Returning Individual Research Results to Participants Guidance for a New Research Paradigm (2018) / Chapter Skim
Currently Skimming:
Appendix C: Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research
Appendix C: Analysis of Legal and Regulatory Landscape Relevant to Return of Individual Results Generated from Biospecimens in Research
Pages 295-338
The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.
From page 295... ...
Original Access Rule, 310 C Revised Access Rule, 311 D
|
From page 296... ...
Genetic Information Nondiscrimination Act, 334 2. Americans with Disabilities Act, 335 B
|
From page 297... ...
It is generally recognized that these amendments have created a dilemma for research laboratories that are covered by HIPAA but not certified by CLIA. To comply with the expanded access rules, these laboratories must now return test reports and related information contained within designated record sets when individuals request them to do so, but research laboratories cannot do so without becoming CLIA-certified.
|
From page 298... ...
There is a complex web of federal and state laws that address unwanted access to and discriminatory use of health information. Two major federal statutes are the Genetic Information Nondiscrimination Act (GINA)
|
From page 299... ...
Legal Landscape This memorandum describes the U.S. legal and regulatory landscape relevant to the return of individual results generated from biospecimens in research.
|
From page 300... ...
The U.S. Constitution is the supreme law of the land.14 Because no federal or state law may contradict it, federal constitutional law represents the highest legal authority.15 Second in rank is federal statutory law, which is enacted by Congress and must be followed by the states, and third is federal regulations that interpret federal statutes.16 The lowest legal authority in the federal system is federal common law.17 In the event of a conflict between a federal law and state law, the federal law preempts the state law.18 However, states can generally offer greater protections than federal law, and when this occurs, there is no conflict and state law controls.19 Moreover, state laws generally can address issues that are not addressed by federal law so long as they do not violate the U.S.
|
From page 301... ...
In a research context, test results may be relevant to primary study aims or they may describe incidental or additional findings.28 Research results can further be distinguished based on whether they pertain to individual research participants or are aggregated and reported as general study results,29 as well as when the results are generated in research -- at baseline, while the research is in process, or at study end.30 Further, test results may be those that are originally generated (and possibly also reported) , or they may be results that are later revised to correct errors or reflect new knowledge.31 Test results may be linked (or not)
|
From page 302... ...
(2) (defining research regulated by the Common Rule as involving "identifiable private information" and describing a regulatory exemption for research involving existing non-identified data and biospecimens)
|
From page 303... ...
Licensed laboratories in these states therefore qualify as "CLIA exempt." CLIA further provides that its rules do not apply to "components or functions" of certain laboratories that are referred to as "exceptions."40 For purposes of this analysis, the most important CLIA exception covers: Research laboratories that test humans but do not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients.41 CMS has interpreted this provision to mean that "only those facilities performing research testing on human specimens that do not report patient-specific results may qualify to be excepted from CLIA certification."42 If a research laboratory intends to report individual-level results, and those results "will be or could be" used to diagnose, treat, prevent, or assess human health, the laboratory must first obtain CLIA certification.43 In practice, CMS has taken the position that a research laboratory may not report individual-level research results to any person or entity, where "[t] he results are available to be used for health care for individual patients," unless the laboratory is CLIA-certified.44 Thus, a research laboratory may not report individual-level test results to tested individuals or their clinicians unless it is CLIA-certified.45 Further, a research laboratory may not report individual-level test results to investigators where those results could be used in the treatment of research participants, which includes assignment of participants to control and treatment arms.46 38 Id.
|
From page 304... ...
Original Access Rule Until 2014, CLIA restricted the disclosure of laboratory test results as follows: [T] est results must be released only to authorized persons and, if applicable, the individual responsible for using the test results and the laboratory that initially requested the test.51 CLIA defines an "authorized person" as "an individual authorized under State law to order tests or receive test results, or both."52 Thus, until 2014, laboratories were legally permitted to release 47 See 42 C.F.R.
|
From page 305... ...
New Access Rule Seeking to harmonize the existing CLIA access rule with revisions to the HIPAA access rule (see Part IV, infra) , in 2014, HHS amended CLIA to expand individuals' access to their laboratory test results.
|
From page 306... ...
