National Academies Press: OpenBook

Returning Individual Research Results to Participants: Guidance for a New Research Paradigm (2018)

Chapter: Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research

« Previous: Appendix B Public Agendas
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 237
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 238
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 239
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 240
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 241
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 242
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 243
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 244
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 245
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 246
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 247
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 248
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 249
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 250
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 251
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 252
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 253
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 254
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 255
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 256
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 257
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 258
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 259
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 260
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 261
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 262
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 263
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 264
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 265
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 266
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 267
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 268
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 269
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 270
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 271
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 272
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 273
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 274
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 275
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 276
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 277
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 278
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 279
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 280
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 281
Suggested Citation:"Appendix C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research." National Academies of Sciences, Engineering, and Medicine. 2018. Returning Individual Research Results to Participants: Guidance for a New Research Paradigm. Washington, DC: The National Academies Press. doi: 10.17226/25094.
×
Page 282

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

C Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research1 EXECUTIVE SUMMARY, C-3 INTRODUCTION, C-5 I. Background, C-5 A. Legal Landscape, C-5 B. Regulatory Landscape, C-5 C. Legal Hierarchy, C-6 D. Conceptual Distinctions, C-6 REGULATORY LANDSCAPE, C-8 II. CLIA, C-8 A. Scope, C-8 B. Original Access Rule, C-10 C. New Access Rule, C-10 D. Original Versus New Access Rule, C-11 E. Enforcement, C-11 III. State Laws Equivalent to CLIA, C-12 A. Washington, C-12 B. New York, C-12 IV. HIPAA, C-13 A. Scope, C-13 B. Original Access Rule, C-15 C. Revised Access Rule, C-16 1 A white paper commissioned by the National Academies of Sciences, Engineering, and Medicine’s Committee on the Return of Individual-Specific Research Results Generated in Research Laboratories, written by Christi J. Guerrini, J.D., M.P.H., Baylor College of Medicine. PREPUBLICATION COPY: UNCORRECTED PROOFS C-1

C-2 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS D. Enforcement, C-19 V. CLIA–HIPAA Interactions, C-20 A. Overview of Legal Obligations Related to Access, C-20 B. Potential Conflicts Between CLIA and HIPAA, C-20 C. Institutional Responses, C-22 1. Institutional Policies, C-22 2. Case-by-Case Determinations, C-22 VI. Federal Human Research Subject Protections, C-23 1. Common Rule, C-23 1. Current, C-23 2. Pending Revisions, C-23 B. FDA Protections, C-25 VII. FDA Regulations, C-26 A. Scope, C-26 B. Return of Results as Relevant to Regulation of LDTs, C-26 C. Return of Results as Relevant to IDE Requirements, C-27 D. Interpretation of Results as Relevant to Unlawful Promotion, C-30 OTHER LEGAL ISSUES, C-31 VIII. Property Rights, C-31 IX. Tort Liability, C-32 A. Non-Disclosure Liability, C-32 B. Fiduciary Relationships, C-32 C. Special Relationships, C-34 D. Scope of Duties, C-35 E. Disclosure Liability, C-36 X. Anti-Discrimination Statutes, C-37 A. Federal Statutes, C-37 1. Genetic Information Nondiscrimination Act, C-37 2. Americans with Disabilities Act, C-39 B. State Statute, C-40 PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-3 EXECUTIVE SUMMARY This memorandum describes the U.S. legal and regulatory landscape relevant to the return of individual results generated from biospecimens in research. The Clinical Laboratory Improvement Amendments of 1988 (CLIA) requires certification (or waiver of certification) of all laboratories, which are defined as facilities where human specimens are examined for the purpose of providing information for diagnosis, prevention, treatment, or health assessment. However, research laboratories need not become certified so long as they do not report results to tested individuals, their physicians, or researchers, where the results could be used for diagnostic, preventative, treatment, or health assessment purposes. Since 2000, the Health Insurance Portability and Accountability Act (HIPAA) has provided individuals with a right of access to inspect and obtain a copy of their protected health information that is contained within a designated record set, which is defined broadly as any record used by covered entities to make any kind of decision about individuals. So defined, the designated record set may include laboratory test reports and related information. Research laboratories are HIPAA-covered entities if they electronically conduct at least one billing-related transaction or function as part of a larger covered entity, such as a hospital or academic medical center. Before 2014, all laboratories, including research laboratories, were not only exempted by HIPAA from compliance with the right of access, but also were prohibited by CLIA from returning laboratory test results directly to tested individuals unless explicitly authorized to do so by state law. In 2014, however, both CLIA and HIPAA were amended to require all HIPAA- covered laboratories, including HIPAA-covered research laboratories, to comply with the right of access. It is generally recognized that these amendments have created a dilemma for research laboratories that are covered by HIPAA but not certified by CLIA. To comply with the expanded access rules, these laboratories must now return test reports and related information contained within designated record sets when individuals request them to do so, but research laboratories cannot do so without becoming CLIA-certified. Yet, CLIA certification is time consuming and expensive, and it may be unrealistic to require all research laboratories to become CLIA-certified in order to comply with HIPAA. Some institutions have responded to this dilemma by adopting policies that interpret the designated record set to exclude some research-related information or by making case-by-case determinations to return certain research results even if generated by laboratories that are not CLIA-certified. The return of research results is also relevant to regulations for the protection of research participants. These include the Federal Policy for the Protection of Human Subjects (also known as the Common Rule) and relevant regulations adopted by the Food and Drug Administration (FDA). Neither set of regulations explicitly allows or prohibits the return of results to study participants. However, they both require that, where appropriate, research participants be informed of significant findings that may relate to participants’ willingness to continue participation. Moreover, pending revisions to the Common Rule will require that plans to return results be provided as an element of informed consent in some circumstances. In practice, when a study protocol includes a plan to return results, an institutional review board (IRB) will review the plan to ensure its benefits outweigh its risks. While IRBs can prohibit investigators from returning results, however, they cannot block access when study participants request results PREPUBLICATION COPY: UNCORRECTED PROOFS

C-4 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS under HIPAA. The return of individual research results is relevant to other FDA regulations related to the agency’s responsibility to protect and promote public health by ensuring the safety and effectiveness of medical drugs and devices, which include laboratory tests. First, the return and subsequent use of results generated by laboratory-developed tests (LDTs) have factored into FDA interest in abandoning its policy of enforcement discretion of LDTs. The return of results directly to consumers also has played a role in FDA regulation of specific genetic tests. Further, FDA regulation of investigational devices, including laboratory tests, depends in part on whether and how results from such devices will be returned. Finally, the communication of interpreted research results in some cases may constitute prohibited promotion of devices. In general, state courts have not viewed research results, including data generated from genetic tests, as legal property belonging to research participants. However, in the context of genetics, some states, including Colorado and Alaska, have enacted statutes that explicitly recognize property rights of individuals in their test results. Individuals can also privately agree to allocate rights in test results that are different from default legal rules. The return of research results may give rise to tort liability under state law for researchers and laboratories. Tort liability associated with the return of research results can generally be categorized as non-disclosure liability or disclosure liability; the most probable cause of action for both is negligence. In general, individuals owe a duty of reasonable care under the circumstances, but tort law imposes no affirmative duties to act for another's benefit and individuals are not required to warn others of impending harm. A number of factors can overcome this general tort law notion that individuals do not owe others affirmative duties, however, including the existence of a fiduciary relationship or other “special relationship,” as well as contractual obligations. While physicians are held to be fiduciaries of their patients, researchers are generally not viewed as fiduciaries of their research participants. Nevertheless, in some cases, researchers have been held to have a “special relationship” with their research participants giving rise to affirmative duties. Whether those duties include the return of certain test results depends on the prevailing standard of care. Researchers who return results must do so consistent with the standard of care and regulatory requirements. Many kinds of actions associated with the return of research results may give rise to tort liability, including disclosure of incorrect results as a result of, e.g., improper test administration. Meanwhile, disclosure of results to individuals who are not authorized to receive them may give rise to negligence claims where, among other things, the tested individual suffered discrimination as a result. There is a complex web of federal and state laws that address unwanted access to and discriminatory use of health information. Two major federal statutes are the Genetic Information Nondiscrimination Act (GINA), which limits access to and use of genetic information in health insurance and employment contexts, and the Americans with Disabilities Act (ADA), which limits discrimination against individuals with disabilities in employment, public services, and public accommodations contexts. However, GINA and the ADA do not preempt state laws that provide equal or greater protection, and over the years, many state anti-discrimination statutes have been enacted that vary widely in scope and applicability. The majority of states have enacted laws that regulate employment and/or insurance discrimination based upon genetic test results or genetic status, and some also regulate genetic discrimination by life, disability, or long- term care insurers. PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-5 INTRODUCTION I. Background A. Legal Landscape This memorandum describes the legal and regulatory landscape relevant to the return of individual results generated from biospecimens in research. Black’s Law Dictionary defines law broadly as “[t]he body of authoritative grounds of judicial and administrative action” (Garner, 2014). The legal landscape of a particular issue therefore encompasses the collective legal rules and practices that are followed when deciding controversies relevant to that issue. The legal landscape consists of: federal and state constitutions (constitutional law), federal and state statutes (statutory law), federal and state regulations and administrative practices (administrative law), and laws and principles derived from federal and state judicial decisions (common law). B. Regulatory Landscape The legal landscape relevant to a particular issue necessarily includes its regulatory landscape. The regulatory landscape refers to the regulations adopted and practices followed by administrative agencies, such as the Department of Health and Human Services (HHS). Within the regulatory landscape, agency action can be classified as rulemaking or adjudication (Koch and Murphy, 2017, Sect. 2.10). Focusing on the rulemaking power of agencies, many agencies are authorized to issue what are known as legislative rules that grant legal rights to or impose legally binding obligations or prohibitions on regulated parties (O’Reilly, 2017, Section 2.3). Legislative rules must be issued in accordance with notice-and- comment procedures (Koch and Murphy, 2017, Sect. 4.10). Examples of legislative rules include regulations implementing CLIA2 and the Health Insurance Portability and Accountability Act (HIPAA).3 Final legislative rules are codified in the Code of Federal Regulations (Koch and Murphy, 2017, Sect. 1). They are also published in the Federal Register and are typically preceded by a preamble that describes the regulatory changes taking effect (O’Reilly, 2017, Sect. 10.1, 12.1). Although a preamble cannot control the meaning of a regulation and so does not itself have the force of law (O’Reilly, 2017, Sect. 10.2),4 courts have recognized that a preamble may serve as evidence of “contemporaneous agency intent” regarding the meaning and operation of the regulation.5 2 42 C.F.R., Sect. 493 (2017) (implementing CLIA). 3 45 C.F.R., Sect. 160, 162, 164 (2017) (implementing HIPAA). 4 However, an agency’s own procedural rules may give a Federal Register preamble more authority. See, e.g., 21 C.F.R., Sect. 10.85(d)–(e) (providing that a Federal Register preamble constitutes an FDA advisory opinion that FDA is obligated to follow until it is amended or revoked). 5 Wyo. Outdoor Council v. U.S. Forest Serv., 165 F.3d 43, 53 (D.C. Cir. 1999) (“Although the preamble does not ‘control’ the meaning of the regulation, it may serve as a source of evidence concerning contemporaneous agency intent.”); see also City of Las Vegas, Nev. v. F.A.A., 570 F.3d 1109, 1117 (9th Cir. 2009) (“When a regulation is ambiguous, we consult the preamble of the final rule as evidence of context or intent of the agency promulgating the regulation.”). PREPUBLICATION COPY: UNCORRECTED PROOFS

C-6 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS In addition to legislative rules, agencies may adopt procedural rules directed at organizing and improving their operations and interpretive rules that interpret a statute or another rule (O’Reilly, 2017, Sect. 2.4–2.5). Because neither procedural nor interpretive rules create new duties, rights, or obligations, they may be issued without following notice-and- comment procedures (O’Reilly, 2017, Sect. 2.4–2.5). Finally, and similar to interpretive rules, general policy statements (sometimes set forth in or labeled as “guidance documents,” “guidelines,” or “manuals”) are announcements to advise the public prospectively of the manner in which an agency proposes to exercise its discretionary powers (O’Reilly, 2017, Sect. 2.6). Like an interpretive rule, a general policy statement does not purport to establish a binding norm and so does not have the force of law (O’Reilly, 2017, Sect. 2.6). Nevertheless, courts hold that it is prudent to give deference to interpretive rules and policy statements (Kock and Murphy, 2017, Section 10). C. Legal Hierarchy The U.S. legal system functions as a hierarchy that dictates how different categories of law rank in authority. The U.S. Constitution is the supreme law of the land (C.J.S., 2017). Because no federal or state law may contradict it, federal constitutional law represents the highest legal authority (C.J.S., 2017). Second in rank is federal statutory law, which is enacted by Congress and must be followed by the states, and third is federal regulations that interpret federal statutes (Harnad et al, 2017). The lowest legal authority in the federal system is federal common law (Glennon, 1985). In the event of a conflict between a federal law and state law, the federal law preempts the state law (American Jurisprudence, 2017, Sect. 227). However, states can generally offer greater protections than federal law, and when this occurs, there is no conflict and the state law controls (American Jurisprudence, 2017, Sect. 13, 218). Moreover, state laws generally can address issues that are not addressed by federal law so long as they do not violate the U.S. Constitution or the state’s constitution (American Jurisprudence, 2017, Sect. 11, 13). At the state level, the highest legal authority is the state’s constitution, followed by state statutes, state regulations, and, finally, state common law (American Jurisprudence, 2017, Sect. 11). D. Conceptual Distinctions At the outset, it is important to acknowledge certain conceptual distinctions that are relevant as a legal, practical, or technical matter to this analysis. First, there is a generally recognized distinction between research and clinical care (Wolf, 2012). Research is focused on the production of generalizable knowledge, where the responsibility of researchers is to preserve the integrity of the research process (Burke et al, 2014). While researchers are obligated to minimize harms to participants, they do not have a duty to optimize participants’ health (Burke et al, 2014). By contrast, the responsibility of clinicians is to provide care directed to the best interests of patients (Burke et al, 2014). PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-7 The distinction between research and clinical care is central to laws and responsibilities relevant to the conduct of research and medical practice (Wolf, 2012).6 In addition, the distinction is used for practical purposes to classify, e.g., results of laboratory tests of biospecimens as research results or clinical results and laboratories that perform such tests as research laboratories or clinical laboratories. Distinctions can also be made between the kinds of information generated by laboratory tests. These include uninterpreted raw data and interpreted findings. In the context of a genetic test, uninterpreted raw data are sequencing data, whereas an interpreted finding might be information that the test identified a genetic variant that increases one’s risk of developing a particular disease or condition.7 For the sake of simplicity, this analysis will refer to the spectrum of information generated by laboratory tests of biospecimens generally as “results” except where finer distinctions are required. In a research context, test results may be relevant to primary study aims, or they may describe incidental or additional findings (Evans, 2014). Research results can further be distinguished based on whether they pertain to individual research participants or are aggregated and reported as general study results (OHRP, 2015a) as well as according to when the results are generated in research—at baseline, while the research is in process, or at study’s end (OHRP, 2016). Furthermore, test results may be those that were originally generated (and possibly also reported), or they may be results that are later revised to correct errors or reflect new knowledge (see Part IX, below). Test results may be linked (or not) to research participants according to different standards. Thus, de-identified results can be linked to specific individuals but information that would identify those individuals with the results has been removed in accordance with HIPAA standards.8 Non-identified results can also be linked to known individuals but identifying information has been removed in accordance with the Federal Policy for the Protection of Human Subjects (also known as the Common Rule), which prescribes standards that are different than HIPAA standards.9 Re-identified results are de-identified or non-identified results whose links to known individuals have been restored. Finally, distinctions can be made regarding to whom test results are returned. Depending on applicable laws, results can be returned to the individuals whom they describe, their relatives, or other authorized persons (Wolf et al., 2015). Distinctions also can made between returning results when the individuals to whom they pertain are alive versus deceased, as well as when the individuals, if alive, are capacitated versus incapacitated (Wolf et al., 2015). 6 However, Wolf also explains that the discovery that research credibly generates clinically significant information has challenged this traditional dichotomy (pp. 443–445). For a discussion of the relevance of the clinical care– research distinction to tort liability, see Part IX. 7 See Adrian Thorogood et al., APPLaUD: Success for Patients and Participants to Individual Level Uninterpreted Genomic Data, 12 Human Genomics 7, 7-8 (2018) (distinguishing uninterpreted raw data from interpreted results); Anna Middleton et al., Potential Research Participants Support the Return of Raw Sequence Data, 52 J. Med. Genetics 571, 571 (2015) (same). 8 45 C.F.R., Sect. 164.514(b) (describing process of de-identification). 9 45 C.F.R., Sect. 46.101(b)(4), 102(f) (defining research to involve identifiable private information and describing exemption for research involving existing non-identified data and biospecimens); see also OHRP (2008) describing process of non-identification by coding. PREPUBLICATION COPY: UNCORRECTED PROOFS

