Hostname: page-component-745bb68f8f-d8cs5 Total loading time: 0 Render date: 2025-01-11T22:51:57.193Z Has data issue: false hasContentIssue false
  • English
  • Français

The Perils of Parity: Should Citizen Science and Traditional Research Follow the Same Ethical and Privacy Principles?

Published online by Cambridge University Press:  01 January 2021

Barbara J. Evans
Get access Rights & Permissions [Opens in a new window]

Abstract

The individual right of access to one’s own data is a crucial privacy protection long recognized in U.S. federal privacy laws. Mobile health devices and research software used in citizen science often fall outside the HIPAA Privacy Rule, leaving participants without HIPAA’s right of access to one’s own data. Absent state laws requiring access, the law of contract, as reflected in end-user agreements and terms of service, governs individuals’ ability to find out how much data is being stored and how it might be shared with third parties. Efforts to address this problem by establishing norms of individual access to data from mobile health research unfortunately can run afoul of the FDA’s investigational device exemption requirements.

Type
Symposium Articles
Information
Journal of Law, Medicine & Ethics , Volume 48 , Issue S1: Unregulated Health Research Using Mobile Devices , Spring 2020 , pp. 74 - 81
Copyright
Copyright © American Society of Law, Medicine and Ethics 2020

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

Rothstein, M.A. et al., “Citizen Science on Your Smartphone: An ELSI Research Agenda,” Journal of Law, Medicine & Ethics 43, no. 4 (2015): 897-903, at 901.CrossRefGoogle Scholar
Patrick-Lake, B. and Goldsack, J.C., “Mind the Gap: The Ethics Void Created by the Rise of Citizen Science in Health and Biomedical Research,” American Journal of Bioethics 19, no. 8 (2017): 1-2.CrossRefGoogle Scholar
45 C.F.R. pt. 46, subpt. A.Google Scholar
21 C.F.R. pts. 50, 54, 56, 809, 812.Google Scholar
Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C. (2012)).Google Scholar
45 C.F.R. pts. 160, 164 (2018).Google Scholar
Evans, B.J. and Wolf, S.M., “A Faustian Bargain that Undermines Research Participants’ Privacy Rights and Return of Results,” Florida Law Review 71, no. 5 (2019): 1281-1345, at 1296–1307.Google Scholar
Wolf, S.M., “Return of Results in Participant-Driven Research: Learning from Transformative Research Methods,” Journal of Law, Medicine & Ethics 48, no. 1, Supp. (2020): 159-166.CrossRefGoogle Scholar
Pub. L. No. 90-321, 84 Stat. 1128 (codified as amended at 15 U.S.C. § 1681 (2012)) (authorizing collection and storage of individuals’ financial and credit data without their consent but granting individuals a right of access to their data).Google Scholar
Pub. L. No. 93–579, 88 Stat. 1896 (codified as amended at 5 U.S.C. §§ 552(a), (d) (2012)) (providing an individual right of access to data held in governmental databases).Google Scholar
45 C.F.R. § 164.524 (2018).CrossRefGoogle Scholar
Evans, B.J., “The Genetic Information Nondiscrimination Act at Age 10: GINA’s Controversial Assertion that Data Transparency Protects Privacy and Civil Rights,” William & Mary Law Review 60, no. 6 (2019): 2017-2109, at 2055-2066 (reviewing the stated legislative and regulatory purposes).Google Scholar
Id., at 2059.Google Scholar
U.S. Dep’t of Health & Human Servs., Confidentiality of Individually Identifiable Health Information: Recommendations of the Secretary of Health and Human Services, Pursuant to Section 264 of the Health Insurance Portability and Accountability Act of 1996 (September 11, 1997), available at <https://aspe.hhs.gov/report/confidentiality-individually-identifiable-health-information> [https://perma.cc/2V9X-XFAV] (last visited January 22, 2020).+[https://perma.cc/2V9X-XFAV]+(last+visited+January+22,+2020).>Google Scholar
Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95/46/EC, art. 15, 2016 O.J. (L 119): 1, 43.Google Scholar
See, e.g., California Consumer Privacy Act, 2018 Cal. Legis. Serv. 3 (West) (“[I]t is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights[, including] … [t]he right of Californians to access their personal information.”); id., at 3–4 (amending Part 4 of Division 3 of the Civil Code to add § 1798.100(d), which provides individuals with a right of access to their data).Google Scholar
