Rapid progress in understanding and deploying human genomics to predict, diagnose, and treat health concerns has created a highly translational field of immense importance. The emergence of precision medicine and its potential to reorganize scientific understanding of disease and treatment opportunities builds on genomic progress while integrating insights from multiple disciplines.Reference Green and Guyer1 Precision medicine requires massive data sets to understand how genetics, environment, exposure history, and life course affect health, treatment options, and outcomes.Reference Khoury2 Large-scale precision medicine research is advancing scientific understanding and clinical care,Reference Evans and Watson3 while instigating consideration of public health uses of genomics.Reference Roberts, Dolinoy and Tarini4 Meanwhile, Internet-enabled networks are increasingly being created and used by individuals, patient advocacy organizations,Reference Koay and Sharp5 and scientists to investigate research questions and bring the power of genetic and genomic analysis to individuals. Companies are now offering genetic and genomic analysis to customers on a direct-to-consumer (DTC) basis, creating large, searchable genomic databases for scientific as well as consumer uses.Reference Bloss6
These developments mean that individuals now encounter genomics in a variety of contexts — including research, clinical care, public health, and DTC — with differing legal rules surrounding the core issues of liability, consent, quality assurance, and privacy protection. These differences in legal framework are poorly understood, even by genomics professionals, much less the individuals whose genetic material is analyzed. Aspects of this problem are familiar; clinical trials and other translational research interdigitate research and clinical care and thus have long provoked confusion regarding the applicable professional duties and ethical frameworks.Reference Wolf, Richardson and Belsky7
Genomics exacerbates this confusion. Large-scale sequencing, up to and including whole exome sequencing (WES) and whole genome sequencing (WGS), routinely produces a mix of findings, with the meaning of some findings well established, while the meaning of others remains uncertain.Reference Biesecker and Green8 Indeed, the field of medical genomics has developed a scheme for categorizing findings that explicitly recognizes variants of uncertain significance (VUSs).Reference Richards9 This means that even when sequencing is used in clinical care, it will predictably generate findings that require research. This recursive quality of toggling between research and clinical care to produce progressively greater knowledge is not unique to genomics, but is a particularly prominent feature in this field.
Another example of straddling two frameworks is that DTC companies are using or selling access to their databases for research.Reference Allyse10 They may ask customers to agree not only to DTC analyses but also to serving as research participants.Reference Tobin11 Alternatively, a company may conduct research on deidentified specimens or data without consent,Reference Hazel and Slobogin12 despite the potential re-identifi-ability of genomic sequence and despite consumers' ignorance of this possibility.Reference Erlich, Narayanan and Gymrek13
We are not the first to recognize the frameworks problem. In addition to the longstanding literature on overlap between research and clinical care in clinical trials,Reference Beauchamp and Saghai14 a more recent literature addresses confusion between research and clinical quality assessment in the context of a learning health care system.Reference Angrist, Jamal, Brody, Miller, Faden, Hall, Alberg, Luheshi, Lee and Wolf15 There are few analyses, however, of the legal side of this confusion, examining conflicts and ambiguity across the legal regimes governing these domains. We are aware of no prior work that addresses those problems across the four major domains of genomics discussed here: research, clinical care, public health, and DTC.
This article begins by suggesting how to navigate the problem of differing legal frameworks across those domains by presenting five overarching recommendations. Those recommendations offer a strategy for resolving such conflicts by prioritizing protection of the rights and interests of those most vulnerable — the research participants, clinical patients, population members, and DTC customers undergoing sequencing or other genomic analysis. In the process, we suggest ways to increase the predictability of the law, to the benefit of all involved. We then illustrate application of our recommendations by applying them to scenarios where legal frameworks conflict as they address four core legal issues: liability, consent, quality, and privacy. We present multiple scenarios for each legal issue that illustrate the challenge of conflicting legal frameworks. We then apply our recommendations to one of those scenarios in order to demonstrate how application of our recommendations would address the frameworks issue. (See Table 1.)
Our proposals offer a translational approach to the law of genomics that recognizes the connections between research, clinical care, public health, and DTC. We urge progress beyond the currently siloed approach to law in these domains, which fails to adequately account for the complex ways genomic data are generated and used across these different domains as well as the harms and inefficiencies generated by conflict and confusion about the law. Rather than treating boundaries and overlap as a problematic “gray zone” of uncertainty, law should embrace the translational realities of modern genomics.Reference Wolf, Burke and Koenig16 There are many versions of this depiction of the translational cycle,Reference Goering, Holland, Edwards, Burke, Kelley and Khoury17 but all show a well-recognized evolutionary process (from basic genomic research at stage T0, to early clinical research at T1, late clinical research and early implementation at T2, implementation in clinical care and public health screening at T3, and securing benefit for patients and populations at T4Reference Khoury18) with connections among these stages and growing understanding. Recognition of this translational process normalizes the idea that research, clinical care, and public health are not isolated contexts but connected. The law of genomics should evolve to address this challenge.
This translational reality is not unique to genomics. Many fields of biomedical science demonstrate these translational dynamics. Nor is the problem of conflicting legal regimes unique to genomics. However, we are addressing a bigger problem than is usually addressed under the rubric of “conflicts of laws” or federal-state law conflict.Reference Smith19 Those rubrics address problems that arise when there are divergent legal rules in two jurisdictions (two states, or state and federal), and both jurisdictions appear relevant to a legal dispute. Law has developed various rules to resolve such conflicts. The conflicts and confusion we are addressing are something bigger — the tension between entire regimes of law across the four domains on which we focus.
This article begins by suggesting how to navigate the problem of differing legal frameworks across those domains by presenting five overarching recommendations. Those recommendations offer a strategy for resolving such conflicts by prioritizing protection of the rights and interests of those most vulnerable — the research participants, clinical patients, population members, and DTC customers undergoing sequencing or other genomic analysis. In the process, we suggest ways to increase the predictability of the law, to the benefit of all involved.