C-8 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS REGULATORY LANDSCAPE II. CLIA A. Scope The Centers for Medicare & Medicaid Services (CMS) is responsible for administering the regulatory standards governing laboratories known as CLIA10. CLIA establishes quality standards for laboratories to ensure the accuracy, reliability, and timeliness of individual test results. CLIA defines regulated “laboratories” as any facility for the . . . examination of materials derived from the human body for the purpose of providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings.11 CLIA requires certification (or waiver of certification) of all laboratories, so defined, except “CLIA exempt” laboratories,12 which have been licensed by a state that has enacted laws relating to CMS-approved laboratory requirements “that are equal to or more stringent than CLIA requirements.”13 As discussed in Part III, CMS has approved the licensure programs of Washington and New York. Licensed laboratories in these states therefore qualify as “CLIA exempt.” CLIA further provides that its rules do not apply to “components or functions” of certain laboratories that are referred to as “exceptions.” For purposes of this analysis, the most important CLIA exception covers [r]esearch laboratories that test humans but do not report patient specific results for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of, the health of individual patients.14 CMS has interpreted this provision to mean that “only those facilities performing research testing on human specimens that do not report patient-specific results may qualify to be excepted from CLIA certification” (CMS, 2014a; emphasis in original). If a research laboratory intends to report individual-level results, and those results “will be or could be” used to diagnose, treat, prevent, or assess human health, the lab must first obtain CLIA certification.15 In practice, CMS has taken the position that a research laboratory may not report individual-level research results to any person or entity where “[t]he results are available to be used for health care for individual 10 FDA and the Centers for Disease Control and Prevention also have responsibilities related to CLIA. See FDA, Clinical Laboratory Improvement Amendments (CLIA), fda.gov, https://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/IVDRegulatoryAssistance/ucm124105.htm (last updated March 22, 2018) – access date: June 26, 2018 11 42 C.F.R., Sect. 493.2. 12 42 C.F.R., Sect. 493.3(a). 13 42 C.F.R., Sect. 493.2. 14 42 C.F.R., Sect. 493.3(b)(2). 15 42 C.F.R., Sect. 493.3(b)(2). PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-9 patents,” unless the laboratory is CLIA-certified (Myers, 2011).16 Thus, a research lab may not report individual-level test results to the tested individual or their clinician unless the laboratory is CLIA-certified.17 Furthermore, a research laboratory may not report individual-level test results to investigators where those results could be used in the treatment of research participants, which includes the assignment of participants to control and treatment arms.18 Table C-1 summarizes these three categories of laboratories: labs regulated by CLIA and requiring CLIA certification, CLIA-exempt labs, and research labs that are exceptions to CLIA. TABLE C-1 CLIA Categories of Laboratories CLIA Definition CLIA Certification Required? Labs “[F]acilit[ies] for the . . . examination of materials derived from Yes regulated by the human body for the purpose of providing information for CLIA the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings” CLIA-exempt Laboratories licensed by states that have “enacted laws No, but subject to, labs relating to CMS-approved laboratory requirements that are CMS-approved, equal to or more stringent than CLIA requirements” state regulations Research Facilities “that test humans but do not report patient-specific No labs results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of, the health of individual patients” Laboratories may obtain waivers from CLIA to the extent that they perform only tests that: are so simple and accurate that the likelihood of error is negligible; pose no reasonable risk of harm if performed incorrectly; or are cleared by FDA for home use.19 With respect to genetic testing, there has been a trend in recent years of unbundling the collection of biospecimens and test administration from data interpretation services (Curnutte et al., 2014). Because CLIA is limited to the regulation of laboratories, legal scholars have noted that the act should not extend to firms offering only interpretation services (Javitt and Carner, 2014). CMS is currently considering its position on this issue.20 16 Moreover, it is CMS’s position that research labs returning results cannot avoid the requirement of CLIA certification by including disclaimers that, e.g., the testing was conducted in a research setting and/or the clinical meaning of the results is unknown. Telephone communication with Penelope Meyers, technical director, Division of Laboratory Services, CMS (Nov. 16, 2017). See also Ledbetter and Faucett (2008), noting the misconception that CLIA allows research laboratories to return results and “simply qualify [them] with statements (verbal or written) that testing was done on a research basis.” 17 Telephone communication with Penelope Meyers, technical director, Division of Laboratory Services, CMS (Nov. 16, 2017). 18 Telephone communication with Penelope Meyers, ibid. 19 42 C.F.R., Sect. 493.15. 20 Telephone communication with Karen Dyer, Director, Division of Laboratory Services, CMS (Dec. 14, 2017). PREPUBLICATION COPY: UNCORRECTED PROOFS

C-10 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS B. Original Access Rule Until 2014 CLIA restricted the disclosure of laboratory test results follows: [T]est results must be released only to authorized persons and, if applicable, the individual responsible for using the test results and the laboratory that initially requested the test.21 CLIA defines an “authorized person” as “an individual authorized under State law to order tests or receive test results, or both.”22 Thus, until 2014, laboratories were legally permitted to release results only to health care providers, ordering laboratories, and persons authorized by state law to order tests or receive test results. In states that did not provide for direct access to laboratory test results, individuals were required to request and obtain their results through their ordering providers (CMS, 2014b). C. New Access Rule Seeking to harmonize the existing CLIA access rule with revisions to the HIPAA access rule (see Part IV, infra), in 2014, HHS amended CLIA to expand individuals’ access to their laboratory test results. HHS did so by retaining the original CLIA access rule and adopting a new provision that: Upon request by a patient (or the patient’s personal representative), the laboratory may provide patients, their personal representatives, and those persons specified under [the HIPAA access rule], as applicable, with access to completed test reports.23 The new rule does not define a “completed test report,” although HHS explained in the Federal Register preamble to the new access rule that it considers test results to be “complete” when “all results associated with an ordered test are finalized and ready for release.”24 HHS further clarified that laboratories are not required to provide any interpretation of the test reports that they provide.25 The new rule provides that the return of completed test reports is discretionary (“may”) in the identified circumstances. Thus, to the extent that the return of completed test reports to individuals would conflict with a state law that prohibits disclosure without provider consent, the state law controls unless it is preempted by another federal law, such as HIPAA.26 (See Part IV infra.) 21 42 C.F.R., Sect. 493.1291(f). 22 42 C.F.R., Sect. 493.2. 23 42 C.F.R., Sect. 493.1291(l). 24 CLIA Program and HIPAA Privacy Rule Final Rule, 79 Fed. Reg. 7290, 7295 (Feb. 6, 2014). 25 CLIA Program and HIPAA Privacy Rule Final Rule, 79 Fed. Reg. 7290, 7293 (Feb. 6, 2014). 26 See Part IV. PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-11 D. Original Versus New Access Rule Today, both the original and new CLIA access rules apply to all requests for access to results of tests performed by CLIA-regulated laboratories. Table C-2 describes some key distinctions between the rules. TABLE C-2 Original vs. New CLIA Access Rule* Original Access Rule New Access Rule Who may request N/A Patients access? Patients’ personal representatives Who may obtain Individuals responsible for using Patients access? test results Patients’ personal representatives Labs initially requesting results Individuals designated by Individuals authorized by state law requestors (as provided in HIPAA) to order tests Individuals authorized by state law to receive test results What may be “Test results” “Completed test reports” obtained? NOTE: * Both the original and new CLIA access rules are legally in effect. E. Enforcement CMS is authorized to enforce CLIA. Its principal enforcement mechanism is the suspension, limitation, or revocation of a laboratory’s CLIA certificate, which also can result in the cancellation of a laboratory’s approval to receive Medicare payments for its services.27 For research laboratories that are not CLIA-certified, CMS generally has two enforcement options: (1) impose a civil money penalty of $50–$10,000 per day of noncompliance per violation, depending on whether the deficiency poses an “immediate jeopardy”; or (2) file a civil lawsuit to enjoin the continuation of any activity that CMS has reason to believe constitutes a “significant hazard to the public health.”28 CMS publishes a laboratory registry every year identifying laboratories and individuals that have been sanctioned for CLIA violations (CMS, 2017a). Based on these registries, there do not appear to have been any actions taken against laboratories that involved the return of research results. Furthermore, a search of CMS’s website did not identify any published hearing decisions involving research laboratories (CMS, 2017b). Otherwise, there are few known instances in which CMS has used less formal mechanisms to enforce CLIA against research labs that returned or planned to return individual- level results. The most recent such instance involved ORIG3N, a direct-to-consumer (DTC) genetic testing firm that offers genetic tests purporting to identify genetic variants associated with intelligence, athleticism, and metabolism (ORIG3N, 2018). After ORIG3N announced plans to give away tests at a Baltimore Ravens game in September 2017, CMS intervened to examine whether those tests are subject to CLIA (Barker, 2017). ORIG3N claimed to be outside the scope 27 42 C.F.R., Sect. 493.1806(a)–(b). 493.1840(a)–(b), 493.1846(a). 28 42 U.S.C., Sect. 263a(h)–(j); 42 C.F.R., Sect. 493.1806(c)(3)–(d), 493.1834(a)–(d), 493.1846. PREPUBLICATION COPY: UNCORRECTED PROOFS

C-12 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS of CLIA as a “research laboratory that does not provide patient specific results,” but instead provides results to “customers.”29 CMS rejected this characterization, however, and concluded that ORIG3N is subject to CLIA because it provides information for health assessment purposes and CMS directed ORIG3N to apply for certification.30 III. State Laws Equivalent to CLIA CMS has determined that the laboratory licensure programs of Washington and New York are equivalent to CLIA requirements and so laboratories in these states can qualify as “CLIA exempt” (CMS, 2018). A. Washington Washington law regulates “medical test sites,” which are defined as any facility or site “which analyzes materials derived from the human body for the purposes of health care, treatment, or screening.”31 Washington provides exceptions for two kinds of facilities, neither of which is relevant to this analysis.32 When asked whether research laboratories are considered medical test sites that require certification, an official with the Washington State Department of Health explained that if a research laboratory “is giving out results that get to patients and/or providers,” the testing will be considered clinical testing by a medical test site subject to state regulation.33 In this respect, Washington’s rule prohibiting the return of research results generated by unlicensed laboratories is identical to the CLIA prohibition.34 The default access rule in Washington requires that “test reports” be released to “authorized persons or designees,” which are defined as individuals allowed by state law to order tests or receive test results.35 After the new CLIA access rule was enacted, Washington adopted a similar provision that test reports may be released to patients and their personal representatives.36 B. New York New York law regulates “clinical laboratories” that are located in New York or that accept specimens from New York.37 New York’s definition of clinical laboratories is somewhat similar to CLIA’s definition of laboratories except that New York’s regulations also encompass laboratory testing for forensic and identification purposes.38 29 Letter from Karen Dyer, director, Division of Laboratory Services, CMS, to Kate Blanchard, chief operating officer, ORIG3N (Oct. 30, 2017) (on file with author). 30 Letter from Karen Dyer, ibid. 31 Wash. Admin. Code, Sect. 246-338-001, 246-338-010(25) (2017). 32 Wash. Admin. Code, Sect. 246-338-010(25). 33 E-mail from Susan Walker, program manager, Washington Laboratory Quality Assurance, to author (Sept. 14, 2017) (on file with author). 34 Telephone communication with Susan Walker, program manager, Washington Laboratory Quality Assurance (Nov. 2, 2017). 35 Wash. Admin. Code, Sect. 246-338-010(2), 246-338-070(3). 36 Wash. Admin. Code, Sect. 246-338-070(3). 37 N.Y. Public Health Law, Sect. 571(1) (McKinney 2017). 38 See N.Y. Public Health Law, Sect. 571(1) (defining “clinical laboratory” to include examination for the purpose of “obtaining information” for health assessment and identification purposes); see also New York State Department PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-13 Like CLIA, New York provides an exception for facilities that “perform laboratory tests solely for research purposes.”39 In its Clinical Laboratory Evaluation Program’s Guide to Program Requirements and Services, the New York Department of Health has clarified the clinical/research laboratory distinction as follows: Research testing is considered clinical in nature if a patient-identified result is generated. This would include results used to make clinical decisions for patient management under an IRB-approved research protocol or clinical trial.40 When a result is obtained during the course of research testing that the laboratory feels ethically compelled to report to a clinician or research participant, the laboratory must obtain a New York clinical laboratory permit prior to reporting (Wadsworth Center, n.d.). In practice, New York’s rule prohibiting the return of research results generated by unlicensed laboratories is comparable to the CLIA prohibition.41 The default access rule in New York restricts the reporting of test results of specimens “submitted for evidence of human disease or medical condition” to three categories of individuals: physicians, their agents, and persons legally authorized “to employ the results thereof in the conduct of [their] practice or in the fulfillment of his official duties.”42 After the CLIA new access rule was enacted, New York adopted a similar provision that test reports may be released to patients.43 IV. HIPAA A. Scope The Health Insurance Portability and Accountability Act (HIPAA) applies to three categories of individuals and entities: health plans, health care clearinghouses, and health care providers who transmit “any health information in electronic form” to carry out certain activities related to furnishing, billing, or receiving payment for health care.44 Such covered transactions include sending claims to health plans to inquire about eligibility to receive health care or to request payment for medical services.45 of Health Wadsworth Center, Clinical Laboratory Evaluation Program: A Guide to Program Requirements and Services 3 (rev. Jan. 2017) [hereinafter New York State Program Guide] (providing that “[c]linical laboratories located in New York State, and laboratories conducting clinical or forensic testing on specimens originating in New York State regardless of location, must hold a New York State Department of Health clinical laboratory permit”). 39 N.Y. Public Health Law, Sect. 580. 40 New York State Program Guide, note 38, at 4; see also Wadsworth Center (n.d.): “Examples of testing performed for participant management include those that influence enrollment (exclusion or inclusion), safety, or dosing.”. 41 Telephone communication with Stephanie Shulman, director, New York Clinical Laboratory Program (Nov. 14, 2017). 42 N.Y. Comp. Codes R. & Regs., tit. 10, Sect. 58-1.8 (2017). 43 N.Y. Comp. Codes R. & Regs., tit. 10, Sect. 58-1.8 (2017). 44 42 U.S.C., Sect. 1320d-1(a), 1320d-2(a) (2017); see also CMS (2016), summarizing covered transactions. 45 42 U.S.C., Sect. 1320d-2(a)(2) (listing covered transactions); 45 C.F.R. Sect. 162.1101, 162.1201 (defining transactions relevant to “health claims or equivalent encounter information” and “eligibility for a health plan”). See also CMS (2016, 2017c). PREPUBLICATION COPY: UNCORRECTED PROOFS

