THE GENETIC INFORMATION NONDISCRIMINATION ACT AT AGE 10: GINA’S CONTROVERSIAL ASSERTION THAT DATA TRANSPARENCY PROTECTS PRIVACY AND CIVIL RIGHTS

The genomic testing industry is an edifice built on data transparency: transparent and often unconsented sharing of our genetic information with researchers to fuel scientific discovery, transparent sharing of our test results to help regulators infer whether the tests are safe and effective, and transparent sharing of our health information to help treat other patients on the premise that we gain reciprocity of advantage when each person’s health care is informed by the best available data about all of us. Transparency undeniably confers many social benefits but creates risks to the civil rights of the people whose genetic information is shared. Touted as a major civil rights law at the time of its passage, the Genetic Information Nondiscrimination Act of 2008 (GINA) has endured ten years of criticism that its protections are ineffectual, insufficient, or even unethical and overtly unsafe for the people it aims to protect. At the center of this controversy are provisions of GINA that expand people’s access to genetic information that others store about them—a heavily contested assertion that data transparency implies sharing data not just with third parties, but with the people whose data are being shared. This Article traces the decades-long roots of this assertion and explores pathways to resolve the controversy that engulfs it. It is important to resolve this controversy. As GINA enters its second decade, genomics is finally starting to gain sufficient predictive power to support discriminatory and other nefarious uses that GINA was designed to prevent. We are entering a positive feedback loop in which the genomic research that exposes us to risk of unwanted data disclosures simultaneously fuels discoveries that make such disclosures potentially more damaging.

Introduction: GINA’s First Decade and the Challenges Ahead

The Genetic Information Nondiscrimination Act of 2008 (GINA) was born with high expectations. 1 The late Senator Edward Kennedy, who cosponsored the legislation, billed it as “the first major new civil rights bill of the new century.” 2 However, GINA celebrated its tenth anniversary last year amid festering doubt about its significance as a civil rights law. 3 Scholars dismiss GINA as having attacked two problems—genetic discrimination in employment and in health insurance—that, as far as the available evidence shows, never actually existed. 4 GINA fails to address problems, such as genetic discrimination in long-term care insurance, that genuinely trouble people who undergo genetic testing. 5 The centerpiece of GINA’s civil rights protections—an expanded right of transparency allowing individuals to access genetic information that third parties store about them—remains mired in controversy. 6 This Article explores the individual access right GINA created and explains why it is a crucial tool to protect people’s civil rights as genomic testing grows more common and more informative in coming years. A convoluted rulemaking history obscured GINA’s role in creating this important right, 7 and GINA enters its second decade like a misunderstood teenager, struggling to be taken seriously as a civil rights law.

If GINA’s alleged shortcomings caused no widespread harm over the past decade, this fact lends itself to two possible explanations: The first is that GINA addressed frivolous problems that did not matter in 2008 and, by implication, may not matter now. The second is that GINA addressed important problems and was thwarted in its initial attempt to do so, but somehow we lucked out and escaped serious harm, which still awaits unless we take steps now to ensure that GINA’s essential civil rights protections work as Congress intended. I disclose that I lean toward this second view.

Congress enacted GINA during a period of enthusiasm that followed the completion of the Human Genome Project in the year 2000. 8 Those were heady times. When announcing initial results of that project, renowned geneticist Francis Collins declared, “Today, we celebrate the revelation of the first draft of the human book of life,” 9 and President Bill Clinton gushed, “[t]oday, we are learning the language in which God created life.” 10 Scholars of the era likened genetic information to a “future diary” that is “uniquely powerful and uniquely personal” and able to “predict an individual’s … medical future” and foretell the future of one’s family members. 11 People worried that a drop of spit on a discarded coffee cup or a strand of hair they shed on the street might enable others to infer deeply personal secrets: where they came from (for example, is their ostensible father really their father?), 12 their mental defects and behavioral shortcomings, 13 and how and when they will die. 14

GINA, in many respects, was Congress’s response to a mass delusion that genetic information is more informative than, at least to date, it has proved to be. 15 As we now know, and as cooler heads knew back then, “[t]he argument from genetic prophecy is not compelling.” 16 As of 2014, of the roughly 10,000 mutations that each of us has in our genomes, 17 fewer than 130 could be conclusively linked to a clinically significant health impact. 18 Behavioral genetics, after years of explaining practically nothing, 19 is only now beginning to have predictive power, which remains limited. Basic physical traits like height are influenced by hundreds of interacting genes, such that viewing people’s genomes usually reveals little about how tall they are. 20 A 2010 study found that simple metrics, such as a person’s waist circumference, are better at predicting future diabetes risk than genetic “models based on 20 common independently inherited alleles.” 21

If GINA failed in its first decade to save us from genetic discrimination, it may have been a harmless error because the human genome was too poorly understood at the time to lend itself to very many discriminatory uses. 22 If GINA failed, then so did the science, and it all somehow worked out. This does not imply, however, that GINA’s civil rights protections are unimportant: they may simply have been premature.

Genetic science is rapidly gaining power to explain and predict. 23 As it does so, the potential for genetic discrimination and other inappropriate uses of genetic information grows more real than it was ten years ago when Congress enacted GINA. 24 It is no longer “mere theory or science fiction” that a hacker who misappropriates our genetic information will be able to infer personal characteristics such as our height, ethnicity, hair color, eye color, and facial features. 25 The plan for advancing our understanding of the human genome, and thus our ability to draw such inferences, relies on research that uses large datasets of genetic and other personal data, often without individual consent. 26 We are entering a positive feedback loop in which the research that exposes us to risk of unwanted data disclosures simultaneously fuels the discovery process that makes disclosures all the more damaging. 27 As GINA enters its second decade, the civil rights protections it affords are starting to matter. The goal of this Article is to open a debate about possible solutions to controversies that have undercut GINA’s protections during its first decade.

These controversies reflect a clash of competing regulatory paradigms. Passage of GINA expanded the federal regulatory program for genetic and genomic testing. 28 The program had long included consumer health and safety regulations (for brevity, “safety regulations”) that aim to protect the physical health and safety of people who undergo genetic and genomic testing. Examples of safety regulations include the U.S. Food and Drug Administration’s (FDA’s) oversight of in vitro diagnostic testing products, 29 the Centers for Medicare and Medicaid Services’ (CMS’s) oversight of clinical laboratories under the Clinical Laboratory Improvement Amendments of 1988 30 (CLIA) regulations, 31 as well as aspects of federal research regulations that minimize physical safety risks to research participants. 32 GINA added a second layer of regulations: civil rights laws that address the social consequences of genetic testing. 33 For example, GINA bans unjust discrimination, 34 strengthens privacy protections, 35 and protects rights that foster fruitful human interactions, such as the rights to speak freely, 36 to receive information relevant to one’s decisionmaking, 37 to associate and assemble with others, to engage in scientific inquiry, and to participate in political life. 38

The transition to a broader federal regulatory program for genetic testing has not gone smoothly. GINA led to the creation, in 2014, 39 of a federally protected, individual right of access 40 to genetic information stored at laboratories covered by the Health Insurance Portability and Accountability Act of 1996 41 (HIPAA) Privacy Rule, which is a major federal medical privacy regulation. 42 The 2014 Privacy Rule amendments expanded individuals’ access to laboratory-held data, 43 including genetic and genomic information as well as assorted other diagnostic test results that laboratories hold in their files. 44 Insofar as these amendments pertain to genetic information, they were implementing a congressional civil rights mandate stated in GINA. 45 Failing to appreciate this fact, safety regulators and some members of the bioethics and medical communities have opposed HIPAA’s right of access to genomic information, citing safety concerns. 46 These safety concerns are most intense with respect to genomic information generated during research. 47 Research data, for various reasons, may fall short of the quality standard suitable for use in clinical healthcare, but they can affect people’s civil rights, and people need access to them. 48

The compliance date for HIPAA-covered laboratories 49 to provide access to laboratory-held data was October 6, 2014. 50 Four years later, many individuals face ongoing problems accessing their data. 51 Steven Keating, diagnosed with brain cancer while pursuing Ph.D. studies several years ago, has chronicled his saga to overcome the access barriers this Article discusses. 52 After surgery, he donated his tumor tissue to a research study, assuming he would have access to the genome sequencing results, but he was denied access based on concerns that the research laboratory was not certified under the CLIA regulations. 53 “I wanted to see my sequence and share it with the world to benefit science. Instead, the reward for donating valuable tumor tissue was a legal barrier preventing me from seeing my future.” 54

Genomic research laboratories are caught in a crossfire of conflicting directives from three subagencies within the U.S. Department of Health and Human Services (HHS). The three are: (1) the FDA, which regulates medical devices including some genetic and genomic testing products; 55 (2) the CMS, which regulates clinical laboratories under its CLIA program; 56 and (3) the Office for Civil Rights (OCR), which administers the HIPAA Privacy Rule. 57 Many researchers additionally find themselves squeezed between HIPAA’s apparent directive to grant individual access and an Institutional Review Board (IRB) 58 that considers it unethical to do so under various federal research regulations. 59

This Article ascribes these conflicts to growing pains within an evolving federal regulatory program for genomic testing. 60 As new civil rights protections were added after GINA, they were not adeptly 61 integrated into the fabric of preexisting safety regulations. The first step toward successful integration is to understand that HIPAA’s access right is not a safety regulation and should not be judged as such. 62 Rather, it is a regulation that aims to balance privacy and transparency in a way that allows socially beneficial uses of genomic data while protecting people’s civil rights. 63 It rests on legal precedents that date back to the 1970s and has clear ethical justifications enunciated in studies Congress commissioned at two critical junctures; first, as the modern information age started to unfold in the 1970s and, second, as the Human Genome Project began to bear fruit in the late 1990s. 64

Recent debate about HIPAA’s access right is often couched in bioethical and safety-related terms: Is individual access to genomic data normatively justified, consistent with bioethical standards, and safe? And if not, can consumer safety regulators like FDA and CMS find jurisdiction to block HIPAA access? This Article argues that these are not appropriate questions to ask about a federally protected civil right. Civil rights enjoy a special status in U.S. federal law. Public officials—including safety regulators—are obliged to respect people’s civil rights. 65 The most fruitful way forward is to look for approaches that affirm people’s civil rights while making the exercise of those rights as safe as it possibly can be—recognizing, however, that civil rights have never been cost-free, and autonomous individuals often embrace risks to claim their civil rights. This Article identifies legally workable options for advancing safety, bioethical values, and civil rights simultaneously, so that GINA can achieve its original promise, which was to protect genomic civil rights. 66

I. Civil Rights in Bioethical Discourse

After a recent article referred to HIPAA access as a civil right, 67 it drew protests from some scientists and bioethicists who regard such language as provocative. 68 No provocation is intended. Whatever special valence the term “civil right” may have in popular culture, it has a simple dictionary meaning, which is the intended meaning here. 69 Civil rights are legally enforceable rights and protections within the social and political spheres. 70 “Enforceable” means that people whose civil rights are violated can seek redress, such as monetary damages or an injunction to force others to respect their rights. 71 Civil rights are legal creations, protected by laws such as the U.S. Constitution, federal and state statutes, and regulations implementing those statutes. 72

Civil rights differ from natural rights that inhere in the nature of persons, from moral and bioethical claims of right that are not legally enforceable, and from rights incidental to the ownership of property. 73 On this last point, civil rights generally attach to people, not to property. 74 Data ownership, if it existed, would grant rights for owners to use, access, and control their data, but these rights seemingly would evaporate when owners transfer their data to someone else: property rights generally run with the property and pass to the next owner. 75 Jessica Roberts correctly observes that a property right in one’s own genetic information could be designed in a way that affords significant protection of individual rights. 76 Conceivably, genetic data ownership might be defined as including an ongoing right of access to one’s data that endures even after the data are sold or transferred to another person. To date, however, this has not occurred. Several states have enacted laws granting individuals a property interest in their own genetic information, 77 and a few more states have considered such legislation. 78 But such laws are generally vague about what genetic property rights entail, 79 and none provides a right of ongoing access after transfer or sale. 80 Popular discourse about genetic data ownership often draws an analogy to fee simple ownership of a house. 81 The popular conception of home ownership has never included a right for former owners to enjoy ongoing access to sit in the living room after a sale. Thus, it seems unlikely that genetic data ownership, if it existed, would provide an inalienable, enduring right of access to one’s own data wherever the data happened to be stored.

In a similar fashion, a bioethical right of informed consent offers few ongoing protections once consent is improvidently granted to a downstream data user who distributes one’s data carelessly and widely. 82 Withdrawing consent may—but does not always—block recipients’ further use of a person’s data, nor is it an effective way to force privacy, data security, data destruction, and data transfer policies to guard consenters’ civil rights. 83

A law creating data-related civil rights, in contrast, could be drafted in a way that gives people ongoing access to, control over, and protections for their data even when the data are held by others. GINA’s drafters appreciated the limits of consent and ownership as mechanisms to address the concerns people feel about storage, use, and disclosure of their genetic information. 84 GINA instead embraced a civil rights approach. 85 Civil rights are simply a different legal technique for protecting some of the same individual interests that many bioethicists and property theorists also seek to protect. 86

The field of bioethics has always been attentive to civil rights-related issues—for example, privacy, stigmatization and discrimination, and the need to be informed when consenting to uses of one’s data. 87 But bioethical literature rarely frames these issues in the language of civil rights. This may reflect historical factors. The Secretary’s Advisory Committee on Genetic Testing (SACGT), working in the late 1990s while the Human Genome Project was still a work in progress, identified four criteria for assessing the benefits and risks of genetic testing: analytic validity, 88 clinical validity, 89 clinical utility 90 (sometimes called “actionability”), 91 and social consequences. 92 Public comments confirmed that these criteria capture concerns people feel about the safety of genetic testing. 93

The SACGT’s formulation appended social consequences—a focus of civil rights law—to the end of a list of safety-related criteria. 94 This suggested a mindset that civil rights are subordinate to safety or—worse—it suggested a complete blurring of the two as if social consequences are part of the risk/benefit ratio safety regulators should use to assess whether genetic testing is safe. 95 In practice, consumer safety regulators like FDA and CMS have neither the legal authority nor appropriate staffing to address social aspects of technologies they regulate; separate federal agencies administer civil rights regulations. 96

Bioethical discourse about safety and civil rights has been further blurred because the traditional Common Rule 97 (the longstanding federal research regulation, for which 2017 amendments took effect in January 2019) 98 combined both types of regulation. The traditional Common Rule engaged ethics review bodies, known as IRBs, in a safety regulatory function when minimizing the physical risks of research, but in a civil rights function when assessing privacy risks in informational research that stores, discloses, or uses people’s data or when assessing the adequacy of informed consent. 99 These mixed oversight responsibilities perhaps made sense when the Common Rule was drafted in the late 1970s and 1980s because the HIPAA Privacy Rule did not yet exist. 100 The traditional Common Rule—the federal regulation that is most familiar to many bioethicists—was a muddle of safety and civil rights law. 101 This may have suggested that blurring safety and civil rights is normal in regulatory practice when, in fact, it is not.

A major goal of the 2017 Common Rule revisions was to disentangle safety and civil rights by ceding civil-rights oversight to the HIPAA regulations and focusing the Common Rule on the physical risks of research—that is, on safety issues. 102 Under the revised Common Rule, uses and disclosures of data that are subject to HIPAA regulation as research, public health, or health care operations will be exempt from the Common Rule. 103 In other words, the Common Rule will no longer regulate these activities. 104 The preamble to the 2017 Final Rule explains that this exemption avoids duplication in cases where data privacy is already protected by HIPAA. 105 This change may help distinguish the concepts of safety and civil rights in future bioethical discourse. Common Rule IRBs will still have residual oversight responsibilities for data privacy in contexts where HIPAA does not apply, so some mixing of responsibilities will continue. 106

The historical blurring of safety and civil rights in bioethics disguised a problem that is glaringly evident after GINA. Safety and civil rights regulations are distinct bodies of law serving different objectives that sometimes call for conflicting policies on particular issues, such as “whether individual access to genomic data should be narrow or broad.” 107 This Article explores how—and why—safety and civil rights collided after GINA and possible ways to reconcile the two.

II. Formalizing Genomic Civil Rights After GINA

GINA marked a shift to a more formal federal regulatory structure to address the social consequences of genetic testing. 108 Informal oversight, as opposed to governmental regulation, had long been part of the framework to protect individuals who undergo genetic and genomic testing. In the early 1990s, when Congress established the National Center for Human Genome Research, 109 Congress called for “‘not less than’ 5% of the [National Institutes of Health (NIH)] Human Genome Project budget to be set aside for research on the ethical, legal, and social implications of genomic science.” 110 The resulting Ethical, Legal, and Social Implications (ELSI) research program is estimated to have funded over 480 scholarly research projects costing more than $300 million by 2014. 111 This program has been described as a mechanism through which Congress “legislatively instantiated” its commitment to address the social consequences of genetic and genomic testing. 112 “Instantiate” is not a legal term; it simply means to provide an example or a specific instance. 113 If it seemed that Congress was appointing ELSI scholars to regulate the social consequences of genetic testing, this was just a pleasant scholarly conceit. Congress had other plans.

GINA emerged in 2008 at a critical juncture when genomic testing was maturing from a research pursuit into a vibrant clinical and consumer testing industry that routinely stores, shares, and uses large volumes of personal data in ways that the tested individuals may not even be aware of. 114 GINA is most famous for addressing two narrow problems: genetic discrimination in employment and in health insurance. 115 Its broader significance as a genomic civil rights law lay in two low-key provisions in which Congress defined the types of genetic information that raise civil rights concerns 116 and appointed a federal regulator with broad rulemaking authority to address those concerns. 117

Section 102 of GINA defines the “genetic information” that, in Congress’s view, has the potential to affect people’s civil rights. 118 This definition includes virtually any information that a genetic test may reveal about a person, as well as other genetic information that can be inferred from genetic tests and manifest disease of the person’s family members. 119 GINA’s definition pays no heed to whether the information is reliable or unreliable, clinically significant or not, or whether it was generated in a research or clinical laboratory. 120

This definition opened a gulf between consumer safety regulations and genomic civil rights regulations. Central tenets of safety regulation are that genetic information is potentially dangerous unless it meets quality standards appropriate for clinical health care, 121 and that data generated during research should be shared with individuals only if the information can be confidently traced to the individual and has analytic validity, clinical validity, and/or clinical utility/actionability. 122 Before GINA, there was ongoing debate within the bioethics community about whether individual findings from genetic and genomic research even amount to genetic information. 123 An influential 1999 report by the National Bioethics Advisory Commission opined that “preliminary results do not yet constitute ‘information’ since ‘until an initial finding is confirmed, there is no reliable information’ to communicate to subjects.” 124 The perception that unreliable genetic findings are not genetic information reflects a consumer health and safety regulatory mindset.