Rothstein, M.A. et al., “Unregulated Health Research Using Mobile Devices: Ethical Considerations and Policy Recommendations,” Journal of Law, Medicine & Ethics 48, no. 1, Suppl. (2020): 196-226.CrossRefGoogle Scholar
45 C.F.R. § 164.524(a).Google Scholar
45 C.F.R. § 164.501 (“Designated record set means: (1) A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.”); see also id. § 160.103 (treating genetic information as health information for purposes of the Privacy Rule); id. § 164.501 (“[T]he term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.”).Google Scholar
Id. § 164.501.Google Scholar
Evans, B.J. et al., “Regulatory Changes Raise Troubling Questions for Genomic Testing,” Genetics in Medicine 16, no. 11 (2014): 799-803, at 800.CrossRefGoogle Scholar
U.S. Dep’t of Health & Human Servs., Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524 (February 25, 2016), available at <https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html> [https://perma.cc/9S7L-3QEP] (last visited January 22, 2020).+[https://perma.cc/9S7L-3QEP]+(last+visited+January+22,+2020).>Google Scholar
Id.Google Scholar
Id.Google Scholar
45 C.F.R. § 164.524(a)(2), (3) (listing unreviewable and reviewable grounds for denial of access).Google Scholar
See id. § 164.524(a)(2)(iii).Google Scholar
Id.Google Scholar
Id.Google Scholar
Wiggins, A. and Wilbanks, J., “The Rise of Citizen Science in Health and Biomedical Research,” American Journal of Bio-ethics 19, no. 8 (2019): 3-14.Google Scholar
Bobe, J., Meyer, M.N., and Church, G., “Privacy and Agency Are Critical to a Flourishing Biomedical Research Enterprise: Misconceptions about the Role of CLIA,” Florida Law Review Forum (2019), available at <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3499923> (last visited January 22, 2020).+(last+visited+January+22,+2020).>Google Scholar
Arnstein, S.R., “A Ladder of Citizen Participation,” Journal of the American Planning Association 35, no. 4 (1969): 216-224.Google Scholar
Hurley, Elisa A., “Why We Need to Keep the Term “Research Subject’ in Our Research Ethics Vocabulary,” Ampersand blog (February 22, 2019), available at <https://blog.primr.org/research-subject-vs-research-participant> (last visited January 22, 2020).+(last+visited+January+22,+2020).>Google Scholar
Bobe et al., supra note 30, at 9.Google Scholar
Rothstein et al., supra note 17.Google Scholar
Peppet, S.R., “Regulating the Internet of Things: First Steps toward Managing Discrimination, Privacy, Security, and Consent,” Texas Law Review 93, no. 1 (2014): 85-179, at 145.Google Scholar
Hall, M.A., “Property, Privacy, and the Pursuit of Interconnected Electronic Medical Records,” Iowa Law Review 95 (2010): 631-663, at 646.Google Scholar
Rodwin, M.A., “Patient Data: Property, Privacy & the Public Interest,” American Journal of Law & Medicine 36 (2010): 586-618, at 588.CrossRefGoogle Scholar
Peppet, supra note 35, at 93.Google Scholar
Id.Google Scholar
Peppet, supra note 35, at 145.Google Scholar
Id., at 129, 143.Google Scholar
Id., at 143-44.Google Scholar
Id., at 129.Google Scholar
Id., at 161-162; Barua, D. et al., “Viewing and Controlling Personal Sensor Data: What Do Users Want?” in Persuasive 2013: Proceedings of the 8th International Conference on Persuasive Technology (Berkovsky, Shlomo and Freyne, Jill eds., 2013): at 15-26.CrossRefGoogle Scholar
Id., at 144.Google Scholar
Health Data Exploration Project, Personal Health Data for the Public Good: New Opportunities to Enrich Understanding of Individual and Population Health (2014), available at <http://hdexplore.calit2.net/wp-content/uploads/2015/08/hdx_final_report_small.pdf> (last visited January 22, 2020).+(last+visited+January+22,+2020).>Google Scholar
Food and Drug Administration, Device Software Functions Including Mobile Medical Applications (September 26, 2019), available at <https://www.fda.gov/medical-devices/digital-health/mobile-medical-applications> (last visited January 22, 2020).+(last+visited+January+22,+2020).>Google Scholar
Pub. L. 114-255 (2016).Google Scholar
21 U.S.C. § 360j(o)(1)(B).Google Scholar