C-14 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS The privacy and security regulations developed to implement HIPAA also extend to “business associates” of covered entities.46 A business associate is any person who creates, receives, maintains, or transmits protected health information on behalf of a covered entity or provides services to a covered entity that includes the disclosure of protected health information (PHI).47 PHI is defined as individually identifiable health information, which is any information (including genetic information) that (1) is created or received by a covered entity or employer; (2) “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual”; and (3) identifies or could be used to identify the individual.48 Research laboratories are HIPAA-covered entities in two situations. The first is when they electronically conduct a covered transaction.49 HHS has emphasized that the conduct of a single covered transaction will transform a laboratory into a covered entity “with respect to all protected health information that it creates or maintains,” not just the individuals or information associated with the covered transaction.50 The second situation in which research laboratories are covered entities is when they function as part of larger covered entities. Thus, research laboratories that operate within HIPAA-covered hospitals, medical centers, and medical schools may also be covered by HIPAA by virtue of these relationships (see Evans et al. (2014), explaining that a research laboratory may “fall under HIPAA because of its business organizational arrangements [for example, if it is part of a HIPAA-covered academic medical center]”). However, a covered entity may elect to become a “hybrid entity,” which is defined as a covered entity whose business activities include both covered and non-covered functions.51 When a covered entity elects to become a hybrid entity, it must ensure that its designated health care components that perform covered functions do not disclose PHI to other components except as permitted by HIPAA.52 This becomes difficult in the case of a clinician-investigator who is an employee of and performs duties for both a health care component and a non-covered component of a hybrid entity.53 In the end, hospitals, medical centers, and medical schools often do not elect hybrid entity status and instead designate their research laboratories as non-covered components because of the operational complexities and high transaction costs associated with successfully functioning under hybrid status.54 46 45 C.F.R., Sect. 164.302, 164.500(c). 47 45 C.F.R., Sect. 160.103. 48 45 C.F.R., Sect. 160.103. 49 42 U.S.C., Sect. 1320d-1(a), 1320d-2(a) (2017); 45 C.F.R., Sect. 162.1101, 162.1201. See also CMS (2016, 2017c).. 50 CLIA Program and HIPAA Privacy Rule Final Rule, 79 Fed. Reg. 7290, 7291 (Feb. 6, 2014). 51 45 C.F.R., Sect. 164.103, 164.105(a)(2)(iii)(D). 52 45 C.F.R., Sect. 164.105(a)(2)(ii). Health care components include every component that “would meet the definition of a covered entity or business associate if it were a separate legal entity.” —Sect. 164.105(a)(2)(iii)(D). 53 45 C.F.R., Sect. 164.105(a)(2)(ii)(C); telephone communication with Mark Barnes, partner, Ropes & Gray LLP (Nov. 15, 2017). 54 Telephone communication with Mark Barnes, partner, Ropes & Gray LLP (Nov. 15, 2017). Furthermore, if a research lab functions as a business associate to a hospital, medical center, or medical school that has elected hybrid entity status, it must be designated a covered health care component. See 45 C.F.R., Sect. 164.105(a)(2)(iii)(D); see also Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act Final Rule, 78 Fed. Reg., 5566, 5588 (Jan. 25, 2013) (explaining that the final rule “requires that the health care PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-15 B. Original Access Rule Since 2000, HIPAA regulations have included a rule that individuals have a “right of access” to inspect and obtain a copy of their PHI that is maintained within a “designated record set” for as long as the PHI is maintained in the designated record set.55 A designated record set is defined as a “group of records” maintained by or for a covered entity that includes medical, claims, and billing records as well as any other record “[u]sed, in whole or in part, by or for the covered entity to make decisions about individuals.”56 HHS has interpreted this definition broadly to mean that the designated record set includes all “records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.”57 Furthermore, qualifying “decisions” include but are not limited to health care decisions “because other decisions by covered entities can also affect individuals’ interests.”58 Before 2014 the HIPAA access rule provided an exception for HIPAA-covered laboratories. Specifically, two provisions excluded from access any PHI maintained by: (1) laboratories “[s]ubject to [CLIA], to the extent the provision of access to the individual would be prohibited by law”; and (2) laboratories “[e]xempt from [CLIA], pursuant to 42 C.F.R. § 493.3(a)(2)” (which refers to CLIA-exempt laboratories).59 The first provision excluded CLIA-regulated laboratories because at that time CLIA prohibited the return of results to individuals except in states that explicitly authorized such returns (see Part II, supra). The second provision excluded “CLIA-exempt” laboratories regulated by New York and Washington. Importantly, however, in the preamble to the original access rule, HHS interpreted the second provision excluding laboratories “[e]xempt from [CLIA], pursuant to 42 C.F.R. § 493.3(a)(2)” to also include research laboratories—even though research laboratories are excluded from CLIA under a different regulatory section.60 HHS explained that this interpretation was necessary because if research laboratories were “subject to the access requirements of this regulation, such entities would be forced to meet the requirements of CLIA from which they are currently exempt.”61 “To eliminate this additional regulatory burden,” HHS viewed research laboratories as excluded from the HIPAA access requirement.62 component of a hybrid entity include all business associate functions within the entity”); telephone communication with David Peloquin, associate, Ropes & Gray LLP (Nov. 22, 2017). 55 45 C.F.R., Sect. 164.524. 56 45 C.F.R., Sect. 164.501. A “record,” in turn, is defined as any “item, collection, or grouping of information” that includes PHI and is “maintained, collected, used, or disseminated by or for a covered entity.” 57 Standards for Privacy of Individually Identifiable Health Information Final Rule, 65 Fed. Reg. 82,462, 82,606 (Dec. 28, 2000). 58 Standards of Privacy . . ., ibid. 59 45 C.F.R., Sect. 164.524(a)(1)(iii). 60 Standards for Privacy of Individually Identifiable Health Information Final Rule, 65 Fed. Reg. at 82,485. Evans at al. (2014) argue that CMS forgot this history when it eliminated the exception that kept “CLIA-exempt” labs from having to comply with the HIPAA access rule, thereby inadvertently putting “HIPAA-covered, non-CLIA laboratories squarely in the crosshairs of individuals’ new Sect. 164.524 access right.” 61 Standards for Privacy of Individually Identifiable Health Information Final Rule, 65 Fed. Reg. at 82,485. 62 Standards for Privacy . . . ibid. Research laboratories might also have been excluded by the terms of the first exclusion. In the view of CMS, research laboratories cannot return results unless they are CLIA-certified, so a PREPUBLICATION COPY: UNCORRECTED PROOFS

C-16 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS C. Revised Access Rule In 2014, following three years of deliberation, HHS announced its elimination of the laboratory exclusion from the HIPAA access rule and the CLIA prohibition on the return of laboratory test results to individuals.63 HHS was motivated by concerns that these rules impeded individuals’ access to their records, thereby preventing individuals from having a more active role in their personal health care decisions.64 HHS also stated that removing these impediments would support its commitments to personalized medicine and the widespread adoption of electronic health records.65 Focusing on HIPAA, the revisions eliminated the original HIPAA access rule’s carve-out for laboratories.66 In the Federal Register preamble, HHS explained that the purpose of this change was to require all HIPAA-covered laboratories to comply with the access rule regardless of their status under CLIA: Even if CLIA does not apply to the conduct of certain types of laboratory tests, HIPAA may still apply to require access to certain test reports to the extent the laboratory is a HIPAA covered entity and the information to which an individual is requesting access is protected health information under HIPAA.67 Elsewhere in the preamble, HHS further explained that under the proposed rule, which was adopted with only minor clarifications and conforming changes, “HIPAA covered entities that are laboratories subject to CLIA, as well as those that are exempt from CLIA,”68 would have the same obligations as other types of covered health care providers” with respect to providing individuals access to their PHI. That “exempt” in this context encompasses not only “CLIA- exempt” (i.e., New York and Washington) laboratories but also research laboratories is reinforced by the preamble’s repeated reference to the expanded access obligations of all HIPAA-covered laboratories.69 Table C-3 compares the original and revised HIPAA access rules. TABLE C-3 Original Versus. Revised HIPAA Access Rule* Original Access Rule Revised Access Rule Who may request Individuals who are the subject of Individuals who are the subject of access? PHI PHI Who may obtain Individuals who are the subject of Individuals who are the subject of access? PHI and other persons as directed PHI and other persons as directed by individuals by individuals research lab’s return of results would trigger the need for CLIA certification, but at that time CLIA certification would have prohibited the lab from returning results. 63 CLIA Program and HIPAA Privacy Rule Final Rule, 79 Fed. Reg. 7290 (Feb. 6, 2014). 64 CLIA Program and HIPAA Privacy Rule Final Rule, 79 Fed. Reg. 7290 (Feb. 6, 2014). 65 CLIA Program and HIPAA Privacy Rule Final Rule, 79 Fed. Reg. 7290 (Feb. 6, 2014). 66 45 C.F.R., Sect. 164.524(a)(1). 67 CLIA Program and HIPAA Privacy Rule, 79 Fed. Reg. at 7296-97. 68 CLIA Program and HIPAA Privacy Rule, 79 Fed. Reg. at 7292. 69 This interpretation was also confirmed by OCR. Telephone communication with Deven McGraw, Deputy Director (former), Health Information Privacy, OCR (Jan. 5, 2018). PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-17 What may be PHI about an individual maintained PHI about an individual maintained obtained? within a designated record set within a designated record set From whom may HIPAA-covered entities, but not HIPAA-covered entities information be CLIA-regulated labs, “CLIA-exempt” obtained? labs, and research labs NOTE: * Only the revised HIPAA access rule is legally in effect. In sum, the revised HIPAA access rule provides individuals with a broad right of access to their PHI contained within designated record sets maintained by HIPAA-covered laboratories.70 A designated record set includes at least laboratory test reports,71 but, as noted above, it also includes all other PHI maintained by a lab that is used to make any kind of decision about any person.72 In 2016 the Office for Civil Rights (OCR), the HHS office responsible for enforcing HIPAA, published guidance explaining the kinds of information that may fall within the designated record set maintained by laboratories.73 The guidance states that in the context of a genetic test conducted by a clinical laboratory, the designated record set includes: the “completed test report”; the “full gene variant information generated by the test”; the “underlying data used to generate the report[]”; “as well as any other information in the designated record set concerning the test.” (HHS, 2016). The guidance refers only to access to genomic information “maintained by or for a clinical laboratory that is a covered entity” (HHS, 2016). The guidance does not refer to research laboratories. There are two limits to the HIPAA access rule that are relevant to this analysis. First, the rule provides for a temporary suspension of access related to clinical research activities. Specifically, it provides that an individual’s access to PHI created or obtained “in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress” provided that the individual has consented to this temporary denial of access.74 However, the right of access must be reinstated upon completion of the research.75 The second limit to the access rule is set forth in HIPAA’s authorizing statute. It provides that HIPAA standards “shall not require disclosure of trade secrets or confidential commercial information” by covered entities.76 Thus, a covered entity may legally refuse to provide 70 Dr. Evans argues that, as applied to genetic information, the access rule is a federal civil rights regulation compelled by the understanding that “access to one’s own genomic data is a foundational civil right that empowers people to protect all their other civil rights.” Barbara J. Evans, HIPAA’s Individual Right of Access to Genomic Data: Reconciling Safety and Civil Rights, 102 Am. J. Hum. Genetics 5, 6-7 (2018). 71 CLIA Program and HIPAA Privacy Rule, 79 Fed. Reg. at 7295. 72 Standards for Privacy of Individually Identifiable Health Information Final Rule, 65 Fed. Reg., 82,462, 82,606 (Dec. 28, 2000). 73 See HHS, Individuals’ Right Under HIPAA to Access Their Health Information 45 C.F.R. § 164.524, hhs.gov, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html (last visited Jan. 16, 2017) [hereinafter HHS, Individuals’ Right Under HIPAA]. Relevant FAQs include “Does an Individual Have a Right Under HIPAA to Access from a Clinical Laboratory the Genomic Information the Laboratory Has Generated About the Individual?” and “Does an Individual Have a Right Under HIPAA to Access More Than Just Test Results from a Clinical Laboratory?” Both FAQs were last reviewed on June 24, 2016. 74 45 C.F.R., Sect. 164.524(a)(2)(iii). 75 45 C.F.R., Sect. 164.524(a)(2)(iii). 76 42 U.S.C., Sect. 1320d-1(e) (2017). PREPUBLICATION COPY: UNCORRECTED PROOFS

C-18 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS individuals any requested PHI contained within a designated record set that the entity views as a trade secret or confidential commercial information. In at least one instance, HHS has explicitly authorized a covered entity’s refusal to disclose in these circumstances (Feldman and Newman, 2013). This limit on the HIPAA access rule may have special significance in the context of laboratories that maintain proprietary databases of raw test data and associated algorithms (Guerrini et al., 2017).77 If these limits do not apply, the covered entity must provide individuals “the access requested by the individuals, including inspection or obtaining a copy,” of the requested PHI, within 30 days of receipt of the request.78 Alternatively, the covered entity may provide a summary or explanation of the PHI if agreed upon by the requesting individual.79 The PHI must be provided in the form and format requested by the individual to the extent that it is readily producible in that form and format; otherwise, the PHI must be provided in “readable hard copy form” or any other agreed-upon form and format.80 Finally, the covered entity may charge the requestor a reasonable, cost-based fee covering its labor, supplies, and postage expenses associated with responding to requests for copies.81 The 2016 guidance makes clear that an individual’s reasons for requesting access to his or her PHI maintained in a designated record set are irrelevant to a covered entity’s obligation to respond to that request: [A] covered entity may not require an individual to provide a reason for requesting access, and the individual’s rationale for requesting access, if voluntarily offered or known by the covered entity or business associate, is not a permitted reason to deny access (HHS, 2016; emphasis in original). Finally, the revised HIPAA access rule preempts any contrary provisions of state law.82 Thus state laws that prohibit an individual’s direct access to test results are void to the extent they conflict with HIPAA.83 However, states may provide greater rights of access than those set forth in HIPAA.84 D. Enforcement OCR enforces HIPAA by investigating complaints of HIPAA violations filed by individuals and conducting compliance reviews of covered entities.85 Since April 2003, OCR has 77 HIPAA’s exclusion of trade secret information is consistent with the trend in this country toward enhanced protection of trade secrets. See, e.g., Defend Trade Secrets Act of 2016, Pub. L. No. 114-153 (2016) (creating a new federal cause of action for trade secret misappropriation). 78 45 C.F.R., Sect. 164.524(b)(2)(i), 164.524(c)(1). 79 45 C.F.R., Sect. 164.524(c)(2)(iii). 80 45 C.F.R., Sect. 164.524(c)(2)(i). 81 45 C.F.R., Sect. 164.524(c)(4). 82 45 C.F.R., Sect. 160.203. 83 See, e.g., Conn. Agencies Regs., Sect. 19a-36-D32 (2017) (providing that laboratory findings on specimens may be reported to “lay persons” only upon the written request of the provider who ordered the testing”). 84 45 C.F.R., Sect. 160.202, 160.203. 85 See 45 C.F.R., Sect. 160.306, 164.524(d)(2)(iii) (individual complaints); 45 C.F.R., Sect. 160.308 (compliance reviews). The HHS Secretary delegated its authority to enforce the Privacy and Security Rules of HIPAA to OCR. PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-19 received over 169,000 HIPAA complaints and initiated over 860 compliance reviews (OCR, 2018a). Following the filing of a complaint by an individual, OCR will investigate if the complaint is timely and alleges a violation against a HIPAA-covered entity (OCR, 2017a). If OCR concludes that a violation has occurred, it will attempt to resolve the case by obtaining voluntary compliance, corrective action, or a signed resolution agreement, and most investigations are concluded through these mechanisms.86 However, if the covered entity does not take action to resolve the matter in a way that is satisfactory to OCR, OCR can impose civil money penalties upwards of $50,000 for each violation (but not more than $1,500,000 for identical violations per calendar year).87 Individuals’ lack of access to their health information is among the top five issues that OCR investigates every year (OCR, 2018a,c). OCR’s website identifies several examples of access-related complaints that it has investigated and resolved (OCR, 2017c).88 None of these appear to involve research laboratories. An example of an ongoing OCR investigation based on denial of access was initiated against Myriad Genetics by four individuals for whom Myriad had performed genetic testing (Park and Lapidus, 2016). The individuals claim that HIPAA entitles them to four categories of information specific to those tests: (1) raw and assembled genetic sequence data; (2) a list of all variants identified, including benign variants; (3) the results of large-scale analyses; and (4) “records relating to clinical interpretation” of identified variants (Park and Lapidus, 2016). While Myriad initially refused to provide this information, it eventually disclosed to each complainant a list of identified variants and raw data from Myriad’s large rearrangement test (Park and Lapidus, 2016). Myriad stated that it does not retain and so cannot disclose any other requested sequence information (Park and Lapidus, 2016). Nevertheless, OCR opened an investigation, which is ongoing.89 V. CLIA–HIPAA Interactions A. Overview of Legal Obligations Related to Access Table C-4 summarizes laboratories’ current legal obligations regarding individual access under CLIA and HIPAA. Boxes A and C describe access obligations of HIPAA-covered laboratories with additional detail in Box C for laboratories not certified by CLIA before and See Statement of Delegation of Authority, 65 Fed. Reg. 82,381 (Dec. 28, 2000) (Privacy Rule); Statement of Delegation of Authority, 74 Fed. Reg. 38,630 (Aug. 4, 2009) (Security Rule). 86 45 C.F.R., Sect. 160.312. See also OCR (2017b) and OCR (2018b), which states: “A resolution agreement is a settlement agreement signed by HHS and a covered entity or business associate in which the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of three years,” and may also agree to pay a settlement amount. 87 See 45 C.F.R., Sect. 160.312, 160.404(b)(2), 160.410(c), and OCR (2018b). In the case of a continuing violation, a separate violation occurs each day the covered entity or business associate is in violation. 45 C.F.R., Sect. 160.406. 88 Based on the website descriptions, it is unclear whether civil monetary penalties were imposed in any of these cases. 89 E-mail from Thomas Dresslar, media relations associate, American Civil Liberties Union, to author (Dec. 1, 2017) (on file with author). PREPUBLICATION COPY: UNCORRECTED PROOFS