GINA recognized that protecting civil rights requires a different mindset. People can be deprived of civil rights based on unreliable as well as reliable information that is attributed to them; indeed, unreliable data are sometimes the most damaging. If somebody else’s data are in your file as a result of a laboratory error, the data obviously are useless and potentially even dangerous from a medical standpoint, 125 but can also affect your civil rights. You could face genetic discrimination if a sicker person’s information is wrongly attributed to you. To discover and correct the error—and protect your civil rights—you need access to the data that are (rightly or wrongly) stored under your name. Variants with uncertain clinical significance (or no clinical significance at all) can imperil a person’s civil rights. For example, the Combined DNA Index System (CODIS) genetic markers that law enforcement agencies use to identify suspected criminals are from noncoding regions of the genome 126 and have no clinical validity or utility whatsoever. 127 Still, if a research laboratory stores people’s CODIS markers in their genome sequencing files, these data later could be used to link them (or one of their family members) to a crime. 128 Worse still, if someone else’s CODIS markers are in their files because of a laboratory mix-up, they could be falsely accused. 129

Section 105 of GINA ordered the Secretary of HHS to place all genetic information held at HIPAA-covered facilities under the protection of the HIPAA regulations. 130 Since it was first promulgated in December 2000, 131 the HIPAA Privacy Rule has provided privacy protections for “health information” (often referred to as protected health information or “PHI,” the information that HIPAA protects). 132 However, the definition of “health information” has changed over time. The 1996 HIPAA statute supplied a definition of this term. 133 The problem with this 1996 definition was that it only seemed to include genetic information that had a well-established relationship to a health condition. 134 Genetic information with analytic validity, clinical validity, and clinical utility seemed to qualify as “health information” and enjoy HIPAA’s privacy protections. 135 This protected, for example, the fact that a person has a genetic variant known to be associated with diabetes, Huntington’s disease, cystic fibrosis, or high blood pressure. But genetic findings lacking clear associations with health conditions were not clearly subject to HIPAA’s privacy protections. 136 Thus, the original Privacy Rule did not seem to protect genetic information bearing on a person’s behavior, intellect, criminal tendencies, athletic prowess, or physical appearance, or the fact that a person has variants for which the significance is not yet understood. 137 This left an important gap in privacy protection as genomic testing grew more common in recent years.

Unlike traditional genetic tests that examine a discrete number of specific genes already known to have a clinically significant relationship to human health, genomic tests scan a large swathe of a person’s genome. 138 Each of us has on the order of three million genetic variants—the modern euphemism for mutations—in our whole genomes (the entirety of our genetic material), and we have about 10,000 variants in our exomes (the roughly 1.5 percent of the genome that contains our genes, manufactures proteins, and influences our physical characteristics). 139 For most of these variants, the clinical validity and utility are not yet known. 140 A 2014 study found that only 90 to 127 variants have a well-established clinical significance based on the science at that time. 141 These clinically significant variants seemingly amount to health information and would have received privacy protection under the original Privacy Rule, but the other 9875 or so variants that each of us carries are not necessarily health-related and did not qualify for privacy protection under that old standard.

Even now, genomic testing is only slowly moving into wide clinical use because it is still rare for health insurers to cover the cost of gene sequencing in clinical settings. 142 As a result, most of the gene sequencing test results currently stored in the United States—and thus in need of privacy protection—were generated during past research studies, and research studies continue to play a large role in generating new genomic information. 143 Data generated during research do not always meet the standards of quality needed for use in clinical health care. 144 These data were at risk of slipping through the protections of the original Privacy Rule—a problem that Congress addressed by passing GINA. 145

There are two ways that research results can fail to meet the standards of quality that are expected of data destined for use in clinical healthcare. First, the data themselves may be of subclinical quality in the sense of lacking analytic validity, clinical validity, and/or clinical utility/actionability. 146 This situation reflects a substantive problem with data quality: the data, while useful for research, are not sufficiently reliable and well-understood to qualify for use in healthcare settings. Second, the laboratory that generated the data may not have complied with regulatory standards required of laboratories that perform tests as part of clinical healthcare. In particular, some research laboratories do not comply with the federal CLIA regulations. 147 This situation is in the nature of a legal technicality and has only a weak relationship to the data’s substantive quality. 148

Research laboratories can, and often do, produce genomic results that have “clinical quality” in the sense of being analytically valid and having a well-understood clinical validity and utility. 149 Conversely, clinical genomic tests—tests performed at CLIA-compliant clinical laboratories for the purpose of informing healthcare decisions—reveal a lot of subclinical quality information, unsuitable for use in clinical care, as a byproduct of detecting the few variants that have known clinical significance. 150 Whether test results have clinical quality or subclinical quality thus is not a function of where the results were generated, that is, at a clinical versus research laboratory.

The fact that a research laboratory complies with the CLIA regulations 151 provides no assurance that the data are of clinical quality. 152 Congress enacted the CLIA statute in response to reports of inaccurate results from tests used in cervical cancer screening, and the CLIA regulations play a useful role in enhancing the safety of laboratory tests used in clinical health care. 153 It is not an indictment of the CLIA regulations to acknowledge that, like all laws, their protections are tailored to the context for which they were designed: in this instance, clinical laboratory testing. 154 These same protections may offer fewer benefits as applied in other contexts. 155 For example, one of CLIA’s most important protections is its requirement for a laboratory to have a scientifically qualified laboratory director. 156 This guards against the possibility that a commercial clinical laboratory might hire a non-scientist business person to oversee its operations. 157 This same protection offers less incremental benefit in research contexts, where other mechanisms—such as grant sponsors’ close scrutiny of the scientific bona fides of grant recipients—generally ensure that the person overseeing a research study has relevant scientific knowledge. 158

Subjecting research laboratories to the CLIA regulations would not necessarily advance the goal of ensuring that test results have clinical quality—that is, that specimens and data are well-identified and results have analytic validity, clinical validity, and clinical utility. 159 The CLIA program only addresses analytic validity, but not clinical validity or utility. 160 The analytic validity of tests at a CLIA-regulated laboratory “is reviewed during its routine biennial survey—after the laboratory has already started testing.” 161 At clinical laboratories that use tests for many years, a biennial validation ensures that patients tested after the second year a new test is introduced will receive an analytically validated test. 162 At CLIA-certified research laboratories that use novel tests during short-term research projects, CLIA’s biennial survey may or may not happen in time to ensure analytic validity. 163 Adding to concerns about analytic validity, a 2006 report by the United States Government Accountability Office (GAO) documented lax enforcement of CLIA’s proficiency-testing requirement—the process Congress viewed as central to ensuring the analytic validity of laboratory tests. 164 Even if CMS vigorously enforced CLIA’s proficiency-testing requirements at CLIA-certified research laboratories, proficiency testing materials (the well-characterized biospecimens laboratories purchase in order to conduct their proficiency testing) 165 are not available for many genomic tests, and this is especially true of novel tests used in research: “For many genetic conditions that are either rare or for which testing is performed by one or a few laboratories, substantial challenges in developing formal proficiency testing programs have been recognized.” 166 Subjecting research laboratories to CLIA regulation thus may not always ensure analytic validity.

CLIA also offers only modest protection against laboratory mix-ups in which one person’s test samples (biospecimens) or data are mistaken for another person’s. The CLIA regulation calls for accurate sample and record identification, but its requirements are modest:

Laboratories that perform molecular genetic testing for heritable diseases and conditions should ensure that at least two unique identifiers are solicited on these test requests, which should include patient names, when possible, and any other unique identifiers needed to ensure patient identification. In certain situations (e.g., compatibility testing for which donor names are not always provided to the laboratory), an alternative unique identifier is appropriate. 167

CLIA’s sample-identification requirements are disappointingly minimal, and mix-ups occurring at CLIA-regulated clinical laboratories sometimes have tragic consequences. 168 Many non-CLIA-regulated research laboratories implement sample-identification procedures that are as stringent as, if not more stringent than, CLIA’s requirements.

For all of these reasons, CLIA-compliant facilities—whether they are clinical or research laboratories—may or may not produce clinical-quality genomic information. GINA draws no distinction between clinical and subclinical-quality genetic information, between data generated in research settings and clinical settings, between data from CLIA or non-CLIA laboratories, or between information that is correctly or incorrectly attributed to an individual as long as it purports to be the person’s data. 169 This is as it should be because all such information affects a person’s civil rights.

GINA’s section 105 contains a congressional mandate that genetic information, as defined by GINA, shall be treated as “health information” that is protected by the HIPAA Privacy Rule. 170 Even though non-clinically-significant genetic information might not be viewed as health data for other medical and legal purposes (such as Medicare billing), Congress regards it as “health information” for purposes of receiving HIPAA’s privacy protections. 171 Section 105 also orders HHS to amend its HIPAA regulations to place all genetic information stored at HIPAA-covered facilities under the HIPAA protections. 172 On December 28, 2000, the day that HHS promulgated the original Privacy Rule, the Secretary of HHS delegated her HIPAA-related responsibilities to the OCR, which oversees civil rights within HHS. 173 Section 105 thus was a delegation of rulemaking authority to OCR. GINA requires OCR to consult with other agencies like the Department of Labor and Department of Treasury, which have various GINA-related responsibilities, 174 but states that OCR “has the sole authority to promulgate such regulations.” 175 Together, GINA’s sections 102 and 105 are a Congressional delegation of authority for OCR to serve as America’s principal regulator for the protection of genomic civil rights. 176

III. GINA’s Reliance on Transparency to Protect Privacy and Civil Rights

GINA expressly bans genetic discrimination in two private spheres—employment and health insurance 177 —that Congress clearly can regulate under its commerce power. 178 Yet people’s fears about genetic discrimination extend more broadly to private social relationships that lie outside the reach of federal regulation: will a prospective marriage partner reject you over a recessive variant for offensive body odor, a clinically insignificant but undesirable trait that rational suitors may not wish to bestow on their offspring? The federal government cannot force your lover to marry you in spite of the variant. All it can do is arm people with information that empowers them to negotiate their own, private solutions. GINA embraced this approach to the broader problem of private genetic discrimination.

The HIPAA Privacy Rule already included an individual access right on the day Congress enacted GINA. 179 By placing genetic information under the Privacy Rule, 180 Congress seemingly intended to grant Americans a right of access to their own genetic information stored at HIPAA-regulated facilities. 181 A major challenge in fighting genetic discrimination is that people may never realize they belong to a genetic subclass that is being targeted for discrimination, making it hard to organize resistance to the discrimination. Invidious discrimination based on classifications like gender, sexual preference, race, or national origin is easier for its victims to detect, because people generally know they fall into, or could be perceived as falling into, those classes. Yet who among us knows whether we carry a particular genetic variant that may cause other people—not just employers and insurers, but neighbors and friends—to turn against us?

People can discriminate against us based on our genetic variants only if the people know we possess those variants. For this reason, when our genetic information is stored anywhere, we need privacy protections that limit others’ access to it. Less obvious is the fact that we also need access to the data ourselves, because access to our own data empowers us to detect and address genetic discrimination if it is leveled at us. Individual data access challenges the assertion that good policy will emerge if people are kept behind a Rawlsian “veil of ignorance” 182 so that none of us knows which gene variants we possess and, therefore, none of us knows which forms of genetic discrimination potentially affect us. 183 A foundational assumption of genomic civil rights is that good policies can emerge only from a smart, informed population whose members know where their interests lie. The insistent civil rights assertion of Moses’s “[l]et my people go[!]” 184 translates in the genomic era to “let my people have their data!”

Data privacy is often theorized as a condition in which individuals exercise full control over their own data and who has access to it. 185 GINA did not, by placing genetic information under the HIPAA Privacy Rule, grant people this brand of privacy. One way to protect genomic civil rights would have been to impose a strong consent regime that gave people ironclad control over all uses and disclosures of their genetic information, including control over any downstream redisclosures of their data. 186 Then, individuals could protect their own civil rights by restricting access to their data. 187 The Privacy Rule never embraced this approach. 188 It states a default rule that individuals can control access to their data by signing or refusing to sign “authorizations” (HIPAA’s name for consents), 189 but it enumerates a long list of exceptions to this default rule. 190

The Privacy Rule is widely—and unfairly—criticized for having broken its promise of privacy by allowing people’s data to be shared and used, in many instances, without their consent. 191 In reality, the Privacy Rule never made such a promise. It was designed, from its inception, to serve competing values of privacy and data transparency, giving considerable weight to the latter.

The 1996 HIPAA statute charged HHS with preparing recommendations on health data privacy and submitting them to Congress by 1997. 192 The statute envisioned that Congress would separately enact a national health privacy statute based on these recommendations. 193 The HIPAA statute contained a springing authority for HHS to promulgate the Privacy Rule if Congress had not enacted privacy legislation by August 21, 1999. 194 After reviewing HHS’s recommendations, 195 Congress chose to let HHS proceed with rulemaking—a signal that Congress endorsed the main contours of the 1997 recommendations. 196 Those recommendations unabashedly embraced the view that transparent sharing of health data offers societal benefits that, in some circumstances, outweigh individuals’ desire to control access to their data:

A Federal health privacy law should permit limited disclosures of health information without patient consent for specifically identified national priority activities. We have carefully examined the many uses that the health professions, related industries, and the government make of health information, and we are aware of the concerns of privacy and consumer advocates about these uses. The allowable disclosures and corresponding restrictions we recommend reflect a balancing of privacy and other social values. 197

In addition to disclosures to support medical treatment and healthcare payments, these national priority activities include: (1) supplying data to support regulatory oversight of the healthcare system; (2) allowing access to data for public health activities; (3) supplying data for health research; and (4) supporting data flows authorized by other laws and court orders for law enforcement, court proceedings, and various state governmental purposes. 198 Under the Privacy Rule, individuals have no right to block uses or disclosures of their data for these activities, and alternative, lesser privacy protections apply. 199

The Privacy Rule’s national priority activities map onto categories of transparency that Frederick Schauer once identified. 200 In Schauer’s scheme, “[t]ransparency as regulation” empowers the recipient of information to regulate, monitor, or control the information provider. 201 This concept is exemplified by FDA’s proposal to rely on large genomic databases, populated with data shared by genome testing laboratories, to infer whether their tests have clinical validity. 202 Schauer’s second concept, “[t]ransparency as [e]fficiency,” treats data flows as instrumental to efficient markets 203 and corresponds to the Privacy Rule’s provisions allowing data to flow freely to support treatment and healthcare payment activities. 204 Schauer’s third concept, “[t]ransparency as [e]pistemology,” describes data flows that sustain the creation of nonmarket and public goods, 205 such as scientific discovery, public health, or the capacity of law enforcement agencies and courts to get at the truth. 206 These three concepts portray unconsented data flows as conferring broad benefits on society as a whole. 207 Individuals whose data are shared for the sake of transparency may reap some of these benefits, but many of the benefits presumably flow to others, setting up a potential conflict between privacy and transparency.

Relevant to this conflict, Schauer identified a fourth, and final concept, “[t]ransparency as [d]emocracy,” which describes the sharing of data with members of the public to enable the governed to monitor and manage their government. 208 By this view, individuals’ access to data promotes better governmental decisions by subjecting the government to oversight “by the people,” and, more deeply, it displays respect for public control as an end in itself. 209 In healthcare settings, the phrase “[t]ransparency as [d]emocracy” is inapposite: the healthcare system is in a power relationship—but not governance relationship—with patients and research participants. The term “transparency as respect for autonomy” is more appropriate. The values served by Schauer’s fourth concept of transparency closely resemble the modern bioethical values of respect for autonomy, respect for persons, and informed consent 210 which promote accountability of healthcare providers to individuals, address imbalances of power between patients and medically trained personnel, and foster patient empowerment as an end in itself. 211

The Privacy Rule gives special weight to this fourth type of transparency, 212 granting individuals a legally enforceable right to inspect and receive copies of data that HIPAA-regulated entities store about them. 213 A former HHS Secretary once characterized this right as the “cornerstone of the [HIPAA] Privacy Rule.” 214 Individual data access is the cornerstone, I argue, because—dating back to the dawn of the information age in the early 1970s—the U.S. federal government has embraced this form of transparency as its response to the central dilemma of privacy regulation. Individuals have strong claims for their sensitive data to remain strictly private and subject to their own control. 215 However, honoring those claims would inflict unacceptable costs to society because transparency fosters effective regulation, economic efficiency, and the creation of diverse public goods. 216 Transparency in service of these goals undeniably poses risks to individuals’ civil rights. U.S. federal law embraces a daring and somewhat counterintuitive approach to this dilemma: perhaps the way to address transparency’s risk to individual rights is to provide even more transparency, in this case, in the form of transparency as respect for autonomy. 217 Empowered by access to their own data, individuals can identify forms of discrimination and stigmatization to which they may be susceptible. 218 Armed with this knowledge, they can exercise various other federally protected civil rights, including their First Amendment protected rights to assemble and petition the government for redress of grievances. 219

Embracing this approach, the Fair Credit Reporting Act of 1970 granted people a right to obtain all the information about themselves stored by consumer credit-reporting agencies. 220 In the sphere of health care, the Department of Health, Education, and Welfare Secretary’s Advisory Committee on Automated Personal Data Systems developed a Code of Fair Information Practices in 1973 that stressed, “[t]here must be a way for an individual to find out what information about him is in a record and how it is used.” 221 The Privacy Act of 1974, which governs the privacy of federal health record systems like CMS’s Medicare databases, incorporated this recommendation, enabling access to government-held health data. 222 Before the Privacy Act, individuals sometimes invoked the Freedom of Information Act (FOIA) to obtain access to their own data, 223 but FOIA requests were cumbersome and often yielded incomplete access. 224 The Privacy Act’s more streamlined access right later became the model for HIPAA’s access right. 225

The Privacy Act contains congressional findings that data privacy is a fundamental right protected by the Constitution 226 and that an individual right to inspect and obtain one’s own data is necessary and proper to protect this privacy right. 227 These statements are enacted congressional findings of fact: findings that received majority votes in both houses of Congress and were signed into law by President Gerald Ford and then recorded in the U.S. Code. 228 Enacted congressional findings of legal fact such as these are not binding on the courts, but courts do pay some attention to them and tend to give more weight to congressional findings that expand individual rights, as these do, than to those that reduce people’s rights. 229 The Privacy Act codifies the principle that access to one’s own data is necessary to enable the exercise of fundamental rights.

