1 Charles A. Welch, Sacred Secrets - The Privacy of Medical Records, 435 N. Eng. J. Med. 371,372(2001).

2 Paul S. Appelbaum, Threats to the Confidentiality of Medical Records - No Place to Hide, 283 Jama 795, 795 (2000).

3 Assessing HIPAA: How Federal Medical Record Privacy Regulations Can Be Improved: Hearing Before the Subcomm. on Health, House Comm. on Energy and Commerce, 107th Cong. (2001) (testimony of Janlori Goldman, Dir., Health Privacy Project, Inst, for Health Care Research and Policy, Georgetown Univ.).

4 For a compilation of state statutes addressing genetic privacy and genetic information, see the National Conference of State Legislators website, at http://www.ncsl.org./public/leglinks.cfm. These laws, often found in state insurance codes, contain inconsistent and somewhat arbitrary definitions of “genetic information,” reflecting the practical difficulty of drawing operationally meaningful distinctions between genetic and other types of medical information. The definitions of “genetic information” in some state statutes are overly inclusive because they extend beyond the results of DNA analysis to encompass family medical histories and the results of common laboratory tests for gene products. See, e.g., Cal. Health & Safety Code § 1374.7(d) (West 2002); N.J. Stat. Ann. 10:5-5(oo) (West 2001); Va. Code Ann. § 38, 2-508.4(A) (Michie 2001). The alternative approach, as outlined in the model Genetic Privacy Act, protects only the results of DNA tests and would not create an effective bar to the unauthorized disclosure of information about hereditary characteristics. See Patricia Roche et al., The Genetic Privacy Act: A Proposal for National Legislation, 37 Jurimetrics 1 (1996); see also David Korn, Genetic Privacy, Medical Information Privacy, and the Use of Human Tissue Specimens in Research, in Genetic Testing and the Use of Information 16 (Clarisa Long ed., 1999); Yesley, Michael S., Protecting Genetic Difference, 13 Berkeley Tech. L. J. 653 (1998)Google Scholar.

5 See Beckwith, Jon & Alper, Joseph S., Reconsidering Genetic Antidiscrimination Legislation, 26 J.L. Med. & Ethics 205, 205-06 (1998)CrossRefGoogle Scholar (describing survey research suggesting that consumers believe genetic information is used in a discriminatory fashion).

6 See Philip R. Reilly, Genetic Discrimination, in Genetic Testing and the Use of Information 106, 117-18 (analyzing published studies of genetic discrimination and concluding that the perception of widespread discrimination is not supported by the literature).

7 See Etzioni, Amatai, The Limits of Privacy 152 (1999)Google Scholar (discussing the need to balance privacy interests and the common interest in research and public health).

8 Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,471 (Dec. 28, 2000).

9 See Barnes, Mark & Krauss, Sara, The Effect of HIPAA on Human Subjects Research, 26 Health L. Rep. (BNA), at 1026, 1027 (2001)Google Scholar.

10 The view that genetic information can and should be differentiated from other medical information and afforded special protections has been termed “genetic exceptionalism,” and has been roundly critiqued in theory and in application. See Korn, supra note 4, at 40 (citing Thomas H. Murray, Genetic Exceptionalism and Future Diaries: Is Genetic Information Different from Other Medical Information, in Genetic Secrets: Protecting Privacy and Confidentiality in the Genetic ERA 60 (Mark A. Rothstein ed., 1997)). But see Annas, George J. et al., Drafting the Genetic Privacy Act: Science, Policy, and Practical Considerations, 23 J.L. Med. & Ethics 360 (1995)CrossRefGoogle Scholar (arguing that state and federal legislation should specifically define and protect the privacy of “genetic information”).

11 Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 14,776 (proposed Mar. 27, 2002) (to be codified at 45 C.F.R. pts. 160 and 164).

12 See Korn, supra note 4, at 20 (discussing various legislative initiatives to address medical or genetic privacy).

13 Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936, 2023 (codified in scattered sections of 26 U.S.C., 28 U.S.C. and 42 U.S.C.).

14 See 42 U.S.C. § 1320d-2 notes (2000) (relating the provisions of Pub. L. 104-191, Title II, Subtitle F, § § 264(a)-(b), 110 Stat. 2033).

15 Id.

16 Id.

17 Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59,918 (proposed Nov. 3, 1999) (to be codified at 45 C.F.R. pts. 160 and 164).