C-20 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS after the 2014 regulatory changes. Boxes B and D describe access obligations of laboratories not covered by HIPAA. TABLE C-4 Legal Obligations Related to Individual Access, by Type of Laboratory HIPAA Covered Laboratory Not HIPAA Covered Laboratory A B CLIA- Federal law (HIPAA): Mandatory access Federal law (CLIA): Permissive access certified State law: Preempted unless provide State law: Not preempted; can mandate, laboratory greater access permit, or prohibit access Example: Clinical laboratory Example: Independent clinical laboratory that does not seek third-party reimbursement C1 (pre-2014) D Federal law (CLIA): Prohibited access Federal law: N/A unless authorized by state law State law: Not preempted; can mandate, State law: Not preempted; could permit, or prohibit access Not CLIA- mandate, permit, or prohibit access Example: Independent research lab certified C2 (current) laboratory Federal law (HIPAA): Mandatory access (but disclosure requires lab to become CLIA-certified according to CMS) State law: Preempted unless provide greater access Example: Research lab that is part of a covered entity B. Potential Conflicts Between CLIA and HIPAA As explained above, CMS has interpreted the CLIA exception for research laboratories to apply only where laboratories do not return individual-specific results or otherwise use those results to make clinical decisions. If laboratories return results to individuals or their clinicians for any reason, CMS’s position is that they must become CLIA-certified.90 Furthermore, if labs return results to investigators and those results could be used in the treatment of participants, they must become CLIA-certified.91 It is generally recognized that the 2014 changes to CLIA and HIPAA have created a dilemma for research laboratories that are not certified by CLIA but are covered by HIPAA because they conduct at least one electronic covered transaction or by virtue of their relationships with HIPAA-covered entities (Barnes et al., 2015; Evans et al., 2014).92 To comply with the 90 See notes Error! Bookmark not defined.–17 above and accompanying text; see also Standards for Privacy of Individually Identifiable Health Information Final Rule, 65 Fed. Reg. 82,462, 82,485 (Dec. 28, 2000) (explaining that laboratories subject to the HIPAA access rule “would be forced to meet the requirements of CLIA”). 91 Telephone communication with Penelope Meyers, technical director, Division of Laboratory Services, CMS (Nov. 16, 2017); Meyers (2011). 92 The return of results generated by research laboratories has been considered by several national committees and working groups, but none made specific recommendations regarding how to reconcile such a practice with CMS’s PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-21 expanded access rules, HIPAA-covered research laboratories must now return any PHI contained within designated record sets (including but not limited to test results) when individuals request them to do so, but these laboratories cannot do so without becoming CLIA-certified (See Table C-4, Box C-2). Yet, the Secretary’s Advisory Committee on Human Research Protections (SACHRP) has stated that it would be unrealistic to require all research labs to become CLIA certified in order to comply with HIPAA (OHRP, 2015b). That is because the process of CLIA certification is expensive and time consuming (Barnes et al., 2015). As noted by a National Heart, Lung, and Blood Institute working group, many research laboratories are not CLIA-certified, and many existing biobanks and current studies do not use CLIA-certified labs (Fabsitz et al., 2010). Relying on principles of statutory interpretation, some scholars argue that, contrary to CMS’s interpretation, the return of results by research labs should not trigger a requirement to obtain CLIA certification (Burke et al., 2014; Evans, 2014). Focusing on the provision in CLIA that certification is not required if research laboratories do not return individual results “for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, individual patients,”93 they contend that the need for CLIA compliance is dependent on the purpose for which a laboratory reports results (Burke et al., 2014; Evans, 2014). Although CLIA provides no guidance on how to assess the purpose of returning results, these scholars argue that returning results to an individual along with a suggestion that the individual seek confirmatory testing or consult a physician constitutes informational communication and does not amount to reporting for diagnostic, preventative, treatment, or health assessment purposes (Burke et al., 2014). Thus, the return of results by research laboratories in such circumstances should not trigger the requirement to obtain CLIA certification (Burke et al., 2014).94 Moreover, one of these scholars has separately argued that there may be a First Amendment right for a willing researcher to share results generated by a research lab with a willing participant (Evans, 2014). Finally, some practitioners have noted that even if a conflict exists between CLIA and HIPAA, it is unclear whether OCR will require research laboratories to comply with the new access rule (Barnes et al., 2014). In this regard, it may be notable that OCR’s 2016 guidance on access to genetic test information refers only to information maintained by or for clinical laboratories and does not also address the access obligations of research laboratories(HHS, 2016).95 C. Institutional Responses Institutions have responded to the perceived CLIA–HIPAA conflict in different ways. These include adopting policies that exclude research data from designated record sets and making case-by-case determinations to return research results. position that CLIA prohibits the return of results generated by research labs. See Jarvik et al. (2014) summarizing the conclusions of these groups. 93 42 C.F.R., Sect. 493.3(b)(2). 94 However, Burke et al. do note that where the research is a clinical trial occurring in a health care setting, the distinction between research and clinical care may be so fine that investigators should presume that the return of results will require CLIA certification. 95 Telephone communication with David Peloquin, associate, Ropes & Gray LLP (Nov. 22, 2017). PREPUBLICATION COPY: UNCORRECTED PROOFS

C-22 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS 1. Institutional policies Some institutions may be minimizing the conflict through policies that interpret the institution’s designated record set to exclude research-related information. For example, the policy of Johns Hopkins Medicine (JHM) is that researchers may not disclose results of research tests to subjects, patients, families, or caregivers “when such tests have been performed in laboratories that have not been CLIA-certified and do not have a state laboratory license” (JHM, 2015).96 More generally, JHM has taken the position that a “research record” is categorically not part of any designated record set and so is not subject to the HIPAA access rule. Rather, “only information that is entered into an individual’s medical record during the course of research would be part of the ‘designated record set’” (JHM, 2015). However, the policy recognizes that if the research involves treatment of a patient and there is only one “record,” the research and medical record are the same. The policy concludes: “[T]his is not a settled area of the law. Different experts have different opinions. But until there is further clarification, this is our position on this issue” JHM, 2015). Similarly, New York University (NYU) Langone Health System’s policy is that the results of tests performed at laboratories not certified by CLIA to perform such tests are categorically not part of any designated record set and so are not subject to the HIPAA access rule. The designated record set is further interpreted to exclude research records that are not used or not available to treating providers to make health care decisions about patients (NYU Langone Health System, 2016). 2. Case-by-case determinations Yet, there is anecdotal evidence that institutional policies prohibiting the return of results generated by research laboratories are being overruled in some instances. For example, a qualitative interview study of 31 IRB professionals at six sites across the United States reported two cases in which research test results that could not be confirmed in CLIA-certified laboratories were nevertheless reported to individual research participants. In one of these cases, the researcher had identified several genes associated with hyper-coagulability in a participant, and the IRB recommended returning this result after concluding that doing so posed a low risk of harm but high anticipated benefit to the participant (Dressler et al., 2012). Although additional instances have been noted in the literature,97 the frequency with which these decisions are being made in practice is unclear. VI. Federal Research Participant Protections There are several federal regulations for the protection of human research subjects that are relevant to the return of results generated from biospecimens in research. These include the Common Rule98 and regulations adopted by FDA.99 Although this analysis is limited to federal protections, it should be noted that several states also have adopted protections for human 96 See also Johns Hopkins Medicine (2013), forbidding researchers from “disclos[ing] or report[ing] results of research tests when such tests have been performed in laboratories that have not been CLIA-certified and do not have a state laboratory license.” 97 See, e.g., Prince et al. (2015), describing the practice of the Familial Dilated Cardiomyopathy Research Project to notify participants of “meaningful results” generated by a research laboratory. 98 45 C.F.R., Sect. 46. 99 21 C.F.R., Sect. 50, 56. PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-23 research participants.100 A. Common Rule 1. Current The Common Rule applies to all research in which data or biospecimens are obtained through “intervention or interaction” with a “human subject” where the research is federally funded, federally supported, or conducted by institutions that have voluntarily agreed (through federal-wide assurances) to comply with the Common Rule for both covered and non- covered research.101 However, several categories of research are excluded from the Common Rule’s scope, including secondary studies involving only data or biospecimens that cannot be identified as originating from specific individuals.102 For covered studies, the Common Rule requires IRBs to ensure that the risks of participation are minimized and reasonable in relation to the anticipated benefits and also that participation is conditioned on informed consent.103 The Common Rule neither explicitly allows nor prohibits the return of results to study participants. Although it requires that potential participants be notified of certain study features in order for consent to be valid, these features do not include the study’s plan to return (or not return) results. Still, legal scholars have noted that the Common Rule requires that, when appropriate, a research participant be informed of “significant new findings developed during the course of the research which may relate to the subject’s willingness to continue participation.”104 They note that this requirement “at a minimum, may obligate investigators to disclose the fact that significant findings might be discovered during the course of research and whether or not those will be offered to subjects and/or their physicians” (McGuire et al., 2014, p. 720). In practice, when a study protocol includes a plan to return results, the IRB will review the plan to ensure its benefits outweigh its risks (Alessi, 2013). However, while IRBs can prohibit investigators from returning results, they cannot block access when study participants request results under HIPAA (Evans et al., 2014). 2. Pending revisions In January 2017, following many years of deliberation, HHS announced its adoption of revisions to the Common Rule.105 Most of the revisions, including all of those mentioned in this analysis, were scheduled to go into effect on January 19, 2018.106 However, HHS postponed the effective date by six months to July 19, 2017 (OMB, 2017).107 The revisions continue to exempt secondary studies involving only non-identifiable data or biospecimens. They also identify new categories of exempt studies, including secondary research involving only collection and analysis of identifiable health information originally 100 See Cal. Health & Safety Code, Sect. 24170–24179.5 (2017); Md. Code. Ann. Health-Gen., Sect. 13-2001 et seq. (2017); N.Y. Pub. Health Law, Sect. 2440–2446 (2017); Va. Code Ann., Sect. 32.1-162.16 et seq. (2017). 101 See 45 C.F.R., Sect. 46.101(a), 46.102(f). Research, in turn, is defined as “a systematic investigation . . . designed to develop or contribute to generalizable knowledge.” 45 C.F.R., Sect. 46.102(d). 102 See 45 C.F.R., Sect. 46.102(f). 103 45 C.F.R., Sect. 46.109, 46.111. 104 45 C.F.R., Sect. 46.116(b)(5). 105 Federal Policy for the Protection of Human Subjects, 82 Fed. Reg. 7149 (Jan. 19, 2017). 106 Id. at 7259 (revised § 101(l)). The requirement for one IRB to review cooperative research projects conducted in the U.S. will go into effect in January 2020. Id. 107 As of the date of this draft, the proposed delay was still pending review. PREPUBLICATION COPY: UNCORRECTED PROOFS

C-24 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS collected for other purposes if that use already is regulated by HIPAA.108 This exemption was adopted on grounds that HIPAA protections already in place for this kind of research are sufficiently “adequate” and it is “unduly burdensome and confusing” to require such research to also be subject to Common Rule protections.109 In addition to exempting new categories of research, the Common Rule revisions specify new categories of research eligible for limited IRB review. These include including secondary studies of identifiable data and biospecimens where the investigator “does not include returning individual research results to subjects as part of the study plan.”110 The regulations make clear, however, that an investigator of a study that falls within this category may still return results if required by law to do so. Otherwise, the changes require, for the first time, that investigators disclose their plans regarding the return of results in some circumstances. Specifically, the revised Common Rule sets forth a new element of information that, when appropriate, must be provided to research participants. That element is: A statement regarding whether clinically relevant research results, including individual research results, will be disclosed to subjects and, if so, under what conditions.111 Furthermore, with respect to the storage, maintenance, and secondary research use of identifiable data and biospecimens, a research participant may provide “broad consent,” which must be conditioned on disclosure of the following information: Unless it is known that clinically relevant research results, including individual research results, will be disclosed to the subject in all circumstances, a statement that such results may not be disclosed to the subject.112 Under the new rules, it is therefore possible for a study investigator to have no plans to return research results and to inform (and be required to inform) study participants that individual research results will not be returned, yet be required by HIPAA to return results to participants upon their request according to procedures outside of IRB review. 108 See Federal Policy for the Protection of Human Subjects, 82 Fed. Reg. at 7262 (revised § 104(d)(4)(iii)); see also id. at 7191-92 (explaining that the information and biospecimens covered by this exclusion “would generally be found by the investigator in some type of records (in the case of information) or some type of tissue repository (such as a hospital’s department for storing clinical pathology specimens)”). 109 Id. at 7194 (noting HIPAA’s requirement that researchers obtain an individual’s authorization for certain research uses of protected health information or a waiver of that authorization by an IRB or HIPAA privacy board). 110 Federal Policy for the Protection of Human Subjects, 82 Fed. Reg., 7149 (Jan. 19, 2017), at 7263 (proposed Sect. 104(d)(8)). 111 Federal Policy for the Protection of Human Subjects, 82 Fed. Reg., 7149 (Jan. 19, 2017), at 7266 (proposed Sect. 116(c)(8)). 112 Federal Policy for the Protection of Human Subjects, 82 Fed. Reg., 7149 (Jan. 19, 2017), at 7266-67 (proposed Sect. 116(d)(6)). PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-25 B. FDA Protections FDA research participant protections apply to all “clinical investigations,” regardless of funding source, that are regulated by FDA or that support applications for research or marketing permits for products regulated by FDA.113 A clinical investigation is defined as an experiment involving a test article and one or more human participants.114 Because the reach of FDA protections partially overlaps with the scope of the Common Rule, some research studies must comply only with FDA protections, some must comply only with the Common Rule, and some must comply with both. FDA protections and the Common Rule have different regulatory purposes, and so their substance is not identical. Still, many FDA protections are the same as or similar to provisions of the Common Rule (Lee, 2018). For example, for covered investigations, FDA regulations (like the Common Rule) require IRBs to ensure that the risks of participation are minimized and reasonable in relation to the anticipated benefits and also that participation is conditioned on informed consent.115 Also like the Common Rule, FDA regulations neither explicitly allow nor prohibit the return of results to study participants. Although they require that potential participants be notified of certain study features for consent to be valid, they do not require that participants be notified as to whether the study’s results will be returned.116 However, FDA protections (like the Common Rule) include the requirement that, when appropriate, research participant be informed of “significant new findings developed during the course of the research which may relate to the subject’s willingness to continue participation.”117 In practice, an IRB overseeing an FDA-regulated study will review the study’s return-of-results plan to ensure that adequate protections accompany any return and that prospective participants are informed through the consent process and provided an opportunity to opt out of receiving results if not essential to the study.118 The pending revisions to the Common Rule will have no effect on FDA research participant protections (Valentine and Clissold, 2017). However, in the Federal Register preamble to the revisions, HHS stated its intention to “consider the need for updates to FDA regulations and other relevant federal departmental or agency regulations with overlapping scope.”119 Further, the 21st Century Cures Act, enacted in 2016, requires HHS to harmonize differences between the Common Rule and FDA research participant regulations “to the extent practicable.”120 Therefore, it should be expected that many Common Rule revisions will be incorporated into FDA regulations.121 113 21 C.F.R., Sect. 50.1, 50.3(b), 56.101, 56.102(b). 114 21 C.F.R., Sect. 50.3(c), 56.102(c). 115 21 C.F.R., Sect. 50.20, 50.25, 56.103, 56.109, 56.111. 116 21 C.F.R., Sect. 50.25. 117 21 C.F.R., Sect. 50.25(b)(5). 118 Telephone communication with Abram Barth, associate, Ropes & Gray LLP (Nov. 24, 2017). 119 Federal Policy for the Protection of Human Subjects, 82 Fed. Reg. 7149, at 7151 (Jan. 19, 2017). 120 21st Century Cures Act, Pub. L. No. 114-255, Sect. 3023 (2016). 121 Telephone communication with Abram Barth, associate, Ropes & Gray LLP (Nov. 24, 2017). PREPUBLICATION COPY: UNCORRECTED PROOFS