NOTE: * Both the original and new CLIA access rules are legally in effect.
|
From page 307... ...
Washington Washington law regulates "medical test sites," defined as any facility or site "which analyzes materials derived from the human body for the purposes of health care, treatment, or screening."66 Washington provides exceptions for two kinds of facilities, neither of which is relevant to this analysis.67 When asked whether research laboratories are considered medical test sites that require certification, an official with the Washington State Department of Health explained that if a research laboratory "is giving out results that get to patients and/or providers," the testing will be considered clinical testing by a medical test site subject to state regulation.68 In this respect, Washington's rule prohibiting the return of research results generated by unlicensed laboratories is identical to the CLIA prohibition.69 The default access rule in Washington requires that "test reports" be released to "authorized persons or designees," defined as individuals allowed by state law to order tests or receive test results. 70 After the new CLIA access rule was enacted, Washington adopted a similar provision that test reports may be released to patients and their personal representatives.71 B
|
From page 308... ...
practice or in the fulfillment of [their] official duties."78 After the new CLIA access rule was enacted, New York adopted a similar provision that test reports may be released to patients.79 IV.
|
From page 309... ...
The first is when they electronically conduct a covered transaction.85 HHS has emphasized that the conduct of a single covered transaction will transform a laboratory into a covered entity "with respect to all protected health information that it creates or maintains," not just the individuals or information associated with the covered transaction.86 The second situation in which research laboratories are covered entities is when they function as part of larger covered entities. Thus, research laboratories that operate within HIPAA-covered hospitals, medical centers, or medical schools may also be covered by HIPAA by virtue of these relationships.87 However, a covered entity may elect to become a "hybrid entity," which is defined as a covered entity whose business activities include both covered and non-covered functions.88 When a covered entity elects to become a hybrid entity, it must ensure that its designated health care components that perform covered functions do not disclose PHI to other components except as permitted by HIPAA.89 This becomes difficult in the case of a clinician-investigator who is an employee of and performs duties for both a health care component and a non-covered component of a hybrid entity.90 In the end, hospitals, medical centers, and medical schools often do not elect hybrid entity status and designate their research laboratories as non-covered components because of the operational complexities and high transaction costs associated with doing so successfully.91 82 See 45 C.F.R.
|
From page 310... ...
sed, in whole or in part, by or for the covered entity to make decisions about individuals."93 HHS has interpreted this definition broadly to mean that the designated record set includes all "records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access."94 Further, qualifying "decisions" include but are not limited to health care decisions "because other decisions by covered entities can also affect individuals' interests."95 Before 2014, the HIPAA access rule provided an exception for HIPAA-covered laboratories. Specifically, two provisions excluded from access any PHI maintained by: (1)
|
From page 311... ...
laboratories but also research laboratories is reinforced by the preamble's repeated reference to the expanded access obligations of all HIPAA-covered laboratories.106 Table C-3 compares the original and revised HIPAA access rules. TABLE C-3 Original Versus Revised HIPAA Access Rule*
|
From page 312... ...
In sum, the revised HIPAA access rule provides individuals with a broad right of access to their PHI contained within designated record sets maintained by HIPAA-covered laboratories.107 A designated record set includes at least laboratory test reports, but as noted above, it also includes all other PHI maintained by a laboratory that is used to make any kind of decision about any person.108 In 2016, the Office for Civil Rights (OCR) , the HHS office responsible for enforcing HIPAA, published guidance explaining the kinds of information that may fall within the designated record set maintained by laboratories.109 The guidance states that in the context of a genetic test conducted by a clinical laboratory, the designated record set includes: the "completed test report"; the "full gene variant information generated by the test"; the "underlying data used to generate the report"; "as well as any other information in the designated record set concerning the test."110 There are two limits to the HIPAA access rule that are relevant to this analysis.
|
From page 313... ...
, 356 SCIENCE 586 (2017) (describing the application of the HIPAA access rule to proprietary genomic databases)
|
From page 314... ...
.128 Individuals' lack of access to their health information is among the top five issues that OCR investigates every year.129 OCR's website identifies several examples of access-related complaints that it has investigated and resolved.130 None of these appear to involve research laboratories. An example of an ongoing OCR investigation alleging a clinical laboratory's denial of access was initiated against Myriad Genetics by four individuals for whom Myriad had performed genetic testing.131 The individuals claim that HIPAA entitles them to four categories of information specific to those tests: (1)
|
From page 315... ...