To illustrate the difference, the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule addresses potential conflict with state privacy law by stating that state law generally supersedes HIPAA when state law is more protective of patient privacy.20 In other words, HIPAA creates a federal floor that states can exceed.21 However, the entire HIPAA and state law approach to patient privacy fails to resolve differences in the approach to deidentification and re-identifiability in the context of research with human participants versus clinical care. And HIPAA provides little help to consumers interacting with DTC companies when those companies are not HIPAA-covered entities. It is the larger conflict across regimes of law that this paper addresses.
I. Resolving Conflicts and Increasing Predictability
To generate an approach to managing translational conflicts when a scenario involves more than one of the four genomic domains (research, clinical care, public health, and DTC) and conflicting legal approaches apply, we suggest five guidelines.
1. Translational genomics can lead to legal conflicts and confusion when genomics straddles spheres with different legal approaches.
Legal authorities and actors should recognize that genomic analysis and interpretation is being conducted in all four domains (research, clinical, public health, and DTC), and may straddle more than one domain simultaneously, with potential for conflicting or ambiguous legal rules.
2. Transparency and accountability require clarity and education about the different legal frameworks pertaining to genomics.
Legal actors (such as lawmakers, attorneys, and judges), scientific investigators, clinicians, and the individuals who undergo genomic analyses (as research participants, patients, people undergoing public health screening, and DTC customers) should understand these differences. This requires education, continuing dialogue as genomics evolves, and discussion of challenging scenarios straddling separate legal domains. Clarity about the different domains of law and potential for conflict between them will help inform stakeholders of their rights and responsibilities.
3. Law in each domain should be “fit for purpose.”
While there are important differences in goal and purpose in the four domains, there are also high-level, cross-cutting similarities. For example, the goal in public health genomics involving newborn screening (NBS) is different than in research or clinical care. Because the NBS goal is initially to identify those newborns who should undergo further testing for certain pathogenic conditions that can cause devastating harm in childhood, screening errs on the side of false positives, emphasizing sensitivity at the expense of specificity.Reference Caggana and Chen22 Employing a test with a similar false positive rate in research involving a clinical trial might invite demands from the Food and Drug Administration (FDA) for the investigators to seek an Investigational Device Exemption (IDE) and employing such a test in clinical care might invite liability. What this illustrates is the different goals in each sphere — identifying all potentially at-risk individuals in NBS, creating generalizable knowledge while monitoring and limiting risk to participants in research, and correctly diagnosing and treating individual patients in clinical care. Yet in each domain, law should serve the core purposes distinguishing that domain of genomics:
Law should support appropriate consent practices. These will vary depending on the goals in each domain.
Law should advance the quality of genomic analysis and interpretation in a way that is appropriate for each domain of genomics.
Law should support accountability for deviating from the governing standards in each domain in a way that causes harm.
Law should support privacy and data security standards and practices that are appropriate for each domain and protect against unauthorized dissemination of private and identifiable information.
Legal oversight regimes should be evaluated periodically for effectiveness and modified to enhance effectiveness.
4. Where differences in law across domains can be reduced or harmonized, this simplification will aid understanding and compliance.
Some differences in law across domains cannot be reduced or eliminated, because the differences reflect the distinct goals served in each domain. However, other differences may not be needed and may instead unnecessarily confuse the actors involved. For example, differences in the law and regulations of research versus clinical care pertaining to identifiability, deidentification, and re-identification cause unnecessary confusion.
5. A decision rule can offer a starting point to guide resolution of conflicts between law in different domains.
When an individual whose genomics are being evaluated is “caught between” the divergent legal frameworks in different domains, both should apply, and in cases of conflict, the rules that are more protective of the individual's rights and interests should apply. This general approach, which applies in a number of other areas of law as well,23 can serve as a default rule to resolve conflicts between the law in different domains.
By generating guidelines to help resolve conflicts between the law in these different domains of genomics, we offer a new approach. This approach respects differences in goals across the four domains, rather than merging the domains. At the same time, this approach addresses the reality of overlap and potential for confusion, especially for participants, patients, and consumers.
Application of these guidelines will require judgment. For example, applying the third guideline to assess whether the law in question is “fit for purpose” will require articulation of the goals in that domain of genomics and then evaluation of the appropriateness of the law on the axes specified in the guideline. Similarly, applying the fifth guideline will require comparison of the rules protecting the rights and interests of individuals in differing frameworks, as well as consideration of which rules are actually more protective. We offer these recommended guidelines to structure a process to reconcile divergent frameworks, not as a simple formula that can be applied mechanically.
The sections that follow examine how the four domains currently deal with the specific legal issues of liability, consent, quality, and privacy.Reference Marchant, Evans and Clayton24 The focus in each section is not on providing a comprehensive survey of the law, but rather on demonstrating the existence of divergent legal frameworks for research, clinical care, public health screening, and DTC. In each section, we thus illustrate the divergent legal approaches in these domains, present multiple scenarios that straddle frameworks and thus raise the question of how to reconcile these differences, and then show how the five guidelines above can help by applying them to one of the scenarios in some depth. Table 1 shows the subset of scenarios that are considered in depth below.
II. Liability
Differences across Domains:
Liability is a major concern in the fast-evolving field of medical genomics.Reference Marchant, Lindor and Cheung25 Yet the contours of potential liability vary significantly across the four domains we are addressing. These differences can lead to gaps and confusion, as the scenarios below suggest.
Clinical genomics is the familiar domain of malpractice suits brought under state law. In such a suit, the patient must demonstrate that the defendant owed them a clinical duty (as in a physician-patient relationship), that the clinician breached their duty by failing to meet the applicable standard of care, and that this breach cased harm compensable in damages. State statutes often impose special rules on malpractice suits (such as statute of limitations restrictions) that do not apply to suits for negligence in the research context.Reference Marchant26
Human participants in genomic research may fail to recognize that their ability to sue for research-related harm and their likelihood of receiving compensation are less than what patients have in the context of clinical care. In research there is no individual cause of action under the federal Common Rule and FDA regulations on human participant research.Reference Wolf, Paradise and Caga-anan27 A research participant's options for suit are a product of state law and thus vary from state to state. Research participants generally must claim research negligence and may have a difficult time establishing the relevant standard of care in research and that its breach caused compensable harm.Reference Pike28 Researchers and their institutions typically face less liability exposure for research than for clinical care. A larger threat is often administrative sanctions from the federal Office for Human Research Protections (OHRP) and funders, including loss of funding.
