NPRM Summary from HHS

As Michelle noted, the Notice of Proposed Rule Making (NPRM) on human subjects research is out after a long delay. For my (and many Bill of Health bloggers’) view about its predecessor ANPRM, you can check out our 2014 book, Human Subjects Research Regulation: Perspectives on the Future.

Here is HHS’s own summary of what has changed and what it thinks is most important:

The U.S. Department of Health and Human Services and fifteen other Federal Departments and Agencies have announced proposed revisions to modernize, strengthen, and make more effective the Federal Policy for the Protection of Human Subjects that was promulgated as a Common Rule in 1991.  A Notice of Proposed Rulemaking (NPRM) was put on public display on September 2, 2015 by the Office of the Federal Register.  The NPRM seeks comment on proposals to better protect human subjects involved in research, while facilitating valuable research and reducing burden, delay, and ambiguity for investigators. It is expected that the NPRM will be published in the Federal Register on September 8, 2015.  There are plans to release several webinars that will explain the changes proposed in the NPRM, and a town hall meeting is planned to be held in Washington, D.C. in October. Continue reading

The 21st Century Cures Act, HIPAA, Big Data, and Medical Research

By Nicholson Price

The 21st Century Cures Act is a big deal; the House passed it handily, and we’re still waiting to see what the Senate does.  A lot has been written about what it does in terms of changing FDA review processes, and a fair bit about the lovely increase in funding for NIH (see Rachel Sachs’ blog posts here, here, and here).  These are tremendously important.

But another provision in the bill has been getting much less play: the way it changes HIPAA to enable large-scale research, which is also a big deal all by itself. Continue reading

Should Health Lawyers Pay Attention To The Administration’s Privacy Bill?

By Nicolas Terry

Cross Posted from Health Affairs Blog

Health care lawyers justifiably ignored the 2012 Obama administration consumer privacy framework because it expressly and broadly exempted entities subject to HIPAA, stating “To avoid creating duplicative regulatory burdens, the Administration supports exempting companies from consumer data privacy legislation to the extent that their activities are subject to existing Federal data privacy laws.”

In contrast, the administration’s 2015 draft bill, the Consumer Privacy Bill of Rights Act, though based on that framework, substantially affects health care entities, including those subject to HIPAA, and so demands more attention in the health law community.

The “HIPAA clause” in the draft bill is subtly different (and noticeably narrower than its preemption of state law clause): “If a covered entity is subject to a provision of this Act and a comparable provision of a Federal privacy or security law [the list includes HIPAA] such provision of this Act shall not apply to such person to the extent that such provision of Federal privacy or security law applies to such person.” Continue reading

Federal Newborn Screening Law Emphasizes Informed Consent

Allison M. Whelan, J.D.
Senior Fellow, Center for Bioethics and Global Health Policy, University of California, Irvine
Guest Blogger

On December 18, 2014, President Obama signed into law the Newborn Screening Saves Lives Reauthorization Act of 2014. The Act includes new timeliness and tracking measures to ensure newborn babies with deadly yet treatable disorders are diagnosed quickly. These changes responded to a Milwaukee Journal Sentinel investigation that found thousands of hospitals delayed sending babies’ blood samples to state labs.  A primary purpose of newborn screening is to detect disorders quickly, so any delays increase the risk of illness, disability, and even death.

Although a major reason for the Act’s amendments is to address these problematic delays, another important addition to the Act establishes a parental consent requirement before residual newborn blood spots (NBS) are used in federally-funded research. The Act directs the Department of Health and Human Services (HHS) to update the Federal Policy for the Protection of Human Subjects (the “Common Rule”) to recognize federally-funded research on NBS as “human subjects” research. It also eliminates the ability of an institutional review board to waive informed consent requirements for NBS research.

Continue reading

A Chief Privacy Officer’s Take on the Chanko Case

Earlier this month, Charles Ornstein explored a New York City family’s charge that their privacy was violated by a local hospital and a reality television show in ProPublica. More specifically, he details how the death of one Mr. Mark Chanko was filmed at NY Presbyterian Hospital without the family’s consent, and then nationally aired on ABC’s NY MED over a year later. Mr. Chanko’s face was blurred for viewers but he remained recognizable to family and friends who watched the show. Since the broadcast, the family has pursued legal action through several New York courts with little success thus far.