State law: Preempted unless provide greater access Example: Research laboratory that is part of a covered entity 132 Id.
|
From page 316... ...
If laboratories return results to individuals or their clinicians for any reason, CMS's position is that they must become CLIA-certified.136 Further, if laboratories return results to investigators and those results could be used in the treatment of research participants, they must become CLIA-certified.137 It is generally recognized that the 2014 changes to CLIA and HIPAA have created a dilemma for research laboratories that are not certified by CLIA but are covered by HIPAA because they conduct at least one electronic covered transaction or by virtue of their relationships with HIPAA-covered entities.138 To comply with the expanded access rules, HIPAA-covered research laboratories must now return PHI contained within designated record sets (including but not limited to test results) when individuals request them to do so, but these laboratories cannot do so without becoming CLIA-certified (see Table C-4, Box C2)
|
From page 317... ...
Different experts have different opinions. But until there is further clarification, this is our position on this issue."154 Similarly, NYU Langone Health System's policy is that results of tests performed at laboratories not certified by CLIA to perform such tests are categorically not part of any designated record set and so are not subject to the HIPAA access rule.155 The designated record 145 Burke et al., supra note 23, at 108.
|
From page 318... ...
These include the Common Rule160 and regulations adopted by FDA.161 Although this analysis is limited to federal protections, it is noted that several states also have adopted protections for research participants.162 A Common Rule 1.
|
From page 319... ...
to return results. Still, legal scholars have noted, the Common Rule requires that, when appropriate, a research participant be informed of "significant new findings developed during the course of the research which may relate to the subject's willingness to continue participation."166 They note that this requirement, at a minimum, may obligate investigators "to disclose the fact that significant findings might be discovered during the course of research and whether or not those will be offered to subjects and/or their physicians."167 In practice, when a study protocol includes a plan to return results, the IRB will review the plan to ensure its benefits outweigh its risks.168 While IRBs can prohibit investigators from returning results, however, they cannot block access when study participants request results under HIPAA.169 2.
|
From page 320... ...
B FDA Protections FDA research participant protections apply to all "clinical investigations," regardless of funding source, that are regulated by FDA or that support applications for research or marketing permits for products regulated by FDA.180 A clinical investigation is defined as an experiment involving a test article and one or more human participants.181 Because the reach of FDA protections partially overlaps with the Common Rule, some research studies must comply only with FDA protections, some must comply only with the Common Rule, and some must comply with both.
|
From page 321... ...
to return results.184 However, FDA protections (like the Common Rule) include the requirement that, when appropriate, a research participant be informed of "significant new findings developed during the course of the research which may relate to the subject's willingness to continue participation."185 In practice, an IRB overseeing an FDA-regulated study will review the study's return-of-results plan to ensure that adequate protections accompany any return and prospective participants are informed through the consent process and provided an opportunity to opt-out of receiving results if not essential to the study.186 The pending revisions to the Common Rule have no effect on FDA research participant protections.187 However, in the Federal Register preamble to the revisions, HHS stated its intention to "consider the need for updates to FDA regulations and other relevant federal departmental or agency regulations with overlapping scope."188 Further, the 21st Century Cures Act, enacted in 2016, requires HHS to harmonize differences between the Common Rule and FDA research participant regulations "to the extent practicable."189 Therefore, it should be expected that many Common Rule revisions will be incorporated into FDA regulations.
|
From page 322... ...
.197 An LDT is an in vitro diagnostic device that is designed, manufactured, and used within a single laboratory.198 In 2010, responding to concerns about the increasing complexity, reach, and risk of LDTs, as well as the use of results from faulty LDTs to direct major treatment decisions, FDA announced its intent to reconsider its policy of enforcement discretion with respect to LDTs.199 Although some scholars questioned FDA's legal authority to regulate LDTs,200 these concerns became moot in 2017 when FDA announced that it would not issue a final guidance to allow for further public discussion and to give Congress the opportunity to develop a legislative solution.201 Nevertheless, FDA generally does not exercise enforcement discretion against firms providing direct-to-consumer genetic tests, whether or not they constitute LDTs,202 in part due to 193 See 21 U.S.C.
|
From page 323... ...