In public health genomics such as newborn screening, state actors loom large.29 Newborn screening may be carried out by clinicians in a private health care institution, but the process is governed by state law. Public health laboratories and authorities, including the state department of health or equivalent, usually play a large role. Individuals (such as parents, in the newborn screening example) can sue for malpractice, for violations of state law, or for state or federal constitutional violations, and some have successfully done so. But sovereign immunity protects state actors who are performing ministerial functions and thus limits or precludes many lawsuits that could be brought against public health officials or other state actors.Reference Jackson30
The liability rules in DTC genomics are unclear. Customers may not be able to sue for malpractice, as there may not be a physician involved in their testing. Even if there is, there may not be a physician-patient relationship to ground liability or that relationship might be substantially limited by contract.Reference Hogarth31 Liability is more likely under state law on negligence and products liability. However, in many states a products liability suit may fail because the DTC company is regarded as selling a service, not a product.Reference Ossorio32 States differ on where to draw the line between product and service.33
Focusing on compensation for harm in the four domains highlights the differences. In the clinical domain, patients have a clear avenue to compensation for wrongful harms by bringing a lawsuit, even though empirical studies (such as the Harvard Malpractice Study) show that in reality the malpractice system does a poor job in generating compensation for the patients negligently harmed.Reference Localio34 Research participants generally do not have clear access to compensation for research-generated harm, though participants can try to sue under state tort law.35 In the context of public health genomics, sovereign immunity may prevent compensation in state-run programs. The compensation available to DTC customers remains unclear.
Illustrative Scenarios:
This brief sketch of differences across the four domains of research, clinical care, public health, and DTC suggests the problems that can erupt when scenarios cross these domains. For example, a research project may be studying how best to integrate genomic sequencing into clinical care. In this first scenario, the project may be enrolling affected patients and placing results intended for use in clinical care into the medical record.Reference Henderson36 If a participant-patient alleges malpractice in variant analysis and interpretation, it may not be clear whether research rules, clinical rules, or both apply. This can make a big difference, as the state's statute of limitations for malpractice may preclude suit (depending on how much time has passed), leaving the participant-patient dependent on negligence law alone.37
A second scenario raises a different conflict — between DTC and clinical care — that may arise when a customer purchases genomic sequencing from a DTC company using a laboratory compliant with the Clinical Laboratory Improvement Amendments (CLIA), if the DTC company issues a report that incorrectly interprets a clinically significant genomic variant as benign. The customer then brings the DTC report to their primary care physician, who relies on the report and thus fails to pursue a cancer risk variant, leading to potential harm because the patient loses her chance to follow-up with testing and prevention. In this scenario, the customer may or may not have a cause of action against the DTC company, depending on state law. The physician may argue that the DTC error was the sole cause of the harm and no malpractice was involved. Whether that argument will succeed in absolving the physician may depend on whether state law or the court determines that physicians have a duty to consider DTC reports presented and a duty to order re-testing or variant reinterpretation.
A third scenario pits the research framework against the public health one. In this scenario, a state launches research using second-tier newborn screening tests and fails to notify parents that their newborn tested positive in this research.38
Applying the Guidelines:
The first scenario is one illustration of the confusion that can result when research and clinical genomics overlap. Though a big literature addresses ethical issues that can arise due to this overlap (such as therapeutic misconception), there is little literature on the legal issues. Investigators seeking consent for participation in such trials should address both the ethical and legal issues. This means making clear to participants in a concrete and appropriate way what aspects of the interaction are research governed by research ethics and research law, what aspects of the interaction are clinical care governed by those ethics and law, and where potentially both apply. This clarity addresses the first two guidelines above by identifying the problem of conflicting domains of law and educating the prospective participant. This kind of clarity on the hybrid nature of the first scenario and its implications for the potential participant is part of seeking informed consent to participate in the research. The prospective participant needs to understand potential harms that may flow from participation and what recourse will be available.
The third guideline calls for examining the law in both domains to assess whether it is “fit for purpose.” Improving requirements for research consent, as suggested, will advance the law and regulations of research to ensure more fully informed consent. The bigger problem is that the law of research deemphasizes accountability to research participants for harm, while relying to a great extent on Institutional Review Board (IRB) and sponsor prevention of harm, as well as penalties imposed by OHRP and funders. Neither mechanism has been shown to be fully effective in preventing harm and neither purports to redress harm already caused. Significant problems plague the law of liability and compensation in the realm of clinical care as well. There, empirical studies show a poor correlation between expert-adjudged malpractice and the legal system's judgment that malpractice has occurred.Reference Studdert39 Thus, in both the research and clinical domains, more work is needed to improve the way law supports prevention, identification, and accountability for harm.
Some proposals for improvement in both domains would lead to greater harmonization, in keeping with the fourth guideline. For example, proposals to create a system of no-fault compensation for harm caused in both the research and clinical domains would reduce the differences.Reference Henry, Studdert and Brennan40 Another option is to apply the fifth guideline and assure research participants that harm caused in the portions of the protocol that are both research and clinical care (such as incorporating genomic findings intended for clinical care use into the medical record) will be governed by the law of clinical care. This applies the decision rule in the fifth guideline as it avoids restricting the individual's access to the courts to adjudicate claimed harm.
