GLOBAL PRIVACY LAWS AND GENETIC …...2020/05/08 · Legal Framework for Genetic Testing...
GLOBAL PRIVACY LAWS AND GENETIC COMPANIES: SOLUTIONS TO COMPLIANCE CHALLENGES
Jiayan Chen, Partner, McDermott Will & Emery LLP
Jane Pine Wood, Chief Legal Counsel, BioReference Laboratories
Michael Hamilton, Chief Privacy Officer, Invitae
May 8, 2020
AGENDA
• Overview: Genetic Testing Laboratories and Data Use
– How do genetic testing laboratories collect, generate, and use data for core laboratory operations?
– In what other ways do genetic testing laboratories use and disclose data?
• Legal Framework for Genetic Testing Laboratories
– How do privacy, clinical laboratory, and human subject protection laws intersect and regulate the collection, use, disclosure, and retention of data by genetic testing laboratories?
– Areas of inconsistency among such laws and resulting challenges for genetic testing laboratories
• Practical Application of Privacy Laws in Genetic Testing Laboratories
GENETIC TESTING LABORATORIES AND DATA USE
WHAT IS A “LABORATORY” IN THE U.S.?
A facility for the biological, microbiological, serological, chemical, immunohematological, hematological, biophysical, cytological, pathological, or other examination of materials derived from the human body for the purpose of providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings is a “laboratory” and subject to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) (unless an exception applies)
HOW GENETIC TESTING LABORATORIES PROCESS DATA
• Receipt of data sample & DNA extraction
– Physical specimen may be blood or saliva from which DNA can be extracted.
– Blood or saliva then undergoes a series of laboratory processes to extract DNA.
• DNA sequencing
– Extracted DNA is fed into the DNA sequencer.
– Outputs from sequencing are large files known as FastQ files.
• Identify genetic variants
– Once the DNA is sequenced, it is sent to bioinformatics systems to process FastQ files and ultimately return a list of variants.
• Analyze variants & draft report
– Clinical experts review variants and determine pathogenicity.
– Need to look at other patient data to make this determination.
– Findings get summarized in genetic test report that goes to clinician.
USES OF GENOMIC DATA IN CLINICAL LAB CONTEXT
1. Preparing clinical report: Core activity of genetic testing laboratory
2. Quality Improvement: Ensure accuracy of tests and identify areas for improvement
3. Validation: Confirm existing or new test meets performance specifications
4. Research & Development: Contribution to generalizable knowledge/develop new products
5. Data / Sample Sharing: Sharing data or samples (identified or de-identified) with third parties
RESULTS REPORTING & MANAGEMENT
• Federal and state laboratory laws and regulations, such as CLIA, require reporting to the ordering provider.
• HIPAA requires the laboratory to provide test results to patients within 30 days after request.
• Laboratories frequently report certain results data to third party payers under the “healthcare operations” exception under HIPAA (HEDIS reporting, for example) as well as to state departments of health.
• Many laboratories have web-based portals that can be accessed by ordering providers and patients to view test results.
RESULTS REPORTING & MANAGEMENT, CONT.
• Laboratories receive subpoenas and litigation requests for test results.
• Laboratories may also report results in conjunction with research studies.
• Occasionally sales personnel may request access to test results to assist clients and respond to specific client requests, but such access must be very carefully considered on a case by case basis.
LEGAL FRAMEWORK FOR GENETIC TESTING LABORATORIES
KEY OVERSIGHT BODIES RELEVANT TO DATA USE AND SHARING BY GENETIC TESTING LABORATORIES
Genetic Testing Laboratories
• State Clinical Laboratory Regulators
• State Attorneys General (State Privacy and Consumer Protection)
• Office for Civil Rights (HIPAA)
• EU Member State Supervisory Authorities and Other Ex-U.S. Data Protection Regulators (e.g., GDPR)
• Food & Drug Administration (Drugs, Devices, Biologics)
• Office for Human Research Protections (Common Rule)
• Centers for Medicare & Medicaid Services (CMS) (Clinical Laboratory Improvement Amendments of 1988)
• Accreditation Bodies (e.g., College of American Pathologists)
• Ex-U.S. Clinical Laboratory Regulators
TODAY’S PRESENTATION: IN SHARPER FOCUS
Laboratory Certification / Licensure Laws
Human Subject Protections
Privacy and Data Protection Laws
• How are genetic testing laboratories required to use data in order to comply with their obligations under laboratory certification / licensure laws?