The piece has already been commented upon by several smart people, most recently Kay Lazar of the Boston Globe. Just one day after Ornstein’s piece went to press, the Dean of Harvard Medical School Jeffrey Flier (@jflier) tweeted “How could this be allowed to happen?” only to be informed by the Chair of Surgery at Boston Medical Center, Gerard Doherty, (@GerardDoherty4) that three Harvard-affiliated hospitals are in fact currently hosting camera crews for a similar series. The ensuing conversation reminded me just how limited a platform Twitter is for tricky conversations about health care law and ethics. So I did what any self-respecting millennial would do – I went home for the holidays and asked my mom to help me understand what the internet couldn’t.

Continue reading

The Constitutional Implications of Ebola: Civil Liberties and Civil Rights In Times of Health Crises

Join us for an important public forum:

Constitutional Implications of Ebola:
Civil Liberties & Civil Rights In Times of Health Crises

This public forum addresses the constitutional and public health implications of Ebola response in the United States.  According to state and federal laws, patient information is deemed private and is to be held in strict confidentiality.  However, in the wake of Ebola, well-established protocols to guard patient privacy have been neglected or suspended without public debate.  At this forum, a panel of experts raise questions not only about how to contain the disease, but also to what extent Americans value their healthcare privacy, civil liberties, and civil rights.  To what extent are Americans’ Ebola fears influenced by the origins of the disease?  What liberties are Americans willing to sacrifice to calm their fears?  How to balance the concern for public welfare with legal and ethical privacy principles?

Speakers: Reverend Jesse L. Jackson, Sr.;  Michele Goodwin, Chancellor’s Chair, UC Irvine School of Law;  Professor Andrew Noymer, UC Irvine School of Public Health; and Dr. George Woods, American Psychiatric Association.

This Forum intervenes in the current national and international discourse on Ebola by probing law’s role in addressing public health crises.  This forum is free and open to the public.

WHEN: Wednesday, November 19, 2014, 3.30pm-5.30pm

WHERE: University of California Irvine, School of Law; ROOM EDU 1111, 401 E Peltason Dr, Irvine, CA 92612

Ebola and Privacy

By Michele Goodwin

As the nation braces for possibly more Ebola cases, civil liberties should be considered, including patient privacy.  As news media feature headline-grabbing stories about quarantines,  let’s think about the laws governing privacy in healthcare. Despite federal laws enacted to protect patient privacy, the Ebola scare brings the vulnerability of individuals and the regulations intended to help them into sharp relief.

In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) to protect patient privacy.  Specifically, HIPAA’s Privacy Rule requires that healthcare providers and their business associates restrict access to patients’ health care information.  For many years, the law has been regarded as the strongest federal statement regarding patient privacy. But it may be tested in the wake of the Ebola scare with patients’ names, photographs, and even family information entering the public sphere.

Ebola hysteria raises questions not only about how to contain the disease, but also to what extent Americans value their healthcare privacy.  What liberties are Americans willing to sacrifice to calm their fears?  How to balance the concern for public welfare with legal and ethical privacy principles?  For example, will Americans tolerate profiling travelers based on their race or national origin as precautionary measures?  What type of reporting norms should govern Ebola cases?  Should reporting the existence of an Ebola case also include disclosing the name of the patient?  I don’t think so, but the jury appears out for many.

Facebook Rumored To Be Planning Foray Into the Online Health Space

Reuters broke the story on Friday, citing anonymous sources:

The company is exploring creating online “support communities” that would connect Facebook users suffering from various ailments. . . . Recently, Facebook executives have come to realize that healthcare might work as a tool to increase engagement with the site. One catalyst: the unexpected success of Facebook’s “organ-donor status initiative,” introduced in 2012. The day that Facebook altered profile pages to allow members to specify their organ donor-status, 13,054 people registered to be organ donors online in the United States, a 21 fold increase over the daily average of 616 registrations . . . . Separately, Facebook product teams noticed that people with chronic ailments such as diabetes would search the social networking site for advice, said one former Facebook insider. In addition, the proliferation of patient networks such as PatientsLikeMe demonstrate that people are increasingly comfortable sharing symptoms and treatment experiences online. . . . Facebook may already have a few ideas to alleviate privacy concerns around its health initiatives. The company is considering rolling out its first health application quietly and under a different name, a source said.

