Politech mailing list archives

FC: Replies to father concerned about genetic privacy, clinical trials


From: Declan McCullagh <declan () well com>
Date: Sun, 08 Dec 2002 23:31:24 -0500

[These are truly excellent replies. Thank you very much, all of you, on behalf of A Concerned Father. I've included replies below from technologists, lawyers, public health specialists, and even one of my students from the class I taught this fall at Case Western University law school. Previous message: http://www.politechbot.com/p-04217.html --Declan]

---

Date: Fri, 06 Dec 2002 12:11:37 -0500
To: declan () well com
From: "Robert L. Ellis" <rellis () internet-attorneys com>
Subject: Re: FC: Query from a father about genetic privacy and clinical trials

Declan,

As you know I deal with a lot of privacy issues in my law practice. There are two issues I can see. The first is whether this father can expect an enforceable right to anonymity under the law as it currently exists. The second is whether the law will change so as to strip him later of any anonymity rights he has now (similar to the change in Oregon law disclosing adoption records that birth mothers thought would be sealed forever).

The nearest I have gotten to the father's situation in my practice is "in vitro" fertilization contracts. In the jurisdictions where I have done such contracts, there is no governing law, and not even any case law on point, regarding anonymity rights. That's probably the case with this father as well, so chances are that it's not possible to know whether he has an enforceable anonymity right. In our in-vitro contracts we have no choice but to include an except-where-required-by-law clause, since otherwise as the legal situation develops in the future the organization which holds the anonymous records could face the Hobson's choice of either refusing to release records when required by a court order -- and thus facing contempt charges or even criminal prosecution -- or releasing them and having to defend a breach-of-contract suit. Such clauses do not indicate that the organization intends to compromise his anonymity.

More important to this father is to ensure that there are solid contractual guarantees as well as internal administrative practices within the clinic to ensure that to the greatest extent possible, personally identifiable information is segregated, protected, disclosed only on a genuine-need-to-know basis, and not used for any other purpose. (Hmm... wouldn't that be nice as a policy for homeland security?) The greatest threat to his anonymity is probably not future changes in law or lawsuits, but inadvertent disclosure or breach of data security.

- Bob Ellis

---

From: "Baker, Stewart" <SBaker () steptoe com>
To: "'declan () well com'" <declan () well com>
Subject: RE: Query from a father about genetic privacy and clinical trials
Date: Fri, 6 Dec 2002 11:34:04 -0500

Declan,

If I were the lawyer for the clinical trial sponsor (I'm not), I would have put language of this sort into the agreement on principle, not necessarily because I expected it to be invoked.

Nonetheless, the most obvious circumstance is a subpoena served either by government (typically for law enforcement purposes) or by a private party (trial lawyer claiming the program was negligently run; divorce lawyer for the wife trying to find out who was 'responsible' for the inherited problems of the child). But the father here has not been given a guarantee that he'll have notice and a chance to contest access by the third party. While an absolute guarantee can't be given (a criminal subpoena might have a gag order in it, to prevent a tipoff to the suspect), if he wants to contest access, he should probably ask for an assurance that he'll get notice of any effort to obtain access to his data as promptly as possible and before access is permitted except to the extent such notice is prohibited by law, and only for so long as notice is prohibited. To decide exactly what he needs and whether it will work, though, he needs to talk to a lawyer; it would not be responsible to give legal advice on something this important on a Dear Abby basis.

Stewart

---

From: "Jack T. Smith" <JSMITH () LISTER2 LHL UAB EDU>
To: "'declan () well com'" <declan () well com>
Subject: RE: Query from a father about genetic privacy and clinical trials
Date: Fri, 6 Dec 2002 11:34:55 -0600

Declan,

As a member of the IRB for my institution (University of Alabama at
Birmingham), I can say that we review protocols that involve storage of
human materials for later genetic testing VERY carefully.

