This guidance, unlike the underlying regulation, does contain the morpheme gen-, albeit buried in the FAQs. It says this:
Does an individual have a right under HIPAA to access from a clinical laboratory the genomic information the laboratory has generated about the individual?
Yes. An individual has a right under the HIPAA Privacy Rule to access, upon request, PHI about the individual in a designated record set maintained by or for a clinical laboratory that is a covered entity. The designated record set includes not only the laboratory test reports but also the underlying information generated as part of the test, as well as other information concerning tests a laboratory runs on an individual. For example, a clinical laboratory that is a HIPAA covered entity and that conducts next generation sequencing (NGS) of DNA on an individual must provide the individual, upon the individual’s request for PHI concerning the NGS, with a copy of the completed test report, the full gene variant information generated by the test, as well as any other information in the designated record set concerning the test.The answer to that question is a bit complicated.
Does the Regulation/Guidance Distinction Make Any Difference?
The bottom line is that the regulation in question, 45 CFR § 164.524, is silent on the question of returning full gene variant information and other genomic data to the patient. But HHS OCR’s “quietly posted” guidance takes the very explicit position that the regulation—as OCR interprets it–does require such disclosure. So isn’t the effect the same? In the guidance, OCR announces that it will enforce the regulation as if it did expressly require full genomic disclosure. Enforcement can include charging defaulters with HIPAA violations.
Thus, with respect to predicting how OCR will act, the regulation/guidance distinction makes no difference at all. It might make a difference, however, to a court charged with adjudicating an alleged violation. When an agency establishes a formal regulation, it goes through an elaborate rulemaking process (“rule” and “regulation” are interchangeable in this context) whose elements are specified by a federal statute called the Administrative Procedure Act. (Here’s HHS’s explanation of rulemaking). In most cases, the agency seeking to promulgate a rule gives notice of its intent, publishes the proposed rule, solicits public comments, and then announces and publishes the final rule. The final rule is initially published in the Federal Register and then inserted in an appropriate place in the Code of Federal Regulations—no stealthy promulgation of new regulations in obscure blogs. Parties interested in regulations always monitor the Federal Register. An example of the rulemaking process that some readers may be familiar with is the ongoing revision of the federal government’s Common Rule for the treatment of human subjects in medical research.
All of these procedural requirements create a presumption in favor of the validity of a regulation. If an agency has the authority (derived from a Congressional statute) to regulate the area in question, adheres to the rulemaking process, and has substantial evidence to back up its position, a court is very unlikely to invalidate the regulation or an agency decision based on the regulation. Moreover, if the issue in dispute is dealt with unambiguously in the regulation, a court will have no need to get into interpretation.
Guidance, by contrast—as this case illustrates—can come out of the blue, with no advance notice or opportunity for public comment. As a result, guidance lacks the features that cause courts to defer to rules formally adopted. Courts are thus more open to a challenge to the validity of the agency’s position. In addition, the need for guidance presumes a need to interpret the underlying regulation, and a court may choose to second-guess the agency’s view. All of this means that an affected party—someone like Myriad in this instance—has a stronger motive to challenge guidance and a significantly greater chance of success than in the case of a rule.
The Controversy over Governance-by-Guidance
Reasonable minds can differ about the better outcome of the present case. I personally think patients should have access to all of the genomic data that the testing company has—that is, I think HHS is right on the merits. However, there can be no doubt that governance-by-guidance is extremely controversial as a general practice. My own view is that the regulatory state goes too far when it decides difficult questions by stealth, with no clear legislative mandate nor any of the protective and participatory mechanisms of formal rulemaking. Myriad might be wrong on the merits here, but it would be justified in objecting to the process.
Governance-by-guidance has come under particularly sharp attack in two current contexts. One is the Department of Education’s 2011 “Dear Colleague” letter (a form of guidance) to universities and other recipients of federal funds concerning the handling of sexual harassment and sexual violence complaints. The letter lays out a number of very detailed requirements, including this one about the standard of proof in student misconduct proceedings:
[I]n order for a school’s grievance procedures to be consistent with Title IX standards, the school must use a preponderance of the evidence standard (i.e., it is more likely than not that sexual harassment or violence occurred). The “clear and convincing” standard (i.e., it is highly probable or reasonably certain that the sexual harassment or violence occurred), currently used by some schools, is a higher standard of proof. Grievance procedures that use this higher standard are inconsistent with the standard of proof established for violations of the civil rights laws, and are thus not equitable under Title IX.
Here again, there are arguments to made in favor of both standards of proof, as well as for “beyond a reasonable doubt,” the criminal law standard. However, given the extraordinary importance of these grievance procedures—on the one hand, a heinous crime might go unpunished; on the other, an innocent person’s life could be ruined—it seems the height of bureaucratic arrogance to resolve the standard of proof question by fiat.
A second example involves the Food and Drug Administration’s oversight of laboratory-developed tests (LDTs), including genetic tests (see previous GLR commentary on this issue). An LDT is an in vitro diagnostic test that is designed, manufactured, and used within a single laboratory. For years, the FDA has taken the position that it has the authority to regulate LDTs as “medical devices,” but has declined to do so in the exercise of its “enforcement discretion.” Now, the FDA has changed its mind and is on the verge of implementing a new oversight and enforcement program—not through new regulations, but via guidance. To be fair, the FDA has announced its proposed policy change and received extensive comment from affected parties. Nonetheless, an array of critics (including the high-profile lawyers hired by the American Clinical Laboratory Association) have challenged the authority of the FDA to make such a significant change without going through formal rulemaking. Even a humble citizen like me might ask, why didn’t they? What are they afraid of? Are they hiding something?
As I said earlier, I’d prefer that patients have access to all of their genomic data. But at the same time I’m profoundly uneasy about governance-by-guidance, in this or any other consequential context. A big part of the problem is Congress (surprised?). For years, in areas as disparate as health and finance, Congress has passed broad, vague statutes and then left all the hard work of detailed interpretation and application to administrative agencies. Now the agencies are becoming similarly lazy, avoiding the heavy lifting of the rulemaking process in favor of often-casual guidance. Governance-by-guidance also permits the back-door assertion of power that agencies may not actually have.
A common executive branch justification for governance-by-guidance is that if Congress won’t do its job, someone has to find a way to protect the public. True enough in the abstract, perhaps, but it’s not a sufficient justification for avoiding legal requirements that are themselves based in the Constitution’s separation of powers doctrine. Here as elsewhere, at least in my view, the ends do not justify the means.