I’m quoted in this International Business Times article about Facebook’s rumored plans. After the jump is the full statement I provided to the reporter (links added).  Continue reading

HHS Issues Guidance on Same Sex Spouses and HIPAA

[Cross-posted at HealthLawProfs blog.]

Under HIPAA, patients’ spouses and other family members have certain rights to access health information. In an important guidance document in the wake of United States v. Windsor, the Office for Civil Rights (OCR) at HHS has clarified that “spouse” under HIPAA refers to legally married same-sex spouses, even if the individual is receiving services in a jurisdiction not recognizing same-sex marriage.  Continue reading

Getting Granular with Apple’s mHealth Guidelines

By Nicolas Terry

In a post last week I compared Apple’s new mHealth App store rules with our classic regulatory models. I noted that the ‘Health’ data aggregation app and other apps using the ‘HealthKit’ API that collected, stored or processed health data would seldom be subject to the HIPAA Privacy and Security rules. There will be exceptions, for example, apps linked to EMR data held by covered entities. Equally, the FTC will patrol the space looking for violations of privacy policies and most EMR and PHR apps will be subject to federal notification of breach regulations.

Apple has now publicly released its app store review guidelines for HealthKit and they make for an interesting read. First, it is disappointing that Apple has taken its cue from our dysfunctional health privacy laws and concentrated its regulation on data use, rather than collection. A prohibition on collecting user data other than for the primary purpose of the app would have been welcome. Second, apps using the framework cannot store user data in iCloud (which does not offer a BAA), begging the question where it will be acceptable for such data to be stored. Amazon Web Services? Third, while last week’s leaks are confirmed and there is a strong prohibition on using HealthKit data for advertising or other data-mining purposes, the official text has a squirrelly coda; “other than improving health, medical, and fitness management, or for the purpose of medical research.” This needs to be clarified, as does the choice architecture. Continue reading

Apple’s mHealth Rules Fear to Tread Where Our Privacy Laws Fall Short

By Nicolas Terry

On September 9 Apple is hosting its ‘Wish We Could Say More’ event. In the interim we will be deluged with usually uninformed speculation about the new iPhone, an iWatch wearable, and who knows what else. What we do know, because Apple announced it back in June, is that iOS 8, Apple’s mobile operating system will include an App called ‘Health’ (backed by a ‘HealthKit’ API) that will aggregate health and fitness data from the iPhone’s own internal sensors, 3rd party wearables, and EMRs.

What has been less than clear is how the privacy of this data is to be protected. There is some low hanging legal fruit. For example, when Apple partners with the Mayo Clinic or EMR manufacturers to make EMR data available from covered entities they are squarely within the HIPAA Privacy and Security Rules triggering the requirements for Business Associate Agreements, etc.

But what of the health data being collected by the Apple health data aggregator or other apps that lies outside of protected HIPAA space? Fitness and health data picked up by apps and stored on the phone or on an app developer’s analytic cloud fails the HIPAA applicability test, yet may be as sensitive as anything stored on a hospital server (as I have argued elsewhere). HIPAA may not apply but this is not a completely unregulated area. The FTC is more aggressively policing the health data space and is paying particular attention to deviance from stated privacy policies by app developers. The FTC also enforces a narrow and oft-forgotten part of HIPAA that applies a breach notification rule to non-covered entity PHR vendors, some of whom no doubt will be selling their wares on the app store. Continue reading

The $4 billion Medical Data Breach Case That Lost Its Way

By Nicolas Terry

Sutter Health v. Superior Court, 2014 WL 3589699 (Cal. App. 2014), is a medical data breach class action case that raises questions beyond the specifics of the Californian Confidentiality of Medical Information Act.

The stakes were high in Sutter — under the California statute medical data breach claims trigger (or should trigger!) nominal damages at $1000 per patient. Here four million records were stolen.

Plaintiffs’ first argued the defendant breached a section prohibiting unconsented-to disclosure. The not unreasonable response from the court was that this provision required an affirmative act of disclosure by the defendant which was not satisfied by a theft.