To the father who wrote the message below.  There are a variety of scenarios
that might necessitate breaking confidentiality - something goes horribly
wrong and they need to contact you, billing inquiries from the federal
government, etc.  In your Consent Form, there should be several numbers to
call if you have questions.  I would start with the IRB that approved the
protocol you are considering.  They should have a local number and an 800
number for your use.  Their job is to provide you with whatever information
you need and to answer any questions you have.

They may even have a web site that can point you to online resources.  There
are two that I would recommend to you.  First is
http://www3.cancer.gov/legis/dec01/genetic.html. This site gives brief
descriptions and status of legislation in this area.

Second is the web site of the Office for Human Research Protections.  This
office oversees the workings of all the local and group IRBs.  Their address
is http://ohrp.osophs.dhhs.gov/index.htm.

If you would like to write to me, I will be glad to help you in any way
possible.

Jack T. Smith, Jr.
Professor and Associate Director for Public Services
Lister Hill Library of the Health Sciences
The University of Alabama at Birmingham
1700 University Blvd.
Birmingham, Al  35294
(v)205.934.3306
(F)205.975.8313
(email)jsmith () uab edu

---

Declan,
As usual, I'd prefer to comment anonymously. I don't see why he can't ask for clarification about the circumstances under which the law would require disclosure. But presumably it means the data will never be voluntarily turned over. So the hospital is pledging to only turn the data over when there is a court order, subpoena or other compulsory legal process requiring disclosure. (If this is a governmental institution I'd ask for assurances that FOIA requests won't apply to this data.) In case there are circumstances where he might want to fight a subpoena and the hospital chooses not to do so, he may want to ask for language providing that he will be notified 10 days (or whatever period) in advance of any such disclosure taking place. That way he would be afforded an opportunity to seek a court order barring disclosure.

-A nameless bureaucrat

Note: I cannot give legal advice to the public b/c my client is the govt. So this person should contact an attorney of his own if he has questions about his legal rights.

---

Date: Fri, 6 Dec 2002 12:25:38 -0500 (EST)
From: Sue Blevins <sblevins () forhealthfreedom org>
To: jim.harper () privacilla org
Cc: declan () well com

Dear Jim,

The question you forwarded is a VERY important question that many Americans should be asking. This is clearly a thoughtful and intelligent father who would benefit greatly from becoming informed about the serious ramifications of the new Federal Medical Privacy Rule that was required as part of the Health Insurance Portability
and Accountability Act of 1996 (HIPAA).

My short answer to this father is that under the new Federal Medical Privacy Rule, he will have NO IDEA how many people will be able to legally access his/families' genetic information. The reason is that under the Federal Medical Privacy Rule,
citizens do NOT get an accounting of when and to whom their "personal health
information" is disclosed for "routine purposes." For example, if his/families' genetic information was disclosed to an insurance company, he would have NO WAY of finding out about the disclosure under the Federal Rule because the disclosure would be considered a "routine disclosure". The public had been MISLED by HHS in a very
big way because HHS is telling the public that they'll get an accounting of
nonroutine disclosures under the Federal Medical Privacy Rule.  But the public
doesn't understand that most disclosures will be considered routine, and thus
they'll have no idea how many times their medical information is disclosed and
shared with many others.

Now, another important fact is that under the Federal Medical Privacy Rule, there are many "permissive" disclosures (such as when required by other laws, say FDA to monitor drug reactions), but the only "required" disclosure is to the Secretary of Health and Human Services (HHS). Thus, Tommy Thompson would be free to access every citizen's personal health information (including genetic information) and redisclose it (without citizens' permission), but citizens won't get an accounting of those
disclosures.

So, the bottom line is if this concerned father wants to make sure he can control
who has access to his/families' genetic information, he has two options:

(1) Modify the "informed consent" form to have it say what he would like it to say. For example, he could say he must give his permission before the genetic information is shared for any purposes whatsoever. He should obtain legal advice from a lawyer
specializing in contract law to make sure the contract is valid; or

(2) Don't share the genetic information.