18 45 C.F.R. §164.501 (2001).

19 Privacy Rule Comment Period Closes. HHS Progresses with Other HIPAA Standards, 5 Health Care Daily Rep. (BNA), at 37 (February 24, 2000).

20 Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,461 (Dec. 28, 2000) (codified at 45 C.F.R. pts. 160 and 164).

21 Technicality Causes Delay of Effective Date for Health Data Privacy Rule to Mid-April, 6 Health Care Daily Rep. (BNA), at 36 (Feb. 22, 2001).

22 HHS Medical Privacy Rule to Take Effect as Scheduled, Administration Announces, 6 Health Care Daily Rep. (BNA), at 72 (Apr. 13, 2001).

23 Health plans with annual receipts of $5 million or less must comply with the privacy rule by April 14, 2004. 45 C.F.R. § 164.534(b)(2); see also AAMP&R, Final Patient Recovery Rule Implemented, at http://www.aampr.org/memphys/pmrprac/privrule.htm (explaining the definition of a small health plan).

24 Sections 1176 and 1177 of the HIPAA statute establishes the following enforcement scheme:

25 A number of research organization expressed their concerns about the privacy rule in comment letters submitted to the Secretary of DHHS. See, e.g., Letter from Elizabeth Andrews, President, International Society of Pharmacoepidemiology and Don Willison, Chair, North American Data Privacy Committee, on behalf of the International Society of Pharmacoepidemiology, to Dr. Margaret Ann Hamburg, Asst. Sec'y of Planning and Evaluation, Dep't. Health and Human Servs. (Feb. 17, 2000), at www.pharmacoepi.org/resources/cfr_parts.htm; Letter from Jordan J. Cohen, M.D., President, Assoc, of American Medical Colleges, on behalf of the Association of American Medical Colleges, to Dep't. Health and Human Servs. Sec'y Tommy Thompson (Mar. 29, 2001), at www.aamc.org/advocacy/testimnyresearch/hipaathompson.htm.

26 45 C.F.R. § 164.520 (2001).

27 Id. § 164.506.

28 Id. § 164.508.

29 Id. § 164.514.

30 30id. § 164.514(a).

31 See Bradly Malin & Latanya Sweeney, Determining the Identifiability of DNA Database Entries, Proc. AMIA Symp. Nov. 2000, 537 (describing a study in which publicly-available hospital discharge records were used in combination with a computer algorithm and an anonymous hospital DNA database to identify more than 98% of patients with single gene diseases).

32 Letter from Paul Clayton & Paul C. Tang on behalf of the American Medical Informatics Association to Dr. Margaret Hamburg, Asst. Sec'y for Planning and Evaluation, Dep't. Health and Human Servs, commenting on the proposed federal medical privacy rule (proposed 45 C.F.R. Parts 160 and 164), Jan. 10, 2000, available at http://www.amia.org/resource/policy/nprm_response.html. (describing the definition of “research information unrelated to treatment” as “confusing at a minimum”).

33 45 C.F.R. § 164.514(b)(2) (2001). The rule contains an exception for codes that cannot be transformed or reverse-engineered to reveal the identity of the subject, but only when the recipient of the data is prevented from obtaining the code key and the covered entity does not use the code for any other purpose. Id. § 164.514(c).

34 See. e.g., HIPAADVISORY, Researchers: Privacy Rule Create Obstacles, Needs Fixing, at http://www.hipaadvisory.com/news/2001/aamc0827.htm.

35 C.F.R. § 164.514(b)(1).

36 Many of the federal agencies that fund or regulate research have adopted a version of the federal research policy, known as the Common Rule, promulgated in 1991. DHHS, which funds biomedical research through the National Institutes of Health, has implemented the Common Rule. 45 C.F.R. § 46 (2001). The Food and Drug Administration (FDA) has implemented a similar version of the Common Rule applicable (with exceptions) to research conducted on the products FDA regulates. 21 C.F.R. §§ 50.1-50.27 (2001). See also Background note at 56 Fed. Reg. 28,003 (June 18, 1991) (codified at scattered sections of C.F.R.) (stating that many of the federal agencies that fund or regulate research have adopted a version of the federal research policy known as the “Common Rule”).

37 45 C.F.R. §46.102(f)(2001).