IDE Requirements The FDCA and implementing regulations describe a path of regulatory exemption for the conduct of clinical investigations to determine the safety or effectiveness of "investigational devices."207 Procedures for this exemption, known as an investigational device exemption (IDE) , are detailed in Part 812 of FDA regulations and summarized in Figure C-1.
|
From page 324... ...
Telephone communication with Alberto Gutierrez, supra note 203. 211 See Procedures for Investigational Device Exemptions, 45 Fed.
|
From page 325... ...
program.224 In 2013, FDA asked the investigators of those studies, which include genetic testing of newborns, to participate in the IDE process.225 FDA considered whether the genetic tests used in the studies were significant risk given that the results might be used to influence medical decision making for newborns.226 FDA also expressed concern that results might not be confirmed in every case by medically established procedures before their return to participants.227 Ultimately, all of the 215 Telephone communication with Alberto Gutierrez, supra note 203; see also NHGRI, Points to Consider Regarding the Food and Drug Administration's Investigational Device Exemption Regulations in the Context of Genomics Research, GENOME.GOV, https://www.genome.gov/27561291/points-to-consider-in-assessing-when-aninvestigational-device-exemption-ide-might-be-needed (last updated July 27, 2017) [hereinafter, NHGRI, Points to Consider]
|
From page 326... ...
Unlawful Promotion Although FDA regulates statements that device manufacturers can make about the clinical significance of test results, the agency's jurisdiction over the practice of medicine is limited.233 According to its authorizing statute, FDA may not "limit or interfere with the authority of a health care practitioner to prescribe or administer any legally marketed device to a patient for any condition or disease within a legitimate health care practitioner-patient relationship."234 However, the statute makes clear that the exclusion does "not change any existing prohibition on the promotion of unapproved uses of legally marketed devices."235 Moreover, with respect to investigational devices, FDA regulations state that sponsors, investigators, and persons acting on their behalf may not promote or test market an investigational device before FDA has approved it for commercial distribution or "represent" that the device "is safe or effective for the purposes for which it is being investigated."236 According to legal scholars, these rules mean that FDA likely cannot prohibit statements that physicians make to patients about their laboratory test results, including explanations of the clinical significance of the results, if they are made during the course of medical practice.237 However, it is unclear whether there are circumstances in which an investigator's communication to participants of interpreted results generated from an investigational device 228 See Karow, supra note 224. The "pre-IDE" process is briefly described in FDA, IVD FAQs, supra note 210, at 19-20.
|
From page 327... ...
In general, state courts have not viewed research results, including data generated from genetic tests, as legal property belonging to research participants. This conclusion has been reached by several courts in lawsuits where individuals who provided biospecimens for research claimed an ownership interest in results of tests performed on those biospecimens or, more generally, information and discoveries obtained through analysis of the biospecimens.239 In Greenberg v.
|
From page 328... ...
249 Individuals also can contractually agree to give broad rights to use their test results. Telephone communication with David Peloquin, supra note 91.
|
From page 329... ...
Meltzer, Undesirable Implications of Disclosing Individual Genetic Results to Research Participants, 6 AM.
|
From page 330... ...
Special relationships In addition to fiduciary relationships, "special relationships" between researchers and research participants can give rise to affirmative duties to disclose certain findings.272 Two courts have recognized the potential existence of such a relationship in the research context in the absence of any physician-patient relationship. First, in Blaz v.
|
From page 331... ...