FYI--A registered nurse who has always been a blood donor told me she is no longer going to donate blood because of the weak Federal Medical Privacy Rule, which by the
way, excludes blood donations from the Federal Medical Privacy Rule.  In other
words, when citizens donate blood, that blood is not covered under the Federal
Medical Privacy Rule.

Finally, I'd recommend he seriously consider studying the Federal Medical Privacy Rule. Below are a few links that summarize the main points (from the consumer's
perspective).

I hope this is useful.

Sincerely,
Sue Blevins, President
Institute for Health Freedom
sblevins () ForHealthFreedom org
phone: (202) 429-6610

http://www.forhealthfreedom.org/Publications/privacy/IHFHosts.html
http://www.forhealthfreedom.org/Publications/Privacy/TruthAbout.html
http://www.forhealthfreedom.org/Publications/privacy/MedPrivFacts.html

---

Date: Fri, 6 Dec 2002 14:58:31 -0800 (PST)
From: eackerma () u washington edu
To: Declan McCullagh <declan () well com>
Subject: Re: FC: Query from a father about genetic privacy and clinical trials

Greetings Declan,

This information may be of use to those concerned about genetic privacy, thanks go to the state of R.I.:
http://www.healthri.org/genetics/legislation.htm

An excerpt from that page succinctly states current genetic discrimination law:
"Currently, there is no federal legislation to protect the public against genetic discrimination by insurance providers. States have varying genetic discrimination laws."

Relatedly, a good example of how disclosure plays out in the courts (in this case without any representation for, or presumably knowledge of, the medical donor/subject) can be found at:
http://www.mrsc.org/mc/courts/supreme/117wn2d/117wn2d772.htm

Note that even though that court ordered disclosure, the decision was taken very seriously and the identity isn't even now on "public" record. Like the "concerned father" indicated, in court, there is generally serious consideration & some procedural safeguarding, the disclosures people need to worry about are the low-or non-paying data handling jobs...

Ethan Ackerman
(just Ethan Ackerman)

---

Date: Fri, 6 Dec 2002 11:23:15 -0500 (EST)
From: "J.D. Abolins" <jda-ir () njcc com>
To: Declan McCullagh <declan () well com>
cc: gb () graysonbarber com
Subject: Re: FC: Query from a father about genetic privacy and clinical trials

I can't answer the concerned father's question with the expertise of an
attorney. The comments below are general observations only.

The father is pointing to a tension in law and medicine. From some law
enforcement and public safety concerns there's an interest in knowing
details of certain medical records. From medical view, anonymity or
pseudonymity can be a life saver.

For example, the lack of knowledge by a blood recipient of the donors'
identity is a great help in encouraging honesty by donors in answering
health and life practices questionnaires. To illustrate, I'll use a
fictional scenario where a fellow is about to undergo surgery and he wants
to get blood from those family members who have compatible blood types.
Now if each member of the family with compatible blood types knows that
the recipient is expecting to receive blood from them, a disqualification
might lead to difficult questions. Therefore, there is the temptation to
lie in response to questions that indicate a risk of blood borne diseases.
Perhaps the tests done on the blood will catch the presence of pathogens
in time; perhaps, the donor was recently infected and is not detectable.
That's why those questionnaires are so important. The effectiveness of the
questionnaires is strongly linked to confidentiality of the answers.

In medical research, there are similar privacy interests. If research
subjects are unlikely to cooperate or to volunteer because of the
possibility of disclosure beyond the purposes of the medical research and
unintended consequences. (E.g.; a future law allows police access to
genetic info to facilitate DNA dragnets; insurers and employers get the
info and lock out people with certain genetic sequences; etc.)

Some approaches to medical research may get around the privacy concerns
by, say, requiring all people to be tested and cataloged, mandating access
to all genetic info (along the lines of what's being done in Iceland), or
blowing away expectations of medical/genetic privacy altogether (perhaps
by arguing that one's genes are a public, not a private resource).