In the Privacy Act, Congress also established a Privacy Protection Study Commission (PPSC), 230 which issued an influential 1977 report supporting individual access to medical data held by nongovernmental healthcare providers, insurers, and other organizations. 231 Private-sector entities are not covered by the 1974 Privacy Act and thus are not subject to its access right, 232 nor are they subject to FOIA. 233 The United States relies heavily on private-sector healthcare providers and payers, 234 so individual health data access would never be effective without a right of access to privately stored health records. The opportunity to create such a right arose twenty years later, after passage of the HIPAA statute in 1996. 235

The PPSC’s 1977 report recognized that there are compelling reasons to share people’s data, under certain circumstances, without their consent. 236 The PPSC cautioned, however, that if a person’s data—including their research records—cannot be “totally protected against the possibility that individually identifiable information in them will be disclosed for any other purpose, the individual’s concern is obvious and his access right highly relevant.” 237 By this view, individual access is ethically justified not merely because it is instrumental to better clinical health care. It is ethically necessary as a means of protecting people’s civil rights in contexts where people’s data privacy is imperfectly protected—which is to say, in virtually all healthcare and biomedical research contexts. 238

IV. Transparency as a Tool of Civil Rights

HIPAA’s individual access right serves several stated regulatory objectives. The HHS and its component agencies such as CMS and OCR announced these purposes in various rulemakings creating or amending HIPAA’s access right and in subsequent regulatory guidance documents. 239 Some of the purposes clearly relate to clinical data, rather than research data. For example, helping patients understand their health status and treatment options 240 and helping patients detect instances of misdiagnosis and medical malpractice 241 are pertinent to tests done in the clinical treatment setting. The remaining regulatory objectives, discussed below, are equally relevant to clinical and research data.

A. Ensuring Respect for Individual Autonomy

The primary purpose of HIPAA’s access right is to force entities that store individually identifiable data to display respect for the individuals’ autonomy. The preamble to the original Privacy Rule cites a “well-established principle” that an individual should have “access rights to the data and information in his or her health record and other health information databases.” 242

The 1979 Belmont Report—a foundational document in American bioethics—declared that “individuals should be treated as autonomous agents.” 243 Legal standards of that decade, such as the 1974 Privacy Act and the 1973 Code of Fair Information Practices, 244 treated access to one’s own information as an obvious appurtenance of autonomy. 245 Subsequent theorizations divorced the concept of individual autonomy from the right of access to information about oneself. 246 My research could not conclusively pinpoint when this shift occurred and others are invited to add their insights.

The Belmont Report’s 1979 declaration of individual autonomy was hedged with a proviso that “persons with diminished autonomy are entitled to protection.” 247 This proviso, however, seemed to envision a rare exception to protect prisoners, children, and others whose circumstances or decisional incompetence make it hard to exercise autonomy. 248 There was no suggestion, in the Belmont Report, that all research participants have diminished autonomy. 249

At some point between 1979 and now, this proviso swallowed the rule that most people are entitled to be treated as autonomous, at least where data access is concerned. A recurring theme in post-1990 ELSI studies is that genetic information is so complex that all who are not medically trained have diminished autonomy and need special protections when confronted with it. 250 These concerns are most intense with respect to one discrete class of individuals—research participants undergoing genomic testing in research laboratories—because research data may be unreliable and laypeople may fail to appreciate the unreliability. 251 Laypeople may suffer anxiety or psychological distress. 252 They may pursue harmful medical treatments to mitigate misunderstood genetic risks. 253 They may waste scarce research and healthcare resources asking follow-up questions and seeking follow-up medical evaluations. 254 They may make bad choices that harm themselves and society. 255

While there is a diversity of bioethical views on this matter, a fairly broad consensus of bioethical opinion favors restricting people’s access to their own genomic data. 256 Research regulators 257 call for ethics review bodies to filter genetic information before it is shared with research participants to assess “what information can be effectively communicated in a manner sensitive to [research] subjects’ health literacy.” 258 “Participant literacy, or lack thereof, causes a great deal of tension in the system.” 259 In a discussion paper, the U.S. National Academy of Medicine (formerly the Institute of Medicine) notes that “analyses of health literacy indicate that, on average, US adults have limited health literacy.” 260 The academy has published too many papers over the past thirty years with “health literacy” in the title to cite them all here. 261

In some strands of modern ELSI scholarship, health illiteracy is seen as diminishing individuals’ autonomy in a way that disqualifies their right of access to their own data. Forty years ago, the Belmont Report conceived autonomy as the capacity of self-determining people to make their own decisions; 262 there was no requirement that they must make good decisions. 263 To borrow Frederick Schauer’s remark about democracy: “[Autonomy], after all, is not about the people necessarily being right, but about the right of people to be wrong.” 264 At some point over the past four decades, a more paternalistic view gained ground. 265

GINA, and the access right it created, reinstated two longstanding principles of U.S. federal law and Belmont-era bioethics: (1) individuals—even those whom an entrenched elite disparages as illiterate—are autonomous individuals, 266 and (2) autonomy implies certain basic civil rights, including a right of access to one’s own genetic information. 267

B. Strengthening Privacy Protections

When first proposing HIPAA’s access right in 1999, HHS noted that “[w]hile the right to have access to one’s information may appear somewhat different from the right to keep information private, these two policy goals have always been closely tied” 268 and the right to inspect and copy one’s data “is a fundamental aspect of protecting privacy.” 269 The Privacy Rule’s preamble notes that individuals’ confidence in the protection of their information requires that they have the means to know what is contained in their records. 270

The existence of stored data contributes to a person’s reidentification risk: the risk that data held in anonymous form elsewhere might be reidentified via cross-correlation with the stored dataset. 271 In an age when reidentification is a growing privacy threat, people need access to all of their stored genetic data, including data from non-CLIA-regulated research laboratories, in order to understand their privacy risks. 272 Even if a laboratory that stores genetic information does not share it, its files may be hacked and, when correlated with external data sets, become a tool for reidentifying people’s data held in deidentified form elsewhere. 273

The National Committee for Vital and Health Statistics, which advises on HIPAA issues, 274 recently noted that HIPAA-covered laboratories that store data in identifiable form can release it to others without individual consent if they first deidentify it according to HIPAA’s rather lax deidentification standards. 275 The laboratory has no duty to provide the individual with an accounting for disclosures of deidentified data, 276 which have “expanded exponentially” in recent years. 277 The Common Rule also allows research data to be disclosed in deidentified form without consent. 278 If a research laboratory releases a person’s deidentified data to a non-HIPAA-covered entity, the information will no longer be subject to HIPAA’s privacy protections even if it is subsequently reidentified, which is increasingly done in order to assemble integrated, longitudinal databases. 279 A non-HIPAA-covered data aggregator, analytics company, or health applications business that receives and reidentifies a person’s data is free—at least as far as HIPAA is concerned—to redisclose it in fully identified form. 280 The whole world potentially has access to your fully identified research-quality genomic data, yet safety regulators and many bioethicists feel you should not have it. 281 GINA took the position that, at least as far as your genetic information is concerned, you deserve access, too.

C. Protecting Civil Rights in the Face of Incomplete Privacy Protections

From the outset, the HIPAA statute was an imperfect vehicle for protecting people’s health data privacy. HIPAA was primarily an insurance statute. 282 HIPAA’s Administrative Simplification provisions 283 authorized HHS to regulate the electronic exchange of information to support payments and administrative transactions among healthcare providers, payers, and healthcare clearinghouses that transmit information electronically when conducting such transactions. 284 HHS’s regulatory authority under the HIPAA statute extended only to these entities (the so-called “HIPAA-covered entities”), which are involved in the payment chain for healthcare services. 285 Privacy was just one aspect of these regulations. 286 HIPAA gave HHS no jurisdiction to regulate the multitude of other private companies and institutions (for example, drug manufacturers, research institutions that provide no healthcare services, companies that sell fitness-tracking devices, direct-to-consumer genetic testing services, and many others) that use and store people’s health data in ways that affect their privacy. 287

Congress knew that the HIPAA statute had not granted HHS the jurisdiction it really needed to be an effective health privacy regulator. 288 For this reason, HIPAA envisioned that Congress would enact follow-on privacy legislation by August 21, 1999. 289 HHS would gain authority to promulgate the HIPAA Privacy Rule only if Congress failed to legislate. 290

Congress’s self-imposed deadline passed, and it fell to HHS to try to regulate using the inadequate powers HIPAA had granted. HHS reluctantly proposed a draft Privacy Rule in 1999. 291 In the preamble, HHS exhorted Congress to pass legislation and expressed frustration that

the proposed regulation does not directly cover many of the persons who obtain identifiable health information from the covered entities…. [W]e are, therefore, faced with creating new regulatory permissions for covered entities to disclose health information, but cannot directly put in place appropriate restrictions on how many likely recipients may use and re-disclose such information. 292

HHS seriously considered “limiting the type or scope of disclosures permitted” but felt forced to allow wide data sharing to promote “key public goals such as research, public health, and law enforcement.” 293

The PPSC’s 1977 recommendations found an ethical duty to provide individual access if privacy protections are too weak to protect against unconsented disclosures of people’s data. 294 Aware that the Privacy Rule was weak and would not protect people against unconsented disclosures of their data, 295 HHS followed the PPSC’s recommendation to include an individual access right. 296 Access is a second-best solution that empowers people to assess the risks to their civil rights so that they can protect their rights as best they can when privacy law fails to do so.

D. Enabling Other Federal Civil Rights

For the vast majority of variants that genomic testing reveals, the clinical validity and utility are unknown. 297 Such data lack clinical significance but are relevant to civil rights. 298 In addition to empowering individuals to detect instances of genetic discrimination, 299 data access enables the exercise of various other federally protected civil rights, including people’s First Amendment rights to assemble and petition the government for redress of grievances. 300

Precision medicine scholar Matt Might has published “how-to” instructions for assembling social networks of people who share genetic variants associated with rare diseases. 301 Sharon Terry, President and CEO of the Genetic Alliance, agrees that access to genetic test information fosters formation of social networks among people who share particular gene variants. 302 This right of assembly has its greatest significance precisely in the circumstance when a person has a variant of unknown clinical significance. 303 Professor Might recounts a compelling story of having a son with a suspected deleterious variant that scientists had never seen before. 304 He used social networking to assemble a group of other people with that same variant, which enabled researchers to clarify the variant’s significance. 305 Groups with a variant of unknown significance also can petition Congress and research funding agencies, such as the NIH, to direct more funding toward clarifying the significance of their variant. 306 These activities are expressly protected by the First Amendment, 307 and policies that limit people’s genomic data access potentially deprive them of federally protected civil rights.

People have civil rights to engage in scientific inquiry themselves and to contribute their data for research by others. OCR noted, in a 2016 guidance document, that HIPAA’s access right makes it possible for people to “directly contribute their information to research.” 308 People wishing to contribute their stored data for use in research often find that the data holder will not cooperate in releasing their data, and HIPAA’s access right empowers individuals to free their data from recalcitrant data-holders for research purposes. 309 Citizen-led groups, empowered by access to their own data, can attract researchers to study their condition. 310 There is also a growing citizen-science movement, and data access fosters this activity. 311 Policies by research funding agencies and professional scientists that block individual data access may reflect a judgment that citizen science is illegitimate, yet people have a right of scientific inquiry that potentially enjoys constitutional protection. 312

Beyond citizen science, some people also desire a new citizen-led bioethics: a framework of data citizenship that gives them a meaningful voice in setting the privacy and data security standards that will govern research uses of their data. 313 The earlier discussion of risks of reidentification and redisclosure of deidentified data sheds light on why many people are disenchanted with the top-down, expert-led “protections” that bioethicists and regulators have fashioned for them. 314 HIPAA access helps foster data citizenship. 315

E. Additional Non-Civil-Rights Objectives

The remaining objectives of HIPAA’s access right sound in economic and data quality regulation. The Privacy Rule preamble in 2000 notes that access helps people detect and correct errors in their records, 316 which, in the clinical setting, helps avoid medical errors and in research settings helps ensure the integrity of data sets on which scientific conclusions are based. 317

The preamble to the 2014 Privacy Rule amendments notes that individual access to laboratory data promotes “certain health reform concepts” including personalized medicine, participatory medicine, disease management, and prevention. 318 It adds that individual access supports HHS’s goals and commitments regarding widespread adoption of electronic health records. 319

The 2014 preamble emphasizes that individuals “have access to interpretative information on laboratory results from many sources, including the Internet.” 320 This suggests that one of HHS’s goals was to promote economic freedom and foster a competitive market in unbundled genome interpretation services—that is, stand-alone services that help people understand the significance of variants detected by tests performed at other laboratories. 321 Scholars note that denying people access to their genomic data locks them into an ongoing relationship with the same laboratory that administered the test, raising antitrust concerns and denying their economic freedom to seek variant reinterpretation and second opinions from other sources. 322

A final, important role of HIPAA’s individual access right is to reduce pressure for passage of state laws granting individuals ownership rights in their data. Topol and Kish have cited the inadequacies of individual data access as grounds to favor individual data ownership. 323 This frustration reflects, in part, the fact that HIPAA’s access right has not yet been effectively enforced. 324 State data ownership laws could create a national patchwork of requirements that interfere with the assembly of nationally scaled data sets and impede access to data for socially beneficial research and public health activities. 325 Blocking HIPAA access strengthens the case for individual data ownership. HHS did not state this rationale in its Privacy Rule preambles, 326 but the threat of state data ownership laws hangs heavily over the HIPAA access debate.

V. Displacing State Laws That Block Transparency

GINA set a deadline of 2009 to place genetic information under the HIPAA Privacy Rule and, by implication, to make genetic data subject to HIPAA’s individual access right. 327 HHS met the deadline to extend basic privacy protections to all genetic information held at HIPAA-covered facilities through an interim policy, pending final Privacy Rule revisions in 2013. 328 Implementing HIPAA access to laboratory-held genomic data took even longer, until 2014. 329 Creating a federal civil right of access to laboratory data proved difficult because it required HHS to displace state law. 330

A. State Law Barriers to Laboratory Data Access

The Health Care Financing Administration (HCFA), precursor of today’s CMS, promulgated regulations implementing the 1988 CLIA statute in 1992. 331 Those 1992 regulations, still in effect when the Privacy Rule was first developed, looked to the states to define who was an “authorized person” that could receive laboratory data. 332 States traditionally regulated the practice of medicine, including whether test results should be delivered directly to patients or to their physicians. 333 If a state failed to specify who was authorized to receive laboratory data, CLIA defaulted to a rule that the “authorized person” was the person who ordered the test—usually a healthcare provider rather than the tested individual. 334 Otherwise, state law governed. 335 If HIPAA’s access right required laboratories to release data to individuals, this would violate the laws of some states and, consequently, would violate the CLIA regulations.