C-26 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS VII. FDA Regulations A. Scope Under the authority of the Federal Food, Drug, and Cosmetic Act (FDCA), FDA is responsible for protecting and promoting public health by ensuring the safety and effectiveness of medical drugs and devices.122 Devices regulated by FDA are defined broadly as articles “intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals.”123 So defined, FDA-regulated devices cover many laboratory tests, including in vitro diagnostic tests. FDA classifies each device intended for human use on the basis of its risk to consumers.124 The greater the risk posed by a device and the more control presumed necessary to ensure its safety and effectiveness, the higher will be its classification. Thus, Class I devices are subject only to general controls, including registration and labeling requirements, whereas most Class II devices require pre-market notification and “special controls,” including stricter labeling requirements.125 Class III devices are subject to the most stringent standards and require pre- market approval before marketing.126 In determining the safety and effectiveness of a device for purposes of its classification, FDA considers four factors: (1) the individuals who are intended or represented as the users of the device, (2) conditions of use, (3) the “probable benefit to health from the use of the device weighed against any probable injury or illness from such use of the device,” and (4) the device’s reliability.127 FDA has classified more than 1,700 distinct types of medical devices (FDA, 2014a). B. Return of Results as Relevant to Regulation of Laboratory-Developed Tests FDA has discretion in its enforcement of regulations, and historically the agency has followed a policy of enforcement discretion with respect to LDTs (FDA, 2017a). An LDT is an in vitro diagnostic device that are designed, manufactured, and used within a single laboratory. In 2010, responding to concerns about the increasing complexity, reach, and risk of LDTs as well as about the use of results from faulty LTDs to direct major treatment decisions, FDA announced its intent to reconsider its policy of enforcement discretion with respect to LDTs (FDA, 2017). Although some scholars questioned FDA’s legal authority to regulate LDTs (Clement and Tribe, 2015; Javitt, 2014), these concerns became moot in January 2017 when FDA announced that it would not issue a final guidance to allow for further public discussion and to give Congress the opportunity to develop a legislative solution (FDA, 2017b). Nevertheless, FDA generally does not exercise enforcement discretion against firms providing direct-to-consumer genetic tests, whether or not they constitute LDTs (FDA, 2014b), at least in part due to concerns associated with returning results directly to customers.128 In 2013, 122 21 U.S.C., Sect. 301 et seq. 123 21 U.S.C., Sect. 321(h). 124 21 U.S.C., Sect. 360c.; 21 C.F.R., Sect. 860.1 et seq. 125 21 C.F.R., Sect. 860.3(c). 126 21 C.F.R., Sect. 860.3(c). 127 21 C.F.R., Sect. 860.7(b). 128 Telephone communication with Alberto Gutierrez, director (retired), Office of In Vitro Diagnostics and Radiological Health, FDA (Nov. 21, 2017). PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-27 for example, FDA sent 23andMe a warning letter that its marketing of the Personal Genome Service (PGS) Test without FDA clearance or approval violated the FDCA, citing concerns that customers might self-manage their treatments based on false positive or false negative test outcomes.129 In 2017, after 23andMe submitted a request for de novo classification of the PGS Test, FDA granted permission to market the test for certain genetic health risks as a Class II device (FDA, 2017c). However, based on concerns including the possibility that customers might incorrectly interpret the results, FDA imposed special controls that include providing customers information to help them interpret results and requiring their opt-in to receive results related to risk of life-threatening but unpreventable or untreatable conditions (FDA, 2017c).130 C. Return of Results as Relevant to IDE Requirements Although FDA generally does not enforce its regulations against LDTs, that policy does not apply to LDTs that are the subject of clinical investigations to determine safety or effectiveness.131 In those cases, investigators may be required to engage with a regulatory process applicable to “investigational devices.” Investigational devices include LDTs and other devices that have not been approved or cleared by FDA for the purpose for which they are intended to be used by investigators (FDA, 2010),132 and the FDCA and implementing regulations describe a path of regulatory exemption for the conduct of clinical investigations o determine the safety or effectiveness of “investigational devices.”133 Procedures for this exemption, known as an investigational device exemption (IDE), are detailed in Part 812 of FDA regulations and summarized in Figure 1. Devices subject to an approved IDE are exempt from regulatory requirements related to, among other things, performance standards and premarket notification and approval.134 129 Warning Letter from Alberto Gutierrez, director, Office of In Vitro Diagnostics and Radiological Health, FDA, to Ann Wojcicki, chief executive officer, 23andMe, Inc. (Nov. 22, 2013). 130 See also Spector-Bagdady (2016), explaining that “FDA’s current risk assessment of the 23andMe service is based entirely on the data and information that are returned to the customer” (p. 518, emphasis in original). 131 21 C.F.R., Sect. 812.119(a); telephone communication with Alberto Gutierrez, director (retired), Office of In Vitro Diagnostics and Radiological Health, FDA (Nov. 21, 2017). 132 A device may be an investigational device subject to Part 812 regardless of whether it is used in a clinical or research lab. Telephone communication with Alberto Gutierrez, director (retired), Office of In Vitro Diagnostics and Radiological Health, FDA (Nov. 21, 2017). 133 21 U.S.C., Sect. 360j(g); 21 C.F.R., Sect. 812.1 et seq. 134 21 C.F.R., Sect. 812.1(a). However, they may still be subject to requirements of IRB review. See 21 C.F.R., Sect. 50.1, 56.101. PREPUBLICATION COPY: UNCORRECTED PROOFS

C-28 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS + NO Clinical investigation of an investigational device to learn about safety or effectiveness? YES Non-invasive diagnostic device YES where results confirmed by medically established procedures? NO Significant risk device? YES NO Part 812 generally Abbreviated Full IDE does not apply IDE only required FIGURE C-1 Part 812 applicability. NOTE: IDE= investigational device exemption Part 812 defines an “investigational device” as one “that is the object of an investigation,” where an “investigation” is defined as “a clinical investigation or research involving one or more subjects to determine the safety or effectiveness of a device.”135 An approved or cleared device that is used in a study “in accordance with the approved or cleared labeling is not investigational and, therefore, is not subject to the IDE regulation.”136 In the Federal Register preamble to these regulations, FDA has stressed that Part 812 is limited to investigations conducted for the purposes of determining safety or effectiveness and not for other purposes.137 Nevertheless, FDA has viewed Part 812 as applying to all investigations involving devices where investigators expect to learn about the safety or effectiveness of the device, regardless of whether that is the primary research purpose (NHGRI, 2016). If investigators do expect to learn about the safety or effectiveness of an investigational device the question becomes whether it poses a “significant risk,” meaning it “presents a potential for serious risk to the health, safety, or welfare of a subject.”138 FDA has explained that risk depends not on the nature of the device, but rather on how the information that it generates will be used in a specific study, and also that risk is evaluated on a case-by-case basis according to the worst-case scenario (NHGRI, 2016; FDA, 2006). Factors that FDA considers in determining whether an investigational device poses significant risk include the health status of 135 21 C.F.R., Sect. 812.3(g)-(h); see also 21 C.F.R., Sect. 812.119(a) (providing that “[t]his part applies to all clinical investigations of devices to determine safety and effectiveness”). 136 FDA, Guidance for Industry and FDA Staff: In Vitro Diagnostic (IVD) Device Studies -Frequently Asked Questions, at 9, FDA.GOV (June 25, 2010) [hereinafter FDA, IVD FAQs]. A device may be an investigational device subject to Part 812 regardless of whether it is used in a clinical or research lab. Telephone communication with Alberto Gutierrez, supra note 128. 137 Procedures for Investigational Device Exemptions Final Rule, 45 Fed. Reg. 3732, 3735 (Jan. 18, 1980). 138 21 C.F.R., Sect. 812.2(b)(1), 812.3(m). FDA has elaborated that determination of risk level depends on how the information generated by the device will be used in a specific trial and by reference to guidelines about standards of care for conditions. See NHGRI (2016). PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-29 the study population and the manner in which results will be returned.139 Factors that FDA does not consider in determining whether an investigational device poses significant risk include the size of the cohort and potential benefits to participants (NHGRI, 2017a). Investigational devices that do not pose significant risk are subject only to abbreviated IDE requirements, including proper labeling and IRB approval. When a device satisfies these abbreviated requirements, FDA considers it to have an approved IDE application.140 Furthermore, Part 812 does not apply to a diagnostic device if it is properly labeled, “non-invasive,” and not used for diagnostic purposes without confirmation of the diagnosis by a “medically established” diagnostic product or procedure.141 The regulations define both blood sampling that involves simple venipuncture and the use of surplus body fluids and tissues originally taken for non-investigational purposes as non-invasive.142 There is ambiguity, however, with respect to the kinds of devices that qualify as medically established. Devices that are used for purposes for which they already have been approved or cleared qualify as medically established (FDA, 2010). But it is unclear whether unapproved or uncleared LDTs used in laboratories can qualify as medically established and whether and how CLIA certification of the laboratories might affect that determination.143 In the context of genetic testing, FDA has stated that Sanger sequencing will sometimes constitute a medically established procedure (NHGRI, 2016, 2017a). Recently, the IDE regulations were an issue for four studies funded by the National Institute of Health as part of the Newborn Sequencing in Genomic Medicine and Public Health program. In 2013,FDA asked the investigators of those studies, which include genetic testing of children and newborns, to participate in the IDE process (Karow, 2014). FDA considered whether the genetic tests used in the study posed a significant risk, given that the results might be used to influence critical medical decision making. FDA also expressed concern that results might not be confirmed in every case by medically established procedures before their return to subjects.144 Ultimately, all four of the studies filed a “pre-IDE” to determine whether they needed to obtain an IDE, but only the North Carolina study was deemed to hold significant risk and to require the submission of a full IDE application (Karow, 2014).145 Although FDA eventually approved the application, the process of obtaining approval set back the study at least a year.146 In 2016, the National Human Genome Research Institute (NHGRI) held a workshop to discuss the IDE regulations as they apply to clinical research that uses genomic technologies. To develop the content of this event, NHGRI collaborated with FDA’s Center for Devices and 139 Telephone communication with Alberto Gutierrez, director (retired), Office of In Vitro Diagnostics and Radiological Health, FDA (Nov. 21, 2017); see also NHGRI (2017a), providing as an example of a significant risk study that involves genome sequencing of healthy participants with an intent to return variants of unknown significance because the test results might lead healthy individuals to pursue unnecessary treatments that could expose them to harm. 140 21 C.F.R., Sect. 812.2(b). 141 21 C.F.R., Sect. 812.2(a), 812.2(c)(3). However, it is still subject to regulations related to disqualification of investigators. See 21 C.F.R., Sect. 812.119. 142 21 C.F.R., Sect. 812.3(k). 143 Telephone communication with Abram Barth, associate, Ropes & Gray LLP (Nov. 24, 2017); telephone communication with [name withheld]. 144 Personal communication with Stacey Pereira, instructor, Baylor College of Medicine (Oct. 3, 2017). 145 Also an e-mail from Jonathan Berg, assistant professor, Department of Genetics, University of North Carolina at Chapel Hill, to author (Dec. 1, 2017). The “pre-IDE” process is described in FDA (2010). 146 Telephone communication with Jonathan Berg, Assistant Professor, Department of Genetics, University of North Carolina at Chapel Hill (Dec. 20, 2017). PREPUBLICATION COPY: UNCORRECTED PROOFS

C-30 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS Radiological Health, which reviews IDE submissions and is responsible for FDA’s medical device regulations. Outstanding questions identified at the workshop’s conclusion that are relevant to the return of results included whether FDA considers professional guidelines recommending the return of results to represent a standard of care, and if so, how those guidelines factor into risk assessments (NHGRI, 2016). D. Interpretation of Results as Relevant to Unlawful Promotion Although FDA regulates the statements that device manufacturers can make about the clinical significance of test results, the agency generally does not have regulatory jurisdiction over the practice of medicine (Evans, 2015).147 According to its authorizing statute, FDA may not “limit or interfere with the authority of a health care practitioner to prescribe or administer any legally marketed device to a patient for any condition or disease within a legitimate health care practitioner–patient relationship.”148 However, statute makes clear that the exclusion of medical practice from FDA’s reach does “not change any existing prohibition on the promotion of unapproved uses of legally marketed devices.”149 Moreover, with respect to investigational devices, FDA regulations state that sponsors, investigators, and persons acting on their behalf may not promote or test market an investigational device before FDA has approved it for commercial distribution or “represent” that the device “is safe or effective for the purposes for which it is being investigated.”150 According to legal scholars, these rules mean that FDA likely cannot prohibit statements that physicians make to patients about their laboratory test results, including explanations of the clinical significance of the results, if they are made during the course of medical practice (Evans, 2015).151 However, it is unclear whether there are circumstances in which an investigator’s communication to participants of interpreted results generated from an investigational device would constitute unauthorized activity and where, precisely, the FDA draws the line between permissible communications and impermissible promotion.152 147 But see Zettler (2015), arguing that, “contrary to conventional wisdom, the federal government is deeply entangled in regulating medical practice, and such federal regulation is lawful.” 148 21 U.S.C., Sect. 396. 149 21 U.S.C., Sect. 396. 150 21 C.F.R., Sect. 812.7(a), 812.7(d). 151 Javitt and Carner (2014): “[A]ny attempt by FDA to regulate the activities of a state-licensed interpretive service or other health care provider could be viewed as an unauthorized interference into the practice of medicine, which FDA statutorily is prohibited from doing” (p. 17). Kwon (2016): “FDA cannot interfere with how a physician uses LDT results in diagnosing a patient—and the agency does not seek to regulate a physician’s post-market diagnostic use of LDTs” (p. 951). Also, telephone communication with Alberto Gutierrez, director (retired), Office of In Vitro Diagnostics and Radiological Health, FDA (Nov. 21, 2017). However, if physicians’ claims about test results violate the standard of care, they may be subject to tort lawsuits or disciplinary actions by state medical practice boards; see Evans (2015). 152 Telephone communication with Patricia Zettler, associate professor, Georgia State University College of Law (Nov. 2, 2017). PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-31 OTHER LEGAL ISSUES VIII. Property Rights The return of research results is also relevant to the issue of property rights, which is generally governed by the states. In general, state courts have not viewed research results, including data generated from genetic tests, as legal property belonging to research participants. This conclusion has been reached by several courts in lawsuits where individuals who provided biospecimens for research claimed an ownership interest in the results of tests performed on those biospecimens or, more generally, information and discoveries obtained through analysis of the biospecimens.153 In Greenberg v. Miami Children’s Hosp. Research Inst., for example, a federal district court in Florida held that donors’ property rights in their biospecimens “evaporates once the sample is voluntarily given to a third party” and declined to recognize a “continuing right for donors to possess the results of any research.”154 Nevertheless, legal scholars describe a widespread belief that individuals “own” their personal data (Rothstein, 2015).155 Moreover, in the context of genetics, some state legislatures have explicitly recognized the property rights of individuals in their test results.156 A Colorado statute, for example, provides that “[g]enetic information is the unique property of the individual to whom the information pertains,”157 although, it permits information derived from genetic testing to be used in research so long as the identity of any individual to whom the information pertains is not disclosed to third parties.158 An Alaska statute similarly provides that “a DNA sample and the results of a DNA analysis performed on the sample are the exclusive property of the person sampled or analyzed.”159 The statute further authorizes civil and criminal liability against any person who retains a DNA sample or the results of a DNA analysis without informed consent.160 A lawsuit alleging the unlawful disclosure of test results in violation of these provisions is currently pending before the federal district court in Alaska.161 The court has not yet interpreted the 153 See, e.g., Ande v. Rock, 256 Wis. 2d 365, 382-83 (Wis. App. 2002) (rejecting plaintiffs’ claim that under Wisconsin law they had a property interest in diagnostic results that had not been returned to them); Moore v. Regents of the Univ. Cal., 51 Cal. 3d 120, 141 (1990) (declining to find that a patient retained ownership rights in his excised cells). Accord Washington Univ. v. Catalona, 490 F.3d 667, 675 (8th Cir. 2007) (holding that individuals who donated their biological materials voluntarily to a research institution did not retain an ownership interest allowing them to direct the transfer of the materials to third parties). 154 264 F. Supp. 2d 1064, 1074-76 (S.D. Fl. 2003) (dismissing a claim of conversion of body tissue and genetic information voluntarily given to researchers). 155 Whether the propertization of data and biospecimens is prudent or not is the subject of ongoing academic debate. See, e.g., pp. 9–10 in Contreras (2016), proposing to replace the de facto property regime for the governance of genetic research, which does not adequately protection individuals and promote research, with a liability rule system; Javitt (2013), explaining reasons to be “leery” of the property construction, including consequences for public health laws related to transplantable human organs and the disposal of biological materials). 156 See, e.g., Alaska Stat., Sect. 18.13.010(a)(2) (2017); Colo. Rev. Stat. Ann., Sect. 10-3-1104.7(1)(A) (2017); Fla. Stat., Sect. 760.40(2)(A) (2017). 157 Colo. Rev. Stat. Ann., Sect. 10-3-1104.7(1)(a). 158 Colo. Rev. Stat. Ann., Sect. 10-3-1104.7(5). 159 Alaska Stat., Sect. 18.13.010(a)(2). 160 Alaska Stat., Sect. 18.13.020, 18.13.030. 161 Complaint, Cole v. Gene by Gene, Ltd., Case No. 1:14-cv-00004-SLG (D. Alaska) (filed May 13, 2014). PREPUBLICATION COPY: UNCORRECTED PROOFS