MIT Technology Review a couple of years ago interviewed one of the people
involved in the Iceland's contract to allow access to its people's genetic
info. The interviewed person quipped to the effect <paraphrased>: "You and
I enjoy 20th Century level of medical care because our parents and
grandparents did not have medical privacy. If you insist upon strong medical
privacy, your children and grandchildren will be doomed to a 20th-Century
level of medical care in the 21st-Century." (What's not mentioned is that there
might not have been legislated medical privacy in earlier days but there
was much practical privacy.)  I'll try to dig up that article and send you
the quote and the citations.

J.D. Abolins
Meyda Online -- Infosec & Privacy Studies
Web site: http://www.MeydaOnline.com

---

From: "frank20" <frank20 () cox net>
To: <declan () well com>
References: <5.1.1.6.0.20021206110209.026898e8 () mail well com>
Subject: Re: Query from a father about genetic privacy and clinical trials
Date: Fri, 6 Dec 2002 11:35:13 -0600

'Concerned Father' has every reason to be concerned.

The protection of 'Individually Identifiable Health Information' (IIHI)
(often also referred to as 'Personal or Private Health Information' (PHI))
is of sufficient concern that regulations under the Health Insurance
Portability and Accountability Act (HIPAA) have been approved and will soon
(during 2003) go into effect. The new Privacy regulation essentially defines
IIHI / PHI as health data that can be directly connected to an individual
(based on name, address, or any of some 18 demographic identifiers) and
establishes strict rules (backed by both criminal and civil penalties) for
storage, transfer, sharing, release, etc of such IIHI/PHI. Under the rules,
for example, the 'health data' itself, when 'de-identified' (i.e., all the
info connecting the data to a specific individual), can be shared for
research purposes; when the health data is coupled with all or part of the
data that identifies an individual, it can only be shared under specific
circumstances, through specified channels, all intended to ensure that the
situation envisioned by 'Concerned Father' doesn't happen.

Unfortunately, the regulations promulgated under HIPAA will not be applied
to every member of the healthcare community...at least as currently written.
Essentially, the 'reach' of the Government is limited to situations where
electronic transfer of such information happens. This means that there are
'covered entities' to whom the rules will apply...the rest are outside the
HIPAA regs.

As a general rule, most healthcare providers, payers, and claims processors
now handle insurance claims electronically. These folks are thereby 'covered
entities' and will have to comply with the new regulations. This means, for
'Concerned Father', that if he were admitted to a typical Hospital and
underwent tests that showed the genetic marker of concern, that info is
reasonably safe from release to other agencies. (I say reasonably because,
unless you have the Security and Privacy controls of a Hospital inspected /
vetted by someone you know and trust, how can you really be sure?)

The real problem is going to be situations where IIHI/PHI is collected by
entities that are 'not covered' and thus not subject to the regulations at
all.

Example 1: Your employer has an on-site clinic to handle minor accidents /
health problems that occur at work. You do not pay for treatment...in fact,
nothing done by the Doctor or Nurse or their staff defines them as a
'Covered Entity'. In this case, whatever personal health information is
collected is 'protected' only by the medical staff's conscience and whatever
rules the State where the clinic is may have. It is likely perfectly legal
for the clinic to share its information on you with the employer who
underwrites the clinic...or anyone else.

Example 2: Situation referenced by 'Concerned Father', you are asked to
participate in a study, perhaps underwritten by an insurance company or a
pharmaceutical firm. You don't 'pay' for anything, etc., and organization,
again, doesn't fit criteria of a 'Covered Entity'. Again, level of
protection 'guaranteed' is low. Depending on rules of State where study is
conducted, self-imposed rules of organization doing study, conscience of
study managers, etc, your 'protection' may range from 'great' to
'non-existent'. And, once more, it will be really hard for an individual to
know what the real situation is.

