Returning Research Test Results: Know Your Ethical and Legal Obligations

MICHELLE GRIENAUER, JD, MPH, CIP SENIOR REGULATORY ATTORNEY AT KINETIQ (A DIVISION OF QUORUM)

Disclosure

The presenter(s) for today’s session: I have a relevant financial relationship with respect to this educational activity with the following organization: Employee of Kinetiq (a division of Quorum Review)

Learning Objectives

Upon completion of this presentation, participants should be able to:

• Describe the regulatory requirements and ethical implications related to returning research test results. • Recognize how the CLIA and HIPAA regulations may conflict regarding when an individual may receive research test reports and will be able to discuss potential solutions to resolve the conflict. • Develop approaches for IRBs handling requests to return test results that were generated in a non-CLIA- certified laboratory.

Citation: *E.g., Matthew P. Kirschen,Agnieszka Jaworska, and Judy Illes, Subjects’Expectations in Neuroimaging Research, 23 Magnetic Resonance Imaging 205 (January 2006). OVERVIEW

• Background • 2016 HIPAA • Ethical Issues Guidance • CLIA • FDA • HIPAA • Best Practices • 2014 Amendments to CLIA and HIPAA RETURNING STUDY RESULTS – A SPECTRUM

• Return of Incidental Findings • Return of Individual Research Results • Return of Aggregate Study Results • Public Release of Study Data*

Citation: *SACHRP Letter to the HHS Secretary, Attachment C: Return of Individual Results and Special Consideration of Issues Arising from Amendments of HIPAA and CLIA (July 22, 2015), http://www.hhs.gov/ohrp/sachrp/commsec/attachmentc:letter9/28/15.html . The Legal Question: The Ethical Question: Do the CLIA laboratory According to generally accepted requirements and the HIPAA ethical principles of research, Privacy Rule, allow or require should investigators provide research participants with investigators to provide their individual research test research participants with results? their individual research test results? ETHICAL ISSUES

Research vs. Clinical Care • Therapeutic Misconception • Translational Research*

Citation: *Susan M. Wolf, et al., Mapping the Ethics of Translational Genomics: Situating Return of Results and Navigating the Research-Clinical Divide, 43 J.L. Med. & Ethics 486 (October 2015); Presidential Commission for the Study of Bioethical Issues, Anticipate and Communicate: Ethical Management of Incidental and Secondary Findings in the Clinical, Research, and Direct-to-Consumer Contexts (December 2013), http://bioethics.gov/node/316. ETHICAL ISSUES

Researcher Duty to Participants • Respect for persons • Beneficence • Justice FACTORS TO CONSIDER

When Deciding Whether to Return Research Test Results

• Analytic and clinical validity • Clinical actionability • Clinical or reproductive significance • Magnitude of potential harm • Informed consent process • Applicable law*

Citation: *Presidential Commission for the Study of Bioethical Issues, Anticipate and Communicate: Ethical Management of Inci- dental and Secondary Findings in the Clinical, Research, and Direct-to-Consumer Contexts (December 2013), http://bioethics.gov/node/316; Susan M. Wolf et al., Managing Incidental Findings and Research Results in Genomic Research Involving Biobanks & Archived Datasets, 14 Genetics in Med. 361 (April 2012); Richard R. Fabsitz et al., Ethical and Practical Guidelines for Reporting Genetic Research Results to Study Participants: Updated Guidelines from a National Heart, Lung and Blood Institute Working Group, 3 Circulation: Cardiovascular Genetics 574 (December 2010). APPLICABLE LAWS

There is currently no federal law or regulation in the US that directly addresses the return of research results or incidental findings. HUMAN SUBJECT PROTECTION REGULATIONS

The federal human subject protection regulations do not currently address the return of individual results to research subjects.

Indirect implications: General requirements for informed consent.

BUT the revised Common Rule includes new elements of informed consent.

Depending on the type of research, a participant must be informed whetheror not they will receive clinically relevant research results, including individual research results.

Citation: *45 C.F.R. §§ 46.116(a)(2), (a)(3), (b)(5) (2016); 21 C.F.R. §§ 50.25(a)(2), (a)(3), (b)(5) (2016); 82 Fed. Reg 7,149, 7,266 (Jan. 19, 2017). CLIA AND HIPAA

The Clinical Laboratory Improvement Amendments of 1988 (CLIA) and Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule affect when a research participant may/must be provided with research test results. CLIA

The Clinical Laboratory Improvement Amendments of 1988 (CLIA) Established to strengthen federal oversight of clinical laboratories and to ensure the accuracy and reliability of patient test results. “CLIA Certification” Facilities that meet the CLIA definition of a “laboratory” must obtain certification prior to conducting patient testing.*

Citation: *CLIA Laboratory Requirements, 42 C.F.R. § 493 (2015). CLIA (CONT.)

• CLIA-Exempt Laboratories* CLIA-certification is not required for laboratories in states with requirements equal to or more stringent than CLIA. • CLIAExceptions** CLIA does not apply to research laboratories that do not report patient specific results “for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients.”

Citation: *42 C.F.R. § 493.3(b)(2016); **42 C.F.R. § 493.2(2016.) CLIA (CONT.)

• Exemption vs. Exception • Research laboratories “excepted” from CLIA, not “exempt” from CLIA.