HHS, writing in 2000, expressed frustration at this state of affairs 336 but was reluctant to preempt the state laws that were blocking individual access at that time. 337 Executive Order 13132 338 on federalism went into effect on November 4, 1999, one day after HHS first proposed the Privacy Rule. 339 HHS scrupulously complied with it when developing the final Privacy Rule published in December 2000. 340 Executive Order 13132 requires federal agencies to consult with states about new federal regulations, 341 and these consultations revealed that the states were alarmed that the Privacy Rule would preempt state laws. 342 The Privacy Rule was famously contentious: the proposed rulemaking drew over 52,000 public comments. 343 The year 2000 was not an opportune moment for HHS to court avoidable conflicts with the states. 344 Only under GINA’s prodding, eight years later, did HHS finally press forward in addressing state law barriers to HIPAA access. 345

Even under the original, year-2000 HIPAA Privacy Rule, laboratories still had to comply with HIPAA’s access right in states where the term “authorized person” included the tested individual. 346 Moreover, if the individual was the person who ordered the test, laboratories also had to allow HIPAA access. 347 But the laws of many states—and CLIA’s deference to those laws—prevented many Americans from accessing their laboratory-held data. 348

In 2000, HHS expressed hope that people would nevertheless be able to access their laboratory test results: “Although we are concerned about the lack of immediate access by the individual, we believe that, in most cases, individuals who receive clinical tests will be able to receive their test results or reports through the healthcare provider who ordered the test for them.” 349 In other words, HHS hoped that laboratory test results would find their way into physicians’ files where individuals could access them because most physicians are HIPAA-covered and subject to the access right. 350

The shift to genomic testing after 2000 dashed this hope. The vast majority of genomic information—even from clinical genomic tests—lacks clinical significance 351 and is never reported to HIPAA-covered healthcare providers but remains stored at the laboratory. 352 Without a right of access to laboratory-held information, people lack an effective right of access to their genomic information, most of which never leaves the laboratory even when testing is performed at a CLIA-certified clinical lab. 353

Lack of access is an even greater problem for data generated at research laboratories. As already noted, most gene sequencing to date has been performed as part of biomedical research, so research laboratories hold much of the genomic data now in storage. 354 Sequencing produces a vast amount of data about a person’s gene variants, which are the thousands, even millions, of points at which the person’s genes differ from an idealized human reference genome. 355 For most of these variants, nobody yet knows how they affect health, so the variant cannot be interpreted in the sense of explaining its clinical validity or utility (health impact). 356 Even if a variant’s health impact is well understood, research laboratories may not bother to interpret it if the information is irrelevant to the focus of their research. 357 Thus, a study of cystic fibrosis may not take time to interpret nonfocal (unrelated) variants with known associations to diabetes risk. 358 A research lab may interpret just a handful of gene variants relevant to the research, but nevertheless keep files recording all of the person’s variant data: the focal variants interpreted as part of the research, plus other variants that were uninterpreted or uninterpretable. 359

All of this stored information presents potential risks to a person’s privacy and civil rights, and people want access to it. 360 Many (although not all) research laboratories, including those affiliated with large academic medical centers, are subject to the HIPAA Privacy Rule. 361 Yet, under the year-2000 rule, HIPAA access to laboratory data was constrained by state law. 362 As of 2014, HHS found that only nine U.S. states and territories authorized direct individual access to laboratory test reports; seven allowed individual access with a doctor’s approval; twenty-six were silent about individual access; and thirteen only allowed healthcare providers to access a person’s data. 363

B. GINA as a Federal Civil Rights Intervention

The February 2014 final rule creating HIPAA’s right of access to laboratory data did two things. It eliminated the Privacy Rule’s earlier access exceptions that placed most laboratory data outside HIPAA’s access right, 364 and it made conforming changes to the CLIA regulation permitting laboratories to provide HIPAA access. 365 CLIA’s general reporting rules continue to look to state law to define who is “authorized” to receive laboratory data, 366 but HHS emphasized that the HIPAA Privacy Rule preempts any state law that impairs people’s HIPAA access right. 367

Patients and patient advocates who commented on this rulemaking uniformly supported direct patient access to laboratory test results, citing dignitary, liberty, and even property interests in access to their data. 368 In contrast, comments by physicians emphasized laypeople’s lack of sophistication and the alleged harms they might suffer if granted direct access. 369 State medical practice regulations that block individual access to laboratory data embody these concerns about the public’s scientific illiteracy. 370

GINA, like the Voting Rights Act of 1965, 371 was a federal intervention to displace state laws that were interfering with important civil rights. 372 “Like the right to vote, access to one’s own data is a foundational civil right that empowers people to protect all their other civil rights.” 373 Like the Voting Rights Act, GINA challenged deeply held establishment convictions that people’s civil rights should be curtailed, both for their own good and for the good of society, based on a perception that they are illiterate 374 —in this case, medically and scientifically illiterate.

In 1959, the U.S. Supreme Court noted that nineteen states had laws requiring people to prove literacy before they could vote. 375 The right to vote is a federally protected civil right, 376 but states administer the process of voter registration. 377 Literacy tests have a certain rationale. In the nineteenth century, a Massachusetts literacy test was said to “insure an ‘independent and intelligent’ exercise of the right of suffrage.” 378 Literacy and intelligence are not necessarily correlated, but literacy does promote informed voting “in our society where newspapers, periodicals, books, and other printed matter canvass and debate campaign issues.” 379 An ethical person could conclude that letting illiterate people vote may lead them to make bad choices that harm themselves and society. In Lassiter v. Northampton County Board of Elections, the Supreme Court did not “sit in judgment on the wisdom” of state literacy tests, and held that they were not, in themselves, unconstitutional. 380

Justice Douglas, writing for the Court in Lassiter, spotted a problem and invited plaintiffs to raise it in future federal proceedings. 381 Literacy testing, however well-motivated it may sometimes be, can have discriminatory impacts that divest entire classes of people of important civil rights. 382 Several years later, Congress addressed this problem in the 1965 Voting Rights Act, which was “designed to attack the clear moral wrong of deliberate disfranchisement in the Jim Crow South.” 383 It did not single out Southern states, but it instead applied a two-pronged test. 384 States were covered by the legislation if they applied a literacy test and had total voter turnout (across all races) below 50 percent in the 1964 presidential election. 385 These covered states—which happened to be in the South—were placed under “federal receivership, with every change in any aspect of voting subject to pre-approval by either the [U.S. Department of Justice] or the U.S. District Court for the District of Columbia.” 386

The federal government thus stepped in to correct state laws that were divesting people of federally protected civil rights based on their perceived literacy. 387 Like today’s scientific literacy standards that seemingly can be met only if a person has advanced training in medicine or science, 388 the literacy tests at issue in the Voting Rights Act were highly contrived to favor voter qualification of an entrenched elite. 389 The Voting Rights intervention was effective. 390 The percentage of African American adults registered to vote rose from 19.3 percent in March 1965 to 51.6 percent by September 1967 in Alabama and, in Mississippi, the figure rose from 6.7 percent to 59.8 percent in two years. 391

In a tragic echo of the Voting Rights Act, the individual access right GINA created has elicited a strong resistance that—as the remainder of this Article explores—has included instances of public officials acting under the color of law to block the newly created civil right. 392 The Article concludes, however, that this resistance is not willful, but rather it is the product of misunderstanding about what the access right is. The access right is judged as if it were a consumer health and safety regulation, when in fact it is a civil rights law. 393

VI. Individual Data Access after GINA

The core of the conflict relates to the breadth of HIPAA’s access right. This makes it necessary to offer a brief introduction to the mechanics of the access right. The Privacy Rule was first promulgated in December 2000 394 and, after minor revisions in 2002, 395 took effect on a phased schedule in 2003-2004. The Privacy Rule has always included an individual access right. 396 The basic mechanics of this access right have not changed over the years and are summarized below. GINA led to Privacy Rule amendments in 2013 397 and 2014. 398 The summary below highlights differences between the original access right and the post-GINA access right in effect since 2014.

A. Application and Enforcement

HIPAA’s individual access right is a legally enforceable civil right arising under 45 C.F.R. § 164.524. 399 With limited exceptions, HIPAA-covered entities must provide access in response to an individual’s request within thirty days with one 30-day extension permissible if the covered entity provides a written explanation. 400 Failure to provide access can lead to administrative enforcement action and civil penalties. 401 Entities that are not HIPAA-covered are not required to provide access. 402

B. Exceptions Allowing Denial of Individual Access

1. Exceptions That Have Not Changed Over Time

The Privacy Rule provides very narrow grounds for a covered entity to deny HIPAA access. 403 HHS intends for covered entities to invoke these access exceptions “rarely, if at all.” 404 They include, for example, exceptions for data held by correctional facilities and data that would divulge confidential information about third parties. 405 There are reviewable grounds for a covered entity to deny access to data that would endanger the “life or physical safety” of the requesting person or another party, 406 but HHS construes this access exception very narrowly (for example, suicide risk qualifies, but mere emotional distress or psychosocial harm do not). 407

There is also a limited research exception to HIPAA access. 408 Some research facilities, including many of those affiliated with large academic medical centers, are subject to the HIPAA Privacy Rule. 409 Their data files are subject to HIPAA’s access right. 410 HIPAA’s access right has always—ever since the Privacy Rule was finalized in December 2000 411 —allowed access to both research and clinical data as long as the data are stored at a HIPAA-covered facility. Precisely for this reason, the Privacy Rule has always had an access exception allowing research sites to suspend research participants’ access rights temporarily during a clinical trial. 412 Otherwise, research participants could access their data and “un-blind” the trial. 413 This exception allows research data to be withheld temporarily and only if the individual agreed to the denial of access when consenting to the research. 414 Access must be reinstated upon completion of the research, 415 so data from completed studies can never qualify for this exception.

2. Changes in 2014 that Altered Exceptions for Laboratory-Held Data

The original Privacy Rule did not require HIPAA access to data held by CLIA-regulated and CLIA-exempt laboratories 416 located in states where direct individual access to laboratory data would violate state law. 417 HHS interpreted this exception as also encompassing data held by research laboratories that operate under CLIA’s research exception. 418 The 2014 Privacy Rule revisions eliminated these exceptions, and HIPAA-covered clinical and research laboratories are now subject to HIPAA’s access right. 419

C. Scope of Information Access After GINA

1. Basic Access Provisions that Have Not Changed Over Time

Individuals have a right of access to their “designated record set” (DRS), 420 which HHS modeled on the “system of records” to which individuals have access under the Privacy Act of 1974. 421 The Privacy Rule defines the DRS as:

A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals. 422

The term “record” refers to “any item, collection, or grouping of information that includes protected health information [PHI] and is maintained, collected, used, or disseminated by or for a covered entity.” 423

There is no requirement for covered entities to provide interpretive assistance to help people understand the significance of their data. 424 Thus, the HIPAA access right is a data-only right: what the covered entity has on file is what you get. HIPAA’s access right does not, however, include psychotherapy notes or data compiled in anticipation of civil, criminal, or administrative legal proceedings. 425

The accessible DRS only includes data that is “maintained” by or for the HIPAA-covered entity. 426 Data cease to be part of an individual’s DRS if the covered entity discards or destroys the data. 427 The HIPAA Privacy Rule does not itself impose any record-retention requirement. 428 Moreover, the DRS only includes data that can be clearly identified as relating to the individual. 429 This is implicit in the definitions that “records” include PHI, and PHI is “individually identifiable” information. 430 Data stored in de-identified form are no longer part of a person’s DRS. 431

2. Changes in 2013 that Expanded the Range of Genomic Data Subject to HIPAA Access

Under the original Privacy Rule, genomic information was PHI only to the extent it was health information. 432 If clinically significant test results had been reported into medical records held by a person’s healthcare providers, those results were PHI and were accessible via HIPAA access requests to the healthcare provider. 433

GINA required “genetic information,” broadly defined, to be placed under the Privacy Rule. 434 In 2013, 435 HHS complied with this directive by changing the Privacy Rule’s definition of PHI to include “genetic information” as defined by GINA. 436 This amendment vastly expanded the amount of genetic information that was considered PHI and hence part of an individual’s DRS. Post-GINA, a person’s DRS includes virtually any genetic testing data a HIPAA-covered entity has on file, regardless of whether the data are clinically significant or have analytic validity, clinical validity, or clinical utility, and regardless of whether the laboratory has reported it to a healthcare provider. 437

VII. The Consumer Safety Regulatory Empire Strikes Back: Safety and Transparency in Conflict

A. Concerns About Individual Access to Research Data

Regulations and bioethical standards historically have been mutually reinforcing given their shared goal of protecting individuals. The formalization of genomic civil rights regulations after GINA exposed a rift between the two. The rift concerns how safety and civil rights should be prioritized if the two come into conflict.

1. FDA Expresses Concern

Three days before HIPAA’s right of access to laboratory data “went live” on October 6, 2014, FDA published two draft guidances proposing to expand FDA’s oversight of laboratory-developed tests—a category that includes many tests used in genomic research. 438 One of the drafts suggested that research laboratories would need to obtain an Investigational Device Exemption (IDE) from FDA if experimental “test results are returned to patients without confirmation by a medically accepted diagnostic product or procedure.” 439 To be clear, FDA long has had the power to require an IDE when investigational devices (those that have not been cleared or approved by FDA) 440 are used in studies that pose “significant risk” for the research subjects. 441 For example, FDA can require an IDE if research uses an experimental test as the basis for making decisions that affect research participants’ safety. 442 An example would be using experimental test results to assign participants to receive one or another cancer drug during a clinical trial “without confirmation of the diagnosis by another, medically established diagnostic product or procedure.” 443

It thus was not surprising that FDA’s 2014 draft guidance stated that FDA can sometimes require IDEs when experimental genomic tests are used in research. 444 The surprise lay in its suggestion that merely allowing research subjects to exercise their HIPAA access rights might be a “significant risk” activity that triggers the need for an IDE. 445 This was all the more surprising because HIPAA access is a “data-only” right that merely allows access to data (such as uninterpreted variant data) that a laboratory holds in its files; HIPAA does not require laboratories to provide any interpretive assistance or make any statements about the clinical significance of the data. 446 In the years leading up to the 2014 draft guidance, FDA officials had signaled that the agency would not view “data-only” direct-to-consumer testing services—those that provide variant data without making interpretive statements—to be medical devices that FDA can regulate. 447

The 2014 draft guidance did not clearly state that HIPAA access would trigger the need for an IDE, yet it raised the possibility. 448 FDA later elected not to finalize the draft guidance, to the relief of research laboratories. 449 HIPAA sets a thirty-day deadline, extendable once to sixty days, for laboratories to provide HIPAA access when an individual requests it. 450 Timely access is mandatory, with only limited exceptions. 451 Obtaining an IDE can take many months. 452 Complying with both demands would have been impossible.

2. CMS Complicates HIPAA Access

CMS joined OCR in promulgating the February 2014 final rule on laboratory data access, 453 implying that CMS saw no conflict between the HIPAA and CLIA regulations at that time. Shortly after the new access right took effect, however, CMS published a Portable Document Format (PDF) file 454 on its main CLIA web page. 455 This PDF file suggests that research laboratories operating under CLIA’s research exception 456 will violate the CLIA regulations if they comply with HIPAA’s access right. 457 The PDF file does not disclose its authorship, leaving it vague whether it is an official statement by CMS or merely an analysis by an unnamed CMS staff member. 458 It was never published in the Federal Register, as the Administrative Procedure Act (APA) 459 requires when federal agencies issue an interpretative rule or general policy statement (together, “guidance document”). 460 Nevertheless, its prominent display on CMS’s main CLIA web page conveys the impression that CMS endorses it. It has created a perceived conflict of regulations that has had the practical effect of blocking individuals’ HIPAA access rights at some research laboratories. 461

The position expressed in CMS’s PDF file contradicts the plain text of the CLIA statute and the CLIA regulations. 462 The scope of CLIA’s applicability is mind-numbing subject matter but merits a brief discussion because people’s civil rights depend on it.

The current CLIA statute copied its jurisdictional provision from earlier legislation, the Clinical Laboratory Improvement Act of 1967. 463 The CLIA framework has always been directed at clinical laboratories that perform tests to support patient care in clinical healthcare settings, rather than at research laboratories that perform tests to advance scientific discovery. 464 The statute implements this intent through its jurisdictional provision, which states that CLIA only applies to laboratories that perform tests for the purpose of “providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings.” 465 Two points stand out about this provision: first, it is intent-based and, second, it is an artful exercise in federalism. 466

On this first point, CLIA does not supply a special definition for the word “for,” so the word takes its ordinary meaning. 467 The primary meaning of “for” is as “a function word to indicate purpose” and “to indicate an intended goal.” 468 To fall under CLIA, a laboratory must do two things: it must perform an act (“providing information”) and possess scienter: namely, the laboratory must act with intent for the information to be used in clinical health care (“diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings”). 469 CLIA’s intent-based jurisdictional scheme closely resembles the approach Congress took in FDA’s jurisdictional provisions, which ask whether a manufacturer intends its product for clinical use, when deciding whether the product is an FDA-regulated “drug” or “device.” 470

On the second point, states have long been concerned about federal intrusions on their authority to regulate the practice of medicine. 471 State medical practice acts, regulations, and common law define the scope of medical practice and when it begins and ends. 472 Honoring longstanding principles of federalism, CLIA does not define the terms “diagnosis,” “prevention,” “treatment,” and “assessment of health.” 473 Instead, CLIA leaves it for the States to decide the meaning of these terms and, hence, the scope of CLIA’s applicability within their jurisdictions. 474

The CLIA regulations draw their jurisdictional language directly from the CLIA statute. 475 This was a deliberate choice by CMS’s predecessor, the Health Care Financing Administration (HCFA), as it updated the regulations after passage of the 1988 CLIA statute. 476 During that rulemaking, research laboratories expressed divergent concerns, with some wanting reassurance that they would not be CLIA-regulated while others wanted to have CLIA-regulated status. 477 In its proposed rule, HCFA tried to interpret the statute’s definition of a “laboratory” so as to clarify which research laboratories would fall under CLIA. 478 The final rule, however, rejected this approach in favor of simply “parroting” the statute’s definition of a regulated “laboratory.” 479 HCFA stated that the statute “clearly defines the type of facility subject to regulation and is specific with respect to its applicability.” 480 In the post-Chevron 481 world, HCFA felt Congress had clearly spoken to the issue, leaving no room for the regulations to add anything. 482

HCFA did clarify one important point by inserting a research exception in the CLIA regulations. 483 Recall that CLIA’s basic rule is that a laboratory falls under the CLIA regulations by “providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings.” 484 The research exception interprets and narrows the phrase “providing information” 485 to highlight one particular type of information that it is potentially problematic for research laboratories to provide: patient-specific test results. The research exception states that a research laboratory escapes CLIA jurisdiction if it “do[es] not report patient specific results for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of individual patients.” 486 This stresses that reporting “patient-specific results” is the act that may cause a research laboratory to fall under CLIA, but only if the laboratory does so with the required scienter. 487 Providing patient-specific results for nonclinical uses is permitted and will not cause a research laboratory to fall under CLIA. Providing other types of research information—such as sharing aggregate, deidentified research results for an entire group of participants—also is permitted, by this view.

The crucial point here is that the research exception parrots the statute’s scienter requirement verbatim. 488 This is why there is no conflict between HIPAA access and CLIA’s research exception: When responding to an individual’s request for HIPAA access, a research laboratory is supplying information with the goal of complying with federal privacy law. 489 This privacy law serves various enumerated civil-rights and economic regulatory policy objectives discussed earlier, rather than the clinical purposes that trigger CLIA regulation. 490 It is hard to make out how the mere act of providing HIPAA access could subject a research laboratory to CLIA regulation.

CMS’s 2014 PDF file advances an alternative view. It suggests that a research laboratory falls under the CLIA regulations if it reports patient-specific results for any reason. 491 It states that CMS will presume a research laboratory to be subject to CLIA if it reports patient-specific results and “those results will or could be used” for clinical purposes. 492 By this view, the laboratory’s intended use for the data is irrelevant; what matters is the potential for data to be misused by other parties after the laboratory reports it. A research laboratory will be CLIA-regulated if it reports patient-specific data that could be misused for clinical care by other parties such as physicians, genetic counselors, or the individual.