• How do federal and state laws define “research” and how do they intersect with and place restrictions on certain clinical laboratory operations?
• What restrictions apply to a genetic testing laboratory’s processing of patient data under privacy and data protection laws?
LABORATORY CERTIFICATION / LICENSURE LAWS
CLINICAL LABORATORY IMPROVEMENT AMENDMENTS OF 1988 (CLIA)
What is CLIA?
• U.S. federal certification scheme applicable to “laboratories”
– Requires laboratories to obtain a certificate and comply with other operational requirements
• Enforced by the Centers for Medicare & Medicaid Services (CMS)
– Implemented with assistance from state Departments of Health and federally-recognized accreditation organizations such as the College of American Pathologists
WHAT DOES CLIA REQUIRE?
• Overall requirement
– Laboratory must have a current, unrevoked, and unsuspended certificate applicable to the category of tests performed by the laboratory or be CLIA-exempt
– Certain exceptions apply, such as for research laboratories not reporting specific patient results
• Type of certificate required depends on complexity of testing performed at facility
– Genetic tests offered as laboratory-developed tests (i.e., without FDA clearance/approval) are “high” complexity tests
WHAT ARE THE ONGOING REGULATORY REQUIREMENTS FOR A CLIA-CERTIFIED LABORATORY?
• Proficiency Testing
– Laboratory must test samples and report results under a PT program approved by U.S. Department of Health & Human Services (HHS)
– Typically requires multiple rounds of testing each year
– Results get compared against “known” results (general threshold of 80% for satisfactory performance)
• Facility Administration
– E.g., appropriate physical space, appropriate equipment, supplies, and reagents, safety procedures, and record and specimen retention requirements
WHAT ARE THE ONGOING REGULATORY REQUIREMENTS FOR A CLIA-CERTIFIED LABORATORY? (CONT’D)
• Quality Systems
– Laboratory must have process in place for its preanalytic, analytic, and post-analytic systems (e.g., test requisitions, specimen handling, procedure manual, test systems, establishing and/or verifying performance specifications, quality control, and test reports)
• Personnel
– Education and experience requirements for laboratory personnel based on specific role
• Inspection
– Initial and biennial (or more frequently for cause) for laboratories not operating under certificate of waiver
USES OF DATA AND SAMPLES TO SATISFY CLINICAL LABORATORY REGULATORY REQUIREMENTS
Reviewing test results or generated data to identify errors or inefficiencies within the laboratory
Reviewing test results or generated data to verify the quality of work of laboratory personnel
Validating the performance of a test after modifying the physical materials used (e.g., change in equipment or specimen type)
Validating the performance of a test after updating the software that supports the data-to-report process (e.g., after the software has been taught something new, confirming the end-to-end test works as expected)
Using leftover specimens to meet proficiency testing requirements (where contrived specimens not commercially available)
ADDITIONAL USE CASES
Reviewing genome sequencing data and phenotypic data to identify additional genetic variants of clinical significance
Creating a new multi-gene panel
Adding new genes to an existing multi-gene panel
PRIVACY LAWS
PATCHWORK OF LAWS
Domestic (Federal, State) / Multinational
Privacy Protections for Human Subjects in Research
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
• Applies to clinical laboratories as Covered Entities insofar as they bill health plans or other third party payors for tests using HIPAA standard transactions
• Includes a number of pathways relevant to a laboratory’s various internal and external operations and initiatives that require use or disclosure of protected health information (PHI)
– However, there are ambiguities as to the appropriate pathway given lack of direct mapping between HIPAA and CLIA / state clinical laboratory regulations
HIPAA PRIVACY RULE: PERMITTED USES AND DISCLOSURES AS REQUIRED BY LAW
• Required By Law
– A Covered Entity or Business Associate may use or disclose PHI as “Required by Law,” which means a mandate contained in a law that compels a use or disclosure of PHI and that is enforceable in a court of law
– E.g., court orders, governmental or administrative body authorized to require production of information, and statutes and regulations that require production of information
HIPAA PRIVACY RULE: PERMITTED USES AND DISCLOSURES FOR RESEARCH
• HIPAA includes the following pathways for using/disclosing PHI for research:
– HIPAA authorization
– institutional review board (IRB) or privacy board waiver of the HIPAA authorization requirement (must satisfy certain criteria)
– reviews preparatory to research (e.g., to assess feasibility of research, develop protocol, identify potentially eligible subjects)
– research using de-identified data
– research using a limited data set (PHI with direct identifiers removed) under a data use agreement with the recipient of the limited data set
HIPAA PRIVACY RULE: THE QUALITY VS. RESEARCH CONUNDRUM
Health Care Operations
• Includes “Conducting quality assessment and improvement activities … provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities”
Research
• A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge
Consider: How to characterize the establishment of performance specifications? Validation activities?
