GLOBAL PRIVACY LAWS AND GENETIC COMPANIES: SOLUTIONS TO COMPLIANCE CHALLENGESJiayan Chen, Partner, McDermott Will & Emery LLP,Jane Pine Wood, Chief Legal Counsel, BioReferenceLaboratoriesMichael Hamilton, Chief Privacy Officer, Invitae

May 8, 2020

AGENDA• Overview: Genetic Testing Laboratories and Data Use

– How do genetic testing laboratories collect, generate, and use data for core laboratory operations?

– In what other ways do genetic testing laboratories use and disclose data?• Legal Framework for Genetic Testing Laboratories

– How do privacy, clinical laboratory, and human subject protection laws intersect and regulate the collection, use, disclosure, and retention of data by genetic testing laboratories?

– Areas of inconsistency among such laws and resulting challenges for genetic testing laboratories

• Practical Application of Privacy Laws in Genetic Testing Laboratories

2

GENETIC TESTING LABORATORIES AND DATA USE

3

WHAT IS A “LABORATORY” IN THE U.S.?

4

A facility for the biological,

microbiological, serological, chemical, immunohematological,

hematological, biophysical, cytological,

pathological, or other examination

of materials derived from the human body

for the purpose of providing information for

the diagnosis, prevention, or treatment

of any disease or impairment of, or the

assessment of the health of, human beings

Is a “laboratory” and subject to the Clinical

Laboratory Improvement Amendments of 1988

(CLIA) (unless an exception applies)

HOW GENETIC TESTING LABORATORIES PROCESS DATA

•

Receipt of data sample & DNA

extraction

Physical specimen may be blood or saliva from which DNA can be extracted.

Blood or saliva then undergoes a series of laboratory processes to extract DNA.

DNA sequencing

Extracted DNA is fed into the DNA sequencer.

Output from sequencing are large files known as FastQ files.

Identify genetic variants

Once the DNA is sequenced, it is sent to bioinformatics systems to process FastQ files and ultimately return list of variants.

Analyze variants & draft report

Clinical experts review variants and determine pathogenicity.

Need to look at other patient data to make this determination.

Findings get summarized in genetic test report that goes to clinician.

5

USES OF GENOMIC DATA IN CLINICAL LAB CONTEXT

• Preparing clinical reportCore activity of genetic testing laboratory1

Quality ImprovementEnsure accuracy of tests and identify areas for improvement 2

ValidationConfirm existing or new test meets performance specifications 3

Research & Development

Contribution to generalizable knowledge/develop new products4

Data / Sample SharingSharing data or samples (identified or de-identified) with third parties 5

6

RESULTS REPORTING & MANAGEMENT• Federal and state laboratory laws and regulations, such as CLIA, require reporting

to the ordering provider.• HIPAA requires the laboratory to provide test results to patients within 30 days after

request.• Laboratories frequently report certain results data to third party payers under the

“healthcare operations” exception under HIPAA (HEDIS reporting, for example) as well as to state departments of health.

• Many laboratories have web-based portals that can be accessed by ordering providers and patients to view test results.

7

RESULTS REPORTING & MANAGEMENT, CONT.• Laboratories receive subpoenas and litigation requests for test results.• Laboratories may also report results in conjunction with research studies.• Occasionally sales personnel may request access to test results to assist clients

and respond to specific client requests, but such access must be very carefully considered on a case by case basis.

8

LEGAL FRAMEWORK FOR GENETIC TESTING LABORATORIES

9

KEY OVERSIGHT BODIES RELEVANT TO DATA USE AND SHARING BY GENETIC TESTING LABORATORIES

10

Genetic Testing Laboratories

State Clinical

Laboratory Regulators

State Attorneys General (State

Privacy and Consumer Protection)

Office for Civil Rights(HIPAA)

EU Member State Supervisory

Authorities and Other Ex-U.S.

Data Protection Regulators

(E.g., GDPR)

Food & Drug Administration(Drugs, Devices,

Biologics)

Office for Human

Research Protections(Common

Rule)

Centers for Medicare & Medicaid

Services (CMS)(Clinical

Laboratory Improvement

Amendments of 1988)

Accreditation Bodies (e.g.,

College of American

Pathologists)

Ex-U.S. Clinical Laboratory Regulators

TODAY’S PRESENTATION: IN SHARPER FOCUS

Laboratory Certification /

Licensure Laws

Human Subject

Protections

Privacy and Data

Protection Laws

11

• How are genetic testing laboratories required to use data in order to comply with their obligations under laboratory certification / licensure laws?