This view strays too far from the text of CLIA regulations to be lawfully implemented through a guidance document. 493 The 2014 PDF file does not merely interpret, but amends, the CLIA research exception. 494 Agencies can amend their regulations only after notice and public comment, and they must publish the amended regulation in the Federal Register at least thirty days before it takes effect. 495 CMS did not heed these APA requirements. Moreover, the policy CMS announced in its 2014 PDF file seemingly cannot be legitimated via rulemaking because it is inconsistent with the jurisdictional scheme of the CLIA statute itself, which only Congress can amend. 496 Nevertheless, the PDF file has had the practical binding effect of depriving many research participants of their HIPAA access rights. 497

3. OCR Flees Controversy

In a 2016 guidance document, OCR carefully sidestepped confrontation with CMS. 498 The guidance described HIPAA’s access right accurately, but it placed key parts of the discussion under a heading that created a false impression that HIPAA’s right of access to genomic data may only apply at clinical laboratories, as opposed to research laboratories. 499 As already discussed, HIPAA’s access right never has—and still does not—draw any distinction between research and clinical laboratories as long as they are HIPAA-covered facilities. 500 Precisely because the access right applies to research data, HIPAA provides an exception that allows a temporary delay in access to research data during clinical trials. 501 Elsewhere in the 2016 Access Guidance, OCR correctly described this narrow research exception, 502 and, in 2017 public statements, an OCR official reiterated that this is the only access exception that specifically applies to research data. 503

OCR’s artfully ambiguous guidance avoided a confrontation with CMS, but it perpetuated widespread confusion. A large class of individuals—people whose genomes were sequenced in HIPAA-covered research labs—has endured ongoing deprivation of a federally protected civil right: their right of access under the HIPAA Privacy Rule. 504

Civil rights enjoy a special status in U.S. federal law, exemplified by Section 242 of Title 18 of the U.S. Code, which makes it a crime for a public official acting under color of law to willfully deprive people of rights protected by the Constitution or laws of the United States. 505 The Department of Justice explains that “under color of law” includes actions public officials take within their lawful authority as well as “acts done beyond the bounds of that official’s lawful authority, if the acts are done while the official is purporting to or pretending to act in the performance of his/her official duties.” 506 It is not necessary to show that the act was “motivated by animus toward the race, color, religion, sex, handicap, familial status or national origin of the victim.” 507

The HIPAA access right is a law of the United States that enables various genomic civil rights, including some—like the right of assembly and right to petition the government—that are protected by the Constitution. 508 Other regulators—including safety regulators—cannot use powers they have (or feign powers they do not have) to interfere with it. Access to one’s own genetic information held at HIPAA-covered laboratories is, after GINA, a federally protected civil right. 509

Nothing in this discussion is meant to suggest that federal safety regulators have violated Section 242, at least not yet. It is a criminal statute best known as a tool for prosecuting racist sheriffs in the Jim Crow South. 510 FDA appreciated that constitutionally sensitive issues were at stake and deferred action on the 2014 draft guidance that would have interfered with HIPAA access. 511 CMS, in publishing its 2014 PDF file, did take action under the color of law, 512 and this action has had the practical effect of depriving people of a civil right. However, section 242, because it is a criminal statute, has a scienter requirement. 513 It requires a willful deprivation. 514 Safety regulators that have acted to block HIPAA access appear to have mistaken it for an ill-advised consumer health and safety regulation that needed to be blocked. Being mistaken is not equivalent to being willful. HIPAA’s access right is indeed a bad safety regulation because it is not a safety regulation at all. It is a civil rights regulation.

4. The National Academies Weigh In

As the impasse dragged into its fourth year, three federal agencies enlisted the prestigious National Academies of Sciences, Engineering, and Medicine (the “Academies”) to prepare a report on the appropriate sharing of data generated during research with research participants (the “Report”). 515 The Report’s three sponsors were FDA, CMS, and the NIH, which is a major source of funding for genomic research; OCR, which administers HIPAA’s access right, was not a sponsor. 516 The Academies are highly influential private bodies that have advised the federal government on science and medical policy issues since 1863. 517 Many view them as “the nation’s pre-eminent source of high-quality, objective advice on science, engineering, and health matters.” 518 “[R]eports of the Academies are viewed as being valuable and credible because of the institution’s reputation for providing independent, objective, and nonpartisan advice with high standards of scientific and technical quality.” 519

This Report is a rare deviation from the Academies’ usually high standards for quality and rigor. 520 The Report’s Statement of Task (SOT)—the set of instructions that the Academies and sponsors agree upon prior to a study 521 —recites the flawed position CMS advanced in its PDF file as if it were a widely accepted truth: “Currently, any research laboratory that returns individual-specific research results is regulated by CLIA.” 522 The Report notes that CMS’s position is controversial, but adopts it anyway. 523 The SOT required this: it ordered that the study must “not provide any legal interpretation or analysis regarding the scope of applicability of CLIA.” 524 In other words, do not look at the CLIA statute or ask whether CMS’s PDF file correctly states the law. 525 The Report notes that the “sponsors indicated to the committee that it would be appropriate to include in its description of the current regulatory environment for the return of individual research results the CMS’s current interpretation of the scope and applicability of CLIA.” 526 This was an instruction for the committee to take CMS’s side in an ongoing legal dispute. It is heartbreaking to see our nation’s trusted Academies agree to these terms.

The Report opens with a statement that HIPAA’s access right is in conflict with the CLIA regulations and repeats this allegation throughout the Report. 527 This posits a regulatory conflict that does not actually seem to exist. 528 The Report then offers recommendations to resolve the alleged conflict. Most notably, Recommendation 12A calls on OCR (which was not a study sponsor and had not requested the Academies’ advice) to redefine the Privacy Rule’s individually accessible DRS “to include only individual research results generated in a CLIA-certified laboratory or under the externally accountable quality management system for research laboratories (see Recommendation 2).” 529 The problem with this recommendation is that it is unlawful: It calls on OCR to violate GINA’s privacy provisions and portions of the Public Health Service Act and the Social Security Act that GINA introduced. 530

The Report implicitly recommends repeal of GINA’s privacy provisions: it would be unlawful for OCR to implement the regulatory changes suggested in Recommendation 12A unless Congress repeals GINA’s genetic privacy provisions, which passed by a vote of 95-0 in the Senate 531 and 414-1 in the House. 532 In 2017, the latest year for which figures are available, the Academies received 78 percent of their funding doing studies for federal agencies, 533 and the Report in question was 100 percent federally funded. 534 It is distressing to see the public’s funds spent on a study that seeks to strip Americans of genetic privacy protections that Congress, by decisive margins, enacted as part of GINA. A congressional investigation into what went wrong here would not be out of order.

B. The Ethical Imperative for Research Data Access

Lost in the recent debate is the notion that individual data access is essential to the legitimacy and vitality of the biomedical research enterprise. This notion has deep roots extending back to the 1977 PPSC report and to the 1997 recommendations for Congress that HHS prepared pursuant to the HIPAA statute. 535 The ethical principles they identified grow ever more important in the current age when biomedical discovery depends on research uses of people’s sensitive health and genetic information. This Section aims to revive these ethical principles, now often forgotten.

The PPSC and HHS ethical analyses can be summarized as follows: If our society recognizes an ethical requirement for people to consent to secondary uses of their data, then an individual access right is necessary to ensure valid, informed consents. 536 On the other hand, if our society lets people’s data be used in research without their express consent, 537 people will need an individual access right in order to protect their civil rights. 538 Either way, ethical principles weigh in favor of granting individuals a right of access to research data held at HIPAA-covered facilities.

In its 1997 recommendations to Congress, HHS anticipated that many research facilities would focus strictly on research and not be involved in the provision of health care. 539 In current terminology, many research institutions would not be HIPAA-covered entities. 540 Data generated at such facilities would not be subject to the access right. 541 HHS recognized, however, that some research involves the provision of clinical health care and takes place at academic medical centers subject to the access right. 542 HHS stated its belief that “a right to see one’s own record, properly managed, need not impair research.” 543 HHS recognized just one exception: situations where individual access would “un-blind” a clinical trial. 544 Apart from that narrow research exception, HHS felt HIPAA-covered facilities should provide individual access to research data on the same basis as clinical data. 545

The underlying ethical concern was that, without an access right, people could not grant valid consents for their data to be used in the growing field of informational research: “[the] decision whether to disclose a record may depend on what the record says, and so access to the record is integral to making an informed choice to disclose [information].” 546 An individual access right, in HHS’s view, enabled secondary uses of research-quality data by making valid consents possible. 547 This concern is rarely voiced today, and some research bioethicists recommend restricting individual access to research data. 548 This perhaps reflects a world where individual consent is so frequently waived that obtaining valid consent seems a quaint historical concern. 549

The PPSC, writing in 1977, foresaw just such a dystopian world. In discussing individual access to data collected for research, 550 PPSC felt that individual access to research data may not be warranted if the information is not used to make decisions about the individual and if the information “cannot be … disclosed in individually identifiable form for any other purpose.” 551 PPSC stressed, however, that if research records are not “totally protected against the possibility that individually identifiable information in them will be disclosed for any other purpose,” individual access is “highly relevant.” 552

The PPSC thus articulated the concern that, forty years later, drove Congress to enact sections 102 and 105 of GINA: data that lack clinical significance may nevertheless have civil rights significance, subjecting people to a risk of unjust discrimination and other adverse social consequences if inappropriately disclosed. 553 Individual access to research-quality data empowers people to protect their civil rights in situations where researchers and research funding agencies, in their quest to share and use data for secondary purposes and to assemble large-scale research data commons, 554 pursue data sharing practices that place individuals’ privacy at risk.

PPSC split third-party access and individual access Solomonically. PPSC concluded that unconsented research use of people’s data is sometimes ethically justified, but it maintained that individual access is the civil rights quid pro quo for policies that allow such research without informed consent. 555 Those policies endanger people’s civil rights in order to advance socially beneficial research and public health uses of their data. If protecting people’s civil rights through rigorous consent requirements would chill scientific discovery, then at least empower people to try to protect their civil rights as well as they can by granting them access to their own data. They have a right to know what may be shared without their consent.

The PPSC’s 1977 recommendations also played a role in early development of the Common Rule. 556 The National Research Service Award Act of 1974 established a National Commission for the Study of Ethical Problems in Medicine and Biomedicine to guide development of the Common Rule. 557 The National Commission’s recommendations, published in 1978, 558 incorporated the PPSC’s views on research that uses existing data and biospecimens. 559 The Commission embraced the PPSC’s advice that unconsented third-party use of people’s data and specimens is sometimes ethically justified, 560 but it ignored PPSC’s proviso that unconsented secondary use, if allowed, gives rise to an ethical duty to grant people access to their data. 561

After reviewing the Commission’s recommendations, Congress enacted the National Research Act of 1978, 562 which authorized the Secretary of HHS to promulgate the Common Rule, 563 subject to a constraint that HHS should either follow the Commission’s recommendations or else explain why the Secretary was rejecting them. 564 The Common Rule traditionally has allowed unconsented access to people’s data and biospecimens for use in research without granting them an individual access right. 565 By the PPSC’s reckoning, this is unethical. 566 The Common Rule amendments that took effect in January 2019 have partly addressed this lapse by deferring to the HIPAA Privacy Rule to regulate many uses of data and biospecimens to which the Common Rule previously applied. 567 The Privacy Rule faithfully implements the PPSC’s principle that if researchers can obtain your data without your consent, then you should have access, too.

VIII. Reconciling Safety and Transparency

A. Statutory Basis of the Individual Access Right

Lost in the recent debate is the fact that the 2013 and 2014 rules that expanded the Privacy Rule’s access right were implementing a congressional civil rights mandate given in GINA. 568 This fact is indeed difficult to spot in the preamble to the 2014 final rule that created HIPAA’s right of access to laboratory test results. The 2014 amendments went beyond what GINA required and provided access to nongenetic as well as genetic laboratory test results. 569 GINA, of course, only addressed genetic information.

The 2014 HIPAA amendments, in fact, rest on three sources of statutory authority. First, the Administrative Simplification provisions of the 1996 HIPAA statute arguably already empowered OCR to require individual access to PHI stored at HIPAA-covered laboratories and to include genetic information within HIPAA’s definition of PHI. 570 Second, any uncertainty about that fact was resolved in 2008 by GINA’s mandate for OCR to include genetic information within HIPAA’s definition of PHI and to place it under the Privacy Rule’s protections. 571 Third, the American Recovery and Reinvestment Act of 2009 (ARRA) 572 included the Health Information Technology for Economic and Clinical Health (HITECH) Act. 573 HITECH established a federal advisory committee on health information technology policy, which recommended expanding individuals’ access to their own laboratory-held data, including nongenetic as well as genetic test results. 574

The 2014 preamble discussed the HITECH and HIPAA statutes at some length, but it did not mention GINA. 575 The reason for this omission was that GINA’s major directive—to place genetic information under the Privacy Rule’s protections—had already been implemented in a separate rulemaking the prior year. 576 The 2014 amendments simply expanded HIPAA’s access right to include laboratory-held PHI, which already included genetic information following those 2013 amendments. 577 The Obama Administration’s HHS department had shepherded HIPAA’s expanded access right through a contentious rulemaking process extending over three years and two presidential terms 578 and justifiably viewed it as an important civil rights accomplishment. 579 It was perhaps only human for the preamble to highlight its link to the HITECH Act, enacted shortly after Mr. Obama took office in 2009, while downplaying the role of the Bush-era GINA statute.

Insofar as the HIPAA access right includes genetic information, OCR acted under three sources of statutory authority: its general authority to regulate under HIPAA, amplified by a congressional mandate to regulate under GINA, confirmed by recommendations developed under HITECH. 580 The individual’s civil right of access to genetic information has one of the most unimpeachable statutory pedigrees of any U.S. federal regulation: Congress thrice authorized it. Safety regulators wishing to block this right would need to address their concerns to Congress.

B. Safety Solutions That Preserve Civil Rights

The way forward lies in crafting policies that preserve people’s civil right of access while making access as safe and as ethical as it can be. The following ideas are offered simply as examples to stimulate further discussion and debate.

1. The Limits of Prospective CLIA Compliance as a Solution

CMS has suggested that research laboratories must comply with the CLIA regulation if they provide HIPAA access. 581 Subjecting research laboratories to CLIA regulation would add costs and regulatory compliance burdens without necessarily improving substantive data reliability. As already discussed, CLIA does not address clinical validity or utility. 582 CLIA also may fail to ensure analytic validity at laboratories that conduct novel genomic tests for which proficiency testing materials do not exist or at laboratories whose use of a research test is too brief to be captured by CLIA’s biennial survey/inspection process. 583 Requiring CLIA certification may address a legal technicality, but it does not ensure that data from research laboratories meet bioethicists’ concept of clinical-quality data.

There is a deeper problem with prospective compliance. If a laboratory previously operated under CLIA’s research exception, it may hold stores of past research data. These past stores of data can never be brought into compliance with the CLIA regulations, even if the laboratory follows CLIA requirements prospectively. The laboratory seemingly faces costly and burdensome OCR enforcement actions if it fails to honor individuals’ HIPAA access rights with respect to its old data, or a CMS enforcement action if it does. 584 Individuals need access to old as well as new data to protect their civil rights. Any workable solution therefore must support access to past as well as future research data.

2. Data Destruction Policies

Stored data only raise civil rights concerns for as long as they remain in storage. For this reason, a person’s HIPAA-accessible DRS only includes information that is “maintained” by or for the HIPAA-covered entity. 585 Data cease to be part of an individual’s DRS if the covered entity discards or destroys the data. 586 If safety regulators and bioethicists determine that individual access to research data poses serious risks to research participants, one ethical solution would be to require research laboratories to destroy data after research has been completed. This solution runs counter to the desire to maintain data for socially beneficial secondary uses, but it must be mentioned as a possible pathway to protect research participants’ civil rights while simultaneously protecting their safety.

3. Moving Genomic Research to Non-HIPAA Research Facilities and Implementing Specially Tailored Privacy Policies

If HIPAA access poses unacceptable risks to research participants, another possible solution is to protect their civil rights by implementing strong privacy protections that prevent their data from being used without their permission.

HIPAA’s access right only applies at HIPAA-covered facilities. 587 Many genomic research laboratories have HIPAA-covered status as a result of being affiliated with, or being a business associate of, an academic medical center that provides health care. 588 There are various legal and organizational options for structuring research activities to avoid becoming HIPAA-covered. If HIPAA’s access right poses unacceptable safety risks to research participants, one option would be to restructure activities so that genomic research is only carried out at non-HIPAA laboratories.

If research data were placed outside HIPAA’s privacy protections, an alternative privacy framework seemingly would need to be created to address privacy risks of genomic research. The HIPAA Privacy Rule is merely a set of general privacy protections designed for use in contexts other than genomic research. Its privacy protections are inherently weak 589 and widely criticized. 590 It should not be difficult to develop specially tailored privacy policies that better address the concerns people feel about genomic research. These policies might include, for example, policies addressing the difficulties of deidentifying genomic data and managing reidentification risks; placing meaningful restrictions on downstream uses and redisclosure; requiring robust individual authorization for secondary uses and more restrictive conditions on the granting of waivers of individual authorization; and providing more transparency about downstream use and storage of data than HIPAA’s weak accounting framework provides. These specially tailored policies could be implemented by moving genomic research to non-HIPAA laboratories and then requiring the laboratories to comply with the policies as a condition of research funding or publication in high-impact journals.

In designing such policies, the original ethical analyses of the PPSC and HHS have continued relevance. 591 According to the PPSC, a right of individual access would be ethically unnecessary if records were “totally protected against the possibility that individually identifiable information in them will be disclosed for any other purpose.” 592 However, HHS cautioned that people can grant valid consents for secondary uses of their records only if they know what the records contain. 593 Herein lies the rub: any privacy policy that eliminates the ethical need for individual access seemingly needs to be even more stringent than the HIPAA Privacy Rule is. Such a policy therefore may make secondary research uses of data and the creation of research data commons even harder than they currently are, although it might be possible to create a highly secure “sharing space” within which genomic researchers could share data under an agreed set of highly rigorous data security standards.