Participant Ericka Grimes lived with her family in a home where initial lead dust testing revealed "hot spots" of lead, although her mother was not informed of these results until nine months after sample collection.278 In the meantime, Miss Grimes was tested three times for lead in her blood; the second and third tests detected elevated lead levels.279 Her family sued for failure to timely disclose the property's elevated lead dust levels.280 Participant Myron Higgins lived with his mother in a home that tested positive for lead but had received partial abatement.281 After they moved in, lead dust samples were taken using two different methods; his mother was not informed of the elevated lead dust levels detected by one of the methods.282 Mr. Higgins was tested three times for lead in his blood and all tests detected elevated lead levels.283 His family sued for failure to timely disclose the property's original lead test results and failure to ever disclose the elevated lead dust levels detected after they moved in.284 The lower court granted summary judgment for KKI in both cases on grounds that KKI had no legal duty to warn the research participants of potential harms, and the rulings were appealed to the Court of Special Appeals.285 The Court of Appeals of Maryland then granted certiorari to consider the relevant issues and concluded that summary judgment was incorrectly granted because such a duty to warn may exist as a matter of law.286 273 74 F
|
From page 332... ...
The standard of care can be established by guidance and recommendations to return results, recognition by scholars and the research community of an ethical obligation to return results, and a common practice of returning results.292 Legal scholars have explained that the "more encompassing guidelines and practices are with regard to return of results, the more sweeping the potential ethical and legal obligation" to do so will be.293 Furthermore, if the practice of returning results becomes routine, researchers "will be legally required" to do so because "[t] his is the way tort law has worked for decades."294 Finally, in the case of physician-investigators, legal scholars have suggested that if the research itself generates individualized and identifiable data, medical obligations may trump research obligations and support a "higher duty to disclose relevant and significant findings."295 B
|
From page 333... ...
Researchers who return results must do so consistent with the standard of care and regulatory requirements.296 Thus, laboratories that deviate from good laboratory practices and standards regarding interpretation may be exposed to tort liability if they return erroneous results to individuals who are harmed as a result.297 In fields like genomics, however, the standard of care regarding interpretation is rapidly evolving.298 "[G] iven that there is still fervent debate about how to interpret variants," legal scholars have argued, "it will be extremely difficult to prove what the standard of care is or that it has clearly been breached by a researcher acting in good faith" who provides interpreted genetic results.299 Nevertheless, researchers are generally required to comply with standards that seek to maximize the analytic and clinical validity of findings.300 Legal scholars have concluded that if researchers return erroneous results generated by a research laboratory and not validated in a CLIA-certified lab, and they do not make clear that the results need to be repeated before any clinical interventions are undertaken, the researchers may be liable in tort.301 However, the legal effect of such disclaimers, and whether they will absolve researchers of tort liability, remains unclear.
|
From page 334... ...
1. Genetic Information Nondiscrimination Act Passed in 2008, GINA limits access to and use of genetic information in health insurance and employment contexts, where an individual's genetic information is generally defined to encompass information about his or her genetic tests, the genetic tests of family members, the manifestation of a disease or disorder in family members, the request or receipt of genetic services by the individual or family members, and participation in clinical research by the individual or family members that includes genetic services.305 The legislative purpose of GINA is to promote genetic testing for personal health and research purposes by allaying concerns with the potential misuse of information learned from genetic tests.306 Focusing on its application to health insurance, prior to GINA, HIPAA prohibited group health insurers from using genetic information to determine eligibility or set premiums for individuals or from treating genetic information as the basis of any pre-existing condition exclusion.307 GINA extended these protections to individual health insurers and further prohibits group health insurers from using genetic information about an individual to determine coverage or set premiums for a group.308 Moreover, under GINA, health insurers cannot request or require genetic testing prior to an individual's enrollment and cannot request, require, or purchase genetic information for underwriting purposes.309 While health insurers cannot deny coverage on the basis of genetic information, however, GINA permits them to do so based on already expressed genetic conditions.310 This loophole was closed in 2011 by the Patient Protection and Affordable Care Act (ACA)
|
From page 335... ...
317 See, e.g., Mark A Rothstein, Putting the Genetic Information Nondiscrimination Act in Context, 10 GENETICS MED.
|
From page 336... ...
State Statutes GINA and the ADA establish a floor of minimum protection against health-related discrimination and do not preempt state laws that provide equal or greater protection.331 Over the years, many state anti-discrimination statutes have been enacted that vary widely in scope and applicability. Focusing on genetic discrimination, some states have enacted anti-discrimination statutes limited to specific genetic conditions.
|
From page 337... ...
336 See id. 337 See California Genetic Information Nondiscrimination Act, 2011 Cal.
|
Key Terms
This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More
information on Chapter Skim is available.