38 Id. § 46.111(a)(4); see also id. § 46.116 (explaining informed consent).

39 To waive the requirement for informed consent, the IRB must determine that the research involves no more than minimal risk and could not practicably be carried out without the waiver, that the waiver will not adversely affect subjects' rights and welfare and that wherever appropriate, subjects will be provided additional pertinent information after participation. Id. § 46.116(d).

40 /rf. § 46.116(b).

41 W. § 46.111(a) (7).

42 See Dep't of Health & Human Servs., Office of Human Research Protections, Institutional Review Board Guidebook, Chapter V (H): Human Genetic Research, available at http://www.ohrp.osophs.dhhs.gov (last visited Mar. 23, 2002); see also Dep't of Health & Human Servs., Office of Human Research Protections, Issues to Consider in the Research Use of Stored Data or Tissues, available at http:www.ohrp.osophs.dhhs.gov/humansubjects/guidance/ reposit.htm (last visited Mar. 23, 2002).

43 21 C.F.R. §312.3(b) (2001); see id. § 812.36 for requirements applicable to medical device investigations.

44 See, e.g., Cal. Health & Safety Code §§ 24172-24175 (2002) (requiring a specific consent form for persons involved in “medical experimentation” and providing that subjects must receive a “bill of rights” containing specific disclosures); Nev. Rev. Stat. §§ 629.151, 629.181 (requiring specific consent form for disclosure of genetic information in a study unless the identities of the subjects are not disclosed to researchers and establishing a procedure for obtaining consent).

45 See Restatement (Second) of Torts, § 892B cmt. i (1979); see also Moore v. Regents of Univ. of Cal., 793 P.2d 479 (1990) (finding duty on the physician's part to disclose to patient any personal interests that may affect the physician's professional judgment)

46 Grimes v. Kennedy-Kriger Inst. Inc., 782 A.2d 807 (Md. 2001).

47 It is reasonable to conclude that tissue is not information because it does not contain facts or data, nor does it communicate knowledge or intelligence. See Merriam-Webster'S Collegiate Dictionary 599 (10th ed. 1995) (defining “information” as “the communication or reception of knowledge or intelligence”). Nonetheless, as DNA-based identification techniques become increasingly sophisticated, DNA samples will be difficult to distinguish from fingerprints or other “biometric identifiers” that the privacy rule deems to be identifiable health information.

48 A physician who is otherwise covered by the privacy rule could collect a subject's DNA sample and health information for research purposes without authorization, if the research is conducted outside the treatment setting (e.g., in a research laboratory) and involves no clinical services, and the physician does not use information from patient files to recruit subjects. Due to the complexity of distinguishing research that does not involve treatment, however, at least one commentary recommends that as a “best practice” IRBs should require investigators to obtain HIPAA research authorizations for all human subjects research. Barnes, supra note 9, at 3.

49 45 C.F.R. §164.508 (c)(i), (f) (2001).

50 Id. § 164.502(b).

51 Dep't of Health & Human Servs., Office For Civil Rights, National Standards to Protect the Privacy of Personal Health Information (Minimum Guidance), available at http://www.hhs.gov/ocr/hipaa/assist.html (last updated July 7, 2001).

52 45 C.F.R. § 46.102 (f)(2) (2001).

53 Id. §46.102(f)(2)(i).

54 Id. § 46.101(b)(4).

55 As of 2001, at least twenty-two states require some form of consent for the disclosure of genetic information. National Conference of State Legislators, NCSL Genetic Tables: State Genetic Privacy Laws, at http://www.ncls.org/programs/health/Genetics/prt.htm (last updated July 4, 2002). In Nevada, state law requires a specific form of consent for disclosure of identifiable genetic information in research, and would not appear to permit the waiver of consent if the information is disclosed in a manner that allows identification of the subject of this information. Nev. Rev. Stat. §§ 629.151, 629.171 (2001). In Massachusetts, a law prohibiting the disclosure of genetic test results without consent contains an exception for IRB-approved research in which the identify of the research subject is either unknown or protected from disclosure. Mass. Gen. Laws ch. 254, § 2 (2000).