C-32 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS substantive provisions of the statute, although the test provider filed notice that it is challenging the statute as unconstitutionally vague because it does not allow reasonable people to understand what behavior would run afoul of it (Wagner, 2017a). Still, parties can privately agree to allocate property rights in test results that are different from default legal rules.162 This is done by, for example, the Personal Genome Project (PGP), which conducts genetic sequencing on biospecimens donated by participants, collects the results of health surveys and previous genetic tests, and publishes all individual-level data on the Internet for use by researchers (Harvard Personal Genome Project, n.d.). PGP’s informed consent document specifies that donors retain ownership of the data they provide, although by participating in PGP, they license it a perpetual to use that data without restriction.163 On the other hand, any information created or prepared by PGP from donated biospecimens and data, including the results of any research or analysis performed by or in collaboration with PGP, are “the property of and owned by the PGP and not by [participants].”164 Although PGP will attempt to make this information available to participants and the public, it states that it “is unable to guarantee if, when, or in what form [participants] will receive access to any information, data, or materials as part of [their] participation.”165 IX. Tort Liability The return of research results may give rise to tort liability under state law for researchers and laboratories. A tort is a civil wrong (other than a breach of contract) for which a remedy may be obtained, usually in the form of damages.166 Tort liability associated with the return of research results can generally be categorized as non-disclosure or disclosure liability. A. Non-Disclosure Liability There are several legal theories under which a researcher can be sued for failure to return results, although negligence has been identified as the “most probable” cause of action. An individual is liable for negligence where the individual owed a duty to another person, but breached that duty, and the person was harmed as a result (McGuire et al., 2014). Whether one owes a legal duty to another depends on the nature of their relationship and is highly context specific (Pike et al., 2014). In general, individuals owe a duty of reasonable care under the circumstances, but tort law imposes no affirmative duties to act for another's benefit, and individuals are not required to warn others of impending harm (Pike et al., 2014; Tovino, 2008). A number of factors can overcome this general tort law notion that individuals do not owe others affirmative duties, including the existence of a fiduciary relationship or other “special relationship,” as well as contractual obligations (Pike et al., 2014, p. 262). 162 This may be accomplished directly by contract or indirectly through informed consent documents, which have been interpreted in some circumstances as contracts. See, e.g., Grimes v. Kennedy Krieger Inst., Inc., 782 A.2d 807, 843-44 (Md. 2001). Individuals also can contractually agree to give broad rights to use their test results. Telephone communication with David Peloquin, associate, Ropes & Gray LLP (Nov. 22, 2017). 163 Consent Form Sect. 8.2 (rev. May 5, 2015), available at https://my.pgp-hms.org/static/PGP_Consent_2015-05- 05_online_stamped.pdf (last visited Sept. 29, 2017). 164 Consent Form, Sect. 8.3. 165 Consent Form, Sect. 8.3. 166 Black’s Law Dictionary. 10th ed. (2014). Tort. PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-33 B. Fiduciary Relationships Fiduciary relationships are two-way relationships based on trust: the principal must have placed trust in the fiduciary, and the fiduciary must have accepted that trust. The fiduciary duty has been described as “extremely high,” where the fiduciary has a duty “to act with undivided loyalty in the best interests of the principal” (Tovino, 2008, p. 251). Physicians are held to be fiduciaries of their patients and are obligated to use their specialized knowledge and skill to act primarily in their patients’ best interests (McGuire et al., 2014). Researchers, on the other hand, are generally not viewed as fiduciaries because their obligation is to produce generalizable knowledge, which may require acting in ways that are not primarily for the benefit of research participants (McGuire et al., 2014; Meltzer, 2006; Pike et al., 2014). In several notable cases, courts have declined to view researchers as fiduciaries of participants in their studies where the researchers were not also the participants’ treating physicians.167 There is a question, however, whether a researcher’s act of returning clinically relevant results to a research participant, including interpretation of the clinical relevance of those results, by itself constitutes the practice of medicine that transforms their relationship into one of physician and patient. If so, the researcher assumes the fiduciary duties of a physician. No court apparently has addressed this issue in a precedential opinion, although legal scholars have argued that communication of the need to seek care is not necessarily the practice of medicine: Law recognizes a distinction between informing a person of the need to seek medical care and actually rendering medical care. . . . Return of research results lacks the treatment step that is necessary to create a [physician-patient relationship] and transform research into medical practice.168 Another question is whether a laboratory is a health care provider, which is presented in a pending federal lawsuit in South Carolina. The Williams v. Quest Diagnostics lawsuit is based on allegations that a clinical laboratory returned erroneous genetic test results and did not provide corrected test results until almost eight years later.169 Bringing suit on behalf of her son, who died as a result of receiving the wrong treatment, the plaintiff alleges negligence and other claims based on the laboratory’s failure to correctly classify her son’s genetic variant consistent with 167 Greenberg v. Miami Children’s Hosp. Research Inst., Inc., 264 F. Supp. 2d 1064, 1070-72 (S.D. Fl. 2003) (explaining that there is “no automatic fiduciary relationship that attaches when a researcher accepts medical donations” and finding that the plaintiffs’ failure to sufficiently allege that the defendant researchers had accepted the plaintiffs’ trust was fatal to their claim); Ande v. Rock, 256 Wis. 2d 365, 377-79 (Wis. App. 2002) (finding no legally cognizable allegations in the complaint that there existed a physician-patient relationship between tested children and non-treating researchers); Moore v. Regents of the Univ. Cal., 51 Cal. 3d 120, 133 (1990) (rejecting the claim that researchers who were not physicians had a fiduciary relationship with the complainant). 168 Burke et al., supra note Error! Bookmark not defined., at 107. However, where the testing is conducted at the request of a physician, some scholars have argued that the “tests are merely an extension of the doctor’s favored methods for evaluating a patient and diagnosing the problem” and so the testing service is “part and parcel of the doctor’s practice of medicine.” Clement & Tribe, supra note Error! Bookmark not defined., at 12 (emphasis in original) (arguing that FDA cannot regulate LDTs because doing so would constitute unlawful interference with the practice of medicine). 169 Complaint, Williams v. Quest Diagnostics, Inc., Case No. 2016-CP-40-01166 (S.C. Ct. Com. Pl.) (filed Feb. 24, 2016). PREPUBLICATION COPY: UNCORRECTED PROOFS

C-34 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS then-known scientific information.170 However, the laboratory seeks to reframe the case as a medical malpractice suit, which would be barred under the state’s statutes of limitations and repose.171 To resolve this issue, the trial judge asked the South Carolina Supreme Court to determine (“certify” the question) whether a clinical laboratory is a licensed healthcare provider under South Carolina law.172 Although the federal court’s decision in this case will not be binding on subsequent cases except in limited circumstances,173 it nevertheless may have practical significance to the extent that judges presiding over similar cases choose to follow its reasoning.174 C. Special Relationships In addition to fiduciary relationships, “special relationships” between researchers and research participants can give rise to affirmative duties to disclose certain findings (McGuire et al., 2014). Two courts have recognized the potential existence of such a relationship in the research context in the absence of any physician-patient relationship. First, in Blaz v. Michael Reese Hospital Foundation, a federal court in Illinois found a special relationship existed between research participants and a physician in charge of follow-up to the research program by virtue of his specialized knowledge and communication with participants.175 Even though the participants were not the physician’s patients, the court held that the special relationship created a duty on the part of the physician to warn of risks. Two years later, in Grimes v. Kennedy Krieger Institute, Maryland’s highest court took a more expansive view and suggested that a special relationship between researchers and participants can exist by virtue of the “very nature of nontherapeutic scientific research” and also that informed consent documents can give rise to duties to warn.176 At issue in Grimes was a nontherapeutic study led by the Kennedy Krieger Institute (KKI) to investigate the effectiveness of lead-based paint abatement strategies in local housing rented to families with small children. The study included three treatment groups of homes that received varying levels of less-than- comprehensive lead abatement and two control groups of homes that received comprehensive 170 Id. 171 See Laurel Coons, Williams v. Athena Motion to Dismiss Hearing—SC Supreme Court May Be Asked to Decide Whether a Diagnostic Laboratory Qualifies as a Healthcare Provider, Genomics L. Rep. (Jan. 26, 2017), https://www.genomicslawreport.com/index.php/2017/01/26/williams-v-athena-motion-to-dismiss-hearing-sc- supreme-court-may-be-asked-to-decide-whether-a-diagnostic-laboratory-qualifies-as-a-healthcare-provider (accessed June 26, 2018). 172 See Turna Ray, Wrongful Death Suit Awaits Input from South Carolina Supreme Court, GenomeWeb (Apr. 4, 2017), https://www.genomeweb.com/molecular-diagnostics/wrongful-death-suit-awaits-input-south- carolina-supreme-court (accessed June 26, 2018). 173 Deborah Levenson, Lawsuit Raises Questions about Variant Interpretation and Communication, 173 Am. J. Med. Genetics Sequence 838, 839 (2017) (summarizing commentary by John Conley, William Rand Kenan Jr. Professor of Law, UNC School of Law). Specifically, if the decision is appealed to the U.S. Court of Appeals for the Fourth Circuit, that appellate court’s decision would be binding on federal courts within the Fourth Circuit applying the same South Carolina laws. See id. 174 See Coons, supra note Error! Bookmark not defined. (afterword by John Conley). Moreover, the South Carolina Supreme Court’s ruling on the narrow question whether clinical laboratories are licensed healthcare providers in South Carolina, which it has certified, will be binding on all courts applying South Carolina law. See id. 175 Blaz v. Michael Reese Hosp. Found., 74 F. Supp. 2d 803, 806-807 (N.D. Ill. 1999). 176 Grimes v. Kennedy Krieger Inst., Inc., 782 A.2d 807, 834-35 (Md. 2001). The details over the next several paragraphs can all be found in this opinion. PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-35 lead abatement or were more recently constructed and presumed not to have lead-based paint. The effectiveness of the abatement strategies was determined by comparing lead levels in the blood of the children with lead samples taken from the homes, exterior soil, and drinking water. The Grimes opinion is directed to the research experiences of two participants who were children. Participant Ericka Grimes lived with her family in a home where initial lead dust testing revealed “hot spots” of lead, although her mother was not informed of these results until 9 months after sample collection. In the meantime, Miss Grimes was tested three times for lead in her blood; the second and third tests detected elevated lead levels. Her family sued for failure to timely disclose the property’s elevated lead dust levels. Participant Myron Higgins lived with his mother in a home that tested positive for lead but had received partial abatement. After they moved in, lead dust samples were taken using two different methods; his mother was not informed of the elevated lead dust levels detected by one of the methods. Mr. Higgins was tested three times for lead in his blood, and all tests detected elevated lead levels. His family sued for failure to timely disclose the property’s original lead test results and failure to ever disclose the elevated lead dust levels detected after they moved in. The court granted summary judgment for KKI in both cases on grounds that KKI had no legal duty to warn the research participants of potential harms, and the rulings were appealed to the Court of Special Appeals.177 The Court of Appeals of Maryland then granted certiorari to consider the relevant issues and concluded that summary judgment was incorrectly granted because such a duty to warn may exist as a matter of law.178 The court held that “the very nature of nontherapeutic research on human subjects can, and normally will, create special relationships out of which duties arise.” The creation of such a relationship is especially likely where researchers “recruit people, especially children, whose consent is furnished indirectly,” to participate in potentially dangerous research. Alternatively, the court held that the informed consent documents signed by the participants’ family members created bilateral contracts that obliged KKI to provide “full, detailed, prompt, and continuing warnings as to all the potential risks and hazards inherent in the research or that [arose] during the research.” In its subsequent denial of a motion for reconsideration, however, the court clarified that its opinion was limited to the finding that summary judgment was improperly granted and that “[e]very issue bearing on liability or damages remains open for further factual development.” Furthermore, the opinion has been widely criticized and generally not followed. 179 D. Scope of Duties If researchers owe legal duties to participants with whom they interact, the scope of that duty and whether it includes an obligation to return certain results depends on the prevailing standard of care. The standard of care can be established by guidance and recommendations to return results, the recognition by scholars and the research community of an ethical obligation to 177 See id. at 818. 178 See id. at 818-19. 179 See, e.g., Pike et al., supra note Error! Bookmark not defined., at 820 n.132 (noting that “courts that have considered similar fact patterns have generally refused to extend the holding of Grimes, and Grimes has been the subject of significant scholarly criticism”); Diane E. Hoffmann & Karen H. Rothenberg, Whose Duty is it Anyway? The Kennedy Krieger Opinions and its Implications for Public Health Research, 6 J. Health Care L. & Pol’y 109 (2002) (criticizing the duty implied by the court as unclear and potentially overbroad). PREPUBLICATION COPY: UNCORRECTED PROOFS

C-36 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS return results, and a common practice of returning results (Pike et al., 2014; Tovino, 2008).180 Legal scholars have further explained that the “more encompassing guidelines and practices are with regard to return of results, the more sweeping the potential ethical and legal obligation” to do so will be. Furthermore, if the practice of returning results becomes routine, researchers “will be legally required” to do so because “[t]his is the way tort law has worked for decades” (Clayton and McGuire, 2012). Finally, in the case of physician-investigators, legal scholars have suggested that if the research itself generates individualized and identifiable data, medical obligations may trump research obligations and support a “higher duty to disclose relevant and significant findings” (McGuire et al., 2014). E. Disclosure Liability Many kinds of actions associated with the return of research results may give rise to tort liability. These include (1) The disclosure of correct results to the wrong individual, which might be caused by improper labeling of biospecimens or results; (2) The disclosure of incorrect results to the right individual, which might be caused by mishandling of biospecimens or improper test administration; (3) The disclosure of results to individuals who are not authorized to receive them; and (4) Failure to update previously disclosed results and to return the updated results. Researchers who return results must do so consistently with the standard of care and regulatory requirements. Thus, laboratories that deviate from good laboratory practices and standards regarding interpretation may be exposed to tort liability if they return erroneous results to individuals who are harmed as a result. In fields like genomics, however, the standard of care regarding interpretation is rapidly evolving. “[G]iven that there is still fervent debate about how to interpret variants,” legal scholars have argued, “it will be extremely difficult to prove what the standard of care is or that it has clearly been breached by a researcher acting in good faith who provides interpreted genetic results” (McGuire et al., 2014, p. 722). Nevertheless, researchers are generally required to comply with standards that are designed to maximize the analytic and clinical validity of findings. Legal scholars have concluded that if researchers return erroneous results generated by a research laboratory and not validated in a CLIA-certified lab and if they do not make it clear that the results need to be repeated before any clinical interventions are undertaken, those researchers may be liable in tort (McGuire et al., 2014). However, the legal effect of such disclaimers remains unclear, as does the question of whether they will absolve researchers of tort liability.181 Meanwhile, the disclosure of results to individuals who are not authorized to receive them may give rise to negligence claims in cases where, among other things, the tested 180 But see Wolf et al. (2015), pp. 440–441, describing numerous ethics recommendations on return of results that have been promulgated over the years, none of which has been cited in support of legal liability. 181 CMS has made clear, however, that the use of disclaimers in returning research results will not absolve a laboratory from the legal requirement to be CLIA-certified in order to return such results. Telephone communication with Penelope Meyers, technical director, Division of Laboratory Services, CMS (Nov. 16, 2017). PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-37 individual suffered discrimination as a result. These negligence claims would be in addition to any privacy claims that might be available to the tested individual.182 On the other hand, a laboratory’s obligation to update previously returned results in response to, for example, new scientific evidence or consensus or following the laboratory’s adoption of a different classification scheme, remains unsettled. This question is raised in Williams v. Quest Diagnostics but has not yet been resolved.183 X. Anti-Discrimination Statutes There is a complex web of federal and state laws that address unwanted access to and the discriminatory use of health information. Whereas unwanted access is the domain of privacy laws, which are based on ethical principles of autonomy, discriminatory use is the domain of anti-discrimination laws, which are animated by concerns about equality and fairness (Roberts, 2015). As noted by legal scholars, however, privacy laws can “do the work” of preventing discrimination by blocking access to information that might be the basis for discriminatory conduct (Roberts, 2015). Therefore, provisions relevant to both types of activities are sometimes included in the same statute. A. Federal Statutes The major federal statutes that address problematic downstream uses of health information, whether generated in research or clinical contexts, are the Genetic Information Nondiscrimination Act (GINA), which is focused on genetic information, and the Americans with Disabilities Act (ADA), which is directed toward actual and perceived disabilities. 1. Genetic Information Nondiscrimination Act Passed in 2008, GINA limits access to and use of genetic information in health insurance and employment contexts, where an individual’s genetic information is generally defined to encompass information about his or her genetic tests, the genetic tests of family members, the manifestation of a disease or disorder in family members, the request or receipt of genetic services by the individual or family members, and participation in clinical research by the individual or family members that includes genetic services184 The legislative purpose of GINA is to promote genetic testing for personal health and research purposes by allaying concerns about the potential misuse of information learned from genetic tests.185 Prior to the passage of GINA, HIPAA prohibited group health insurers from using genetic information to determine eligibility or set premiums for individuals or from treating 182 See Part X. 183 Complaint, Williams v. Quest Diagnostics, Case No. 2016-CP-40-01166 (Ct. Com. Pl.) (filed Feb. 24, 2016). In Williams, the clinical laboratory allegedly made an error in the original variant classification, which did not reflect the then-existing literature, and it did not correct this classification in a revised report until 8 years later. The plaintiff’s position is that the revised report corrected an error rather than provided an update or reinterpretation. See Wagner (2016a). The analogous question regarding the potential duty of physicians to provide patients new information that might be relevant to their ongoing medical care is addressed in Rothstein and Siegal (2012). 184 Genetic Information Nondiscrimination Act (GINA) of 2008, Pub. L. No. 110-233 (2008) (codified as amended in scattered sections of 26, 29, and 42 U.S.C.). 185 See Sect. 2 of GINA. PREPUBLICATION COPY: UNCORRECTED PROOFS