STATE GENETIC PRIVACY LAWS
Wide variation among states in scope and the uses and disclosures that they permit or prohibit
• Scope (Identifiability of Data Regulated)
• Scope (Entities Regulated)
• Restrictions on Use
• Restrictions on Disclosure
VARIATIONS AMONG STATE GENETIC PRIVACY LAWS
Variable: Does the law apply to only identifiable genomic data or samples?
Example:
Alaska Genetic Testing Law: “A person may not … disclose the results of a DNA analysis unless the person has first obtained the informed and written consent of the person … for the … disclosure.” Alaska Stat. § 18.13.010(a)(1).
“DNA analysis” is not defined in a way that makes it clear whether it is limited to identifiable information. It means “DNA or genetic typing and testing to determine the presence or absence of genetic characteristics in an individual, including tests of nucleic acids or chromosomes in order to diagnose or identify a genetic characteristic; “DNA analysis” does not include a routine physical measurement, a test for drugs, alcohol, cholesterol, or the human immunodeficiency virus, a chemical, blood, or urine analysis, or any other diagnostic test that is widely accepted and in use in clinical practice.” Alaska Stat. § 18.13.100.
VARIATIONS AMONG STATE GENETIC PRIVACY LAWS
Variable: Does the law apply only to certain entities (e.g., employers or third party payors)?
Example:
South Carolina Privacy of Genetic Information Law:
Scope section of the law states that it “applies to health insurance coverage offered in connection with an individual health plan, a group health plan, or a health benefit plan that is delivered, issued for delivery, or renewed in this state.” S.C. Code § 38-93-20.
But certain sections of the law, without specific reference to health insurance issuers, require the confidentiality of genetic information and prohibit performing genetic tests without informed consent. S.C. Code §§38-93-40, -50.
VARIATIONS AMONG STATE GENETIC PRIVACY LAWS
Variable: How does the law prohibit or restrict the disclosure or sharing of genomic data or samples?
Example:
Massachusetts Genetic Privacy Law:
Prohibits disclosure of reports and records pertaining to any genetic information without informed written consent, subject to certain exceptions including:
• As “confidential research information” for use in epidemiological or clinical research, where the genetic test results are maintained under protocols reviewed and approved by an IRB established under the provisions of the Common Rule (45 CFR Part 46) or FDA Good Clinical Practice regulations (21 CFR Parts 50, 56) and that protect the confidentiality of the individual either by encryption, encoding, or other means consistent with such federal regulations, or where the individual’s identity is unknown or protected from disclosure by encrypting or encoding or by other means consistent with such federal regulations.
INCONSISTENCIES AND CHALLENGES UNDER STATE GENETIC PRIVACY LAWS
• De-identification as a precise and broad pathway under HIPAA vs. consent, IRB review, encryption, or other requirements under state genetic privacy laws even for data that is de-identified under HIPAA
• Ambiguity regarding applicability of certain state laws to de-identified (i.e., coded) data vs. anonymized data
• Certain state laws regulate not only the use or disclosure, but also the retention, of genomic data or samples
• Ambiguity regarding clinical laboratory use of genomic data or samples for operational purposes, such as quality control, proficiency testing, validation
GENERAL DATA PROTECTION REGULATION
• Like HIPAA, the GDPR allows the processing of personal data only when there is a lawful basis for the processing activity (Article 6). For example:
– Consent
– Compliance with certain legal obligations under EU or Member State law
– Legitimate interests of the data controller or third party
• To lawfully process sensitive personal data, an Article 6 lawful basis must be coupled with a separate permission for processing under Article 9. For example:
– Explicit Consent
– Public Interest in the area of public health, such as ensuring high standards of quality and safety of medicinal products based on EU/Member State law
– Certain scientific or historical research based on EU/Member State law
ADDITIONAL CONSIDERATIONS UNDER THE GDPR AND MEMBER STATE LAW
• Explicit consent is required when the consent pathway is used to process genetic information (as “sensitive” personal data)
– Requires a clear statement (written or spoken)
• EU or Member State law may impose additional restrictions or obligations around reliance on consent to process sensitive personal data
– Thus, while a privacy consent may not be required for compliance with the GDPR, consent may nonetheless be required to comply with applicable Member State law when processing genetic data for genetic testing or certain other purposes (e.g., research)
GDPR VS. U.S. PRIVACY FRAMEWORK: INCONSISTENCIES AND CHALLENGES
• Anonymization under GDPR vs. de-identification under HIPAA
• Additional basis required for processing genomic data because it is sensitive personal data
– Explicit consent? Scientific research?