A second statutory provision argued by the plaintiffs looked like a winner. This section provided, “Every provider of health care … who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein.” Continue reading

Art Caplan Says Vasectomy Has No Place in Plea Deal

Art Caplan has a new opinion piece on NBCNews on the controversy over the case of Jessie Herald, in which he was offered a plea bargain that involved sterilization for a reduced sentencing. From the piece:

Jessie Lee Herald was facing five years or more in prison after a crash in which police and prosecutors said his 3-year-old son was bloodied but not seriously hurt. But Herald cut a deal. Or more accurately, the state agreed to reduce his sentence if he would agree to be cut. Shenandoah County assistant prosecutor Ilona White said she offered Herald, 27, of Edinburg, Virginia, the opportunity to get a drastically reduced sentence if he would agree to a vasectomy. It may not be immediately clear what a vasectomy has to do with driving dangerously and recklessly. It shouldn’t be. There is no connection.

Read the full article.

Chip and Fish: Inadvertent Spies

Art Caplan has authored a new opinion piece on on the issue of “chipping” human beings. From the piece:

There has been a great deal of fingerpointing, second-guessing and recrimination over the decision by the President to exchange five former Taliban leaders for the American soldier, Bowe Bergdahl.  “You’ve just released five extremely dangerous people, who in my opinion … will rejoin the battlefield,” Senator Marco Rubio, R-Fla., and likely Presidential candidate told Fox News.  Senator John McCain, R-AZ, told ABC news and many other outlets that he would never have supported the swap if he’d known exactly which prisoners would be exchanged given their former high roles in battling the U.S. in Afghanistan.

Put aside for a second whether the five Taliban leaders that were flown to Qatar for Bergdahl are now too old and too long removed from Taliban affairs to resume anything close to their old roles.  Presume, instead, they will eagerly resume where they left off prior to their capture, attacking Americans and others they see as hindering Taliban goals for Afghanistan.  Is it possible that the U.S. did something to these men before letting them go in the swap—surreptitiously implanting them with microchips so that they could be tracked or traced?

Read the full article.

PCAST, Big Data, and Privacy

By Leslie Francis

Cross-post from HealthLawProf Blog

The President’s Council of Advisors on Science and Technology (PCAST) has issued a report intended to be a technological complement to the recent White House report on big data. This PCAST report, however, is far more than a technological analysis—although as a description of technological developments it is wonderfully accessible, clear and informative.  It also contains policy recommendations of sweeping significance about how technology should be used and developed.  PCAST’s recommendations carry the imprimatur of scientific expertise—and lawyers interested in health policy should be alert to the normative approach of PCAST to big data.

Here, in PCAST’s own words, is the basic approach: “In light of the continuing proliferation of ways to collect and use information about people, PCAST recommends that policy focus primarily on whether specific uses of information about people affect privacy adversely. It also recommends that policy focus on outcomes, on the “what” rather than the “how,” to avoid becoming obsolete as technology advances. The policy framework should accelerate the development and commercialization of technologies that can help to contain adverse impacts on privacy, including research into new technological options. By using technology more effectively, the Nation can lead internationally in making the most of big data’s benefits while limiting the concerns it poses for privacy. Finally, PCAST calls for efforts to assure that there is enough talent available with the expertise needed to develop and use big data in a privacy-sensitive way.”  In other words:  assume the importance of continuing to collect and analyze big data, identify potential harms and fixes on a case-by-case basis possibly after the fact, and enlist the help of the commercial sector to develop profitable privacy technologies.  Continue reading

Bumps on the Road Towards Clinical Trials Data Transparency- A recent U-Turn by the EMA?

By Timo Minssen

In a recent blog I discussed the benefits and potential draw-backs of a new “EU Regulation on clinical trials on medicinal products for human use,” which had been adopted by the European Parliament and Council in April 2014. Parallel to these legislative developments, the drug industry has responded with its own initiatives providing for varying degrees of transparency. But also medical authorities have been very active in developing their transparency policies.