• How do federal and state laws define “research” and how do they intersect with and place restrictions on certain clinical laboratory operations?

• What restrictions apply to a genetic testing laboratory’s processing of patient data

under privacy and data protection laws?

LABORATORY CERTIFICATION / LICENSURE LAWS

12

CLINICAL LABORATORY IMPROVEMENT AMENDMENTS OF 1988 (CLIA)

What is CLIA?•U.S. federal certification scheme applicable to “laboratories”

– Requires laboratories to obtain a certificate and comply with other operational requirements

•Enforced by the Centers for Medicare & Medicaid Services (CMS)– Implemented with assistance from state Departments of Health and

federally-recognized accreditation organizations such as the College of American Pathologists

13

WHAT DOES CLIA REQUIRE?

• Overall requirement – Laboratory must have a current, unrevoked, and unsuspended certificate applicable to the category of tests performed by the laboratory or be CLIA-exempt– Certain exceptions apply, such as for research laboratories not reporting

specific patient results• Type of certificate required depends on complexity of testing performed

at facility– Genetic tests offered as laboratory-developed tests (i.e., without FDA

clearance/approval) are “high” complexity tests

14

WHAT ARE THE ONGOING REGULATORY REQUIREMENTS FOR A CLIA-CERTIFIED LABORATORY?

• Proficiency Testing – Laboratory must test samples and report results under a PT program

approved by U.S. Department of Health & Human Services (HHS) Typically requires multiple rounds of testing each year

– Results get compared against “known” results (general threshold of 80% for satisfactory performance)

• Facility Administration– E.g., appropriate physical space, appropriate equipment, supplies, and

reagents, safety procedures, and record and specimen retention requirements

15

WHAT ARE THE ONGOING REGULATORY REQUIREMENTS FOR A CLIA-CERTIFIED LABORATORY? (CONT’D)

• Quality Systems– Laboratory must have process in place for its preanalytic, analytic, and post-

analytic systems (e.g., test requisitions, specimen handling, procedure manual, test systems, establishing and/or verifying performance specifications, quality control, and test reports)

• Personnel– Education and experience requirements for laboratory personnel based on

specific role• Inspection

– Initial and biennial (or more frequently for cause) for laboratories not operating under certificate of waiver

16

USES OF DATA AND SAMPLES TO SATISFY CLINICAL LABORATORY REGULATORY REQUIREMENTS

Reviewing test results or generated data to identify errors or inefficiencies within the laboratory

Reviewing test results or generated data to verify the quality of work of laboratory personnel

Validating the performance of a test after modifying the physical materials used (e.g., change in equipment or specimen type)

Validating the performance of a test after updating the software that supports the data-to-report process (e.g., after the software has been taught something new, confirming the end-to-end test works as expected)

Using leftover specimens to meet proficiency testing requirements (where contrived specimens not commercially available)

17

ADDITIONAL USE CASES

Reviewing genome sequencing data and phenotypic data to identify additional genetic variants of clinical significanceCreating a new multi-gene panelAdding new genes to an existing multi-gene panel

18

PRIVACY LAWS

19

PATCHWORK OF LAWS

20

Domestic (Federal, State) / Multinational

Privacy Protections for Human Subjects in Research

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

21

• Applies to clinical laboratories as Covered Entities insofar as they bill health plans or other third party payors for tests using HIPAA standard transactions

• Includes a number of pathways relevant to a laboratory’s various internal and external operations and initiatives that require use or disclosure of protected health information (PHI)

– However, there are ambiguities as to the appropriate pathway given lack of direct mapping between HIPAA and CLIA / state clinical laboratory regulations

HIPAA PRIVACY RULE: PERMITTED USES AND DISCLOSURES AS REQUIRED BY LAW

• Required By Law– A Covered Entity or Business Associate may use or disclose PHI as

“Required by Law,” which means a mandate contained in a law that compels a use or disclosure of PHI and that is enforceable in a court of law

– E.g., court orders, governmental or administrative body authorized to require production of information, and statutes and regulations that require production of information

22

HIPAA PRIVACY RULE: PERMITTED USES AND DISCLOSURES FOR RESEARCH

• HIPAA includes the following pathways for using/disclosing PHI for research: – HIPAA authorization – institutional review board (IRB) or privacy board waiver of the HIPAA

authorization requirement (must satisfy certain criteria)– reviews preparatory to research (e.g., to assess feasibility of research,

develop protocol, identify potentially eligible subjects)– research using de-identified data– research using a limited data set (PHI with direct identifiers removed)

under a data use agreement with the recipient of the limited data set

23

HIPAA PRIVACY RULE: THE QUALITY VS. RESEARCH CONUNDRUM

Health Care Operations• Includes “Conducting quality assessment and improvement

activities … provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities”

Research• A systematic investigation, including research development, testing,

and evaluation, designed to develop or contribute to generalizableknowledge

24

Consider: How to characterize the establishment of performance specifications? Validation activities?