– What is an appropriate basis for activities such as proficiency testing or test validation?
• IRB or privacy board waiver is not a basis for processing of personal data under the GDPR
• More stringent Member State law
HUMAN SUBJECT PROTECTION REQUIREMENTS
COMMON RULE (FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS)
• Imposes IRB review and informed consent requirements
• Applies to “research” involving a “human subject” funded or supported by any federal agency or department that has signed onto the Common Rule (45 CFR Part 46)
– May be relevant even if not directly applicable by law (e.g., incorporated into applicable state law; benchmark for good practices in human subject protection)
– “Human subject” includes individual about whom investigator obtains identifiable private information (IPI) (i.e., private information for which identity is or may readily be ascertained by investigator) or identifiable biospecimens
COMMON RULE: EXAMPLES OF PATHWAYS
• Informed consent
• IRB waiver of informed consent
– Must demonstrate, inter alia, that the research involves no more than minimal risk and cannot practicably be conducted without the waiver and IPI
• De-identification
– Data that is de-identified under HIPAA currently would not be considered a “human subject” under Common Rule
COMMON RULE: KEY TAKEAWAYS
• Relevance to clinical laboratories often due to incorporation into applicable state laws or as a benchmark for good practices in human subject protections for research by such laboratories (e.g., use of identifiable data or samples to develop new tests)
• Informed consent requirements for ethical purposes under the Common Rule distinct from the required privacy pathway for using/disclosing PHI under HIPAA and basis for processing personal data under the GDPR
• Key driver of potentially evolving framework for permitted use of samples or genomic data from an ethical and privacy standpoint
STATE HUMAN SUBJECT PROTECTION LAWS AND REGULATIONS
• IRB review requirements are also in many state genetic privacy laws, some of which incorporate Common Rule standards
• Examples:
– Massachusetts General Laws Chapter 111, § 70G: Provides exception from informed consent requirement for disclosure of genetic test results if results are maintained as “confidential research information” under IRB-approved research protocols that protect the confidentiality of the individual through encryption, encoding, or other means consistent with Common Rule and FDA Good Clinical Practice Regulations
– New York Civil Rights Law § 79-l(4)(a): Genetic tests may be performed on anonymous samples for research purposes under a protocol approved by an IRB that assures the anonymity of the sources of the samples
OVERLAPPING CONSIDERATIONS
• Research
• Proficiency Testing
• Quality Assurance
• Validation

Pathways / bases
• Consent / authorization?
• Anonymization?
• De-identification?
• Other pathway (e.g., health care operations, legitimate interest, scientific research)?

Operational requirements
• IRB review and approval?
• Encryption?
• Security safeguards?
PRACTICAL TAKEAWAYS
PRACTICAL RECOMMENDATIONS
• Distill regulatory requirements into simple business rules
– Draft policies and materials in a manner that can be readily understood and implemented by business personnel
– Assess whether preference for operational simplicity favors adopting highest common denominator (i.e., more restrictive rules than what the law requires in each jurisdiction)
• Develop clear plan for patient consenting
– Challenges insofar as laboratory typically is not involved in obtaining the consent from patients
– Help laboratory clients understand laboratory data use and sharing activities to facilitate more uniform consent policies and protocols and adequate consent language
– Buttress consents with clear and current notices and privacy policies; consider other creative ways of enhancing transparency
PRACTICAL RECOMMENDATIONS, CONT.
• Develop clear plan for results reporting & management
– Critical for the laboratory to have an established policy for the use and disclosure of test results
• Bolster internal data governance
– Importance of multi-disciplinary team to quickly and consistently address questions raised by business (e.g., data use committee)
– Work with business to understand and weigh the business challenges in light of legal risks
THANK YOU
Jane Pine Wood, Chief Legal Counsel, BioReference
Jiayan Chen, Partner, McDermott Will & Emery LLP
Michael Hamilton, Chief Privacy Officer, Invitae