III. Consent
Differences across Domains:
Each of the four domains takes a different legal approach to the question of what kind of consent or decision making is required from the person undergoing genomic analysis. In research genomics, the federal Common Rule on human participant research generally requires consent when investigators interact with participants or perform research on readily identifiable material; the regulations have detailed requirements for the consent process and consent documents.41 Consent to genomic sequencing in research is complex, due to the many issues that need to be addressed and differences in research design and population.42 In addition, 2017 revisions to the Common Rule have expanded consent options by adding the option of broad consent to current and future research use of individual data and biospecimens. State law on research may also specify requirements for consent and who is authorized to consent when the research participant is a minor or lacks capacity. Consent failures may trigger IRB, institutional, funder, and administrative penalties. Individuals attempting suit will generally use state tort law (negligence) and state law on research (where that is robust enough). Investigators must generally seek participants' consent to a proposed plan regarding providing or withholding return of results and secondary or incidental findings. In Maryland, the Grimes case found a cause of action for failure to communicate individual results.43 In Ande v. Rock, the Wisconsin court rejected a malpractice action against researcher-physicians for failing to communicate results, as the court found no physician-patient relationship.44
In DTC genomics, customers elect whether to purchase DTC genetic or genomic testing and interpretation services. This is a commercial transaction in which the company offers goods and services for a fee. When customers agree to purchase the company's genomic analyses, they are entering into a contract with the company, subject to the terms of use stated by the company. The law on DTC genomics is in flux.
In clinical genomics, patients or their surrogates must consent to genomic sequencing and analyses. Though federal law and regulations play a large role in governing research consent, consent requirements in clinical care are primarily governed by state law, both common law and statutes or regulations. States may apply a reasonable-patient standard to govern consent disclosures, may rely on medical custom, or some combination of the two. Some states also have specific statutes on consent to genetic testing, though these statutes have been criticized as inadequate to fully address the issues that arise in clinical genomic sequencing.Reference Spector-Bagdady45 Failures to obtain informed consent may ground individual suits for malpractice or negligence under state law. The American College of Medical Genetics and Genomics (ACMG) has noted the near-inevitability of incidental findings in clinical sequencing (depending on the scope of analysis)46 and has recommended that clinicians routinely test for a roster of secondary findings in clinical sequencing, unless patients opt out.Reference Green, Kalia and Wolf47
Public health genomics, such as newborn screening, is governed by specific provisions of state law. These statutes and regulations specify the mandated approach to parental decision making — mandatory screening, routine screening with opt-out (most states) or opt-in.Reference Ross48 State public health power and the state's police powers to protect the vulnerable create a different context for consent and can limit individual rights to refuse. Individuals have sued under state law arguing that certain aspects of newborn screening require specific opt-in consent, namely retention of newborn blood spots and subsequent research.49
In DTC genomics, customers elect whether to purchase DTC genetic or genomic testing and interpretation services. This is a commercial transaction in which the company offers goods and services for a fee. When customers agree to purchase the company's genomic analyses, they are entering into a contract with the company, subject to the terms of use stated by the company. The law on DTC genomics is in flux.Reference Dick and Novy50 There is debate about what law and rules govern the advertising and contracting process, that is, the informed consent.Reference Spector-Bagdady51 In seeking the customer's business, the company must clearly and accurately describe the services offered; misrepresentation or fraud may be actionable under state law or ground investigation and penalty by the Federal Trade Comission (FTC).52 The FDA may impose labeling and consent requirements.53 To the extent that the company is deemed to be marketing medical services, state law on clinical informed consent will apply and individuals can sue for malpractice.Reference Marietta and McGuire54
Illustrative Scenarios:
This brief description of the different approaches to consent and different bodies of law implicated in the four domains suggests the difficulties involved when genomic analyses cross two or more of these spheres. Multiple scenarios can illustrate those difficulties. In a first scenario, state public health authorities require newborn screening based on an opt-out consent regime. However, they also plan to use the dried blood spots generated in screening for research unrelated to the newborn screening program. They offer the collection of dried blood spots to university researchers for research involving whole genome sequencing, without seeking parent/guardian consent. It is unclear what deidentification will occur and what steps to avoid potential reidentification. (Note that several features of this hypothetical scenario distinguish it from the practices challenged in Bearder, for example, where blood spots were collected for the purpose of NBS but excess samples were retained and some used in research related to improving the state's NBS program as well as unrelated research, most of the research used de-identified samples, and with no indication that whole genome sequencing was involved.) In this scenario crossing the spheres of public health and research, the state's opt-out regime for NBS is in tension with the usual requirements of opt-in consent to research, as the collection of dried blood spots was for two distinct purposes: newborn screening and unrelated research.
In a second scenario, cancer patients may have consented to large-scale clinical genomic sequencing in order to identify molecular targets to guide their treatment. Researchers within the institution then analyze deidentified biospecimens from those patients and find clinically actionable pharmacogenomics variants. The researchers would like to trigger re-identification in order to convey the findings to the relevant patients and their clinicians. However, the patients were never asked to consent to the pharmacogenomics research because their specimens were deidentified. This scenario thus crosses the clinical and research domains.
In a third scenario, customers sign up for a DTC genetic testing service offering WGS and encouraging them to submit updated health information and diagnoses going forward. The company is approached by a large pharmaceutical company seeking access to the database and accruing health information for research and development. The DTC company sells access to both. The DTC company fails to seek customer consent for inclusion in this database. In the research context, participants would have been asked for consent to this research use and the potential for commercial sale of participants' data would have been disclosed.
Applying the Guidelines:
The first scenario illustrates the tension that can arise between the opt-out approach that most states use for NBS and the tremendous research potential of a population-wide archive of newborn blood spots that can be subjected to genomic sequencing analysis. The rationale for departing from the full autonomy protections of opt-in consent in the context of NBS is that screening newborns for genetically based conditions that must be recognized and treated from birth to avoid harm is a public health function for the benefit of those children. Including a condition on the NBS list means that analysis has already yielded the conclusion that the preconditions for population screening have been metReference Wilson, Junger, Johnson and Wise55 and that the benefits of screening outweigh the harms.Reference Andermann56 In the absence of objection, parent/guardian consent is assumed, and the parent/guardian must take the step of opting-out of screening in order to deprive the child of the benefits. Moreover, states may limit the grounds on which parents can opt-out.