Please note that (1) I am not a lawyer; (2) I have been working with HIPAA
and its implications for IT for quite some time; and (3) I am in a
situation like that of 'Concerned Father', as I have children with similar
medical conditions. You can find out a lot more on this subject by looking
into HIPAA at the CMS site dedicated to this subject
(http://cms.hhs.gov/hipaa/ )

Frank J. Hannaford

---

From: "Crawford, William"
To: "'Declan McCullagh '" <declan () well com>
Subject: RE: Query from a father about genetic privacy and clinical trials
Date: Fri, 6 Dec 2002 14:38:14 -0500

Not a lawyer, but I have been involved with the IT aspects of this for a while, and asked a few questions around the office to confirm my previous understanding: The data protections surrounding clinical trial data are, in general, very good, and enforced by Federal law. Unblinding a trial, i.e. revealing the names of participants, rather than the ID numbers that are used through the course of the clinical research process, requires a subpoena. The NIH interns won't have access, certainly (having met some of them, I can assure it). Patients are generally identified within systems by number only.

Of course, there are always risks, as when any secret is shared more broadly than between yourself and the cat, but the penalties for distributing this data are quite high and the barriers, both legal and technical, are very extensive.

The FDA maintains some good resources on this at www.fda.gov, although you have to dig around.

Will
(www.williamcrawford.info, rather than my email address above, if you share this; thanks).

---

Date: Fri, 6 Dec 2002 15:34:30 -0500
From: Mathias Wegner <mwegner () cs oberlin edu>
To: Declan McCullagh <declan () well com>
Subject: Re: FC: Query from a father about genetic privacy and clinical trials

Please pass this along to The Concerned Father

The Alliance of Genetic Support Groups has more information than you can shake a stick at, and it almost certainly has information on the particular disease and on situations like the one described. If the website doesn't have the info you need, the helpline
will (or a referral to someone who does know).

www.geneticalliance.org

Mathias

---

Date: Fri, 6 Dec 2002 15:41:30 -0800 (PST)
From: Eugene Strupinsky <estrupin () yahoo com>
Subject: Re: FC: Query from a father about genetic privacy and clinical trials
To: declan () well com

Declan,

As a law student who's done well in Bioethics last year, I'll chime in with the following: The most important question is what the hospital (or whoever is conducting the study) thinks the privacy restriction means. This depends on state laws and the practices of the hospital. Will the hospital disclose names to a curious insurance company? (We'd like to think not) What are the 'sunshine laws' of the state?

If the hospital means "as required by law as compelled on individual bases," will it disclose during civil discovery or upon a criminal subpoena or warrant? If this is the case, at least the Parent will have notice and an opportunity to consult with their own lawyer.

Parent's concern is understandable, and I would recommend sitting down with the hospital's attorney and possibly their own to go over the agreement. That's just what you have to do with contracts.

Eugene Strupinsky

---

From: codehead () ix netcom com
To: Declan McCullagh <declan () well com>
Date: Fri, 6 Dec 2002 16:29:47 -0800

Declan,

Obviously IANAL, although I recently did a paper on potential
cryptographic protection for an individual's genome--controllable by
the individual, of course.

Here's the current status:

1.  Several bills have been introduced in the House and Senate in
the U.S. that usually have the following common characteristics:
(a) the same protection for genetic records as for other medical
data; (b) prohibition against health insurance companies forbidding
them from refusing insurance based on genomic information; (c)
prohibition against employers against hiring/firing on genomic
grounds.  None of these bills has ever passed both houses.  It's
my opinion that they never will if the pressure of public opinion
doesn't overwhelm the insurance lobby's pressure.  (Perhaps I
should mention that some European governments have passed
relatively strong genetic privacy legislation, but like most privacy
laws that get passed in European countries, the government is
generally exempt.)

2.  Some legal protection, which I consider to be relatively weak,
exists because of regulatory case law.  In the late 90s, Burlington-
Northern decided to test all employees coming down with carpal
tunnel syndrome for a genetic trait that causes the disease in a
minority of cases.  They then fired all people who tested positive
for this gene.  The EEOC eventually ruled that all of the firings were
illegal, and set up a doctrine that people could not be denied hiring
or be fired because of genes.  Some legal experts question the
capability of the EEOC to set such a policy, and this may be headed
eventually for a showdown in the courts.