C-38 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS genetic information as the basis of a pre-existing condition exclusion.186 GINA extended these protections to individual health insurers (Sarata and Feder, 2015). GINA further prohibits group health insurers from using genetic information about an individual to determine coverage or set premiums for a group.187 Moreover, under GINA, health insurers cannot request or require genetic testing prior to an individual’s enrollment and cannot request, require, or purchase genetic information for underwriting purposes. 188 While health insurers cannot deny coverage on the basis of genetic information, however, GINA permits them to do so based on already expressed genetic conditions (Green et al., 2015). This loophole was closed in 2011 by the Patient Protection and Affordable Care Act (ACA), which prohibits health insurers from denying coverage based on pre-existing condition.189 GINA similarly limits both access to and the use of genetic information by employers.190 Thus, employers are prohibited from requesting, requiring, or purchasing genetic information about employees or their family members.191 Employers are also enjoined from using genetic information to make employment decisions related to, e.g., hiring, firing, promotion, and compensation, or to deprive employees of employment opportunities.192 Finally, employers must treat the genetic information of their employees as confidential medical records that generally may not be disclosed.193 Yet GINA, even as amended by the ACA, has important limits. It applies only to health insurers and employers, for example; it does not apply to life, disability, or long-term care insurers or to other contexts in which discrimination may occur, such as housing and education. With respect to its prohibitions on employers, GINA does not protect against discrimination based on non-genetic health information or manifested disease.194 Furthermore, and seemingly at odds with GINA’s ban on requesting genetic information, the ACA encourages employers to offer wellness programs that tie health insurance costs to program participation, which may include diagnostic testing programs.195 For these and other reasons, GINA has been widely criticized.196 From fiscal years 2010 to 2017, the Equal Employment Opportunity Commission (EEOC), which is responsible for enforcing GINA, received between 201 and 333 GINA-related complaints each year (EEOC., n.d.a). 186 29 U.S.C., Sect. 1181 (effective to Feb.16, 2009); 29 U.S.C., Sect. 1182 (effective to May 20, 2008). 187 See Amanda K. Sarata & Jody Feder, Genetic Information Nondiscrimination Act of 2008 (GINA), Cong. Res. Serv. Report No. RL34584, at 5, 10 (Aug. 6, 2015) (explaining the legal effect of GINA). 188 42 U.S.C., Sect. 300gg-4(d). 189 Patient Protection and Affordable Care Act (ACA), Pub. L. No. 111-148 Sect. 1201 (2010) (codified at 42 U.S.C. Sect. 300gg-3). 190 The predecessor to these provisions is Executive Order 13145, signed by President Clinton in 2000, which forbids federal executive departments and agencies from using employees’ genetic information to make employment decisions; requesting, collecting, or purchasing employees’ genetic information; or disclosing employees’ genetic information except in limited circumstances. Exec. Order No. 13145, 65 Fed. Reg. 6877 (Feb. 8, 2000), available at https://www.eeoc.gov/eeoc/history/35th/thelaw/13145.html (accessed June 26, 2018). 191 42 U.S.C., Sect. 200ff-1(b). 192 42 U.S.C., Sect. 200ff-1(a). 193 42 U.S.C., Sect. 200ff-15(a)–(b). 194 42 U.S.C., Sect. 2000ff(2)(B) (adopting the definition of “employer” at 42 U.S.C. Sect. 2000e(b)). 195 42 U.S.C., Sect. 300gg-4(b)(2)(B), 300gg-4(j). 196 See, e.g., Mark A. Rothstein, Putting the Genetic Information Nondiscrimination Act in Context, 10 GENETICS MED. 655 (2008). PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-39 2. Americans with Disabilities Act While GINA prohibits discrimination on the basis of genetic information, the ADA prohibits discrimination against individuals with disabilities in employment, public services, and public accommodations contexts.197 The threshold issue in every ADA case is whether the individual alleging discrimination has a disability. The ADA, as amended by the ADA Amendments Act of 2008, defines a disability as (1) a physical or mental impairment that substantially limits one or more “major life activities” of an individual, (2) a record of such an impairment, or (3) being regarded as having such an impairment.198 A major life activity is defined to include activities such as concentrating, communicating, caring for oneself, and performing manual tasks as well as carrying out major bodily functions.199 Although the ADA specifies that the definition of disability should “be construed in favor of broad coverage of individuals . . . to the maximum extent permitted,”200 it is unclear whether an asymptomatic individual, such as an individual who has a genetic predisposition for a not-yet- manifested condition, can have a disability recognized by the ADA.201 This question is presented in Chadam v. Palo Alto Unified School District, a lawsuit filed on behalf of a California student who was asked to transfer middle schools on the basis of his genetic status as a carrier of a variant associated with cystic fibrosis.202 The student, who has not exhibited symptoms of the disease, alleged that the school districts’ actions violated the ADA, and in 2016, the U.S. Court of Appeals for the Ninth Circuit upheld his claim on appeal of its dismissal.203 The case remains pending.204 In employment contexts, the ADA prohibits employers from discriminating against individuals who (with or without reasonable accommodation) can perform the essential functions of employment positions.205 Employers are further prohibited from conducting medical examinations or making inquiries of job applicants and employees as to whether they have a disability or about the nature or severity of such disability unless the examinations or inquiries are job-related.206 However, employers may conduct examinations and make inquiries after a job offer has been made (but before employment has begun) for any reason, and they may condition the offer on the results so long as any exclusionary criteria that are applied are job-related and consistent with business necessity.207 197 Americans with Disabilities Act (ADA) of 1990, Pub. L. No. 101-336 (codified at 42 U.S.C. ch. 126 and amended by the ADA Amendments Act of 2008, Pub. L. No. 110-325 (2008)). 198 42 U.S.C., Sect. 12102(1). 199 42 U.S.S., Sect. 12102(2). 200 42 U.S.C., Sect. 12102(4)(A). 201 Compare Disability Discrimination in the Workplace Sect. 13:8 (updated Oct. 2017), stating that asymptomatic individuals might be covered if they are “regarded as” or perceived to be disabled, with Prince and Berkman (2012), stating that “[t]here is arguably no protection for individuals who have manifested some symptoms, but whose symptoms have not risen to the level of substantial limitations.” 202 Complaint, Chadam v. Palo Alto Unified School District, Case No. 4:13-cv-04129-CW (N.D. Cal.) (filed Feb. 28, 2014). It is unclear from the pleadings whether the student is a cystic fibrosis carrier or rather has the cystic fibrosis genotype). See Wagner (2016b). 203 Memorandum, Chadam v. Palo Alto Unified School District, No. 14-17349, D.C. No. 4:13-cv-04129-CW (9th Cir. 2016) (unpublished and non-precedential). 204 A 5-day jury trial has been scheduled for September 2018. See Wagner (2017b). 205 42 U.S.C., Sect. 12112(a)–(b); 29 C.F.R., Sect. 1630.4(a). 206 42 U.S.C., Sect. 12112(d); 29 C.F.R., Sect. 1630.14(a), 1630.14(c). 207 42 U.S.C., Sect. 12112(d)(3); 29 C.F.R., Sect. 1630.14(b). PREPUBLICATION COPY: UNCORRECTED PROOFS

C-40 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS From fiscal years 2010 to 2016, the EEOC, which also is responsible for enforcing alleged violations of the employment discrimination provisions of the ADA, received approximately 25,000 ADA-related complaints each year (EEOC, n.d.b). B. State Statutes GINA and the ADA establish a floor of minimum protection against health-related discrimination and do not preempt state laws that provide equal or greater protection.208 Over the years, many state anti-discrimination statutes have been enacted that vary widely in scope and applicability. In the area of genetic discrimination, some states haves enacted anti-discrimination statutes limited to specific genetic conditions. For example, in 1975, North Carolina became the first state to prohibit employment discrimination against individuals with sickle cell trait or hemoglobin C trait.209 States like New Jersey have expanded this list to also include thalassemia trait, Tay-Sachs trait, and cystic fibrosis trait.210 Most states, however, have enacted general laws that prohibit employment or insurance discrimination based upon genetic test results or “genetic status.”211 According to the National Human Genome Research Institute, 35 states and the District of Columbia have enacted statutes that limit unwanted access to or the discriminatory use of genetic information in employment contexts, and 48 states and the District of Columbia have enacted similar statutes limiting these activities in health insurance contexts. Moreover, 24 states have passed laws regulating genetic discrimination by life, disability, or long-term care insurers (NHGRI, 2017b). In 2011, California passed the most comprehensive anti-discrimination statute to date, the California Genetic Information Nondiscrimination Act (CalGINA), which prohibits genetic discrimination in emergency medical services, housing, mortgage lending, and state-funded programs, including public education.212 REFERENCES Alessi, S. A. 2013. The return of results in genetic testing: Who owes what to whom, when, and why? Hastings Law Journal 64(6):1697–1726. American Jurisprudence, 2d. 2017. Volume 16a, “Constitutional Law.” Lawyers Cooperative Publishing. 208 See 42 U.S.C. Sect., 2000ff-8(a)(1) (GINA employment provisions); 42 U.S.C. Sect. 12201 (ADA). 209 N.C. Gen. Stat., Sect. 95-28.1 (2017). 210 N.J. Stat. Ann., Sect. 10:5-5(x), 10:5-12 (2017). 211 See, e.g., Ariz. Rev. Stat. Ann., Sect. 41-1463(B)(3) (2017) (prohibiting employment discrimination against individuals based on the results of genetic tests received by employers); West’s Fl. Stat. Ann., Sect. 627.4301(2) (2017) (prohibiting health insurers from canceling, limiting, or denying coverage, or establishing differentials in premium rates, based on genetic test results). 212 California Genetic Information Nondiscrimination Act, 2011 Cal. Legis. Serv. ch. 261 (West) (Senate Bill No. 559). See also Wagner (2016b), explaining CalGINA’s applicability to educational contexts. PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-41 Barker, J. 2017. “DNA day” planned for Ravens’ game undergoes federal and state scrutiny. Baltimore Sun, September 18. http://www.baltimoresun.com/business/bs-bz-ravens-dna-day-20170918- story.html (accessed April 15, 2018). Barnes, M., S. Stayn, D. Forster, M. Russell-Einhorn, D. Peloquin, and A. Medina-Jordan. 2015. The CLIA-HIPAA conundrum of returning test results to research participants. Medical Research Law & Policy Report 14 MRLR 491. https://www.ropesgray.com/~/media/Files/articles/2015/July/2015-07-15-Bloomberg-BNA.ashx (accessed April 16, 2018). Burke, W., B. J. Evans, and G. P. Jarvik. 2014. Return of results: Ethical and legal distinctions between research and clinical care. American Journal of Medical Genetics: Seminar in Medical Genetics 166C(1):105–111. C.J.S. (Corpus Juris Secundum). 2017. Volume 16, Constitutional Law. Thomson West. Clayton. E. W., and A. L. McGuire. 2012. The legal risks of returning results of genomic research. Genetics in Medicine 14(4):473–477. Clement, P. D., and L. H. Tribe. 2015. Laboratory testing services, as the practice of medicine, cannot be regulated as medical devices. American Clinical Laboratory Association white paper, Jan. 6. http://www.acla.com/wp-content/uploads/2015/01/Tribe-Clement-White-Paper-1-6-15.pdf (accessed April 15, 2018). CMS (Centers for Medicare & Medicaid Services). 2013. CLIA overview. https://www.cms.gov/Regulations-and-Guidance/Legislation/CLIA/Downloads/LDT-and- CLIA_FAQs.pdf (accessed April 14, 2018). CMS. 2014a. Research Testing and Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations. https://www.cms.gov/Regulations-and- Guidance/Legislation/CLIA/Downloads/Research-Testing-and-CLIA.pdf (accessed April 14, 2018). CMS. 2014b. Memorandum from Thomas Hamilton, director of survey and certification group, to state survey agency directors. Ref: S&C:14-11-CLIA. Feb. 7. https://www.cms.gov/Medicare/Provider-Enrollment-and- Certification/SurveyCertificationGenInfo/Downloads/Survey-and-Cert-Letter-14-11.pdf (accessed April 15, 2018). CMS. 2016. Administrative simplification: Covered entity guidance. https://www.cms.gov/Regulations- and-Guidance/Administrative-Simplification/HIPAA- ACA/Downloads/CoveredEntitiesChart20160617.pdf (accessed April 14, 2018). CMS. 2017a. Laboratory registry. https://www.cms.gov/Regulations-and- Guidance/Legislation/CLIA/Laboratory_Registry.html (accessed April 15, 2018). CMS. 2017b. CLIA-related hearing decisions. https://www.cms.gov/Regulations-and- Guidance/Legislation/CLIA/Downloads/Hearing-Index-August-14-2017.pdf (accessed April 15, 2018). CMS. 2017c. Transactions overview. https://www.cms.gov/Regulations-and-Guidance/Administrative- Simplification/Transactions/TransactionsOverview.html (accessed April 14, 2018). CMS. 2018. List of exempt states under the Clinical Laboratory Improvement Amendments (CLIA). https://www.cms.gov/Regulations-and- Guidance/Legislation/CLIA/Downloads/ExemptStatesList.pdf (accessed April 15, 2018). Contreras, J. L. 2016. Genetic property. Georgetown Law Journal 105(1):1–54. Coons, L., and J. Conley. 2017. Williams v. Athena motion to dismiss hearing—SC Supreme Court may be asked to decide whether a diagnostic laboratory qualifies as a healthcare provider. Genomics Law Report, January 26. https://www.genomicslawreport.com/index.php/2017/01/26/williams-v- athena-motion-to-dismiss-hearing-sc-supreme-court-may-be-asked-to-decide-whether-a- diagnostic-laboratory-qualifies-as-a-healthcare-provider/ (accessed April 16, 2018). PREPUBLICATION COPY: UNCORRECTED PROOFS