Opt-out consent in NBS contrasts with the general requirement for opt-in consent to research involving human participants. The Common Rule does not require consent to research with materials that were not collected for research and cannot be readily re-identified; that is not considered research with human participants.Reference Wolf57 In this scenario, the intent in collecting the biospecimens was dual — NBS as well as unrelated research — and it is not clear that the bio-specimens provided to the researchers were deidentified. Moreover, the 2017 revision of the Common Rule recognizes that changing technology may increase the re-identifiability of biospecimens and data, especially when the researchers are conducting WGS. The revised Common Rule thus creates a process for periodic reassessment of whether materials have become more readily identified and consent to the research is needed.58 In addition, legal challenges to retention and research uses of newborn blood spots have hinged on state law; for example, in Bearder the Minnesota Supreme Court interpreted the consent provisions in the state's Genetic Privacy Act to require parent/guardian consent to sample retention and dissemination to researchers.59
Applying the first two guidelines would suggest educating parents/guardians, clinicians, researchers, and public health authorities about the multiple potential uses of blood spots, including NBS-related research and research beyond NBS. This requires transparency about the benefits as well as the risks to parents/guardians and children. The third guideline suggests that although opt-out consent makes sense for NBS, if broad research uses are also contemplated at the time the blood specimens are collected — research uses beyond NBS improvement and quality control — and maintaining public trust and support is important, there is a significant argument for seeking more explicit consent for that wider research.Reference Shayeb60 The third guideline also suggests considering release of only deidentified specimens for research. However, even if specimens are deidentified, seeking consent also protects future research use of deidentified biospecimens in genomic research if the review process set up by the revised Common Rule yield a future determination that re-identifiability (especially after WGS) has become easier and consent is thus required. Consent innovations such as the “broad consent” endorsed by the revised Common Rule61 and public educational programs on the health benefits that can be generated by such research can help harmonize consent in the public health and research spheres, in keeping with the fourth guideline. And erring on the side of seeking at least broad consent follows the fifth guideline's decision rule to resolve conflict between the rules in conflicting domains by applying the rule more protective of individual rights and interests.
The question of how to ensure the appropriate quality of genomic analysis and interpretation in different domains (research, clinical care, public health screening, and DTC testing) is complex. In genomic research with human biospecimens and data, a central question guiding quality requirements is whether the laboratory analysis is undertaken in order to generate results for direct clinical use in diagnosis, treatment, prevention, or health assessment.
IV. Quality
Differences across Domains:
The question of how to ensure the appropriate quality of genomic analysis and interpretation in different domains (research, clinical care, public health screening, and DTC testing) is complex. In genomic research with human biospecimens and data, a central question guiding quality requirements is whether the laboratory analysis is undertaken in order to generate results for direct clinical use in diagnosis, treatment, prevention, or health assessment. If so, then CLIA applies and the laboratory must be CLIA-certified or CLIA-exempt (together, “CLIA-compliant”). However, much research on human biospecimens and data is undertaken for research purposes without the intent that the results will be directly used in clinical care. In such protocols, the laboratory's activity is beyond the reach of the CLIA statute and regulation that recognizes a research laboratory exception applies.Reference Evans and Wolf62 Consequently, the laboratory need not be CLIA-compliant. It is widely recognized that CLIA is often a poor fit for research analyses, which may use advanced technologies beyond what CLIA contemplates. In research, there are multiple other mechanisms in place to achieve the quality of analyses and interpretation needed. These include funder and peer review of research plans and quality in awarding grants, professional society guidance on laboratory practice and variant interpretation,Reference Richards63 projects such as ClinVar and ClinGen creating central resources to support sound variant interpretation,Reference Landrum and Landrum64 efforts within multi-project consortia and other research confederations to achieve consistency in analysis and interpretation (such as CSER variant “bake-offs” comparing results across research groupsReference Amendola65), and peer review prior to publication.
When a genomic assay is used in a clinical trial or other research investigation involving human participants, the device may need an Investigational Device Exemption (IDE) under FDA rules before the research can commence.Reference Micheel, Nass and Omenn66 An IDE permits a device to be transported in interstate commerce and used in clinical research even though the FDA has not cleared or approved it for marketing. If an IRB deems the device a “non-significant risk” (NSR) device, then clinical research can commence after IRB approval; the device is considered to have an approved IDE.67 If the IRB determines the device is a significant risk device, its sponsors must file an IDE application with the FDA and clinical research cannot begin until the FDA has approved the application.68 A device with an approved IDE is an “investigational device” and the Federal Food, Drug and Cosmetics Act requires that it be labeled as such.69 This labeling is referred to as “investigational use only” (IUO) labeling.70 The purpose of IUO labeling is to ensure that devices that are not cleared or approved for marketing are not used in clinical care (outside of a FDA-regulated clinical study). Genomic assays that are still in the laboratory stage of development can be sold, shipped, and used without an IDE, but such assays cannot be used for clinical purposes or in a clinical research.71 They can be labeled “research use only” (RUO). Genomic assays that are not intended for clinical use may also be sold with the RUO label. The purpose of RUO labeling is to prevent health care providers from inadvertently using the device to diagnose or manage a patient, and to prevent researchers from using such a device in clinical research without an IDE. The RUO label should also prevent manufacturers from marketing a device for any purpose other than laboratory research.
In clinical genomics, laboratories must be CLIA-compliant. In addition, professional societies such as ACMG, the Association for Molecular Pathology (AMP), and the College of American Pathologists (CAP) issue guidance for laboratory analysis and variant interpretation. The FDA regulates devices used in laboratory genomic analysis, including many of the software and algorithms incorporated. Developing a regulatory approach for next-generation sequencing has required FDA innovation. Because of the scale of the genome and quantity of base pairs that may be analyzed, the FDA has moved away from validating each separate gene test to validating the analytic pathway.72 The FDA considers not just analytic validity, but also the clinical validity of variant calling and interpretation. These latter functions involve software and algorithms utilizing databases to interpret the genome. The FDA has issued guidance on the quality and use of such databases.73 Federal, state, and private payers also provide quality oversight in deciding what clinical genomic testing to fund or reimburse.
Public health genomics (e.g., newborn screening) utilizes CLIA-compliant laboratories for primary testing and second-tier labs. In addition, the Centers for Disease Control and Prevention (CDC) provide quality guidance for newborn screening.74 However, the goal of population (or subpopulation) screening differs from the goal of clinical patient testing. In screening, the goal is to identify individuals who may need further evaluation and individual testing, within a screening framework that aims to provide net benefit on a population-wide basis. In NBS, this means striving to avoid missing a child who may be positive for the conditions under scrutiny, and thus tolerating a certain level of false positives on initial screening.
