[These are truly excellent replies. Thank you very much, all of you, on behalf of A Concerned Father. I've included replies below from technologists, lawyers, public health specialists, and even one of my students from the class I taught this fall at Case Western University law school. Previous message: http://www.politechbot.com/p-04217.html --Declan]

---

Date: Fri, 06 Dec 2002 12:11:37 -0500
To: declanat_private
From: "Robert L. Ellis" <rellis@internet-attorneys.com>
Subject: Re: FC: Query from a father about genetic privacy and clinical trials

Declan,

As you know I deal with a lot of privacy issues in my law practice. There are two issues I can see. The first is whether this father can expect an enforceable right to anonymity under the law as it currently exists. The second is whether the law will change so as to strip him later of any anonymity rights he has now (similar to the change in Oregon law disclosing adoption records that birth mothers thought would be sealed forever).

The nearest I have gotten to the father's situation in my practice is "in vitro" fertilization contracts. In the jurisdictions where I have done such contracts, there is no governing law, and not even any case law on point, regarding anonymity rights. That's probably the case with this father as well, so chances are that it's not possible to know whether he has an enforceable anonymity right.

In our in-vitro contracts we have no choice but to include an except-where-required-by-law clause, since otherwise as the legal situation develops in the future the organization which holds the anonymous records could face the Hobson's choice of either refusing to release records when required by a court order -- and thus facing contempt charges or even criminal prosecution -- or releasing them and having to defend a breach-of-contract suit. Such clauses do not indicate that the organization intends to compromise his anonymity.
More important to this father is to ensure that there are solid contractual guarantees as well as internal administrative practices within the clinic to ensure that to the greatest extent possible, personally identifiable information is segregated, protected, disclosed only on a genuine-need-to-know basis, and not used for any other purpose. (Hmm... wouldn't that be nice as a policy for homeland security?) The greatest threat to his anonymity is probably not future changes in law or lawsuits, but inadvertent disclosure or breach of data security.

- Bob Ellis

---

From: "Baker, Stewart" <SBakerat_private>
To: "'declanat_private'" <declanat_private>
Subject: RE: Query from a father about genetic privacy and clinical trials
Date: Fri, 6 Dec 2002 11:34:04 -0500

Declan,

If I were the lawyer for the clinical trial sponsor (I'm not), I would have put language of this sort into the agreement on principle, not necessarily because I expected it to be invoked. Nonetheless, the most obvious circumstance is a subpoena served either by government (typically for law enforcement purposes) or by a private party (trial lawyer claiming the program was negligently run; divorce lawyer for the wife trying to find out who was 'responsible' for the inherited problems of the child).

But the father here has not been given a guarantee that he'll have notice and a chance to contest access by the third party. While an absolute guarantee can't be given (a criminal subpoena might have a gag order in it, to prevent a tipoff to the suspect), if he wants to contest access, he should probably ask for an assurance that he'll get notice of any effort to obtain access to his data as promptly as possible and before access is permitted except to the extent such notice is prohibited by law, and only for so long as notice is prohibited.
To decide exactly what he needs and whether it will work, though, he needs to talk to a lawyer; it would not be responsible to give legal advice on something this important on a Dear Abby basis.

Stewart

---

From: "Jack T. Smith" <JSMITHat_private>
To: "'declanat_private'" <declanat_private>
Subject: RE: Query from a father about genetic privacy and clinical trials
Date: Fri, 6 Dec 2002 11:34:55 -0600

Declan,

As a member of the IRB for my institution (University of Alabama at Birmingham), I can say that we review protocols that involve storage of human materials for later genetic testing VERY carefully.

To the father who wrote the message below. There are a variety of scenarios that might necessitate breaking confidentiality - something goes horribly wrong and they need to contact you, billing inquiries from the federal government, etc. In your Consent Form, there should be several numbers to call if you have questions. I would start with the IRB that approved the protocol you are considering. They should have a local number and an 800 number for your use. Their job is to provide you with whatever information you need and to answer any questions you have. They may even have a web site that can point you to online resources.

There are two that I would recommend to you. First is http://www3.cancer.gov/legis/dec01/genetic.html. This site gives brief descriptions and status of legislation in this area. Second is the web site of the Office for Human Research Protections. This office oversees the workings of all the local and group IRBs. Their address is http://ohrp.osophs.dhhs.gov/index.htm.

If you would like to write to me, I will be glad to help you in any way possible.

