GLOBAL PRIVACY LAWS AND GENETIC COMPANIES: SOLUTIONS TO COMPLIANCE CHALLENGES
Jiayan Chen, Partner, McDermott Will & Emery LLP
Jane Pine Wood, Chief Legal Counsel, BioReference Laboratories
Michael Hamilton, Chief Privacy Officer, Invitae
May 8, 2020
AGENDA
• Overview: Genetic Testing Laboratories and Data Use
– How do genetic testing laboratories collect, generate, and use data for core laboratory operations?
– In what other ways do genetic testing laboratories use and disclose data?
• Legal Framework for Genetic Testing Laboratories
– How do privacy, clinical laboratory, and human subject protection laws intersect and regulate the collection, use, disclosure, and retention of data by genetic testing laboratories?
– Areas of inconsistency among such laws and resulting challenges for genetic testing laboratories
• Practical Application of Privacy Laws in Genetic Testing Laboratories
GENETIC TESTING LABORATORIES AND DATA USE
WHAT IS A “LABORATORY” IN THE U.S.?
A facility for the biological, microbiological, serological, chemical, immunohematological, hematological, biophysical, cytological, pathological, or other examination of materials derived from the human body for the purpose of providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings is a “laboratory” and is subject to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) unless an exception applies (42 U.S.C. § 263a(a); 42 C.F.R. § 493.2).
HOW GENETIC TESTING LABORATORIES PROCESS DATA
• Receipt of sample & DNA extraction
– Physical specimen may be blood or saliva from which DNA can be extracted.
– Blood or saliva then undergoes a series of laboratory processes to extract DNA.
• DNA sequencing
– Extracted DNA is fed into the DNA sequencer.
– Output from sequencing is a set of large files known as FASTQ files (raw reads with per-base quality scores).
• Identify genetic variants
– Once the DNA is sequenced, the FASTQ files are sent to bioinformatics systems, which process them and ultimately return a list of variants.
• Analyze variants & draft report
– Clinical experts review variants and determine pathogenicity.
– Other patient data must be consulted to make this determination.
– Findings are summarized in a genetic test report that goes to the ordering clinician.
USES OF GENOMIC DATA IN CLINICAL LAB CONTEXT
1. Preparing clinical report: core activity of genetic testing laboratory
2. Quality improvement: ensure accuracy of tests and identify areas for improvement
3. Validation: confirm existing or new test meets performance specifications
4. Research & development: contribution to generalizable knowledge / develop new products
5. Data / sample sharing: sharing data or samples (identified or de-identified) with third parties
RESULTS REPORTING & MANAGEMENT
• Federal and state laboratory laws and regulations, such as CLIA, require reporting of results to the ordering provider.
• HIPAA requires the laboratory to provide test results to a patient within 30 days after the patient’s request (right of access; one 30-day extension is permitted).
• Laboratories frequently report certain results data to third party payers under the “health care operations” exception under HIPAA (HEDIS reporting, for example), as well as to state departments of health (typically under the public health or required-by-law pathways).
• Many laboratories have web-based portals that can be accessed by ordering providers and patients to view test results.
RESULTS REPORTING & MANAGEMENT, CONT.
• Laboratories receive subpoenas and litigation requests for test results.
• Laboratories may also report results in conjunction with research studies.
• Occasionally sales personnel may request access to test results to assist clients and respond to specific client requests, but such access must be very carefully considered on a case-by-case basis.
LEGAL FRAMEWORK FOR GENETIC TESTING LABORATORIES
KEY OVERSIGHT BODIES RELEVANT TO DATA USE AND SHARING BY GENETIC TESTING LABORATORIES
Oversight bodies surrounding genetic testing laboratories (diagram in the original slide):
• Centers for Medicare & Medicaid Services (CMS) (Clinical Laboratory Improvement Amendments of 1988)
• State Clinical Laboratory Regulators
• Accreditation Bodies (e.g., College of American Pathologists)
• Ex-U.S. Clinical Laboratory Regulators
• Office for Civil Rights (HIPAA)
• State Attorneys General (State Privacy and Consumer Protection)
• EU Member State Supervisory Authorities and Other Ex-U.S. Data Protection Regulators (e.g., GDPR)
• Food & Drug Administration (Drugs, Devices, Biologics)
• Office for Human Research Protections (Common Rule)
TODAY’S PRESENTATION: IN SHARPER FOCUS
• Laboratory Certification / Licensure Laws: How are genetic testing laboratories required to use data in order to comply with their obligations under laboratory certification / licensure laws?
• Human Subject Protections: How do federal and state laws define “research,” and how do they intersect with and place restrictions on certain clinical laboratory operations?
• Privacy and Data Protection Laws: What restrictions apply to a genetic testing laboratory’s processing of patient data under privacy and data protection laws?
LABORATORY CERTIFICATION / LICENSURE LAWS
CLINICAL LABORATORY IMPROVEMENT AMENDMENTS OF 1988 (CLIA)
What is CLIA?
• U.S. federal certification scheme applicable to “laboratories”
– Requires laboratories to obtain a certificate and comply with other operational requirements
• Enforced by the Centers for Medicare & Medicaid Services (CMS)
– Implemented with assistance from state Departments of Health and federally-recognized accreditation organizations such as the College of American Pathologists
WHAT DOES CLIA REQUIRE?
• Overall requirement
– Laboratory must have a current, unrevoked, and unsuspended certificate applicable to the category of tests performed by the laboratory, or be CLIA-exempt
– Certain exceptions apply, such as for research laboratories not reporting patient-specific results
• Type of certificate required depends on complexity of testing performed at the facility
– Genetic tests offered as laboratory-developed tests (i.e., without FDA clearance/approval) are “high” complexity tests
WHAT ARE THE ONGOING REGULATORY REQUIREMENTS FOR A CLIA-CERTIFIED LABORATORY?
• Proficiency Testing
– Laboratory must test samples and report results under a PT program approved by the U.S. Department of Health & Human Services (HHS); typically requires multiple rounds of testing each year
– Results are compared against “known” results (general threshold of 80% for satisfactory performance)
• Facility Administration
– E.g., appropriate physical space; appropriate equipment, supplies, and reagents; safety procedures; and record and specimen retention requirements
WHAT ARE THE ONGOING REGULATORY REQUIREMENTS FOR A CLIA-CERTIFIED LABORATORY? (CONT’D)
• Quality Systems
– Laboratory must have processes in place for its preanalytic, analytic, and post-analytic systems (e.g., test requisitions, specimen handling, procedure manual, test systems, establishing and/or verifying performance specifications, quality control, and test reports)
• Personnel
– Education and experience requirements for laboratory personnel based on specific role
• Inspection
– Initial and biennial (or more frequent for cause) for laboratories not operating under a certificate of waiver
USES OF DATA AND SAMPLES TO SATISFY CLINICAL LABORATORY REGULATORY REQUIREMENTS
• Reviewing test results or generated data to identify errors or inefficiencies within the laboratory
• Reviewing test results or generated data to verify the quality of work of laboratory personnel
• Validating the performance of a test after modifying the physical materials used (e.g., change in equipment or specimen type)
• Validating the performance of a test after updating the software that supports the data-to-report process (e.g., after the software has been updated or retrained, confirming the end-to-end test works as expected)
• Using leftover specimens to meet proficiency testing requirements (where contrived specimens are not commercially available)
ADDITIONAL USE CASES
• Reviewing genome sequencing data and phenotypic data to identify additional genetic variants of clinical significance
• Creating a new multi-gene panel
• Adding new genes to an existing multi-gene panel
PRIVACY LAWS
PATCHWORK OF LAWS
• Domestic (Federal, State) / Multinational
• Privacy Protections for Human Subjects in Research
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
• Applies to clinical laboratories as Covered Entities insofar as they bill health plans or other third party payors for tests using HIPAA standard transactions
• Includes a number of pathways relevant to a laboratory’s various internal and external operations and initiatives that require use or disclosure of protected health information (PHI)
– However, there are ambiguities as to the appropriate pathway given lack of direct mapping between HIPAA and CLIA / state clinical laboratory regulations
HIPAA PRIVACY RULE: PERMITTED USES AND DISCLOSURES AS REQUIRED BY LAW
• Required By Law
– A Covered Entity or Business Associate may use or disclose PHI as “Required by Law,” which means a mandate contained in law that compels a use or disclosure of PHI and that is enforceable in a court of law (45 C.F.R. §§ 164.103, 164.512(a))
– E.g., court orders, demands by a governmental or administrative body authorized to require production of information, and statutes and regulations that require production of information
HIPAA PRIVACY RULE: PERMITTED USES AND DISCLOSURES FOR RESEARCH
• HIPAA includes the following pathways for using/disclosing PHI for research:
– HIPAA authorization
– Institutional review board (IRB) or privacy board waiver of the HIPAA authorization requirement (must satisfy certain criteria)
– Reviews preparatory to research (e.g., to assess feasibility of research, develop protocol, identify potentially eligible subjects)
– Research using de-identified data
– Research using a limited data set (PHI with direct identifiers removed) under a data use agreement with the recipient of the limited data set
HIPAA PRIVACY RULE: THE QUALITY VS. RESEARCH CONUNDRUM
Health Care Operations
• Includes “conducting quality assessment and improvement activities … provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities”
Research
• A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge
Consider: How to characterize the establishment of performance specifications? Validation activities?
STATE GENETIC PRIVACY LAWS
Wide variation among states in scope and in the uses and disclosures that they permit or prohibit:
• Scope (identifiability of data regulated)
• Scope (entities regulated)
• Restrictions on use
• Restrictions on disclosure
VARIATIONS AMONG STATE GENETIC PRIVACY LAWS
Variable: Does the law apply only to identifiable genomic data or samples?
Example (Alaska Genetic Testing Law): “A person may not … disclose the results of a DNA analysis unless the person has first obtained the informed and written consent of the person … for the … disclosure.” Alaska Stat. § 18.13.010(a)(1).
“DNA analysis” is not defined in a way that makes clear whether it is limited to identifiable information. It means “DNA or genetic typing and testing to determine the presence or absence of genetic characteristics in an individual, including tests of nucleic acids or chromosomes in order to diagnose or identify a genetic characteristic; “DNA analysis” does not include a routine physical measurement, a test for drugs, alcohol, cholesterol, or the human immunodeficiency virus, a chemical, blood, or urine analysis, or any other diagnostic test that is widely accepted and in use in clinical practice.” Alaska Stat. § 18.13.100.
VARIATIONS AMONG STATE GENETIC PRIVACY LAWS (CONT.)
Variable: Does the law apply only to certain entities (e.g., employers or third party payors)?
Example (South Carolina Privacy of Genetic Information Law):
The scope section of the law states that it “applies to health insurance coverage offered in connection with an individual health plan, a group health plan, or a health benefit plan that is delivered, issued for delivery, or renewed in this state.” S.C. Code § 38-93-20.
But certain sections of the law, without specific reference to health insurance issuers, require the confidentiality of genetic information and prohibit performing genetic tests without informed consent. S.C. Code §§ 38-93-40, -50.
VARIATIONS AMONG STATE GENETIC PRIVACY LAWS (CONT.)
Variable: How does the law prohibit or restrict the disclosure or sharing of genomic data or samples?
Example (Massachusetts Genetic Privacy Law):
Prohibits disclosure of reports and records pertaining to any genetic information without informed written consent, subject to certain exceptions, including:
• As “confidential research information” for use in epidemiological or clinical research, where the genetic test results are maintained under protocols reviewed and approved by an IRB established under the provisions of the Common Rule (45 CFR Part 46) or FDA Good Clinical Practice regulations (21 CFR Parts 50, 56) and that protect the confidentiality of the individual either by encryption, encoding, or other means consistent with such federal regulations, or where the individual’s identity is unknown or protected from disclosure by encrypting or encoding or by other means consistent with such federal regulations.
INCONSISTENCIES AND CHALLENGES UNDER STATE GENETIC PRIVACY LAWS
• De-identification is a precise and broad pathway under HIPAA, whereas state genetic privacy laws may require consent, IRB review, encryption, or other safeguards even for data that is de-identified under HIPAA
• Ambiguity regarding applicability of certain state laws to de-identified (i.e., coded, and therefore re-identifiable by whoever holds the key) data vs. anonymized data
• Certain state laws regulate not only the use or disclosure, but also the retention, of genomic data or samples
• Ambiguity regarding clinical laboratory use of genomic data or samples for operational purposes, such as quality control, proficiency testing, and validation
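The “coded vs. anonymized” distinction above, and the “encryption, encoding, or other means” language in the Massachusetts law, both turn on who can reverse the code. As an added example that is not part of the original presentation, the Python below contrasts an unkeyed hash of a medical record number (reversible by anyone who can enumerate the MRN space, so it is neither coded nor anonymized in any useful sense) with a keyed code (HMAC-SHA256) whose key and link table sit with a separate honest broker. The sample records, the 7-digit MRN format, and the HonestBroker class are constructed for illustration and are not taken from the page or from any laboratory’s system.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample records for illustration only (not real patients):
# medical record number (MRN, assumed here to be 7 digits) -> reported finding.
SAMPLE_RECORDS: Dict[str, str] = {
    "0004213": "BRCA1 c.68_69delAG (pathogenic)",
    "0183755": "MLH1 c.1852_1854del (likely pathogenic)",
    "0917300": "no reportable variant",
}
MRN_DIGITS = 7


def naive_encode(mrn: str) -> str:
    """Unkeyed SHA-256 of the MRN. It looks opaque, but the MRN space is only
    10**7 values, so anyone can rebuild the whole table and reverse it."""
    return hashlib.sha256(mrn.encode()).hexdigest()


def coded_id(mrn: str, key: bytes) -> str:
    """Keyed code (HMAC-SHA256). Without `key` the code cannot be reversed by
    enumeration; with it, the key holder can re-derive it from the MRN.
    This is 'coded' data: de-identified to the recipient, re-identifiable by
    whoever holds the key, which is why some state laws still regulate it."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()


class HonestBroker:
    """Hypothetical party that holds the coding key and the link table apart
    from the research dataset. Only this party can turn a code back into an MRN."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._link: Dict[str, str] = {}  # code -> MRN

    def code_for(self, mrn: str) -> str:
        """Derive the code for an MRN with the broker's key."""
        return coded_id(mrn, self._key)

    def code_dataset(self, records: Dict[str, str]) -> Dict[str, str]:
        """Return a copy of `records` keyed by code instead of MRN and record
        the code -> MRN link so the broker can re-identify later."""
        coded: Dict[str, str] = {}
        for mrn, finding in records.items():
            code = self.code_for(mrn)
            self._link[code] = mrn
            coded[code] = finding
        return coded

    def reidentify(self, code: str) -> Optional[str]:
        """Look a code up in the link table (None if unknown)."""
        return self._link.get(code)


def enumerate_mrns(target: str, limit: int = 10 ** MRN_DIGITS) -> Optional[str]:
    """Outsider without the key: hash every MRN (lowest first, up to `limit`)
    and compare with `target`. Succeeds against naive_encode, fails against
    coded_id because the outsider cannot compute the HMAC."""
    for n in range(min(limit, 10 ** MRN_DIGITS)):
        candidate = f"{n:0{MRN_DIGITS}d}"
        if naive_encode(candidate) == target:
            return candidate
    return None


def demo() -> Dict[str, Optional[str]]:
    """Run both schemes over the sample records and report what an outsider
    (no key, no link table) and the broker can recover for the first record."""
    first_mrn = next(iter(SAMPLE_RECORDS))
    broker = HonestBroker()
    broker.code_dataset(SAMPLE_RECORDS)
    first_code = broker.code_for(first_mrn)
    return {
        "naive_recovered": enumerate_mrns(naive_encode(first_mrn)),
        "coded_recovered": enumerate_mrns(first_code, limit=50_000),
        "broker_recovered": broker.reidentify(first_code),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points follow from the code. First, the coded dataset is only as de-identified as the custody of the key and link table: if the broker’s key is shared with the recipient, or the same key is reused across datasets, records become linkable and the data is coded rather than anonymized, regardless of how the identifiers look. Second, encrypting the MRN instead of HMAC-coding it (the “encryption” alternative in the Massachusetts text) has the same property, since the decryption key holder can always recover the identity; only destroying the key and link table moves the data toward anonymized.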
GENERAL DATA PROTECTION REGULATION
• Like HIPAA, the GDPR allows the processing of personal data only when there is a lawful basis for the processing activity (Article 6). For example:
– Consent
– Compliance with certain legal obligations under EU or Member State law
– Legitimate interests of the data controller or a third party
• To lawfully process sensitive (“special category”) personal data, which expressly includes genetic data, an Article 6 lawful basis must be coupled with a separate condition for processing under Article 9. For example:
– Explicit consent
– Public interest in the area of public health, such as ensuring high standards of quality and safety of medicinal products, based on EU/Member State law
– Certain scientific or historical research, based on EU/Member State law
ADDITIONAL CONSIDERATIONS UNDER THE GDPR AND MEMBER STATE LAW
• Explicit consent is required when the consent pathway is used to process genetic information (as “sensitive” personal data)
– Requires a clear statement (written or spoken)
• EU or Member State law may impose additional restrictions or obligations around reliance on consent to process sensitive personal data
– Thus, while a privacy consent may not be required for compliance with the GDPR itself, consent may nonetheless be required to comply with applicable Member State law when processing genetic data for genetic testing or certain other purposes (e.g., research)
GDPR VS. U.S. PRIVACY FRAMEWORK: INCONSISTENCIES AND CHALLENGES
• Anonymization under the GDPR vs. de-identification under HIPAA
• Additional basis required for processing genomic data because it is sensitive personal data
– Explicit consent? Scientific research?
– What is an appropriate basis for activities such as proficiency testing or test validation?
• IRB or privacy board waiver is not a basis for processing of personal data under the GDPR
• More stringent Member State law
HUMAN SUBJECT PROTECTION REQUIREMENTS
COMMON RULE (FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS)
• Imposes IRB review and informed consent requirements
• Applies to “research” involving a “human subject” funded or supported by any federal agency or department that has signed onto the Common Rule (45 CFR Part 46)
– May be relevant even if not directly applicable by law (e.g., incorporated into applicable state law; benchmark for good practices in human subject protection)
– “Human subject” includes an individual about whom an investigator obtains identifiable private information (IPI) (i.e., private information for which the identity of the subject is or may readily be ascertained by the investigator) or identifiable biospecimens
COMMON RULE: EXAMPLES OF PATHWAYS
• Informed consent
• IRB waiver of informed consent
– Must demonstrate, inter alia, that the research involves no more than minimal risk and could not practicably be carried out without the waiver and without using the IPI
• De-identification
– Data that is de-identified under HIPAA currently would not be considered to involve a “human subject” under the Common Rule
COMMON RULE: KEY TAKEAWAYS
• Relevance to clinical laboratories often due to incorporation into applicable state laws or as a benchmark for good practices in human subject protections for research by such laboratories (e.g., use of identifiable data or samples to develop new tests)
• Informed consent requirements for ethical purposes under the Common Rule distinct from the required privacy pathway for using/disclosing PHI under HIPAA and basis for processing personal data under the GDPR
• Key driver of potentially evolving framework for permitted use of samples or genomic data from an ethical and privacy standpoint
STATE HUMAN SUBJECT PROTECTION LAWS AND REGULATIONS
• IRB review requirements are also in many state genetic privacy laws, some of which incorporate Common Rule standards
• Examples:
– Massachusetts General Laws Chapter 111, § 70G: Provides an exception from the informed consent requirement for disclosure of genetic test results if results are maintained as “confidential research information” under IRB-approved research protocols that protect the confidentiality of the individual through encryption, encoding, or other means consistent with the Common Rule and FDA Good Clinical Practice regulations
– New York Civil Rights Law § 79-l(4)(a): Genetic tests may be performed on anonymous samples for research purposes under a protocol approved by an IRB that assures the anonymity of the sources of the samples
OVERLAPPING CONSIDERATIONS
Activities: Research / Proficiency Testing / Quality Assurance / Validation
Pathways / bases
• Consent / authorization?
• Anonymization?
• De-identification?
• Other pathway (e.g., health care operations, legitimate interest, scientific research)?
Operational requirements
• IRB review and approval?
• Encryption?
• Security safeguards?
PRACTICAL TAKEAWAYS
PRACTICAL RECOMMENDATIONS
• Distill regulatory requirements into simple business rules
– Draft policies and materials in a manner that can be readily understood and implemented by business personnel
– Assess whether a preference for operational simplicity favors adopting the highest common denominator (i.e., more restrictive rules than what the law requires in each jurisdiction)
• Develop clear plan for patient consenting
– Challenging insofar as the laboratory typically is not involved in obtaining the consent from patients
– Help laboratory clients understand laboratory data use and sharing activities to facilitate more uniform consent policies and protocols and adequate consent language
– Buttress consents with clear and current notices and privacy policies; consider other creative ways of enhancing transparency
PRACTICAL RECOMMENDATIONS, CONT.
• Develop clear plan for results reporting & management
– Critical for the laboratory to have an established policy for the use and disclosure of test results
• Bolster internal data governance
– Importance of a multi-disciplinary team to quickly and consistently address questions raised by the business (e.g., data use committee)
– Work with the business to understand and weigh the business challenges in light of legal risks
THANK YOU
Jane Pine Wood, Chief Legal Counsel, BioReference Laboratories, [email protected]
Jiayan Chen, Partner, McDermott Will & Emery LLP
Michael Hamilton, Chief Privacy Officer, Invitae