American Journal of Law & Medicine

Use and disclosure of health information in genetic research: weighing the impact of the new federal medical privacy rule.


Perceived threats to medical privacy arouse intense emotion, even among those who might otherwise approach complex health policy issues with academic dispassion. The author of an August 2001 editorial in the New England Journal of Medicine describes medical records as "sacred secrets," and decries the use of medical information for purposes unrelated to patient care as "an abridgement of individual rights" and "an unfolding American tragedy." (1) A like-minded commentator in the Journal of the American Medical Association strikes a more apocalyptic note, warning that with respect to medical privacy, "[t]here is, increasingly, no place to hide." (2) Not surprisingly, privacy advocates also depict a full-blown crisis in medical privacy, one that Janlori Goldman of the Georgetown Health Privacy Project asserts has led consumers "to withdraw from full participation in their own healthcare" for fear of "discrimination, loss of benefits, stigma and unwanted exposure." (3)

The distraught tenor of such rhetoric only amplifies consumer fears about the potential misuse of personal health information and has engendered strong support for increased government oversight of medical privacy. Potential threats to the privacy of genetic test results have been a particular source of public anxiety. Public reaction has stimulated legislative initiatives at both the state and federal levels targeted toward the amorphous category of "genetic information." (4)

It is inarguable that basic safeguards for the privacy and confidentiality of genetic information and, for that matter, all other types of medical information are essential. Consumers perceive themselves to be at significant risk when third parties such as employers or commercial entities enjoy unfettered access to medical records and other confidential health data. The anticipated risks may be psychological, including annoyance at becoming the target of an intrusive marketing scheme for a medical product and embarrassment if a stigmatizing condition is revealed, or they may extend to the loss of health insurance or employment upon disclosure of a genetic predisposition to serious disease. (5)

Whatever the actual magnitude of these privacy risks, (6) a thoughtful, measured response on the part of policymakers is necessary and appropriate. Yet, problems arise when the response overreaches, attempting a utopian ideal of medical privacy that may ultimately do more harm than good. This is especially so when new limits on the use or disclosure of health information are adopted in haste (or fear). Such measures may prove costly and difficult to implement and threaten to constrict the flow of essential health data to researchers who develop insights into the determinants of health and disease, as well as new medical products, therapies and disease prevention strategies.

Amidst the strident demands of privacy advocates for near absolute individual control over medical information, the challenge for policymakers has been to keep the broader, more "communitarian" goals in sight--namely, the advancement of medical knowledge and improvement of public health through research that cannot be accomplished without ready, albeit controlled, access to medical information. (7) Across the nation, the stored clinical records and archived tissues of generations of patients--a veritable library of human encounters with illness and responses to therapies--have proved over decades to be a unique, irreplaceable source of new knowledge about diseases and their treatment. Researchers recount this new knowledge in medical literature; healthcare providers turn to the literature to inform decisions about diagnosis and treatment. Consequently, every patient has a direct and personal stake in preserving researchers' ready access to medical information accumulated in archived clinical records and tissue samples. One might even assert that individual patients, every one of whom stands to benefit directly from the fruits of research conducted with medical information, bear an ethical responsibility to contribute to the ongoing research endeavor by contributing the record of their experiences to this vast population database.

Drafters of the new federal medical privacy rule, Standards for Privacy of Individually Identifiable Health Information, (8) acknowledged the necessity of balancing private rights and public benefit, but ultimately chose to privilege privacy at the expense of medical research. Perhaps because the medical privacy rule does not require compliance until April 2003, the research community has been slow to appreciate the serious implications of this policy choice. (9) Although the rule's drafters wisely opted not to create special standards for genetic information, (10) the limits they have placed upon the use and disclosure of all "identifiable" health information will profoundly affect the conduct of genetic studies and many other forms of research. Research compliance efforts will become more costly and time-consuming as institutions and individual providers who use or disclose health information for research confront new procedural requirements and new liability for failures to meet the privacy rule's intricate compliance obligations. Investigators who use health information, as well as the institutional committees that must review human subjects research proposals, will need to familiarize themselves with a confusing array of new terminology, ambiguous standards and burdensome required paperwork.

To place the rule's new research provisions in proper context, we first summarize existing federal and state requirements applicable to genetic research in Part II of this Article. In Part III, the Article will explore the impact of the privacy rule on research, focusing on its implications for genetic research. We present in Part IV a list of proposed modifications that we believe would abate the rule's negative consequences for research without unduly disturbing its basic architecture of privacy protections. During the preparation of this Article, the Department of Health and Human Services (DHHS) issued a Notice of Proposed Rule-Making (NPRM) with a number of changes to mitigate some of the provisions of the privacy rule that are burdensome to research. (11) The comment period for the NPRM has closed, but when DHHS will issue its final revised rule is still unknown. We review the proposed changes relevant to research in Part V, noting additional modifications of the rule that we believe are necessary to prevent unintended impairment of vital biomedical and health sciences research.


Despite broad stakeholder interest in enhancing medical privacy, the 1990s witnessed a series of unsuccessful attempts to legislate federal medical privacy protections. (12) Congress's repeated failure to pass a federal medical privacy law eventually triggered rulemaking under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a complex statute enacted to address a panoply of healthcare and insurance issues. (13) Although HIPAA itself did not contain new medical privacy protections, the statute mandated federal regulatory action in the event that Congress did not pass medical privacy legislation by a certain date.

This regulatory mandate is contained within a set of provisions, entitled "Administrative Simplification," that are intended to facilitate the development and wide implementation of electronic health information transmission systems. (14) Specifically, section 264 of the provisions instructs the Secretary to submit recommendations to Congress for protecting the privacy of electronically transmitted, individually identifiable health information. (15) Section 264(b) provides that if Congress fails to enact such privacy standards into legislation by the statutory deadline (August 21, 1999), the Secretary must promulgate regulations for this purpose. (16)

When the statutory deadline passed without new privacy legislation, the Secretary issued an NPRM for a federal medical privacy rule. (17) The proposal was broad in scope and remarkably complicated. It aspired to regulate the manner in which "covered entities" (providers, health plans and health clearinghouses) handle "protected health information" (PHI), by imposing strict controls on the disclosure of PHI to third parties, including researchers, who are not themselves subject to regulation under the HIPAA statute. Notably, the rule broadens (and arguably exceeds) the statutory definition of PHI, by including within the regulatory definition not only electronically transmitted, individually identifiable health information, but all such information transmitted or maintained in any form or medium. …