Jack T. Smith, Jr.
Professor and Associate Director for Public Services
Lister Hill Library of the Health Sciences
The University of Alabama at Birmingham
1700 University Blvd.
Birmingham, Al 35294
(v)205.934.3306
(F)205.975.8313
(email)jsmithat_private

---

Declan,

As usual, I'd prefer to comment anonymously.

I don't see why he can't ask for clarification about the circumstances under which the law would require disclosure. But presumably it means the data will never be voluntarily turned over. So the hospital is pledging to only turn the data over when there is a court order, subpoena or other compulsory legal process requiring disclosure. (If this is a governmental institution I'd ask for assurances that FOIA requests won't apply to this data.)

In case there are circumstances where he might want to fight a subpoena and the hospital chooses not to do so, he may want to ask for language providing that he will be notified 10 days (or whatever period) in advance of any such disclosure taking place. That way he would be afforded an opportunity to seek a court order barring disclosure.

-A nameless bureaucrat

Note: I cannot give legal advice to the public b/c my client is the govt. So this person should contact an attorney of his own if he has questions about his legal rights.

---

Date: Fri, 6 Dec 2002 12:25:38 -0500 (EST)
From: Sue Blevins <sblevinsat_private>
To: jim.harperat_private
Cc: declanat_private

Dear Jim,

The question you forwarded is a VERY important question that many Americans should be asking. This is clearly a thoughtful and intelligent father who would benefit greatly from becoming informed about the serious ramifications of the new Federal Medical Privacy Rule that was required as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

My short answer to this father is that under the new Federal Medical Privacy Rule, he will have NO IDEA how many people will be able to legally access his/family's genetic information. The reason is that under the Federal Medical Privacy Rule, citizens do NOT get an accounting of when and to whom their "personal health information" is disclosed for "routine purposes."
For example, if his/family's genetic information was disclosed to an insurance company, he would have NO WAY of finding out about the disclosure under the Federal Rule because the disclosure would be considered a "routine disclosure". The public had been MISLED by HHS in a very big way because HHS is telling the public that they'll get an accounting of nonroutine disclosures under the Federal Medical Privacy Rule. But the public doesn't understand that most disclosures will be considered routine, and thus they'll have no idea how many times their medical information is disclosed and shared with many others.

Now, another important fact is that under the Federal Medical Privacy Rule, there are many "permissive" disclosures (such as when required by other laws, say FDA to monitor drug reactions), but the only "required" disclosure is to the Secretary of Health and Human Services (HHS). Thus, Tommy Thompson would be free to access every citizen's personal health information (including genetic information) and redisclose it (without citizens' permission), but citizens won't get an accounting of those disclosures.

So, the bottom line is if this concerned father wants to make sure he can control who has access to his/family's genetic information, he has two options:

(1) Modify the "informed consent" form to have it say what he would like it to say. For example, he could say he must give his permission before the genetic information is shared for any purposes whatsoever. He should obtain legal advice from a lawyer specializing in contract law to make sure the contract is valid; or

(2) Don't share the genetic information.

FYI--A registered nurse who has always been a blood donor told me she is no longer going to donate blood because of the weak Federal Medical Privacy Rule, which by the way, excludes blood donations from the Federal Medical Privacy Rule. In other words, when citizens donate blood, that blood is not covered under the Federal Medical Privacy Rule.
Finally, I'd recommend he seriously consider studying the Federal Medical Privacy Rule. Below are a few links that summarize the main points (from the consumer's perspective). I hope this is useful.

Sincerely,
Sue Blevins, President
Institute for Health Freedom
sblevinsat_private
phone: (202) 429-6610

http://www.forhealthfreedom.org/Publications/privacy/IHFHosts.html
http://www.forhealthfreedom.org/Publications/Privacy/TruthAbout.html
http://www.forhealthfreedom.org/Publications/privacy/MedPrivFacts.html

---

Date: Fri, 6 Dec 2002 14:58:31 -0800 (PST)
From: eackermaat_private
To: Declan McCullagh <declanat_private>
Subject: Re: FC: Query from a father about genetic privacy and clinical trials

Greetings Declan,

This information may be of use to those concerned about genetic privacy, thanks go to the state of R.I.: http://www.healthri.org/genetics/legislation.htm

An excerpt from that page succinctly states current genetic discrimination law: "Currently, there is no federal legislation to protect the public against genetic discrimination by insurance providers. States have varying genetic discrimination laws."