The quality of analysis and interpretation appropriate to DTC genomics remains controversial. Those laboratories performing DTC analyses for diagnosis, treatment, prevention, or health assessment must comply with CLIA to provide quality assurance of analytic validity; DTC companies whose laboratories are performing analyses for other uses need not comply. State law may regulate DTC companies.75 The FDA famously shut down 23andMe's ability to market genetic and genomic analyses, until the company sought premarket approval for and met standards for FDA approval of several types of testing (including Bloom syndrome and limited BRCA risk assessment). The FDA then proceeded to grant additional approvals test-by-test. Eventually the FDA indicated that it would no longer grant approval test-by-test, but instead would require premarket approval of an initial test, allowing additional tests to be added without further approvals, though with “special controls” specified. In October 2018, the FDA approved pharmacogenomics (PGx) testing with the special control that clinicians refrain from relying on DTC PGx test results in making prescribing and dosing decisions.76 As a consequence, clinicians need to reconfirm DTC PGx results through clinical testing before use.
Illustrative Scenarios:
In a first scenario, investigators offer research results to participants and their clinicians with an alert that these results were not generated in a CLIA-certified lab and should not be used for diagnosis or treatment, but should be confirmed and evaluated in a clinical context. This offer of non-CLIA research results, because of their potential clinical implications and the communication of those results to the participant for potential pursuit in the clinical sphere, appears at first glance to create a conflict between research and clinical quality rules.
In a second scenario, a clinician diagnoses her patient with a rare cancer and seeks genomic analysis of the patient's germline and tumor to guide treatment. The health center's laboratory is CLIA-certified but inexperienced in analyzing the genetics associated with this cancer. The clinician would prefer to refer the patient to the county's leading research laboratory studying this cancer. That research laboratory, which has an outstanding reputation, is not CLIA-certified, but claims to have excellent tracking and analytic procedures. This scenario again seems to create a conflict between the quality rules in research and those in clinical care.
In a third scenario, a patient brings her DTC printout to her primary care clinician, who is unsure what confidence to attach to the findings. The printout states that the results were generated in a CLIA-certified lab, but the clinician hesitates to use them in clinical care without reconfirmation. This scenario shows a potential conflict between quality rules in DTC genomics and in clinical care.
Applying the Guidelines:
The first scenario illustrates a widely recognized tension between the research and clinical domains. Return of research results to participants due to their potential clinical implications will involve no conflict when the research laboratory is CLIA-compliant; results generated will meet CLIA standards for analytic quality that allow their direct use in clinical care. Similarly, if a non-CLIA research laboratory confirms results in a CLIA-compliant laboratory before return, there will be no quality conflict. That conflict becomes a question only when non-CLIA research results are communicated to the participant or clinician to trigger clinical evaluation. However, the well-recognized resolution is to make clear that these are non-CLIA research results communicated for the purpose of triggering a clinical process of reconfirmation and patient evaluation.Reference Burke, Evans, Jarvik, Wolf and Evans77 Return of results to trigger clinical evaluation is not the same as returning results that are suitable for clinical use. Under the CLIA statute, only returning results for the latter purpose — use of those results in diagnosis, treatment, prevention, or health assessment — requires CLIA compliance.
This scenario demonstrates that careful analysis is crucial to understanding whether there truly is a conflict and how to navigate between two domains — in this case, research and clinical care. Recognizing the potential for conflict comports with the first guideline. The second guideline, calling for clarity and education, emphasizes the importance of the participant, researcher, and clinician understanding when results are suitable for immediate clinical use and when instead they require reconfirmation and evaluation prior to clinical use.
The third guideline is a reminder of why some research results are appropriately generated in non-CLIA laboratories. Requiring that all research be conducted in CLIA laboratories would violate this principle saying that law in each sphere should be “fit for purpose.” It is widely agreed that requiring all research laboratories to comply with CLIA would be unrealistic and would burden them with expense and regulatory requirements that would detract from their ability to make research progress. Moreover, CLIA is a poor fit for many research laboratories conducting novel and exploratory research, and CLIA has done a poor job of keeping pace with advanced research technologies. Finally, the CLIA statute limits required CLIA compliance to those laboratories conducting and reporting analyses for use in clinical care. CMS has no authority to require additional laboratories to comply.
The fourth guideline urges an effort to harmonize or reconcile the approach in separate domains. Recognizing that research laboratories may seek CLIA confirmation of the subset of results they wish to offer participants or may communicate non-CLIA results for purposes of CLIA confirmation and evaluation in the clinical domain creates mechanisms to reconcile the two spheres of research and clinical care.
The final and fifth guideline offers a starting point for resolving differences between the two domains by recognizing that results should be CLIA-confirmed before they are actually used in clinical care. Researchers may themselves initiate this reconfirmation before returning results or they may communicate results to trigger consideration of this reconfirmation process in the clinical domain. Either pathway leads to respecting participants' well-documented interest in receiving research results while ensuring CLIA confirmation of results before their use in clinical care.
V. Privacy
Differences across Domains:
Privacy encompasses a number of different issues, two of which are particularly pertinent here. The first is the ability to limit who has access to data and information about an individual. The other is the ability of the individual to obtain data about him- or herself. These two issues are related; unless a person can see the information being held on them, they cannot assess the privacy threat posed by retention and circulation of that information and cannot make informed decisions about whether to authorize further use and sharing of that information.Reference Evans78 Access to one's own information is a well-established part of privacy protection in multiple areas of the law.79
Limiting access and use by others.