4. Issue HIPAA Guidance to Ensure Accurate Identification of Data in the DRS

CLIA regulations are sometimes seen as protecting against mix-ups in which one person’s data or biospecimens are mistaken for another’s. One concern about allowing HIPAA access to data from non-CLIA research laboratories is that people may obtain copies of data that are not even their own. As already noted, CLIA’s sample and record identification requirements are modest, and many research laboratories already implement procedures that are equally if not more stringent. 594 Forcing research laboratories to comply with CLIA may add little value, in terms of avoiding mix-ups. A better way to address this concern may be through HIPAA’s own access procedures.

By definition, HIPAA’s DRS—the dataset an individual is entitled to access—only includes data if the data are “about” the individual. 595 Data erroneously attributed to an individual are not rightly part of the DRS to which the individual has a HIPAA access right. 596 It is well within OCR’s discretion to set standards to ensure the integrity of each person’s DRS. OCR could, for example, publish a guidance stating that a research laboratory’s data should only be regarded as traceable to the individual, and therefore part of the individual’s accessible DRS, if the laboratory used the individual’s name and one other unique identifier for purposes of sample and record identification—in other words, procedures equivalent to what CLIA requires. 597

Requiring CLIA-equivalent sample and record-tracking procedures is not the only, or necessarily the best, policy solution that OCR could adopt. Suppose, for example, a research laboratory used name only, without recording a second unique identifier, when it generated and stored a person’s genomic data in the past. Should these data be excluded from the person’s DRS, denying the person’s important civil right of access to the data? With genomic data, the variant data themselves uniquely identify the individual; nobody else has that same set of variants. 598 Years later, when the person requests HIPAA access, it would be a simple matter to retest a small sample of the person’s variants—for example, the thirteen CODIS markers, which the FBI uses to identify suspected criminals with a high degree of confidence 599 —to ensure that the data stored under the person’s name are, in fact, the person’s own data. Such a procedure would resolve any lingering concerns about the potential for mix-ups at research laboratories that failed to follow CLIA-equivalent sampling and record-tracking procedures in the past, while preserving people’s civil right of access to their data.

A final point is that people’s civil rights can be affected when data are wrongly identified to them, and HIPAA access is valued as a mechanism to help people detect and correct instances where mis-identification has occurred. 600 In most situations, people do not actually need to obtain a copy of data that have been wrongly stored in their files; they simply need to have the wrongly attributed data removed from their files. An OCR guidance addressing accurate identification of data to be included in individuals’ DRS should provide that any data found to be erroneously attributed to the individual should be promptly removed or destroyed.

5. Warnings, Disclosures, and Other Measures to Mitigate the Risks of Access

Blocking access is an extreme way to address the safety concerns that access raises. Safety regulators have a duty under federal law to craft more nuanced solutions that address safety concerns without blocking civil rights.

An example may help put things in perspective. Suppose, hypothetically, that there is strong evidence that an FDA-approved drug causes an unusually high rate of serious injuries to members of a specific racial group. FDA’s enabling statute authorizes the agency to impose “elements to assure safe use” (restrictions on use, sale, and distribution) to address serious drug safety problems. 601 One way to address the safety concern would be to impose restrictions that block members of the affected racial group from obtaining the drug. Yet doing so would violate their civil rights. Even if FDA had strong evidence that every single member of the group would be injured by the drug, it is ultimately for patients and their physicians to decide whether the potential benefits outweigh the risks. FDA has other tools at its disposal to address safety risks without violating people’s civil rights: the FDA can require a warning in the drug’s labeling; 602 it can require Medication Guides at the point of sale to inform consumers about the risk; 603 it can send “Dear Doctor” letters warning physicians; 604 it can use the power of publicity to alert the public to the problem; 605 it can order postmarketing studies or clinical trials to better clarify the risk. 606 Title 18, section 242 of the U.S. Code requires safety regulators to pursue civil-rights-preserving options such as these instead of broadly denying the rights of an entire class of consumers.

The same is true of HIPAA access. Regulators have many tools at their disposal to address safety concerns without blocking the right. They can require research laboratories to disclose that data provided under HIPAA’s access right may be unreliable or even misattributed to the individual. They can require stern warnings that the data are being provided only for civil rights purposes and must not be used for making medical decisions. They can send “Dear Doctor” letters advising clinicians that patients may approach them with low-quality HIPAA access data and instructing clinicians to resolve any doubts about the source or quality of genetic information in favor of retesting. They can engage state medical practice boards in developing disciplinary sanctions for physicians who act on genetic findings without confirming the source of those findings. It is entirely foreseeable that people, despite all warnings, may seek interpretation of variants included in their HIPAA access files. Safety regulators can develop publicly available quality scores for genomic interpretation services to help steer people to the more reliable ones. They can initiate public education campaigns to help the public understand the limitations of research-quality data. But they cannot, consistent with federal civil rights law, block people’s access right.

6. Responsibilities of the Medical Profession and Medical Practice Regulators

Subclinical-quality test results cannot lead to inappropriate medical procedures unless healthcare providers cooperate in providing such care. In a world where individuals have access to subclinical-quality information from various sources, healthcare providers occupy an uncomfortable position as gatekeepers, responsible for denying imprudent follow-up care yet fearing potential liability for their failure to provide such care. 607 At the heart of this dilemma is the absence of a well-defined standard of appropriate follow-up care in the situation where a worried, but asymptomatic, patient arrives at a physician’s office with genetic test results but no other clinical indication or history suggestive of disease.

In many instances, such patients may not meet criteria for insurance reimbursement of confirmatory testing or follow-up evaluation, so uncertain data may be the only data available. 608 Consumer safety regulators like FDA and CMS cannot, by themselves, ensure that genetic information is “safe” because safety is, in large part, a medical practice issue. There is a need for medical practice regulators and state legislators to engage with the problem of establishing an appropriate standard of care in this situation. For example, when is it appropriate for a physician to decline to assist a patient in interpreting data of dubious provenance or quality? Under what circumstances does a patient’s refusal (or financial inability) to pursue follow-up testing and evaluation absolve a physician of liability? What are the limits of a physician’s—and the healthcare system’s—responsibility to respond to requests for interpretive services when the underlying data were not reported for clinical use? Are there more efficient institutional solutions for responding to the natural curiosity individuals feel upon receiving access to their data?

7. Covering the Costs of HIPAA Access

It is unfair to portray safety regulators as the sole force opposing HIPAA access. It is costly and troublesome to set up an administrative apparatus to receive and track individuals’ requests for access, locate their data, and deliver the data within HIPAA’s tight thirty-day time frame. 609 Even commercial data holders complain of the associated financial burdens. 610 Many research laboratories may have welcomed the apparent conflict between safety and civil rights regulations, which has provided a pretext not to provide HIPAA access.

HHS estimated that laboratories nationwide would collectively incur costs of up to $3.2-63 million to provide HIPAA access during the first year of implementation, with these figures trending downward over time, but still $1-60 million during the fifth year. 611 It is plausible that genomic research laboratories may bear a disproportionate share of these costs: they hold a large share of the genomic data now in existence, 612 and genomic data tend to be viewed as interesting and perhaps worth the effort of filing access requests.

Research laboratories often are funded by grants lasting just several years. Grants do not include a budget line item for staffing a HIPAA access office—not even while the grant is active and certainly not after it concludes. These costs would come out of a grant’s fixed allowance for facilities and administrative costs, 613 which institutions may prefer to use for other things, such as building new laboratories. Research laboratories and the grant sponsors that fund them may regard HIPAA’s access right as an unfunded federal civil rights mandate that dilutes limited research budgets. Congress, by enacting GINA, created genomic civil rights, and Congress may need to revisit the question of how to fund the costs of making individual data access work.

Conclusion: GINA’s Open Future

As GINA enters its second decade, its civil rights protections are more important than they were ten years ago: people’s genomic data are widely used in research, often without their consent; bioinformatics algorithms grow more efficient at reidentifying deidentified data; and progress of genetic science is expanding the range of privacy-invasive inferences that can be drawn when data are wrongly shared or misappropriated.

The right of autonomous individuals to inspect and receive copies of stored data about themselves has deep roots in U.S. federal law and rests on firm ethical principles set out in two studies commissioned by the U.S. Congress. Congress reaffirmed these principles in the GINA statute, which requires people’s genomic information to receive the full protection of the HIPAA Privacy Rule, including its individual access provision.

Recent resistance to HIPAA’s access right appears to be based on well-intentioned confusion about the nature of the access right. It is the product of a congressional civil rights mandate given in GINA and, as such, it deserves compliance and respect. If individuals’ access to their own genetic data raises valid concerns about costs or safety, then these concerns unquestionably need to be addressed. But they must be addressed in ways that preserve people’s civil rights, always bearing in mind that civil rights have never been free, or free of risk.

Acknowledgments

Thanks to Misha Angrist, Mad Price Ball, Ellen W. Clayton, Andrea M. Downing, Gail P. Jarvik, Steven Keating, Sandra Park, Barbara Prainsack, Mark A. Rothstein, Tania Simoncelli, Michael Stebbins, Jennifer Wagner, John Wilbanks, Susan M. Wolf and participants in the 2017 Triangle Privacy Research Hub/UNC/Duke Conference on Refining Privacy to Improve Health Outcomes and the 2017 Patients as Partners in Research Workshop cosponsored by the Broad Institute of Harvard/MIT, the Biden Cancer Initiative, and the Emerson Collective, as well as members of the NIH/NHGRI-funded LawSeq™ Project for thoughtful suggestions about this project. This research was supported in part by NIH/NHGRI/NCI award 1R01HG008605, with past support from awards UO1HG006507 and UO1HG007307, and additional support from the University of Houston Law Foundation. All views expressed are those of the author and not necessarily those of the funders.

Footnotes

The author has no conflicts to disclose.

References

1. Genetic Information Nondiscrimination Act of 2008, Pub. L. No. 110-233, 122 Stat. 881 (codified as amended in scattered sections of 26, 29, and 42 U.S.C.).

2. Hudson Kathy L. et al., Keeping Pace with the Times—The Genetic Information Nondiscrimination Act of 2008, 358 New Engl. J. Med. 2661, 2662 (2008).

3. See Roberts Jessica L., Preempting Discrimination: Lessons from the Genetic Information Nondiscrimination Act, 63 Vand. L. Rev. 439, 441 (2010).

4. See, e.g., id. (“While some examples do exist, both GINA’s advocates and adversaries agreed that scant evidence indicated a significant history of genetic-information discrimination.”).

5. See Triangle Privacy Research Hub, Genomics, Precision Medicine, and Privacy—Refining Privacy to Improve Health Outcomes Symposium, YouTube (Nov. 8, 2017), https://www.youtube.com/watch?v=zpgXeSZWnmk [https://perma.cc/NZU4-BVCM]. Misha Rashkin’s statement, which can be found at 00:19:00, discusses some of the deficiencies of GINA.

6. See Evans Barbara J., Commentary, HIPAA’s Individual Right of Access to Genomic Data: Reconciling Safety and Civil Rights, 102 Am. J. Hum. Genetics 5, 5–8 (2018) (summarizing this controversy briefly); see also infra Part VII.A (explaining the controversy in detail).

7. See infra Part VIII.A (explaining the complex rulemaking history that obscured the provenance of the access right GINA created).

8. See Press Release, White House, Remarks by the President, Prime Minister Tony Blair of England (Via Satellite), Dr. Francis Collins, Director of the National Human Genome Research Institute, and Dr. Craig Venter, President and Chief Scientific Officer, Celera Genomics Corporation, on the Completion of the First Survey of the Entire Human Genome Project (June 26, 2000), http://www.ornl.gov/sci/techresources/Human_Genome/project/clinton2shtml [https://perma.cc/JGS5-AA2N].

11. Annas George J. et al., Drafting the Genetic Privacy Act: Science, Policy, and Practical Considerations, 23 J.L. Med. & Ethics 360, 360, 365 (1995).

12. See Lowe Georgia et al., How Should We Deal with Misattributed Paternity? A Survey of Lay Public Attitudes, 8 AJOB Empirical Bioethics 234, 234 (2017), https://www.tandfonline.com/doi/pdf/10.1080/23294515.2017.1378751?needAccess=true [https://perma.cc/2N6S-JVNS] (discussing “misattributed paternity, where the assumed father is not the biological father” and noting it is an incidental finding encountered in genetic testing).

13. Kulynych Jennifer & Greely Henry T., Clinical Genomics, Big Data, and Electronic Medical Records: Reconciling Patient Rights with Research When Privacy and Science Collide, 4 J.L. & Biosciences 94, 98 (2017) (noting the growing body of knowledge linking genetics with some mental and behavioral characteristics).

14. See Annas et al., supra note 11, at 360 (discussing the presumed predictive power of genetics as a “future diary”).

15. See Murray Thomas H., Genetic Exceptionalism and “Future Diaries”: Is Genetic Information Different from Other Medical Information?, in Genetic Secrets: Protecting Privacy and Confidentiality in the Genetic Era 60, 61 (Rothstein Mark A. ed., 1997) (citing the past belief, circa 1995, that genetic information is “uniquely powerful”); supra notes 8-11 and accompanying text.

16. Murray, supra note 15, at 64.

17. Kohane Isaac S. et al., Taxonomizing, Sizing, and Overcoming the Incidentalome, 14 Genetics Med. 399, 403 (2012).

18. Dewey Frederick E. et al., Clinical Interpretation and Implications of Whole-Genome Sequencing, 311 JAMA 1035, 1040 (2014).

19. See, e.g., Roisman Glenn I. & Fraley R. Chris, The Limits of Genetic Influence: A Behavior-Genetic Analysis of Infant-Caregiver Relationship Quality and Temperament, 77 Child Dev. 1656, 1658, 1663 (2006) (finding that “the role of genetic variation among infants is trivial,” and questioning the “ubiquity of heritability effects in all domains of psychological inquiry”).

20. See Is Height Determined by Genetics?, U.S. Nat’l Libr. Med. (Nov. 13, 2018), http://ghr.nlm.nih.gov/primer/traits/height [https://perma.cc/R8YZ-8BG5] (noting that more than 700 gene variants have been discovered that influence height and that more discoveries are expected).

21. See Talmud Philippa J. et al., Utility of Genetic and Non-Genetic Risk Factors in Prediction of Type 2 Diabetes: Whitehall II Prospective Cohort Study, 340 BMJ b4838 (2010), http://www.bmj.com/content/340/bmj.b4838 [https://perma.cc/8C8K-4732].

22. See Murray, supra note 15, at 64–65 (commenting in the mid-1990s and noting the weakness of genetic “prophecy”).

23. See, e.g., Kulynych & Greely, supra note 13, at 104.

24. See id. at 96 (noting the expanding predictive power of genetic testing).

25. Id. at 100.

26. See id. at 105 (predicting increased exposure of sensitive information, including genetic information, to privacy risks as a result of research that relies on large datasets).

28. See infra Part VI.

29. See 21 U.S.C. § 321(h) (Supp. IV 2016) (defining FDA-regulated devices); 21 C.F.R. § 809.3(a) (2018) (defining in vitro diagnostic products, a category of medical devices that includes genetic and genomic testing products).

30. See Clinical Laboratory Improvement Amendments of 1988, Pub. L. No. 100-578, 102 Stat. 2903 (codified as amended at 42 U.S.C. § 263a).

31. 42 C.F.R. § 493 (2018).

32. See, e.g., 45 C.F.R. § 46.111(a)(1) (2018) (requiring Institutional Review Boards (IRBs) overseeing research under the Common Rule to ensure that “[r]isks to subjects are minimized”); see also 21 C.F.R. § 56.111(a)(1) (2018) (imposing this same requirement on IRBs reviewing FDA regulated research); 21 C.F.R. §§ 312, 812 (2018) (outlining FDA’s investigational new drug and investigational device exemption regulations, which protect research participants from exposure to unreasonable levels of risk from experimental drugs and devices used in research).

33. Buchwalter James et al., Definition and Nature of Civil Rights, 14 C.J.S. § 1 (2018) (“A civil right refers to rights arising under federal and state civil rights laws and the federal and state constitutions, embracing the rights due from one citizen to another, pertaining to a person by virtue of citizenship in a state or community.”).

34. See infra Part III.

35. See infra Part IV.B.

36. See infra Part IV.D.

37. See infra Part IV.B.

38. See infra Part IV.D.

39. CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports, 79 Fed. Reg. 7290 (Feb. 6, 2014) (codified at 42 C.F.R. pt. 493 and 45 C.F.R. pt. 164).

40. 45 C.F.R. § 164.524 (2018).

41. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 18, 26, 29 and 42 U.S.C.).

42. 45 C.F.R. pts 160, 164.

43. See CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports, 79 Fed. Reg. at 7290.

44. See infra Part VI.B.2.

45. See infra Part VIII.A.

46. See infra Part VII.

47. See infra Part VII.A.1.

48. See infra Part II.

49. See 45 C.F.R. § 160.102 (2018) (providing that the HIPAA regulations, including the Privacy Rule, apply to healthcare providers such as physicians, clinics, hospitals, laboratories and various other entities, such as insurers, that transmit “any health information in electronic form in connection with a transaction covered by this subchapter [the Administrative Simplification provisions of HIPAA]” and to their business associates); see also id. § 160.103 (defining the terms “covered entity” and “business associate”).

50. CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports, 79 Fed. Reg. 7290, 7292 (Feb. 6, 2014) (codified at 42 C.F.R. pt. 493 and 45 C.F.R. pt. 164).

51. See, e.g., Keating Steven, Can a Hospital “Share” Button Save Us?, Genome Mag. (Mar. 13, 2017), http://genomemag.com/can-a-hospital-share-button-save-us/ [https://perma.cc/E2ZQ-G54R]; see also Lye Carolyn T. et al., Assessment of U.S. Hospital Compliance with Regulations for Patients’ Requests for Medical Records, JAMA Network Open (Oct. 5, 2018), https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2705850 [https://perma.cc/8J9J-QKM3] (providing empirical data demonstrating the difficulty individuals experience exercising their HIPAA access rights).