Relatedly, a good example of how disclosure plays out in the courts (in this case without any representation for, or presumably knowledge of, the medical donor/subject) can be found at: http://www.mrsc.org/mc/courts/supreme/117wn2d/117wn2d772.htm

Note that even though that court ordered disclosure, the decision was taken very seriously and the identity isn't even now on "public" record. Like the "concerned father" indicated, in court, there is generally serious consideration & some procedural safeguarding, the disclosures people need to worry about are the low- or non-paying data handling jobs...

Ethan Ackerman (just Ethan Ackerman)

---

Date: Fri, 6 Dec 2002 11:23:15 -0500 (EST)
From: "J.D. Abolins" <jda-irat_private>
To: Declan McCullagh <declanat_private>
cc: gbat_private
Subject: Re: FC: Query from a father about genetic privacy and clinical trials

I can't answer the concerned father's question with the expertise of an attorney. The comments below are general observations only.

The father is pointing to a tension in law and medicine. From some law enforcement and public safety concerns there's an interest in knowing details of certain medical records. From a medical view, anonymity or pseudonymity can be a life saver. For example, the lack of knowledge by a blood recipient of the donors' identity is a great help in encouraging honesty by donors in answering health and life practices questionnaires.

To illustrate, I'll use a fictional scenario where a fellow is about to undergo surgery and he wants to get blood from those family members who have compatible blood types. Now if each member of the family with compatible blood types knows that the recipient is expecting to receive blood from them, a disqualification might lead to difficult questions. Therefore, there is the temptation to lie in response to questions that indicate a risk of blood borne diseases. Perhaps the tests done on the blood will catch the presence of pathogens in time; perhaps, the donor was recently infected and is not detectable. That's why those questionnaires are so important. The effectiveness of the questionnaires is strongly linked to confidentiality of the answers.

In medical research, there are similar privacy interests. If research subjects are unlikely to cooperate or to volunteer because of the possibility of disclosure beyond the purposes of the medical research and unintended consequences. (E.g., a future law allows police access to genetic info to facilitate DNA dragnets; insurers and employers get the info and lock out people with certain genetic sequences; etc.)
Some approaches to medical research may get around the privacy concerns by, say, requiring all people to be tested and cataloged, mandating access to all genetic info (along the lines of what's being done in Iceland), or blowing away expectations of medical/genetic privacy altogether (perhaps by arguing that one's genes are a public, not a private resource).

MIT Technology Review a couple of years ago interviewed one of the people involved in Iceland's contract to allow access to its people's genetic info. The interviewed person quipped to the effect <paraphrased>: "You and I enjoy 20th Century level of medical care because our parents and grandparents did not have medical privacy. If you insist upon strong medical privacy, your children and grandchildren will be doomed to a 20th Century level of medical in the 21st-Century." (What's not mentioned is that there might not have been legislated medical privacy in earlier days but there was much practical privacy.) I'll try to dig up that article and send you the quote and the citations.

J.D. Abolins
Meyda Online -- Infosec & Privacy Studies
Web site: http://www.MeydaOnline.com

---

From: "frank20" <frank20at_private>
To: <declanat_private>
References: <5.1.1.6.0.20021206110209.026898e8at_private>
Subject: Re: Query from a father about genetic privacy and clinical trials
Date: Fri, 6 Dec 2002 11:35:13 -0600

'Concerned Father' has every reason to be concerned. The protection of 'Individually Identifiable Health Information' (IIHI) (often also referred to as 'Personal or Private Health Information' (PHI)) is of sufficient concern that regulations under the Health Insurance Portability and Accountability Act (HIPAA) have been approved and will soon (during 2003) go into effect.
The new Privacy regulation essentially defines IIHI / PHI as health data that can be directly connected to an individual (based on name, address, or any of some 18 demographic identifiers) and establishes strict rules (backed by both criminal and civil penalties) for storage, transfer, sharing, release, etc. of such IIHI/PHI. Under the rules, for example, the 'health data' itself, when 'de-identified' (i.e., all the info connecting the data to a specific individual), can be shared for research purposes; when the health data is coupled with all or part of the data that identifies an individual, it can only be shared under specific circumstances, through specified channels, all intended to ensure that the situation envisioned by 'Concerned Father' doesn't happen.

Unfortunately, the regulations promulgated under HIPAA will not be applied to every member of the healthcare community...at least as currently written. Essentially, the 'reach' of the Government is limited to situations where electronic transfer of such information happens. This means that there are 'covered entities' to whom the rules will apply...the rest are outside the HIPAA regs.