In clinical genomics, patients generally need to authorize any release of their information under state and federal law. In federal law, HIPAA, the Genetic Information Nondiscrimination Act (GINA), the Americans with Disabilities Act (ADA), and the Affordable Care Act (ACA) provide both privacy and antidiscrimination provisions, especially for health insurance and employment.80 Notably, these laws have limitations and exceptions.81 The law in many states confers privacy and antidiscrimination protections as well.82 HIPAA is a privacy floor; state law may supply more privacy protections, as well as greater access to one's own data.83
In research involving genomic analysis, privacy protections arise from the federal HIPAA Privacy Rule in HIPAA-covered entities, the Privacy Act of 1974 regarding governmental databases including Medicare data,84 federal privacy provisions in the Common Rule and FDA regulations on research involving human participants when those rules apply,85 and state law including statutes with provisions on genetic privacy.86 GINA ordered the Department of Health and Human Services (DHHS) to place all “genetic information” under HIPAA, and amended the Public Health Service Act and Social Security Act accordingly; “genetic information” includes both clinical and research information.87
In HIPAA-covered entities, HIPAA generally requires that the individual authorize disclosures of their health data before those data can be used in research, with important exceptions allowing use without authorization in some circumstances88 as well as the use of deidentified information in research without authorization.89 Consent to research is usually combined with authorization to access and collect health data.90
The Common Rule also requires minimization of privacy risks, IRB consideration of privacy risks in deciding whether to allow the research, and explanation of and consent to privacy risks. The regulations allow research on deidentified biospecimens and data without consent.91 During the rulemaking process leading to the 2017 revision of the Common Rule, proposals to deem all biospecimens identifiable and so require consent were ultimately rejected,92 but the revisions create a process for periodic reconsideration of the effectiveness of deidentification, especially in light of advancing genomic sequencing technology and the potential for re-identification.93 Research sponsored by the National Institutes of Health (NIH) is now automatically covered by certificates of confidentiality.94 Although researchers are usually required to show that they have created robust processes to protect the privacy and confidentiality of individuals' research data and biospecimens, these assurances are limited by NIH requirements for broad data sharing.Reference Majumder95 In addition, some individuals elect to participate in open research projects that offer less privacy or none, with public posting and sharing of their data.Reference Thorogood and Haeusemann96
In the context of public health genomics such as NBS, state law governs data release, including to the individual analyzed or the parents/guardians.Reference Lewis97 HIPAA will apply to HIPAA-covered entities involved in screening.
Privacy protections in DTC genomics are governed by the contract and terms of use to which the customer agrees. HIPAA generally does not apply. A recent analysis of 90 companies in the United States offering DTC genetics found that nearly 40% failed to state their genetic data practices and many of the others provided weak privacy protections.Reference Peppet98 Industry leaders have participated in the formulation of privacy guidelines for genetic testing, but these remain voluntary.99 State statutes may impose data privacy rules, such as California's new data privacy statute.100
The ability of people to access information about themselves.
The HIPAA Privacy Rule also gives the individual a right of access to their information in each HIPAA-covered facility's designated record set (DRS).Reference Evans101 The DRS may include not only clinical information, but also research data or research records, including laboratory reports. The HIPAA Privacy Rule provides a right of access to the DRS on request, and GINA specifies that HIPAA rules apply to genetic information.102 Because the HIPAA Privacy Rule is a federal privacy floor; state law may supply greater access to one's own information and data.
HIPAA allows researchers conducting clinical trials to suspend access to research records for the duration of the research. However, the temporary suspension must be explained and agreed to by the participant, with access restored once the research has been completed.103
Regulatory changes in 2014 under CLIA, HIPAA, and the Health Information Technology for Economic and Clinical Health (HITECH) Act permit patients to obtain copies of completed laboratory reports directly from the laboratory; this includes a right to obtain raw data when that is the laboratory's final product.104 These provisions may apply both to clinical and research data. Discussion of the first scenario below offers further discussion of the access right.
Illustrative Scenarios:
In a first scenario, a healthy participant undergoes WES as part of a research protocol in an academic health center (AHC). One year later, she has puzzling symptoms suggestive of a genetically-based neurological disorder. She seeks access to her genomic data and interpreted results in order to convey them to a well-known health care center specializing in that disease. She also wishes to contribute her data and interpreted results to a DTC company formed by a major patient advocacy group to facilitate research on that disease. However, the original research took place in a HIPAA-covered AHC. She knows that HIPAA guarantees access to clinical results, and wonders whether she can request access to these research results. This scenario raises questions about an individual's rights of access under the HIPAA Privacy Rule and their ability to move data and results from traditional research settings to clinical care contexts as well as citizen-driven DTC research platforms.
In a second scenario, a consumer uses DTC genomics for genome sequencing, in part due to her concern about Alzheimers disease in her family. She tries to decipher the company's policies on privacy from their website and terms of use but finds it difficult. The DTC company sells access to their database of consumers' genomic results to a pharmaceutical company for research use in a widely publicized deal generating millions of dollars for the DTC company. Her brothers, who are also interested in their genomics, purchase DTC WGS and contribute their results to a public database. The original consumer becomes concerned that the pharmaceutical company and any researchers with whom they share her data will now be able to re-identify her by comparing her brothers' posted sequences. In this scenario, the approach to privacy in two types of DTC companies (one posting publicly and the other not) as well as privacy protections in pharmaceutical research that may be subject to FDA rules on research with human participants pose issues.
In a third scenario, an individual volunteers to participate in a large-scale population research study focusing on precision medicine in order to advance public health. The study involves collection of multiple data types, from genomic and other–omics data to physiological, behavioral, and environmental information including geolocation. The study commits to protection of participant privacy, but with so many data types being collected, the participant worries that this protection will ultimately fail. This scenario demonstrates the tension between privacy protections in research and the demands of population studies collecting multiple and diverse data types to advance biomedical understanding and public health.
Applying the Guidelines:
The first scenario focuses on an individual's right to access information collected about them. As noted above, federal privacy statutes have included this right of access since at least the Privacy Act of 1974 and many state privacy and public records statutes also provide this access right. The core purpose of these provisions is to allow individuals to see what information is being held on them and circulated. This allows them to challenge information that appears to be inaccurate and to evaluate the privacy risks associated with storage and circulation of that information.