In the US, the FDA proposed new rules which would require disclosure of masked and de-identified patient-level data. In the EU, the EMA organized during 2013 a series of meetings with its five advisory committees to devise a draft policy for proactive publication of and access to clinical-trial data. In June 2013 this process resulted in the publication, of a draft policy document titled “Publication and access to clinical-trial data” (EMA/240810/2013).

Following an invitation for public comments on this document, the EMA received more than 1,000 submissions from stakeholders. Based on these comments the EMA recently proposed “Terms of Use” (TOU) and “Redaction Principles” for clinical trial data disclosure.

In a letter to the EMA’s executive director Dr. Guido Rasi, dated 13 May 2014, the European Ombudsman, Emily O’Reilly, has now expressed concern about what seems to be a substantial shift of policy regarding clinical trial data transparency. Continue reading

Not Just Any Week in Privacy

By Nicolas Terry

Privacy is never easy to think about. This week it became harder. Two pieces framed my week. First, Eben Moglen’s essay in The Guardian (based on his Columbia talks from late last year) took my breath away; glorious writing and stunning breadth combined to deliver a desperately sad (but not entirely hopeless) message about government and corporate overreaching in data collection and processing.

A wry speech posted by software developer Maciej Ceglowski also helped frame my thoughts. He wrote, “The Internet somehow contrives to remember too much and too little at the same time, and it maps poorly on our concepts of how memory should work.” There’s the problem in a nut. Ceglowski alludes to the divide between how human (offline) memory operates (it’s “fuzzy” and “memories tend to fade with time, and we remember only the more salient events”) and the online default of remembering everything. Government and Google and, for that matter, Big Data Brokers tell us that online rules now apply across the board and ‘that’s just peachy’ because we’ll have better national security, better searches, or more relevant advertising. But, that’s backwards. Continue reading

DUE 6/3: Call for Abstracts: Emerging Issues and New Frontiers for FDA Regulation

            PFC_Logo_300x300                    FDLI_Logo_380

The Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School and the Food and Drug Law Institute are pleased to announce an upcoming collaborative academic symposium:

Emerging Issues and New Frontiers for FDA Regulation

Monday, October 20, 2014 

Washington, DC

We are currently seeking abstracts for academic presentations/papers on the following topics:  Continue reading

A Bad Debt That Will Shake Big Data

By Nicolas Terry

A resident of Spain allegedly owed back taxes triggering attachment proceedings. The local newspaper published the details of an upcoming auction of his property in early 1998. At some point the issue was settled. However, the matter was not forgotten—the newspaper was online and a Google search of the gentleman’s name returned this history. He complained to the Spanish data protection agency (AEPD) that he had a right to have older, irrelevant information erased and that Google should remove the links. The AEPD agreed and Google sued for relief. The Spanish High Court referred the interpretation of the Data Directive (95/46) to the European Court of Justice in 2010 and in 2013 the Advocate-General issued an advisory opinion supportive of Google’s position. Somewhat surprisingly the European Court of Justice has now taken the opposite view (Case C‑131/12, Google Spain SL v. AEPD, May 13, 2014). Continue reading

Call for Abstracts: Emerging Issues and New Frontiers for FDA Regulation





The Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School and the Food and Drug Law Institute are pleased to announce an upcoming collaborative academic symposium:

Emerging Issues and New Frontiers for FDA Regulation

Monday, October 20, 2014 

Washington, DC

We are currently seeking abstracts for academic presentations/papers on the following topics:

  • Stem cell therapies
  • Nanotechnologies
  • Genetic (and biomarker) tests
  • Gene therapies
  • Personalized medicine
  • Comparative efficacy research
  • Drug resistant pathogens
  • Globalized markets
  • Tobacco
  • GMO
  • Bioterrorism countermeasures
  • Mobile health technologies
  • Health IT
  • Drug shortages
  • Other related topics

Abstracts should be no longer than 1 page, and should be emailed to Davina Rosen Marano at by Tuesday, June 3, 2014. Questions should also be directed to Davina Rosen Marano.

We will notify selected participants by the end of June.  Selected participants will present at the symposium, and will be expected to submit a completed article by December 15, 2014 (after the event) to be considered for publication in a 2015 issue of FDLI’s Food and Drug Law Journal (FDLJ).  Publication decisions will be made based on usual FDLJ standards.