As a general rule, most healthcare providers, payers, and claims processors now handle insurance claims electronically. These folks are thereby 'covered entities' and will have to comply with the new regulations. This means, for 'Concerned Father', that if he were admitted to a typical Hospital and underwent tests that showed the genetic marker of concern, that info is reasonably safe from release to other agencies. (I say reasonably because, unless you have the Security and Privacy controls of a Hospital inspected / vetted by someone you know and trust, how can you really be sure?)

The real problem is going to be situations where IIHI/PHI is collected by entities that are 'not covered' and thus not subject to the regulations at all.
Example 1: Your employer has an on-site clinic to handle minor accidents / health problems that occur at work. You do not pay for treatment...in fact, nothing done by the Doctor or Nurse or their staff defines them as a 'Covered Entity'. In this case, whatever personal health information is collected is 'protected' only by the medical staff's conscience and whatever rules the State where the clinic is may have. It is likely perfectly legal for the clinic to share its information on you with the employer who underwrites the clinic...or anyone else.

Example 2: Situation referenced by 'Concerned Father', you are asked to participate in a study, perhaps underwritten by an insurance company or a pharmaceutical firm. You don't 'pay' for anything, etc., and organization, again, doesn't fit criteria of a 'Covered Entity'. Again, level of protection 'guaranteed' is low. Depending on rules of State where study is conducted, self-imposed rules of organization doing study, conscience of study managers, etc, your 'protection' may range from 'great' to 'non-existent'. And, once more, it will be really hard for an individual to know what the real situation is.

Please note that (1) I am not a lawyer; (2) I have been working with HIPAA and its implications for IT for quite some time; and (3) I am in a situation like that of 'Concerned Father', as I have children with similar medical conditions.

You can find out a lot more on this subject by looking into HIPAA at the CMS site dedicated to this subject (http://cms.hhs.gov/hipaa/ )

Frank J. Hannaford

---

From: "Crawford, William"
To: "'Declan McCullagh '" <declanat_private>
Subject: RE: Query from a father about genetic privacy and clinical trials
Date: Fri, 6 Dec 2002 14:38:14 -0500

Not a lawyer, but I have been involved with the IT aspects of this for a while, and asked a few questions around the office to confirm my previous understanding:

The data protections surrounding clinical trial data are, in general, very good, and enforced by Federal law. Unblinding a trial, i.e. revealing the names of participants, rather than the ID numbers that are used through the course of the clinical research process, requires a subpoena. The NIH interns won't have access, certainly (having met some of them, I can assure it). Patients are generally identified within systems by number only.

Of course, there are always risks, as when any secret is shared more broadly than between yourself and the cat, but the penalties for distributing this data are quite high and the barriers, both legal and technical, are very extensive.

The FDA maintains some good resources on this at www.fda.gov, although you have to dig around.

Will

(www.williamcrawford.info, rather than my email address above, if you share this; thanks).

---

Date: Fri, 6 Dec 2002 15:34:30 -0500
From: Mathias Wegner <mwegnerat_private>
To: Declan McCullagh <declanat_private>
Subject: Re: FC: Query from a father about genetic privacy and clinical trials

Please pass this along to The Concerned Father

The Alliance of Genetic Support Groups has more information than you can shake a stick at, and it almost certainly has information on the particular disease and on situations like the one described. If the website doesn't have the info you need, the helpline will (or a referral to someone who does know).
www.geneticalliance.org

Mathias

---

Date: Fri, 6 Dec 2002 15:41:30 -0800 (PST)
From: Eugene Strupinsky <estrupinat_private>
Subject: Re: FC: Query from a father about genetic privacy and clinical trials
To: declanat_private

Declan,

As a law student who's done well in Bioethics last year, I'll chime in with the following:

The most important question is what the hospital (or whoever is conducting the study) thinks the privacy restriction means. This depends on state laws and the practices of the hospital. Will the hospital disclose names to a curious insurance company? (We'd like to think not) What are the 'sunshine laws' of the state? If the hospital means "as required by law as compelled on individual bases," will it disclose during civil discovery or upon a criminal subpoena or warrant? If this is the case, at least the Parent will have notice and an opportunity to consult with their own lawyer.

Parent's concern is understandable, and I would recommend sitting down with the hospital's attorney and possibly their own to go over the agreement. That's just what you have to do with contracts.