HIPAA is only one of the statutes that provide a right of access, but is important in the research and health care arenas. HIPAA entitles individuals to see the contents of their designated record set (DRS) in each HIPAA-covered institution that maintains such records.Reference Lye105 The DRS includes records “used…by and for the covered entity to make decisions about individuals,”106 not just about the particular individual requesting access. This encompasses “a broad array of health information about themselves…including medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, and notes.”107
One might argue that although HIPAA confers a right of access to clinical materials in the DRS, it should not confer a right to access to research materials if those were not generated according to clinical rules and standards, such as CLIA. However, this apparent difference between access rights in the clinical versus research sphere diminishes on careful consideration. “[A]ny research records or results that are actually maintained by the covered entity as part of a designated record set would be accessible to research participants unless one of the Privacy Rule's permitted exceptions applies.”108 Indeed, as noted above, HIPAA makes clear that the access right includes research information by allowing investigators to pause access during a clinical trial. The DHHS Secretary's Advisory Committee on Human Research Protections (SACHRP) recommends that, “If a HIPAA-covered entity believes that a non-CLIA laboratory test result may have clinical significance such that the entity may use it to make decisions related to the individual, then the result is part of a designated record set and must be released upon the individual's request.”109 SACHRP further urges that, “If a covered entity may use a test result from a non-CLIA-certified laboratory to encourage an individual to provide a new specimen or to get tested at a CLIA-certified laboratory, then the entity is using the primary test results to make a decision about the individual.”110 Finally, the Public Health Service Act (PHSA), as amended by GINA, is clear that HIPAA's protections cover genetic information broadly; the PHSA definition of “genetic information” includes genetic information generated in research.111
In addition, 2014 regulatory changes to HIPAA, CLIA, and the HITECH Act gave individuals the right to directly access completed laboratory reports. This expansion of individual access rights extends to non-CLIA research analyses, as part of the stated objective was to remove barriers to access in an era of “personalized medicine initiatives.”112 The CLIA statute and regulations pose no bar to accessing results that were not generated and reported for direct clinical use, though CMS has tried to block this with a document posted on its website. SACHRP has advocated honoring the access right and removing the CMS document, with regulatory clarification that honoring the HIPAA access right does not violate the CLIA rules.113 This approach resolves the purported conflict between access provisions in research and clinical care by recognizing the importance of the access right in both spheres, as well as the stated federal commitments to the importance of this right.
The individual in the first scenario should thus be able to access her research information for purposes of contributing this information to further research. Given the fact that she wishes to contribute to research on a DTC platform, she should carefully review the privacy protections and access rights provided by that platform, as HIPAA may not apply.
Our first and second guidelines would suggest that researchers recruiting participants explicitly address both privacy protections and the scope of their access rights. Similarly, patients need to understand both, as do DTC customers. The third guideline emphasizes that privacy protections and access rights in each sphere should be “fit for purpose.” As DHHS, SACHRP, and many others have emphasized, research participants have a strong interest in being able to participate as partners in research, especially in the more engaged models of research increasingly emerging.114 Their interests extend to being able to contribute their data to additional research. In the clinical sphere, there is already robust recognition in law of the importance of privacy and access. The DTC domain lags, offering inconsistent and often opaque protection for privacy and access interests.
The approach we commend above attempts to reduce and harmonize differences across the research and clinical spheres, in keeping with the fourth guideline. And SACHRP's recognition that individuals' access right should be honored in the research sphere as well as the clinical sphere offers one way of following the fifth guideline, by protecting individuals' right of access across both domains.
The approach we propose is a new form of governance — the development of a translational approach to law. By focusing on conflicts and transition issues across four key domains of genomics, we develop guidelines that can help prevent, address, and resolve those issues. Our proposed approach focuses on the transitions and fast-moving advances that characterize modern genomics. The dynamic and boundary-crossing realities of translational genomics demand a dynamic and boundary-crossing approach to law.
Conclusion
It may be tempting to analyze the law of genomics by examining the distinctive legal regimes that have arisen to address research, clinical care, public health screening and DTC genomics. But the reality is that these are dynamically linked domains, not isolated fiefdoms. Knowledge gained through genomic research may lead to clinical sequencing and, over time, to establishment of the evidence base and benefits that support population screening. Meanwhile, both clinical sequencing and public health screening can generate new research questions. And at each stage, individuals have growing options to use DTC genomic services.
Through this dynamic process, the same individuals may be research participants, clinical patients, members of a population undergoing screening, and DTC customers. Their genomic information may be generated in any or all of these realms and move from one realm to the next. For example, research results may suggest the need for clinical confirmation and evaluation, public health screening results may indicate the need for clinical testing and care, or DTC results may show the need for clinical evaluation. Genetics and genomics professionals are increasingly likely to have some involvement in all four domains.
This highly dynamic and translational process requires an approach to law and governance that considers the big picture. When the actors have to function across all four domains, and the data and even the biospecimens are crossing domains, law has to consider the relationships and transitions across domains. Scholars of law and emerging technology emphasize the importance of considering governance of emerging technologies over time, not just conventional rule-making for familiar scenarios.Reference Ramachandran115 Governance involves “covering the whole decision-making and policy cycle from knowledge generation to taking actions, as well as controlling, evaluating and adjusting them.”Reference Wiek, Gasser and Siegrist116
The approach we propose is a new form of governance — the development of a translational approach to law. By focusing on conflicts and transition issues across four key domains of genomics, we develop guidelines that can help prevent, address, and resolve those issues. Our proposed approach focuses on the transitions and fast-moving advances that characterize modern genomics. The dynamic and boundary-crossing realities of translational genomics demand a dynamic and boundary-crossing approach to law.
Acknowledgments
Preparation of this article was supported by National Human Genome Research Institute and National Cancer Institute of the National Institutes of Health (NIH) under award number R01HG008605 for “LawSeq: Building a Sound Legal Foundation for Translating Genomics into Clinical Application.” The content is solely the responsibility of the authors and does not necessarily represent the views of the funders. Thanks to Ellen Wright Clayton, Barbara Evans, and Leslie Wolf for helpful review and to Kate Hanson, Travis Panneck, and Noah Sattler for research assistance.