53. See Keating, supra note 51.

58. An Institutional Review Board is a private ethics review body that oversees the ethical conduct of research at institutions regulated by the Federal Policy for the Protection of Human Subjects (Common Rule). See 45 C.F.R. § 46.101(a) (2018).

59. See supra note 32 (listing examples of federal research regulations that prescribe the use of IRBs).

60. See infra Part VII.

61. See infra Part VII.

62. See Evans, supra note 6, at 5.

63. See generally Evans Barbara J., The Interplay of Privacy and Transparency in Health Care: The HIPAA Privacy Rule as a Case Study, in Transparency in Health and Health Care in the United States: Law and Ethics (Lynch Holly Fernandez, Cohen I. Glenn, Shachar Carmel & Evans Barbara J. eds., forthcoming 2019) (reviewing HHS’s efforts, when designing the Privacy Rule, to balance socially beneficial data uses with the individual’s interest in privacy).

64. See infra Part VII.B.

65. See, e.g., 18 U.S.C. § 242 (2012); see also infra Part VII.A.

66. See infra Part VIII.

67. See Evans, supra note 6.

68. See, e.g., Dreyfus Jennifer C. & Sobel Mark E., Concern About Justifying the Release of Genomic Data as a Civil Right, 103 Am. J. Hum. Genetics 163, 163–65 (2018) (expressing concern, in a letter to the editor, about characterizing HIPAA’s access right as a civil right).

69. See, e.g., Civil Rights, Black’s Law Dictionary (10th ed. 2014) (defining “civil right” as “Any of the individual rights of personal liberty guaranteed by the Bill of Rights and by the 13th, 14th, 15th, and 19th Amendments, as well as by legislation such as the Voting Rights Act. Civil rights include esp[ecially] the right to vote, the right of due process, and the right of equal protection under the law”).

70. See Buchwalter et al., supra note 33, § 1.

73. See id. § 3.

74. See id. (noting that civil rights “pertain originally and essentially to humans”).

76. See Roberts Jessica L., Progressive Genetic Ownership, 93 Notre Dame L. Rev. 1105, 1148 (2018).

78. See, e.g., H.B. 1220, 84th Legis. Sess. (Tex. 2015); H.B. 1260, 87th Legis. Assemb., Reg. Sess. (S.D. 2012); H.B. 2110, 82d Legis. Sess. (Tex. 2011).

79. See, e.g., Wagner Jennifer K. & Vorhaus Dan, On Genetic Rights and States: A Look at South Dakota and Around the U.S., Privacy Rep. (Mar. 20, 2012), https://theprivacyreport.com/2012/03/20/on-genetic-rights-and-states-a-look-at-south-dakota-and-around-the-u-s/ [https://perma.cc/JNX2-83N9] (discussing the areas of ambiguity in South Dakota’s proposed bill).

80. See Ala. Code § 18.13.010 (2018); Colo. Rev. Stat. § 10-3-1104.7 (2018); Fla. Stat. § 760.40 (2018); Ga. Code Ann. § 33-54-1 (2018).

81. See Evans Barbara J., Much Ado About Data Ownership, 25 Harv. J.L. & Tech. 69, 89 (2011) (noting the vagueness of many data ownership proposals and suggesting that individual data ownership would differ from fee simple ownership of a house and might resemble riparian ownership or copyright); Roberts, supra note 76, at 1169–71; see also Hall Mark A. & Schulman Kevin A., Commentary, Ownership of Medical Information, 301 JAMA 1282, 1283–84 (2009) (noting the popular tendency to liken data ownership to fee simple ownership but pointing out that data ownership would differ from familiar “[o]wnership of houses and cars”).

82. See, e.g., Cate Fred H., Protecting Privacy in Health Research: The Limits of Individual Choice, 98 Calif. L. Rev. 1765, 1797 (2010) (“Consent requirements [imposed by the HIPAA Privacy Rule] not only impede health research, but may actually undermine privacy interests.”).

83. See generally President’s Council of Advisors on Sci. & Tech., Exec. Office of the President, Report to the President: Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward 2, 28 (2010), https://obamawhitehouse.archives.gov/sites/default/files/microsites/ostp/pcast-health-it-report.pdf [https://perma.cc/33NN-9YMT] (discussing the weakness of informed consent as a mechanism to protect data privacy and security).

84. See Hudson, supra note 2, at 2662 (noting weaknesses in the framework of genetic privacy protections prior to GINA).

85. See id. (characterizing GINA as a civil rights law); infra Part II.

86. See supra notes 73-81 and accompanying text.

87. See, e.g., Sec’y’s Advisory Comm. on Genetic Testing, Nat’l Inst. of Health, Enhancing the Oversight of Genetic Tests: Recommendations of the SACGT 8, 20 (2000), https://osp.od.nih.gov/wp-content/uploads/2013/11/oversight_report.pdf [https://perma.cc/83C3-MGK2].

88. See id. at 15 n.10 (explaining that analytical validity is an indicator of how well a test measures the property or characteristic it is intended to measure and addresses such matters as the test’s accuracy, rate of false positives and negatives, and reliability in the sense of repeatedly getting the same result).

89. See id. at 15 n.11 (explaining that clinical validity refers to the accuracy with which a test predicts the presence or absence of a clinical condition or predisposition, addressing whether there is a strong and well validated association between having a particular gene variant and having a particular health condition, and asking whether knowing that a person has the gene variant offers meaningful insight into the person’s health or reproductive risks); see also Fabsitz Richard R. et al., Ethical and Practical Guidelines for Reporting Genetic Research Results to Study Participants: Updated Guidelines from a National Heart, Lung, and Blood Institute Working Group, 3 Circulation Cardiovascular Genetics 574, 575 (2010) (expressing this concept by stating that a test result has an “established” meaning).

90. See Sec’y’s Advisory Comm. on Genetic Testing, supra note 87, at 15 n.12 (“Clinical utility refers to the usefulness of the test and the value of the information to the person being tested. If a test has utility, it means that the results—positive or negative—provide information that is of value to the person being tested because he or she can use that information to seek an effective treatment or preventive strategy. Even if no interventions are available to treat or prevent the disease or condition, there may be benefits associated with knowledge of the result.”).

91. See Fabsitz et al., supra note 89, at 575 (“Actionable means that disclosure has the potential to lead to an improved health outcome; there must be established therapeutic or preventive interventions available or other available actions that may change the course of the disease.”).

92. See Sec’y’s Advisory Comm. on Genetic Testing, supra note 87, at 15.

95. See, e.g., Office of Tech. Assessment, Cong. of the U.S., Assessing the Efficacy and Safety of Medical Technologies 17–18 (1978) (conceiving medical product safety as a risk/benefit ratio with a product deemed “safe” if its risks are acceptable in relation to its benefits).

97. See Basic HHS Policy for Protection of Human Research Subjects (Common Rule), 45 C.F.R. pt. 46, subpt. A (2018).

98. See Federal Policy for the Protection of Human Subjects, 82 Fed. Reg. 7149 (Jan. 19, 2017) (to be codified at 45 C.F.R. pt. 46 and in various other regulations of implementing agencies); see also Federal Policy for the Protection of Human Subjects: Delay of the Revisions to the Federal Policy for the Protection of Human Subjects, 83 Fed. Reg. 2885 (Jan. 22, 2018) (extending the effective date of the new Common Rule until July 19, 2018); Federal Policy for the Protection of Human Subjects: Six Month Delay of the General Compliance Date of Revisions While Allowing the Use of Three Burden-Reducing Provisions During the Delay Period, 83 Fed. Reg. 28,497 (June 19, 2018) (further delaying implementation until January 21, 2019).

99. See Federal Policy for the Protection of Human Subjects, 82 Fed. Reg. at 7149, 7154.

100. Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 (Dec. 28, 2000) (codified at 45 C.F.R. pts. 160, 164) (finalizing the HIPAA Privacy Rule in December 2000).

101. See 45 C.F.R. pt. 46.

102. See, e.g., Federal Policy for the Protection of Human Subjects: Notice of Proposed Rulemaking, 80 Fed. Reg. 53,933 (proposed Sept. 8, 2015); Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators, 76 Fed. Reg. 44,512, 44,514 (advance notice of proposed rulemaking provided July 26, 2011) (discussing the benefits of reducing Common Rule oversight of privacy risks in HIPAA-regulated informational research).

103. See Federal Policy for the Protection of Human Subjects, 82 Fed. Reg. at 7261–62 (adopting a new regulation at § 46.104(d)(4)(iii) which provides, “[e]xcept as described in paragraph (a) of this section, the following categories of human subjects research are exempt from this policy: … (4) Secondary research … [t]he research involves only information collection and analysis involving the investigator’s use of identifiable health information when that use is regulated under 45 CFR parts 160 and 164, subparts A and E, for the purposes of ‘health care operations’ or ‘research’ as those terms are defined at 45 CFR 164.501 or for ‘public health activities and purposes’ as described under 45 CFR 164.512(b)”).

104. See supra note 98.

105. See Federal Policy for the Protection of Human Subjects, 82 Fed. Reg. at 7194 (“HIPAA also provides protections in the research context for the information that would be subject to this exemption (e.g., clinical records), such that additional Common Rule requirements for consent should be unnecessary in those contexts…. This provision introduces a clearer distinction between when the Common Rule and the HIPAA Privacy Rule apply to research in order to avoid duplication of regulatory burden. We believe that the HIPAA protections are adequate for this type of research, and that it is unduly burdensome and confusing to require applying the protections of both HIPAA and an additional set of protections.”).

106. See 45 C.F.R. § 46.104(d)(4)(iii) (2018).

107. See Evans, supra note 6, at 7.

108. See Hudson et al., supra note 2, at 2661–62 (summarizing GINA’s protections).

109. This Center is now known as the National Human Genome Research Institute within the National Institutes of Health (NIH). See About the Institute, Nat’l Hum. Genome Res. Inst. (Feb. 16, 2018), https://www.genome.gov/27534788/about-the-institute/ [https://perma.cc/325N-RWXC].

110. McEwen Jean E. et al., The Ethical, Legal, and Social Implications Program of the National Human Genome Research Institute: Reflections on an Ongoing Experiment, 15 Ann. Rev. Genomics & Hum. Genetics 481, 482 (2014) (quoting the National Institutes of Health Revitalization Act of 1993 § 1521, Pub. L. No. 103-43, 107 Stat. 122, 180 (1993)).

111. Id. at 483.

112. Id. at 482.

114. See Kulynych & Greely, supra note 13, at 94–95 (noting “[w]idespread use of medical records for research, without consent” and noting the increased presence of genomic information in medical records (emphasis omitted)).

115. Roberts Jessica L., The Genetic Information Nondiscrimination Act as an Antidiscrimination Law, 86 Notre Dame L. Rev. 597, 632 (2011) (explaining that GINA took an anticlassification approach that “comprehensively prohibits health insurers and employers from considering genetic information”); id. at 597 (noting that GINA “protects individuals from any intentional differential treatment by health insurers or employers based on genetic information”).

116. Genetic Information Nondiscrimination Act of 2008 § 102(a)(4), 42 U.S.C. § 300gg-91(d)(15)-(19) (2012).

117. Id. § 105 (codified at 42 U.S.C. § 1320d-9).

118. See id. § 102(a)(4) (codified at 42 U.S.C. § 300gg-91(d)(16)(A)) (amending the Public Health Service Act at 42 U.S.C. § 300gg-91(d) to define genetic information as meaning, “with respect to any individual, information about—(i) such individual’s genetic tests, (ii) the genetic tests of family members of such individual, and (iii) the manifestation of a disease or disorder in family members of such individual”).

120. See generally id.

121. See, e.g., Food & Drug Admin., U.S. Dep’t of Health & Human Servs., Optimizing FDA’s Regulatory Oversight of Next Generation Sequencing Diagnostic Tests—Preliminary Discussion Paper (Dec. 29, 2014), https://www.fda.gov/downloads/medicaldevices/newsevents/workshopsconferences/ucm427869.pdf [https://perma.cc/837T-BQLT] (focusing on analytical performance and clinical performance—that is, analytic and clinical validity—as key aspects of whether genomic tests are safe for clinical uses and providing examples of misdiagnoses and other harms that might occur if tests lack these attributes).

122. See, e.g., 1 Nat’l Bioethics Advisory Comm’n, Research Involving Human Biological Materials: Ethical Issues and Policy Guidance 71 (1999) (“Experts disagree about whether findings from research should be communicated to [research participants], although most do believe that findings should not be conveyed unless they are confirmed and reliable and constitute clinically significant or scientifically relevant information. Those who oppose revealing unconfirmed findings argue that the harms that could result from revealing preliminary data are serious, including anxiety or unnecessary (and possibly harmful) medical interventions.”); Bookman Ebony B. et al., Reporting Genetic Results in Research Studies: Summary and Recommendations of an NHLBI Working Group, 140A Am. J. Med. Genetics 1033, 1037 (2006) (counseling “extreme caution” in returning results that are preliminary and not validated by other studies). Analytic validity is widely viewed as the bare minimum quality standard for return of results from research. See, e.g., Wolf Susan M., The Role of Law in the Debate over Return of Research Results and Incidental Findings: The Challenge of Developing Law for Translational Science, 13 Minn. J.L. Sci. & Tech. 435, 446 (2012) (noting “a near-universal demand [in the literature] for analytic validity as a precondition” for returning results and incidental findings). Many commentators would require, in addition, that the results should have some level of clinical significance (clinical validity and/or utility). See, e.g., Maschke Karen J., Returning Genetic Research Results: Considerations for Existing No-Return and Future Biobanks, 13 Minn. J.L. Sci. & Tech. 559, 559 (2012) (citing the fact that most genetic research results have uncertain clinical significance as a reason why many biobanks adopt a “no-return policy”); Wolf Susan M. et al., Managing Incidental Findings in Human Subjects Research: Analysis and Recommendations, 36 J.L. Med. & Ethics 219, 235 (2008) (noting that many commentators call for results to be returned only if they have clinical validity, that is, a well-established clinical or reproductive significance); id. at 231 (“Disclosure should occur only when findings are valid and confirmed, have significant health implications, and the health problem can be treated.”); see also Fabsitz et al., supra note 89, at 578 (noting the controversy surrounding return of results that have personal utility but not clinical significance/validity/utility). But see Holman Ingrid A. & Taylor Patrick L., The Informed Cohort Oversight Board: From Values to Architecture, 13 Minn. J.L. Sci. & Tech. 669, 676 (2012) (supporting disclosure of information even if its clinical significance is uncertain but requiring that it be analytically valid).

123. See Nat’l Bioethics Advisory Comm’n, supra note 122, at 71–72.

124. See id. at 71 (quoting MacKay Charles R., Ethical Issues in Research Design and Conduct: Developing a Test to Detect Carriers of Huntington’s Disease, 6 IRB 1, 3 (1984)).

126. See What Is CODIS?, Nat’l Inst. Just. (July 16, 2010), https://www.nij.gov/journals/266/Pages/backlogs-codis.aspx [https://perma.cc/2RJL-JLWW] (describing the FBI’s Combined DNA Index System and its uses).

127. See Kaye DH, Please, Let’s Bury the Junk: The CODIS Loci and the Revelation of Private Information, 102 Nw. U. L. Rev. Colloquy 70, 81 (2007).

128. See What is CODIS?, supra note 126.

130. See Genetic Information Nondiscrimination Act 2008 § 105(a), 42 U.S.C. § 1320d-9(a) (2012) (calling, in the section entitled “Application of the HIPAA Regulations to Genetic Information,” for HHS/OCR to amend the definition of “protected health information” that HIPAA protects to include all of the genetic information within GINA’s broad definition and ordering the Secretary of Health and Human Services to implement the change within one year); see also 42 U.S.C. § 1320d-9(b)(1) (stating, in a new section introduced by GINA’s § 105, that Congress deems “genetic information,” as broadly defined by GINA at 42 U.S.C. § 300gg-91, to be health information, for purposes of making it subject to HIPAA’s privacy protections).

131. See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 (Dec. 28, 2000) (codified at 45 C.F.R. pts. 160, 164) (promulgating the original HIPAA Privacy Rule).

132. 45 C.F.R. § 160.103 (2001).

133. See 42 U.S.C. § 1320d(4) (2012) (“The term ‘health information’ means any information, whether oral or recorded in any form or medium, that—(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”).

134. See id.

135. See id.; supra notes 88-90.

136. See § 1320d(4).

137. See id.

138. See Food & Drug Admin., U.S. Dep’t of Health & Human Servs., supra note 121 (“Unlike other laboratory tests that typically detect a single or a defined number of substances to diagnose a limited set of conditions, a single [genome sequencing] test can identify thousands—even millions—of genetic variants.”).

140. See Dewey et al., supra note 18, at 1039.

142. See generally Deverka Patricia A. & Jennifer C. Dreyfus, Clinical Integration of Next Generation Sequencing: Coverage and Reimbursement Challenges, 42 J.L. Med. & Ethics 22 (2014) (discussing difficulties obtaining coverage for clinical genomic testing).

143. See Collins Ryan L., Strength in Numbers: Genetic Sequencing of Large Populations Is Shaping the Future of Medicine, Harv. U. Sci. News Blog (June 5, 2017), http://sitn.hms.harvard.edu/flash/2017/strength-numbers-genetic-sequencing-large-populations-shaping-future-medicine/ [https://perma.cc/R4D6-3UHS] (discussing the large number of gene sequencing tests that are generated in research studies).

144. See, e.g., Wolf Susan M. & Evans Barbara J., Return of Results and Data to Study Participants, 362 Science 159, 159 (2018) (“Some research results will meet clinical standards of quality, but many will not, because research seeks to advance understanding.”); see also Burke Wylie et al., Return of Results: Ethical and Legal Distinctions Between Research and Clinical Care, 166 Am. J. Med. Genetics Part C (Seminars Med. Genetics) 105, 106–07 (2014) (distinguishing the goals and data quality requirements of research and clinical care).