Food and Drug Administration, General Wellness: Policy for Low Risk Devices: Guidance for Industry and Food and Drug Administration Staff (September 27, 2019), available at <https://www.fda.gov/regulatory-information/search-fda-guidance-documents/general-wellness-policy-low-risk-devices> (last visited January 22, 2020).+(last+visited+January+22,+2020).>Google Scholar
International Medical Regulators Device Forum, IMDRF SaMD Working Group, Software as a Medical Device (SaMD): Key Definitions (December 9, 2013), available at <http://www.imdrf.org/docs/imdrf/final/technical/imdrf-tech-131209-samd-key-definitions-140901.pdf> (last visited January 22, 2020).+(last+visited+January+22,+2020).>Google Scholar
Food and Drug Administration, Software as a Medical Device (SAMD): Clinical Evaluation,” December 8, 2017, at 11, available at <https://www.fda.gov/media/100714/download> (last visited January 22, 2020).+(last+visited+January+22,+2020).>Google Scholar
21 C.F.R. § 801.4.Google Scholar
21 U.S.C. § 321(h).Google Scholar
Rothstein et al., supra note 17.Google Scholar
21 U.S.C. § 321(h).Google Scholar
Medical Devices; Procedures for Investigational Device Exemptions, 45 Fed. Reg. at 3735. See also Rothstein et al, supra note 17.Google Scholar
21 C.F.R. pt. 812.Google Scholar
See Rothstein et al., supra note 17.Google Scholar
Food and Drug Administration, Framework for Regulatory Oversight of Laboratory Developed Tests; Draft Guidance for Industry, Food and Drug Administration Staff, and Clinical Laboratories; Availability, 79 Fed. Reg. 59,776 (October 3, 2014); Food and Drug Administration, Notification and Medical Device Reporting for Laboratory Developed Tests; Draft Guidance for Industry, Food and Drug Administration Staff, and Clinical Laboratories; Availability, 79 Fed. Reg. 59,779 (October 3, 2014).Google Scholar
See Food and Drug Administration, Discussion Paper on Laboratory Developed Tests (LDTs) (2017), available at <https://www.fda.gov/downloads/medicaldevices/productsandmedicalprocedures/invitrodiagnostics/laboratorydevelopedtests/ucm536965.pdf> [https://perma.cc/HN5A-W4G9] (last visited December 16, 2019) (noting that FDA announced it would not be issuing final guidance on laboratory developed tests to allow further discussion).+[https://perma.cc/HN5A-W4G9]+(last+visited+December+16,+2019)+(noting+that+FDA+announced+it+would+not+be+issuing+final+guidance+on+laboratory+developed+tests+to+allow+further+discussion).>Google Scholar
Food and Drug Administration, Framework for Regulatory Oversight of Laboratory Developed Tests: Draft Guidance 36-37 (2014), available at <https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm416685.pdf> [https://perma.cc/B28U-TNCJ] (last visited December 16, 2019).+[https://perma.cc/B28U-TNCJ]+(last+visited+December+16,+2019).>Google Scholar
CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports; Final Rule, 79 Fed. Reg. 7290, 7293 (February 6, 2014) (codified at 42 C.F.R. pt. 493 and 45 C.F.R. pt. 164).Google Scholar
Parker, L.S., “Returning Individual Research Results: What Role Should People’s Preferences Play?” Minnesota Journal of Law, Science and Technology 13, no. 2 (2012): 449-484, at 456, 471-72; Terry, S.F., “The Tension between Policy and Practice in Returning Research Results and Incidental Findings in Genomic Biobank Research,” Minnesota Journal of Law, Science and Technology 13, no. 2 (2012): 691-736, at 708-709.Google Scholar
Parker, supra note 64, at 472.Google Scholar
21 C.F.R. §801.4.Google Scholar
Parker, supra note 64; Terry, supra note 64.Google Scholar
Institute of Medicine, The Future of Drug Safety: Promoting and Protecting the Health of the Public (2007): at 33, available at <https://www.nap.edu/catalog/11750/the-future-of-drug-safety-promoting-and-protecting-the-health> (last visited January 22, 2020) (reporting that the average new commercial IND submission to the FDA is 14,000 pages long).+(last+visited+January+22,+2020)+(reporting+that+the+average+new+commercial+IND+submission+to+the+FDA+is+14,000+pages+long).>Google Scholar
45 C.F.R. § 164.512(i).Google Scholar
Evans, supra note 12, at 2094-97 (tracing the historical development of HIPAA’s access right and citing the sources that enunciated its rationale).Google Scholar
Id. (citing analysis of this issue in two reports commissioned by Congress).Google Scholar
Bobe et al., supra note 30, at 6-8.Google Scholar
Id., at 6.Google Scholar