STATE GENETIC PRIVACY LAWS

Wide variation among states in scope and the uses and disclosures that they permit or prohibit

25

Scope (Identifiability

of Data Regulated)

Restrictions on Use

Scope (Entities

Regulated)Restrictions

on Disclosure

VARIATIONS AMONG STATE GENETIC PRIVACY LAWS

26

Variable ExampleDoes the law apply to only identifiable genomic data or samples?

Alaska Genetic Testing Law: “A person may not … disclose the results of a DNA analysis unless the person has first obtained the informed and written consent of the person … for the … disclosure.” Alaska Stat. § 18.13.010(a)(1).

“DNA analysis” is not defined in a way that makes it clear whether it is limited to identifiable information. It means “DNA or genetic typing and testing to determine the presence or absence of genetic characteristics in an individual, including tests of nucleic acids or chromosomes in order to diagnose or identify a genetic characteristic; “DNA analysis” does not include a routine physical measurement, a test for drugs, alcohol, cholesterol, or the human immunodeficiency virus, a chemical, blood, or urine analysis, or any other diagnostic test that is widely accepted and in use in clinical practice.” Alaska Stat. § 18.13.100.

VARIATIONS AMONG STATE GENETIC PRIVACY LAWS

27

Variable ExampleDoes the law apply only to certain entities (e.g., employers or third party payors)?

South Carolina Privacy of Genetic Information Law:

Scope section of the law states that it “applies to health insurance coverage offered in connection with an individual health plan, a group health plan, or a health benefit plan that is delivered, issued for delivery, or renewed in this state.” S.C. Code § 38-93-20.

But certain sections of the law, without specific reference to health insurance issuers, require the confidentiality of genetic information and prohibit performing genetic tests without informed consent. S.C. Code §§38-93-40, -50.

VARIATIONS AMONG STATE GENETIC PRIVACY LAWS

28

Variable ExampleHow does the law prohibit or restrict the disclosure or sharing of genomic data or samples?

Massachusetts Genetic Privacy Law:

Prohibits disclosure of reports and records pertaining to any genetic information without informed written consent, subject to certain exceptions including:• As “confidential research information” for use in epidemiological or

clinical research, where the genetic test results are maintained under protocols reviewed and approved by an IRB established under the provisions of the Common Rule (45 CFR Part 46) or FDA Good Clinical Practice regulations (21 CFR Parts 50, 56) and that protect the confidentiality of the individual either by encryption, encoding, or other means consistent with such federal regulations, or where the individual’s identity is unknown or protected from disclosure by encrypting or encoding or by other means consistent with such federal regulations.

INCONSISTENCIES AND CHALLENGES UNDER STATE GENETIC PRIVACY LAWS

• De-identification as a precise and broad pathway under HIPAA vs.consent, IRB review, encryption, or other requirements under state genetic privacy laws even for data that is de-identified under HIPAA

• Ambiguity regarding applicability of certain state laws to de-identified (i.e., coded) data vs. anonymized data

• Certain state laws regulate not only the use or disclosure, but also the retention, of genomic data or samples

• Ambiguity regarding clinical laboratory use of genomic data or samples for operational purposes, such as quality control, proficiency testing, validation

29

GENERAL DATA PROTECTION REGULATION• Like HIPAA, the GDPR allows the processing of personal data only when there is a

lawful basis for the processing activity (Article 6). For example:– Consent– Compliance with certain legal obligations under EU or Member State law– Legitimate interests of the data controller or third party

• To lawfully process sensitive personal data, an Article 6 lawful basis must be coupled with a separate permission for processing under Article 9. For example:– Explicit Consent– Public Interest in the area of public health, such as ensuring high standards of quality and safety

of medicinal products based on EU/Member State law– Certain scientific or historical research based on EU/Member State law

30

ADDITIONAL CONSIDERATIONS UNDER THE GDPR AND MEMBER STATE LAW

• Explicit consent is required when the consent pathway is used to process genetic information (as “sensitive” personal data)– Requires a clear statement (written or spoken)