56 When researchers are required to obtain patient consent for the disclosure of medical records, studies have shown that patients from different demographic groups refuse consent at different rates, resulting in a dataset that is not representative of the general patient population. See Douglas B. McCarthy et al., Medical Records and Privacy: Empirical Effects of Legislation, 34 Health Serv. Res. 417 (1999); see also David Kom & C. McCabe, Confidentiality of Medical Records: AAMC Report on the Minnesota Experience, available at http://www.aamc.org/advocacy/ issues/research/minreport.htm (last visited Mar. 23, 2002).

57 45 C.F.R. §46.116(d) (2001).

58 Id. § 164.508.

59 Id. §164.508(c). If the researcher is the covered entity maintaining the archived PHI, the authorization form must contain additional elements. See id. § 164.508(d). When the covered entity is not the researcher but the archival PHI was originally created during a clinical trial, a strict reading of the authorization provisions suggests that such information should only be disclosed pursuant to the authorization for research involving treatment. See generally id. § 164.508.

60 Id. § 164.512(h)(i)(l)(i).

61 Id. §§ 164.512(h)(i)(2)(ii)(B), (E).

62 See, e.g., Colo. Rev. Stat. §10-3-1104.7(l)(a) ( declaring that genetic information is the “unique property” of the individual to whom the information pertains); Fl. Stat. Ann. § 760.40(2)(a) (Supp. 2002) (stating that the results of DNA analysis are confidential “exclusive property” of the person tested, and may not be disclosed without consent); Ga. Code Ann . § 33-54-1(1) (1996) (declaring that genetic information is the “unique property” of the individual tested).

63 45C.F.R. § 164.512(h)(i)(2)(ii)(B).

64 An incident that occurred in a genetic research protocol at Virginia Commonwealth University brought this issue into sharp focus. The father of a research participant objected to the content of survey questions used in the research, triggering an investigation by the federal Office of Protection from Research Risks (subsequently renamed the Office of Human Research Protections). See Dave Amber, Case at VCU Brings Ethics to Forefront, 14 Scientist 1, 1 (May 1, 2000); see also Jeffrey R. Botkin et al., Privacy and Confidentiality in the Publication of Pedigrees, 279 Jama 1808 (1998) (describing the privacy risks to individuals included on published genetic pedigrees created from information obtained from other family members).

65 Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,464 (Dec. 28,2000).

66 45 C.F.R. §164.512(h)(i)(l)(i).

67 See generally Letter from E. Ratcliffe Anderson, Jr. on behalf of the members of the American Medical Association, to Dr. Margaret A. Hamburg, Asst. Sec'y for Planning and Evaluation, Dep't. Health and Human Servs., Feb. 17, 2000, at http://www.ama-assn.org (last visited May 5, 2002).

68 Amy Goldstein & Robert O'Harrow, Bush Will Proceed on Patient Privacy: But Clinton-Era Rules Likely to be Modified, Wash. Post, Apr. 13, 2001, at Al .

69 The DHHS guidance focuses largely on issues related to treatment, payment, and healthcare operations, and in many instances endorses a more lenient interpretation than what would otherwise be indicated by a strict reading of the rule. A notable exception is the research provisions, for which the Guidance follows a strict interpretation of the rule. Dep't of Health & Human Servs., supra note 42.

70 Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 14,776 (proposed Mar. 27, 2002) (to be codified at 45 C.F.R. pts. 160 and 164).

71 Id. at 14,813 (to be codified at 45 C.F.R. pt. 164.508).

72 Id. at 14,794.

73 See AAMC Comment Letter on Privacy NPRM, to Tommy G. Thompson, Sec'y, Dep't. Health and Human Servs. (Apr. 11, 2002), available at http://www.aamc.org/advocacy/library/hipaa/ corres/2002/041102.htm (last visited May 22, 2002).

74 E.g., Donna E. Shalala, A Loss to Medical Privacy, N.Y. Times, Mar. 30, 2002, at A15; Letter from Janlori Goldman, Dir., Health Privacy Project, to Tommy G. Thompson, Sec'y, Dept't. Health and Human Servs. (May 3, 2002), available at http://www.healthprivacy.org/newsletter-url2305/newsletter-url.htm (last visited May 22, 2002).

75 E.g., Amy Goldstein, Bush Plans Would Lessen Patients' Say on Records, Wash. Post, Mar. 22, 2002, at Al ; Robert Pear, Bush Acts to Drop Core Privacy Rule on Medical Data, N.Y. Times, Mar. 22, 2002, at A1.