C-42 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS Curnutte, M. A., K. L. Frumovitz, J. M. Bollinger, A. L. McGuire, and D. L. Kaufman. 2014. Development of the clinical next-generation sequencing industry in a shifting policy climate. Nature Biotechnology 32(10):980–982. Dressler, L. G., S. Smolek, R. Ponsaran, J. M. Markey, H. Starks, N. Gerson, S. Lewis, N. Press, E. Juengst, G. L. Wiesner, and the GRRIP Consortium. 2012. IRB perspectives on the return of individual results from genomic research. Genetics in Medicine 14(2):215–222. East Carolina University. 2014. HIPAA designated record set. https://www.ecu.edu/prr/12/60/14 (accessed April 16, 2018). EEOC (U.S. Equal Employment Opportunity Commission). n.d.a. Genetic Information Non- Discrimination Act charges. https://www.eeoc.gov/eeoc/statistics/enforcement/genetic.cfm (accessed April 18, 2018). EEOC. n.d.b. Americans with Disabilities Act of 1990 (ADA) charges. https://www.eeoc.gov/eeoc/statistics/enforcement/ada-charges.cfm (accessed April 15, 2018). Evans, B. J. 2014. The First Amendment right to speak about the human genome. University of Pennsylvania Journal of Constitutional Law 16(3):549–636. Evans, B. J. 2015. The limits of FDA’s authority to regulate clinical research involving high throughput DNA sequencing. Food and Drug Law Journal 70(2):259–287. Evans, B. J., M. O. Dorschner, W. Burke, and G. P. Jarvik. 2014. Regulatory changes raise troubling questions for genomic testing. Genetics in Medicine 16(11):799–803. Fasbitz, R. R., A. McGuire, R. R. Sharp, M. Puggal, L. M. Beskow, L. G. Biesecker, E. Bookman, W. Burke, E. G. Burchard, G. Church, E. W. Clayton, J. H. Eckfeldt, C. V. Fernandez, R. Fisher, S. M. Fullerton, S. Gabriel, F. Gachupin, C. James, G. P. Jarvik, R. Kittles, J. R. Leib, C. O’Donnell, P. P. O’Rourke, L. L. Rodriguez, S. D. Schully, A. R. Shuldiner, R. K. Sze, J. V. Thakuria, S. M. Wolf, and G. L. Burke. 2010. Ethical and practical guidelines for reporting genetic research results to study participants: Updated guidelines from a National Heart, Lung, and Blood Institute Working Group. Circulation: Cardiovascular Genetics 3(6):574–580. FDA (Food and Drug Administration). 2006. Information sheet guidance for IRBs, clinical investigators, and sponsors: Significant risk and nonsignificant risk medical device studies. https://www.fda.gov/downloads/RegulatoryInformation/Guidances/UCM126418.pdf (accessed April 14, 2018). FDA. 2010. Guidance for industry and FDA staff: In vitro diagnostic (IVD) device studies—Frequently asked questions. https://www.fda.gov/downloads/MedicalDevices/.../ucm071230.pdf (accessed April 14, 2018). FDA. 2014a. Device classification panels. https://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/Overview/ClassifyYourDev ice/ucm051530.htm (accessed April 15, 2018). FDA. 2014b. Draft guidance for industry, Food and Drug Administration staff, and clinical laboratories: Framework for regulatory oversight of laboratory developed tests (LDTs). Center for Biologics Evaluation and Research, FDA, Oct. 3. https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocument s/ucm416685.pdf (accessed April 15, 2018). FDA. 2017a. Laboratory developed tests. https://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/InVitroDiagnostics/Laborat oryDevelopedTests/default.htm (accessed April 15, 2018). FDA. 2017b. Discussion paper on laboratory developed tests (LDTs). Jan. 13. https://www.fda.gov/downloads/MedicalDevices/ProductsandMedicalProcedures/InVitroDiagnos tics/LaboratoryDevelopedTests/UCM536965.pdf (accessed April 15, 2018). FDA. 2017c. Decision summary, DEN160026: Evaluation of automatic Class III designation for the 23andMe Personal Genome Service (PGS) genetic health risk test for hereditary thrombophilia, alpha-1 antitrypsin deficiency, Alzheimer’s disease, Parkinson’s disease, Gaucher disease type 1, factor XI deficiency, celiac disease, G6PD deficiency, hereditary hemochromatosis and early- PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-43 onset primary dystonia, Nov. 2. https://www.accessdata.fda.gov/cdrh_docs/reviews/DEN160026.pdf (accessed April 15, 2018). Feldman, R., and J. Newman. 2013. Copyright at the bedside: Should we stop the spread? Stanford Technology Law Review 16(3):623–655. Garner, B. A. (ed.) 2014. Black’s law dictionary, 10th ed. Thomson West. Glennon, M. J. 1985. Raising the Paquete Habana: Is violation of customary international law by the executive unconstitutional? Northwestern University Law Review 80:321, 348–358. Gordon, M. P. 2009. A legal duty to disclose individual research findings to research subjects? Food and Drug Law Journal 64(1):225–260. Gosfield, A. G. (ed.) 2013. Health law handbook. New York: Clark Boardman Callaghan. Green, R. C., D. Lautenbach, and A. L. McGuire. 2015. GINA, genetic discrimination, and genomic medicine. New England Journal of Medicine 372:397–399 (2015). Guerrini, C. J., A. L. McGuire, and M. A. Majumder. 2017. Myriad take two: Can genomic databases remain secret? Science 356:586–587. Harnad, G. K., J. Holben, S. Larsen, and K. Oakes. 2017. Chapter 218 in American Jurisprudence, 2d. Volume 2, “Administrative Law.” Lawyers Cooperative Publishing. Harvard Personal Genome Project. n.d. About. https://pgp.med.harvard.edu/about/ (accessed April 16, 2018). HHS (Department of Health and Human Services). 2016. Individuals’ right under HIPAA to access their health information 45 C.F.R. § 164.524. https://www.hhs.gov/hipaa/for- professionals/privacy/guidance/access/index.html (accessed April 14, 2018). Jarvik, G. P., L. M. Amendola, J. S. Berg, K. Brothers, E. W. Clayton, W. Chung, B. J. Evans, J. P. Evans, S. M. Fullerton, C. J. Gallego, N. A. Garrison, S. W. Gray, I. A. Holm, I. J. Kullo, L. S. Lehmann, C. McCarty, C. A. Prows, H. L. Rehm, R. R. Sharp, J. Salama, S. Sanderson, S. L. Van Driest, M. S. Williams, S. M. Wolf, W. A. Wolf; eMERGE Act–ROR Committee and CERC Committee; CSER Act–ROR Working Group, and W. Burke. 2014. Return of genomic results to research participants: The floor, the ceiling, and the choices in between. American Journal of Human Genetics 94(6):818–826. Javitt, G. H. 2013. Take another little piece of my heart: Regulating the research use of human biospecimens. Journal of Law, Medicine, & Ethics 41(2):424–439. Javitt, G. H, 2014. FDA’s legally-suspect shift of clinical lab test regulation through guidance documents. The WLF Legal Pulse, Aug. 20/ https://wlflegalpulse.com/2014/08/20/fdas-legally-suspect-shift- of-clinical-lab-test-regulation-through-guidance-documents/ (accessed April 15, 2018). Javitt, G. H., and K. S. Carner. 2014. Regulation of next generation sequencing: A policy analysis. Journal of Law, Medicine, & Ethics 42:9–21. JHM (Johns Hopkins Medicine). 2013. 101.2 Organization policy on research laboratory testing results. http://www.hopkinsmedicine.org/institutional_review_board/guidelines_policies/organization_po licies/101_2.html (accessed April 16, 2018). JHM. 2015. HIPAA questions and answers relating to research. http://www.hopkinsmedicine.org/institutional_review_board/hipaa_research/faq_research.html (accessed April 16, 2018). Karow, J. 2014. First newborn sequencing study gets FDA green light while others still await approval. GenomeWeb, December 17. https://www.genomeweb.com/sequencing-technology/first-newborn- sequencing-study-gets-fda-green-light-while-others-still-await (accessed April 14, 2018). Koch, C. H., Jr., and R. Murphy. 2017. Administrative law and practice, 3rd ed. Thomson West. Kwon, S. Y. 2016. Regulating personalized medicine. Berkeley Technology Law Journal 31:931– 960. Ledbetter, D. H., and W. A. Faucett. 2008. Issues in genetic testing for ultra-rare diseases: Background and introduction. Genetics in Medicine 10(5):309–313. Lee, B. M. 2018. Comparison of FDA and HHS human subject protection regulations. https://www.fda.gov/ScienceResearch/SpecialTopics/RunningClinicalTrials/EducationalMaterials /ucm112910.htm (accessed April 15, 2018). PREPUBLICATION COPY: UNCORRECTED PROOFS

C-44 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS Levenson, D. 2017. Lawsuit raises questions about variant interpretation and communication. American Journal of Medical Genetics 173:838–839. McGuire, A. L., B. M. Knoppers, M. H. Zawati, and E. W. Clayton. 2014. Can I be sued for that? Liability risk and the disclosure of clinically significant research findings. Genome Research 24(5):719–723. Meltzer, L. A. 2006. Undesirable implications of disclosing individual genetic results to research participants. American Journal of Bioethics 6(6):28–30. Meyers, P. 2011. CLIA and research results (presentation to the Secretary’s Advisory Committee on Human Research Protections, Mar. 8). http://wayback.archive-it.org/org- 745/20150824191143/http://www.hhs.gov/ohrp/sachrp/mtgings/mtg03-11/rirr_by_p_meyers.pdf (accessed April 14, 2018). NHGRI (National Human Genome Research Institute). 2016. National Human Genome Research Institute (NHGRI) Investigational Device Exemptions (IDEs) and Genomics Workshop. Meeting report: Summary, standing questions, and next steps. https://www.genome.gov/multimedia/slides/ideworkshop/ide_workshop_meeting_report.pdf (accessed April 14, 2018). NHGRI. 2017a. Points to consider regarding the Food and Drug Administration's investigational device exemption regulations in the context of genomics research. https://www.genome.gov/27561291/points-to-consider-in-assessing-when-an-investigational- device-exemption-ide-might-be-needed/ (accessed April 14, 2018). NHGRI. 2017b. Table of state statutes related to genomics. https://www.genome.gov/27552194/table-of- state-statutes-related-to-genomics/ (accessed April 15, 2018). NYU (New York University) Langone Health System. 2016. Policy: Designated record set. http://nyulangone.org/files/policy-designated-record-set-oct-16.pdf (accessed April 16, 2018). OCR (Office for Civil Rights). 2017a. What OCR considers during intake and review. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/what-OCR- considers-during-intake-and-review/index.html?language=en (accessed April 14, 2018). OCR. 2017b. How OCR enforces the HIPAA privacy & security rules. https://www.hhs.gov/hipaa/for- professionals/compliance-enforcement/examples/how-OCR-enforces-the-HIPAA-privacy-and- security-rules/index.html (accessed April 14, 2018). OCR. 2017c. All case examples. https://www.hhs.gov/hipaa/for-professionals/compliance- enforcement/examples/all-cases/index.html#case6 (accessed April 16, 2018). OCR. 2018a. Enforcement results as of October 31, 2017. https://www.hhs.gov/hipaa/for- professionals/compliance-enforcement/data/enforcement-highlights/index.html (accessed April 14, 2018). OCR. 2018b. Resolution agreements and civil money penalties. https://www.hhs.gov/hipaa/for- professionals/compliance-enforcement/agreements/index.html (accessed April 14, 2018). OCR. 2018c. Top five issues in investigated cases closed with corrective action, by calendar year. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/top-five-issues- investigated-cases-closed-corrective-action-calendar-year/index.html?language=es (accessed April 14, 2018). OHRP (Office for Human Research Protections). 2008. Coded private information or specimens use in research: Guidance. https://www.hhs.gov/ohrp/regulations-and-policy/guidance/research- involving-coded-private-information/index.html (accessed April 14, 2018). OHRP. 2015a. Attachment D: Recommendations regarding return of general research results. https://www.hhs.gov/ohrp/sachrp-committee/recommendations/2015-april-24-attachment- d/index.html (accessed April 17, 2018). OHRP. 2015b. Attachment C: Return of individual results and special consideration of issues arising from amendments of HIPAA and CLIA. https://www.hhs.gov/ohrp/sachrp- committee/recommendations/2015-september-28-attachment-c/index.html (accessed April 17, 2018). PREPUBLICATION COPY: UNCORRECTED PROOFS

APPENDIX C C-45 OHRP. 2016. Attachment B: Return of individual research results. https://www.hhs.gov/ohrp/sachrp- committee/recommendations/attachment-b-return-individual-research-results/index.html (accessed April 17, 2018). OMB (Office of Management and Budget). 2017. Pending EO 12866 regulatory review. https://www.reginfo.gov/public/do/eoDetails?rrid=127614 (accessed April 15, 2018). O’Reilly, J. T. 2017. Administrative rulemaking: Structuring, opposing, and defending federal regulations. Online ed. https://www.jstor.org/stable/40709258?seq=1#page_scan_tab_contents (accessed April 18, 2018). ORIG3N. 2018. Home page. https://orig3n.com/ (accessed April 15, 2018). Park, S. S., and L. M. Lapidus. 2016. Health information privacy complaint. Filed with Office for Civil Rights, U.S. Department of Health and Human Services, May 19. https://www.aclu.org/sites/default/files/field_document/2016.5.19_hipaa_complaint.pdf (accessed April 16, 2018). Pike, E. R., K. H. Rothenberg, and B. E. Berkman. 2014. Finding fault? Exploring legal duties to return incidental findings in genomic research, Georgetown Law Journal 102:795–843. Prince, A. E. R., and B. Berkman. 2012. When does an illness begin: Genetic discrimination and disease manifestation. Journal of Law, Medicine, Ethics 40(3):655–664. Prince, A. E. R., J. M. Conley, A. M. Davis, G. Lazaro-Munoz, and R. J. Cadigan. 2015. Automatic placement of genomic research results in medical records: Do researchers have a duty? Should participants have a choice? Journal of Law, Medicine, & Ethics 43(4):827–842. Ray, T. 2017. Wrongful death suit awaits input from South Carolina Supreme Court. GenomeWeb, April 4. https://www.genomeweb.com/molecular-diagnostics/wrongful-death-suit-awaits-input-south- carolina-supreme-court (accessed April 15, 2018). Roberts, J. L. 2015. Protecting privacy to prevent discrimination. William & Mary Law Review 56:2097– 2174. Rothstein, M. A. 2015. Ethical issues in big data health research. Journal of Law, Medicine, & Ethics 43(2):425–429. Rothstein, M. A., and G. Siegal. 2012. Health information technology and physicians’ duty to notify patients of new medical developments. Houston Journal of Health Law & Policy 12: 93–136. Sarata, A. K., and J. Feder. 2015. The Genetic Information Nondiscrimination Act of 2008 (GINA). Congressional Research Service Report No. RL34584. https://fas.org/sgp/crs/misc/RL34584.pdf (accessed April 15, 2018). Spector-Bagdady. K. 2016. “The Google of healthcare”: Enabling the privitization of genetic bio/databanking. Annals of Epidemiology 26(7):515–519. Tovino, S. A. 2008. Incidental findings: A common law approach. Accountability in Research 15(4):242– 261. Valentine, J. E., and D. B. Clissold. 2017. The final Common Rule: Much either retained or removed, but not much new added. FDA Law Blog, Feb. 17. http://www.fdalawblog.net/fda_law_blog_hyman_phelps/2017/02/the-final-common-rule-much- either-retained-or-removed-but-not-much-new-added-.html (accessed April 15, 2018). Wadsworth Center. n.d. Test approval. New York State Department of Health. https://www.wadsworth.org/regulatory/clep/clinical-labs/obtain-permit/test-approval (accessed April 14, 2018). Wagner, J. K. 2016a. Litigating the accountability of clinical genomics laboratories. Genomics Law Report, May 31. https://www.genomicslawreport.com/index.php/2016/05/31/litigating-the- accountability-of-genomics-laboratories/ (accessed April 15, 2018). Wagner, J. K. 2016b. Genetic discrimination case against school district is appealed to Ninth Circuit. Genomics Law Report, February 2. https://www.genomicslawreport.com/index.php/2016/02/02/genetic-discrimination-case-against- school-district-is-appealed-to-ninth-circuit/ (accessed April 15, 2018). PREPUBLICATION COPY: UNCORRECTED PROOFS

C-46 RETURNING INDIVIDUAL RESEARCH RESULTS TO PARTICIPANTS Wagner, J. K. 2017a. A constitutional challenge to Alaska’s genetic privacy statute. Genomics Law Report, July 18. https://www.genomicslawreport.com/index.php/2017/07/18/a-constitutional- challenge-to-alaskas-genetic-privacy-statute/ (accessed April 16, 2018). Wagner, J. K. 2017b. Keeping an eye on “perceived disability” litigation in California: Chadam v. Palo Alto Unified School District. Genomics Law Report, May 2. https://www.genomicslawreport.com/index.php/2017/05/02/keeping-an-eye-on-perceived- disability-litigation-in-california-chadam-v-palo-alto-unified-school-district/ (accessed April 15, 2018). Wolf, S. M. 2012. The role of law in the debate over return of research results and incidental findings: The challenge of developing law for translational science. Minnesota Journal of Law, Science, & Technology 13(2):doi:10.2139/ssrn.2117289. Wolf, S. M., J. Paradise, and C. Caga-anan. 2008. The law of incidental findings in human subjects research: Establishing researchers’ duties. Journal of Law, Medicine, & Ethics 36(2):361–383. Wolf, S. M., R. Branum, B. A. Koenig, G. M. Petersen, S. A. Berry, L. M. Beskow, M. B. Daly, C. V. Fernandez, R. C. Green, B. S. LeRoy, N. M. Lindor, P. P. O’Rourke, C. R. Breitkopf, M. A. Rothstein, B. Van Ness, and B. S. Wilfond. 2015. Returning a research participant’s genomic results to relatives: Analysis and recommendations. Journal of Law, Medicine, & Ethics 43(3):440–463. Zettler, P. J. 2015. Toward coherent federal oversight of medicine. San Diego Law Review 52:427–500. PREPUBLICATION COPY: UNCORRECTED PROOFS

Next: Appendix D The Return of Individual-Specific Research Results from Laboratories: Perspectives and Ethical Underpinnings »
Returning Individual Research Results to Participants: Guidance for a New Research Paradigm Get This Book
×
Buy Prepub | $94.00 Buy Paperback | $85.00
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

When is it appropriate to return individual research results to participants? The immense interest in this question has been fostered by the growing movement toward greater transparency and participant engagement in the research enterprise. Yet, the risks of returning individual research results—such as results with unknown validity—and the associated burdens on the research enterprise are competing considerations.

Returning Individual Research Results to Participants reviews the current evidence on the benefits, harms, and costs of returning individual research results, while also considering the ethical, social, operational, and regulatory aspects of the practice. This report includes 12 recommendations directed to various stakeholders—investigators, sponsors, research institutions, institutional review boards (IRBs), regulators, and participants—and are designed to help (1) support decision making regarding the return of results on a study-by-study basis, (2) promote high-quality individual research results, (3) foster participant understanding of individual research results, and (4) revise and harmonize current regulations.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!