145. See infra this Part.

146. See supra notes 88-91.

147. See 42 C.F.R. § 493.3(b)(2) (2018) (providing an exception that allows some research laboratories to operate without having to comply with the CLIA regulations).

148. See infra this Part.

149. See Gail P. Jarvik et al., Return of Genomic Results to Research Participants: The Floor, the Ceiling, and the Choices in Between, 94 Am. J. Hum. Genetics 818, 823 (2014) (noting that clinically “actionable information might be learned from assays that cannot easily be confirmed in a CLIA-compliant laboratory”).

150. See generally Dewey et al., supra note 18, at 1041 (discussing how few genetic variants currently have known clinical significance); Jarvik et al., supra note 149, at 818–23 (discussing data produced during genome sequencing).

151. A laboratory is considered CLIA-compliant if it either holds a CLIA certificate or is exempt from the CLIA regulations. See 42 C.F.R. § 493.2. A laboratory is CLIA-exempt if it has been licensed by a state whose laboratory requirements CMS has determined are equal to or more stringent than CLIA’s requirements, and the state licensure program has been approved by CMS. See id. Two states—New York and Washington—currently meet these conditions. See List of Exempt States Under the Clinical Laboratory Improvement Amendments (CLIA), Ctrs. for Medicare & Medicaid Servs., https://www.cms.gov/Regulations-and-Guidance/Legislation/CLIA/Downloads/ExemptStatesList.pdf [https://perma.cc/8ZRX-A7WS].

152. See discussion infra this Part.

153. Ctrs. for Medicare & Medicaid Servs., U.S. Dep’t of Health & Human Servs., CMS Initiatives to Improve Quality of Laboratory Testing Under the CLIA Program 1 (2006), https://www.cms.gov/Regulations-and-Guidance/Legislation/CLIA/Downloads/060630BackgrounderrlEG.pdf [https://perma.cc/6DL8-6WRY].

155. See id. (describing CLIA’s applicability to clinical settings).

156. 42 C.F.R. § 493.1443.

157. Cf. id. (detailing scientific qualifications required of laboratory directors).

158. See Evans, supra note 6, at 8.

159. See supra notes 88–90.

160. See What Is CMS’s Authority Regarding Laboratory Developed Tests (LDTs) and How Does It Differ from FDA’s Authority?, Ctrs. for Medicare & Medicaid Servs. (Oct. 22, 2013), https://www.cms.gov/Regulations-and-Guidance/Legislation/CLIA/Downloads/LDT-and-CLIA_FAQs.pdf [https://perma.cc/9P77-ARA4] [hereinafter “What Is CMS’s Authority?”] (“[U]nlike the FDA regulatory scheme, CMS’ CLIA program does not address the clinical validity of any test.”).

162. See Evans, supra note 6, at 8.

163. See id.

164. See U.S. Gov’t Accountability Off., GAO-06-416, Clinical Lab Quality: CMS and Survey Oversight Should be Strengthened 33 (2006); see also Gabler, supra note 125 (“Even when serious violations are identified, offending labs are rarely sanctioned except in the most extreme cases. In 2013, just 90 sanctions were issued—accounting for not even 1% of the 35,000 labs that do high-level lab testing in the United States.”).

165. See Bin Chen et al., Good Laboratory Practices for Molecular Genetic Testing for Heritable Diseases and Conditions, Morbidity & Mortality Wkly. Rep., June 12, 2009, at 1, 5.

166. Id.; see also Secy’s Advisory Comm. on Genetics, Health, & Soc’y, U.S. Dep’t of Health & Human Servs., U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of Health and Human Services (2008), https://repository.library.georgetown.edu/bitstream/handle/10822/512822/SACGHS_oversight_report.pdf?sequence=1&isAllowed=y [https://perma.cc/L45B-C3HA].

167. Chen et al., supra note 165, at 10.

168. See, e.g., Gabler, supra note 125 (detailing mix-up errors at CLIA-regulated laboratories); Gina Kolata, The Lab Says It’s Cancer: But Sometimes the Lab Is Wrong, N.Y. Times (June 26, 2017), https://www.nytimes.com/2017/06/26/health/the-lab-says-its-cancer-but-sometimes-the-lab-is-wrong.html [https://perma.cc/A9XJ-6554] (discussing cases of mix-ups at CLIA labs).

169. See supra note 118 (reciting the broad definition of “genetic information” that GINA’s § 102(a)(4) inserted at 42 U.S.C. § 300gg-91(d)(16)); see also 42 U.S.C. § 300gg-91(d)(17) (2012) (defining “genetic test” as meaning “an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that detects genotypes, mutations, or chromosomal changes” and thus clearly including non-clinically-significant information, such as raw genomic data, within the scope of information included in GINA’s definition of “genomic information”); id. § 300gg-91(d)(18) (defining “genetic services” as including genetic tests and “genetic counseling (including obtaining, interpreting, or assessing genetic information)” and genetic information, such that information from testing, assessing, and counseling occurring during the course of genetic research is included in GINA’s broad definition of “genetic information”).

170. See Genetic Information Nondiscrimination Act of 2008 § 105 (adding a new § 1180 to the Social Security Act, codified at 42 U.S.C. § 1320d-9, providing that “[t]he Secretary shall revise the HIPAA privacy regulation” so that “[g]enetic information shall be treated as health information described in [section 1320d(4)(B)] of this title,” which was the section of the Social Security Act added by the 1996 HIPAA statute in which Congress defined the “health information” that is subject to HIPAA’s privacy protections); supra note 133.

171. See § 105.

173. Statement of Delegation of Authority, 65 Fed. Reg. 82,381 (Dec. 28, 2000); see also About Us, U.S. Dep’t Health & Hum. Servs., Off. C.R., https://www.hhs.gov/ocr/about-us/index.html [https://perma.cc/YM54-AA9D].

174. Genetic Information Nondiscrimination Act of 2008 § 105(b); see also The Genetic Information Nondiscrimination Act of 2008: “GINA,” U.S. Dep’t Lab.: C.R. Ctr., https://www.dol.gov/oasam/programs/crc/finalGINAguidance.htm [https://perma.cc/AV6X-5362].

175. § 105(b)(1).

176. See §§ 102, 105.

177. See Roberts, supra note 3, at 441.

178. See U.S. Const. art. 1, § 8, cl. 3 (granting Congress the power “[t]o regulate Commerce with Foreign Nations, and among the several States, and with the Indian Tribes”); see also Roberts, supra note 3, at 484–87.

179. Evans, supra note 6, at 6; see also 45 C.F.R. § 164.524 (2018).

180. See supra note 130 and accompanying text.

181. Evans, supra note 6, at 6.

182. John Rawls, A Theory of Justice 136–42 (1971).

183. Id. at 136-37 (“[Under the veil of ignorance, people] do not know how the various alternatives will affect their own particular case and they are obliged to evaluate principles solely on the basis of general considerations.”).

184. Exodus 9:1.

185. See, e.g., Deborah C. Peel, Written Testimony Before the HIT Policy Committee, Electronic Privacy Info. Ctr. (Sept. 18, 2009), http://epic.org/privacy/medicaL/Peel_PPR%20Written%20testimony%20HIT%20Policy%20Committee.pdf [https://perma.cc/Q34X-GQZR] (framing privacy as “control of personal information” and “consumer control over [personal health information]”); see also Paul M. Schwartz, Internet Privacy and the State, 32 Conn. L. Rev. 815, 820 (2000) (noting that individual control over one’s data, rather than secrecy of the data, is key to the modern paradigm of data privacy).

186. Evans, supra note 63.

187. See id.; Evans, supra note 6, at 8.

188. See infra this Part.

189. See 45 C.F.R. § 164.508 (2018).

191. See, e.g., Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, 57 UCLA L. Rev. 1701 (2010) (criticizing the Privacy Rule).

192. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, § 264(a)-(b), 110 Stat. 1936, 2033.

193. Id. § 264(c).

195. Confidentiality of Individually Identifiable Health Information: Recommendations of the Secretary of Health and Human Services, Pursuant to Section 264 of the Health Insurance Portability and Accountability Act of 1996, U.S. Dep’t Health & Hum. Servs. § I.I (Sept. 11, 1997) [hereinafter HHS Recommendations], https://aspe.hhs.gov/report/confidentiality-individually-identifiable-health-information [https://perma.cc/M9TK-YZQW].

197. HHS Recommendations, supra note 195, § I.I.

198. Id.; see also I. Glenn Cohen, Is There a Duty to Share Healthcare Data?, in Big Data, Health Law, and Bioethics 209, 209–22 (I. Glenn Cohen et al. eds., 2018) (discussing the role of data sharing in fostering scientific discovery).

199. See Letter from William W. Stead to Honorable Sylvia M. Burwell, supra note 190, app. A at 15–17 tbl.1 (summarizing the protections available under the Privacy Rule in situations where data are used without the individual’s authorization); Evans & Jarvik, supra note 190.

200. Frederick Schauer, Transparency in Three Dimensions, 2011 U. Ill. L. Rev. 1339, 1347–50.

201. Id. at 1347-48.

202. See Food & Drug Admin., U.S. Dep’t of Health & Human Servs., supra note 121 (proposing to leverage genetic databases to evaluate clinical performance of genomic tests).

203. Schauer, supra note 200, at 1350.

204. 45 C.F.R. § 164.506(a)-(c) (2018).

205. Schauer, supra note 200, at 1350.

206. See generally Brett M. Frischmann, Infrastructure: The Social Value of Shared Resources 61–90 (2012) (describing the role of infrastructure, including data infrastructure, in creating public and nonmarket goods).

207. See generally Schauer, supra note 200.

208. Id. at 1349.

209. See id.

210. See, e.g., Nat’l Comm’n for the Protection of Human Subjects of Biomedical and Behavioral Research, U.S. Dep’t of Health, Educ., & Welfare, The Belmont Report: Ethical Principles and Guidelines for the Protection of Human Subjects of Research pt. B (1979) [hereinafter Belmont Report], https://www.hhs.gov/ohrp/sites/default/files/the-belmont-report-508c_FINAL.pdf [https://perma.cc/99VW-5ZN6] (listing “respect for persons” as the first of three “basic ethical principles”).

211. Evans, supra note 63, at 32–33.

212. Id. at 33.

213. See HHS Recommendations, supra note 195, § II.C.2 (calling for an individual access right in recommendations that the HIPAA statute required HHS to provide to Congress in 1997); see also 45 C.F.R. § 164.524 (2018) (implementing this right).

214. See HHS Announces New Rule that Gives Patients Direct Access to Lab Test Results, Cal. Physician’s Legal Handbook: News (Feb. 6, 2014), http://cplh.org/blog/detail/?article=hhs-announces-new-rule-that-gives-patients [https://perma.cc/N4N3-QRGF] (alteration in original) (quoting then-HHS Secretary Kathleen Sebelius).

215. See, e.g., Sandra Park, Who Should Control Your Genetic Information—You or Corporate Laboratories?, ACLU Blog (May 19, 2016, 5:00 PM), https://www.aclu.org/blog/privacy-technology/medical-and-genetic-privacy/who-should-control-your-genetic-information-you [https://perma.cc/VXX7-TWW9] (discussing cancer patients’ interests in accessing their genetic information both to aid their family members and to be able to contribute the data to research).

216. See supra this Part; see also Schauer, supra note 200, at 1347–50.

217. See infra Part IV.A.

218. See infra Part IV.C.

219. See U.S. Const. amend. I (protecting “the right of the people peaceably to assemble, and to petition the Government for a redress of grievances”); infra Part IV.D.

221. Secretary’s Advisory Comm. on Automated Pers. Data Sys., U.S. Dep’t of Health, Educ., & Welfare, Records, Computers, and the Rights of Citizens 41 (1973), http://www.justice.gov/opcl/docs/rec-com-rights.pdf [https://perma.cc/LLS9-28EF] (announcing an influential Code of Fair Information Practices (FIPs) based on five principles); see also Fred H. Cate, The Failure of Fair Information Practice Principles, in Consumer Protection in the Age of the “Information Economy” 341, 346 (Jane K. Winn ed., 2006) (tracing subsequent development of FIPs, including access rights, after the 1973 HEW Code of FIPs); HHS Recommendations, supra note 195, § II.C.2 (referring to this principle from the 1973 HEW Code of FIPs in the roadmap for the HIPAA Privacy Rule).

222. 5 U.S.C. § 552a(a), (d) (2012), amended by 5 U.S.C. § 552a (Supp. III 2016).

223. 5 U.S.C. § 552 (2012), amended by 5 U.S.C. § 552 (Supp. V 2018).

224. Privacy Prot. Study Comm’n, Personal Privacy in an Information Society 508 (1977).

225. See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59,918, 59,980-82 (proposed Nov. 3, 1999) (to be codified at 45 C.F.R. pts. 160-64) (explaining, in the preamble to the originally proposed HIPAA Privacy Rule, that HIPAA’s access right was modeled on the similar provisions of the Privacy Act of 1974).

226. See Privacy Act of 1974 § 2(a), 5 U.S.C. § 552a note (“The Congress finds that … the right to privacy is a personal and fundamental right protected by the Constitution of the United States, and … it is necessary and proper for the Congress to regulate the collection, maintenance, use, and dissemination of information.”).

227. Id. § 2(b)(3) (including, as a core element of data privacy protection, safeguards that “permit an individual to gain access to information pertaining to him …, to have a copy made of all or any portion thereof, and to correct or amend such record”).

228. See 5 U.S.C. § 552a note (codifying these findings). See generally David L. Faigman, Constitutional Fictions: A Unified Theory of Constitutional Facts (2008) (pointing out that Congressional findings of fact can include facts about the law); William D. Araiza, Deference to Congressional Fact-Finding in Rights-Enforcing and Rights-Limiting Legislation, 88 N.Y.U. L. Rev. 878 (2013) (discussing enacted congressional findings of fact and the degree of deference courts accord to them).

229. See sources cited supra note 228.

231. Privacy Prot. Study Comm’n, supra note 224, ch. 7.

232. 5 U.S.C. § 552a.

233. 5 U.S.C. § 552.

235. See Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C.).

236. Privacy Prot. Study Comm’n, supra note 224, at 281 (observing “how heavily a variety of institutions in our society have come to depend on the information in medical records in order to perform their basic functions”).

237. Id. at 597.

238. See infra Part VII.B.; see also Gina Kolata, Poking Holes in Genetic Privacy, N.Y. Times: News Analysis (June 16, 2013), https://www.nytimes.com/2013/06/18/science/poking-holes-in-the-privacy-of-dna.html [https://perma.cc/M7WP-W9PN] (discussing problems with the privacy, security, and reidentifiability of stored genetic information).

239. See infra Part IV.A-D.

240. See, e.g., CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports, 79 Fed. Reg. 7290 (Feb. 6, 2014) (to be codified at 42 C.F.R. pt. 493 and 45 C.F.R. pt. 164) (noting, in the preamble to final rule on laboratory data access, that barriers to individual data access “prevent[] patients from having a more active role in their personal health care decisions”).

241. See id. at 7293 (citing statistics that clinicians fail to inform patients of abnormal test results 7 percent of the time).

242. Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,606 (Dec. 28, 2000) (to be codified at 45 C.F.R. pts. 160, 164).

243. Belmont Report, supra note 210, pt. B (listing “respect for persons” as the first of three “Basic Ethical Principles”).

244. See supra Part III.

245. See supra notes 222-25 and accompanying text.

246. See supra note 122 (listing various recent scholarly works that have maintained that individuals’ access to their own data should be subject to various restrictions, such as limiting return of results to information that has analytic validity, clinical validity and/or clinical utility).

247. Belmont Report, supra note 210, pt. B.

248. See id.

249. See id.

250. See, e.g., Nat’l Bioethics Advisory Comm’n, supra note 122, at 71–72.

251. See supra note 122 and accompanying text (listing a number of scholarly works that have expressed concerns about broad, unrestricted access by individuals to information about themselves generated during the course of research).

252. See Nat’l Bioethics Advisory Comm’n, supra note 122, at 71 (noting the existence of these concerns); Maschke, supra note 122, at 563 (same); Lisa S. Parker, Returning Individual Research Results: What Role Should People’s Preferences Play?, 13 Minn. J.L. Sci. & Tech. 449, 470 (2012) (same); Sharon F. Terry, The Tension Between Policy and Practice in Returning Research Results and Incidental Findings in Genomic Biobank Research, 13 Minn. J.L. Sci. & Tech. 691, 713 (2012) (same).

253. See Food & Drug Admin., U.S. Dep’t of Health & Human Servs., supra note 121 (noting that uncertain or inaccurate genomic tests “can lead to patients receiving the wrong diagnosis, the wrong treatment or no treatment at all even when effective therapy is available” (internal citations omitted)).

254. See Thomas M. Morgan, Genomic Screening: The Mutation and the Mustard Seed, 46 J.L. Med. & Ethics 541, 544 (2018) (discussing the workload involved when individuals turn to their physicians to seek clarification of low-quality or unconfirmed genetic findings).

255. See, e.g., Holman & Taylor, supra note 122, at 687 (noting these concerns, without necessarily agreeing that they are sufficient grounds to restrict individuals’ access to their own genetic information).

256. See supra note 122 (citing examples of scholarly works that recommend various restrictions on individuals’ access to research data about themselves).

257. See, e.g., Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators, 76 Fed. Reg. 44,512, 44,514-15 (advance notice of proposed rulemaking provided July 26, 2011) (to be codified at 45 C.F.R. pts. 46, 160, 164 and 21 C.F.R. pts. 50, 56) (proposing that an Institutional Review Board (IRB) review is necessary in research where results will be returned to participants, even if the research is otherwise low-risk biospecimen research that would be excused from IRB review).

258. Holman & Taylor, supra note 122, at 672–73 (quoting Isaac S. Kohane et al., Reestablishing the Researcher-Patient Compact, 316 Sci. 836, 837 (2007)).