• EU or Member State law may impose additional restrictions or obligations around reliance on consent to process sensitive personal data– Thus, while a privacy consent may not be required for compliance with the

GDPR, consent may nonetheless be required to comply with applicable Member State law when processing genetic data for genetic testing or certain other purposes (e.g., research)

31

GDPR VS. U.S. PRIVACY FRAMEWORK: INCONSISTENCIES AND CHALLENGES

• Anonymization under GDPR vs. de-identification under HIPAA• Additional basis required for processing genomic data because it is

sensitive personal data– Explicit consent? Scientific research?– What is an appropriate basis for activities such as proficiency testing or

test validation? • IRB or privacy board waiver is not a basis for processing of personal

data under the GDPR• More stringent Member State law

32

HUMAN SUBJECT PROTECTION REQUIREMENTS

33

COMMON RULE (FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS)• Imposes IRB review and informed consent requirements

• Applies to “research” involving a “human subject” funded or supported by any federal agency or department that has signed onto the Common Rule (45 CFR Part 46)– May be relevant even if not directly applicable by law (e.g., incorporated into applicable

state law; benchmark for good practices in human subject protection)– “Human subject” includes individual about whom investigator obtains identifiable

private information (IPI) (i.e., private information for which identity is or may readily be ascertained by investigator) or identifiable biospecimens

34

COMMON RULE: EXAMPLES OF PATHWAYS

• Informed consent• IRB waiver of informed consent

– Must demonstrate, inter alia, that the research involves no more than minimal risk and cannot practicably be conducted without the waiver and IPI

• De-identification– Data that is de-identified under HIPAA currently would not be considered a

“human subject” under Common Rule

35

COMMON RULE: KEY TAKEAWAYS

• Relevance to clinical laboratories often due to incorporation into applicable state laws or as a benchmark for good practices in human subject protections for research by such laboratories (e.g., use of identifiable data or samples to develop new tests)

• Informed consent requirements for ethical purposes under the Common Rule distinct from the required privacy pathway for using/disclosing PHI under HIPAA and basis for processing personal data under the GDPR

• Key driver of potentially evolving framework for permitted use of samples or genomic data from an ethical and privacy standpoint

36

STATE HUMAN SUBJECT PROTECTION LAWS AND REGULATIONS• IRB review requirements are also in many state genetic privacy laws, some of

which incorporate Common Rule standards• Examples:

– Massachusetts General Laws Chapter 111, § 70G: Provides exception frominformed consent requirement for disclosure of genetic test results if results aremaintained as “confidential research information” under IRB-approved researchprotocols that protect the confidentiality of the individual through encryption,encoding, or other means consistent with Common Rule and FDA Good ClinicalPractice Regulations

– New York Civil Rights Law § 79-l(4)(a): Genetic tests may be performed onanonymous samples for research purposes under a protocol approved by an IRBthat assures the anonymity of the sources of the samples

37

OVERLAPPING CONSIDERATIONS

Research Proficiency Testing

Quality AssuranceValidation

38

Pathways / bases• Consent / authorization?• Anonymization?• De-identification?• Other pathway (e.g., health care operations,

legitimate interest, scientific research)?

Operational requirements• IRB review and approval?• Encryption?• Security safeguards?

PRACTICAL TAKEAWAYS

39

PRACTICAL RECOMMENDATIONS • Distill regulatory requirements into simple business rules

– Draft policies and materials in a manner that can be readily understood and implemented by business personnel

– Assess whether preference for operational simplicity favors adopting highest common denominator (i.e., more restrictive rules than what the law requires in each jurisdiction)

• Develop clear plan for patient consenting – Challenges insofar as laboratory typically is not involved in obtaining the

consent from patients– Help laboratory clients understand laboratory data use and sharing activities to

facilitate more uniform consent policies and protocols and adequate consent language

– Buttress consents with clear and current notices and privacy policies; consider other creative ways of enhancing transparency

40

PRACTICAL RECOMMENDATIONS, CONT.

• Develop clear plan for results reporting & management – Critical for the laboratory to have an established policy for the use and

disclosure of test results • Bolster internal data governance

– Importance of multi-disciplinary team to quickly and consistently address questions raised by business (e.g., data use committee)

– Work with business to understand and weigh the business challenges in light of legal risks

41

THANK YOUJane Pine Wood

Chief Legal Counsel, BioReference Laboratoriesjwood@bioreference.com

Jiayan ChenPartner, McDermott Will & Emery LLP

jychen@mwe.com

Michael HamiltonChief Privacy Officer, Invitae

michael.hamilton@invitae.com