Frankly, like other private information, whether your correspondent
decides to give out such information is dependent on how much he
trusts the researchers.  While I don't realistically expect that most
researchers will roll over nearly as easily as say, AOL, when
asked for information, it's important to recognize that many of them
do not have the budgets to support the legal defense of somebody
else's genetic privacy.  To be fair, let me point out that medical
researchers go to great lengths to protect privacy, and generally
only one or a few people out of many ever have access to
identifying information.  However, accidents do happen, such as
the case a couple of years ago when a medical database at
University of Washington medical school was hacked and
thousands of names were revealed.

A few states have passed laws to protect genetic privacy, but
they are by far the exception.  Your correspondent may wish to do
further research on his own state's laws to see what kind of
coverage he has.

The only real protection anybody has right now as far as their
genome goes is "security by obscurity" and, as cypherpunks
know, simply not giving out the information in the first place.  It
costs so much to sequence somebody's genome--$400K is the
best rate I've found--that it's simply not economic for anyone to go
fishing.  However, looking for a single gene out of 40,000 or so is
often much, much cheaper.  It's the testing by interested parties for
a few genes that will become controversial in the next few years,
the equivalent of the urine test.

In any case, the sequencing of all of a person's genome should be
down to under $1,000 in 10 years.  That's cheap enough that
almost any health or life insurance company, and most employers,
would find this economical.  (Potential marriage partners may want
a peek, too, just as some are now purchasing credit records and
background checks on prospective mates.)  Within 5 years after
that, sequencing will be cheap enough to use as biometric
identification, and the potential for abuse by both public and private
entities will be very high.

Declan, I personally am unwilling to gamble on what future law will
come about to protect genetic privacy.  I'm very hesitant to depend
on protection that is weak now and could change at any time,
recognizing that there's a lot of money and influence behind those
interests who really would like to know that kind of information--
and be able to use it.  If I really, really wanted to participate in the
trial, I'd consider not using my true name.  The researchers don't
need it anyway, as long as they can compile data over time, and
don't lose track of their subjects.  Or I would simply hold off on
joining the trial and wait for the technology to develop to the point
where I could anonymously take advantage of it.  This is not much
comfort for this man, and it's unfortunate that no good mechanism
currently exists that provides for individual-controlled genetic
privacy.

Emily S.
(who spent the last two weeks doing gene splicing of e.coli to
confer some lovely multiple antibiotic resistance on them--I just
hope I never ingest one of those beauties.  And yes, I'm becoming
a biopunk.)

---

From: "Thomas Leavitt" <thomasleavitt () hotmail com>
To: <declan () well com>
Subject: Re: Query from a father about genetic privacy and clinical trials
Date: Fri, 6 Dec 2002 18:07:00 -0800

Declan,

 It is worth pointing out that under a "single-payer" health insurance
system, accompanied by reasonable forms of social security (structural forms
that spread the risk out over the entire population and age spectrum, thus
preventing "free riders" from opting out when they can expect to be healthy,
and opting in when not), the primary motivations for this gentleman's
concerns would simply not be operative - if everyone is insured and legally
entitled to reasonable care, then not being able to obtain health insurance,
etc. is simply not an issue.

 It is not economically efficient for society as a whole for these
individuals (and others in similar situations), to exclude themselves from
the research pool or deliberately remain ignorant of their future risks as a
means of self-protection.

 As genetic research proceeds, this will become more and more of an issue -
"single payer" health insurance may not be the solution; I appreciate there
is substantial debate about that, but I think it is clear that the current
structure under which the health of American citizens is protected has
substantial flaws when confronted with issues of this sort.

Regards,
Thomas Leavitt





-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
Recent CNET News.com articles: http://news.search.com/search?q=declan
-------------------------------------------------------------------------