Eugene Strupinsky

---

From: codeheadat_private
To: Declan McCullagh <declanat_private>
Date: Fri, 6 Dec 2002 16:29:47 -0800

Declan,

Obviously IANAL, although I recently did a paper on potential cryptographic protection for an individual's genome--controllable by the individual, of course. Here's the current status:

1. Several bills have been introduced in the House and Senate in the U.S. that usually have the following common characteristics: (a) the same protection for genetic records as for other medical data; (b) prohibition against health insurance companies forbidding them from refusing insurance based on genomic information; (c) prohibition against employers against hiring/firing on genomic grounds. None of these bills has ever passed both houses. It's my opinion that they never will if the pressure of public opinion doesn't overwhelm the insurance lobby's pressure.
(Perhaps I should mention that some European governments have passed relatively strong genetic privacy legislation, but like most privacy laws that get passed in European countries, the government is generally exempt.)

2. Some legal protection, which I consider to be relatively weak, exists because of regulatory case law. In the late 90s, Burlington-Northern decided to test all employees coming down with carpal tunnel syndrome for a genetic trait that causes the disease in a minority of cases. They then fired all people who tested positive for this gene. The EEOC eventually ruled that all of the firings were illegal, and set up a doctrine that people could not be denied hiring or be fired because of genes. Some legal experts question the capability of the EEOC to set such a policy, and this may be headed eventually for a showdown in the courts.

Frankly, like other private information, whether your correspondent decides to give out such information is dependent on how much he trusts the researchers. While I don't realistically expect that most researchers will roll over nearly as easily as say, AOL, when asked for information, it's important to recognize that many of them do not have the budgets to support the legal defense of somebody else's genetic privacy.

To be fair, let me point out that medical researchers go to great lengths to protect privacy, and generally only one or a few people out of many ever have access to identifying information. However, accidents do happen, such as the case a couple of years ago when a medical database at University of Washington medical school was hacked and thousands of names were revealed.

A few states have passed laws to protect genetic privacy, but they are by far the exception. Your correspondent may wish to do further research on his own state's laws to see what kind of coverage he has.
The only real protection anybody has right now as far as their genome goes is "security by obscurity" and, as cypherpunks know, simply not giving out the information in the first place. It costs so much to sequence somebody's genome--$400K is the best rate I've found--that it's simply not economic for anyone to go fishing. However, looking for a single gene out of 40,000 or so is often much, much cheaper. It's the testing by interested parties for a few genes that will become controversial in the next few years, the equivalent of the urine test.

In any case, the sequencing of all of a person's genome should be down to under $1,000 in 10 years. That's cheap enough that almost any health or life insurance company, and most employers, would find this economical. (Potential marriage partners may want a peek, too, just as some are now purchasing credit records and background checks on prospective mates.) Within 5 years after that, sequencing will be cheap enough to use as biometric identification, and the potential for abuse by both public and private entities will be very high.

Declan, I personally am unwilling to gamble on what future law will come about to protect genetic privacy. I'm very hesitant to depend on protection that is weak now and could change at any time, recognizing that there's a lot of money and influence behind those interests who really would like to know that kind of information--and be able to use it.

If I really, really wanted to participate in the trial, I'd consider not using my true name. The researchers don't need it anyway, as long as they can compile data over time, and don't lose track of their subjects. Or I would simply hold off on joining the trial and wait for the technology to develop to the point where I could anonymously take advantage of it. This is not much comfort for this man, and it's unfortunate that no good mechanism currently exists that provides for individual-controlled genetic privacy.

Emily S.

(who spent the last two weeks doing gene splicing of e.coli to confer some lovely multiple antibiotic resistance on them--I just hope I never ingest one of those beauties. And yes, I'm becoming a biopunk.)

---

From: "Thomas Leavitt" <thomasleavittat_private>
To: <declanat_private>
Subject: Re: Query from a father about genetic privacy and clinical trials
Date: Fri, 6 Dec 2002 18:07:00 -0800

Declan,

It is worth pointing out that under a "single-payer" health insurance system, accompanied by reasonable forms of social security (structural forms that spread the risk out over the entire population and age spectrum, thus preventing "free riders" from opting out when they can expect to be healthy, and opting in when not), the primary motivations for this gentleman's concerns would simply not be operative - if everyone is insured and legally entitled to reasonable care, then not being able to obtain health insurance, etc. is simply not an issue.

It is not economically efficient for society as a whole for these individuals (and others in similar situations), to exclude themselves from the research pool or deliberately remain ignorant of their future risks as a means of self-protection.

As genetic research proceeds, this will become more and more of an issue - "single payer" health insurance may not be the solution; I appreciate there is substantial debate about that, but I think it is clear that the current structure under which the health of American citizens is protected has substantial flaws when confronted with issues of this sort.

Regards,
Thomas Leavitt

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.