Same difference?*

Citation: *Mark Barnes et al., The CLIA/HIPAA Conundrum of Returning Test Results to Research Participants, 14 Bloomberg BNA Med. Res. L. & Pol. Rep. 491 (July 2015) PENALTIES FOR CLIA VIOLATIONS

• Criminal Sanctions • Suspension of Medicare payments • For intentional violations - imprisonment(up to 1 year) or fine (up to $100,000) • Directed plan of correction • Civil Suit • State onsite monitoring* • CMA can bring suit to enjoin the operations of a noncompliant laboratory. • Civil Money Penalty • $50-$10,000 per day of noncompliance • Suspension, limitation, or revocation of a CLIA certificate

Citation: *42 C.F.R. §§ 493.1800- 1850 (2016). HIPAA

• The Health Insurance Portability andAccountability Act (HIPAA) Privacy Rule • Establishes standards for protecting the privacy of individually identifiable health information. • Confers rights on individuals, including the rights to access to all of the protected health information maintained in the individual’s “designated record set.”

Citation: 45 C.F.R. § 160 (2016); 45 C.F.R. § 164, Subparts A and E (2016). DESIGNATED RECORD SET (DRS)

• “Designated record set” – A group of records maintained by or for a covered entity thatis: • (i) The medical records and billing records about individuals maintained by or for a covered health care provider; • (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or • (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals. • “Record” means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a coveredentity.*

Citation: *45 C.F.R. § 164.501 (2016). PENALTIES FOR HIPAA VIOLATIONS

• Criminal sanctions • Fine of $50,000-$250,000 and imprisonment for 1-10 years* • Civil money penalty • Range: $100 per violation, with an annual maximum of $25,000 for repeat violations, to $50,000 per violation, with an annual maximum of $1.5 million. • Exclusion from Medicare participation.**

Citation: *42 U.S.C. § 1320d-6 (2016); **45 C.F.R. § 160, Subparts C, D, and E (2016); CLIA PROGRAM AND HIPAA PRIVACY RULE; PATIENTS’ ACCESS TO TEST REPORTS.

• On Feb. 6, 2014, HHS promulgated a joint OCR/CMS rule.* • Amended both the CLIA Laboratory Requirements andthe HIPAA Privacy Rule. • HHS Intent: • Remove barriers to an individual’s direct access to his or her own test reports from laboratories. • Empower individuals to better manage their health and take action to prevent and control disease.*

Citation: *CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports, 79 Fed. Reg. 7,290 (Feb. 6, 2014) (amending 42 C.F.R. § 493.1291; 45 C.F.R. § 164.524). CLIA

Before After • CLIA-certified laboratories only • CLIA-certified laboratories may allowed to disclose laboratory give completed test results results to certain individuals (e.g. directly to a patient.* provider ordering test).

• Depending on state law, a patient might not be authorized to order or receive a test result.

Citation: *42 C.F.R. §§ 493.1291(f), (l) (2016). HIPAA

Before After

• Access provisions did not apply • Removed the exception. to CLIA-certified and CLIA- • Laboratories must allow an exempt laboratories. individual access to test results • Exceptions were originally that are part of the designated created to avoid conflict with record set.* CLIA, which restricted patient access to test reports.

Citation: *42 C.F.R. § 164.524 (2016); 45 C.F.R. § 160.103 (2016); 45 C.F.R. §164.501 (2016); 45 C.F.R. § 164.514(h) (2016). THE CONTROVERSY DOES THE NEW RULE CREATE A CONFLICT BETWEEN THE CLIAAND HIPPA REQUIREMENTS?

CLIA HIPPA THE PERCEIVED CONFLICT

CLIA HIPAA Non-CLIA-certified If the non-CLIA-certified research laboratories may laboratory is a HIPAA not report patient specific covered entity, and results “for the diagnosis, research test results are prevention or treatment of considered part of the any disease or impairment DRS, research participants of, or the assessment of have a legal right to the health of individual receive these test results. patients.” THE PERCEIVED CONFLICT (CONT.)

Error! Does not compute! If the research laboratory complied with the Privacy Rule’s access requirements, it would violate CLIA’s prohibition against returning individual results from a non-CLIA- certified laboratory.

Citation: See, e.g., Secretary’s Advisory Committee on Human Research Protections (SACHRP) Letter to the HHS Secretary, Attachment C: Return of Individual Results and Special Consideration of Issues Arising from Amendments of HIPAA and CLIA (September 28, 2015), http://www.hhs.gov/ohrp/sachrp/commsec/attachmentc:letter9/28/15.html; Mark Barnes et al., The CLIA/HIPAA Conundrum of Returning Test Results to Research Participants, 14 Bloomberg BNA Med. Res. L. & Pol. Rep. 491 (July 2015); Barbara J. Evans et al., Regulatory changes raise troubling questions for genomic testing, 16 Am. C. Med. Genetics & Genomics 799 (November 2014). IS THIS CONFLICT REAL?

OCR and CMS do not see a conflict. • Research laboratories who wish to be able to return results can obtain CLIA certification. • Research laboratories that are part of a larger HIPAA covered entity can be “carved out” of the covered entity. • Access to research results can be suspended during the life of the study. DEEP DIVE! DO THE AMENDMENTS APPLY TO RESEARCH LABORATORIES?

• CLIA • HIPAA • Research laboratories fall outside the scope of the CLIA • CLIA-certified and CLIA- laboratory requirements. exempt laboratories must now honor an individuals’ request • Research laboratories: for access to test results, as • Do not need to be CLIA- certified and long as the result is part of the • Do not fall under the definition of DRS. a “CLIA- exempt” laboratory. DO THE AMENDMENTS APPLY TO RESEARCH LABORATORIES? (cont.) Remember that the access provisions are part of HIPAA, not CLIA!

HIPAA uses different terminology than CLIA. DO THE AMENDMENTS APPLY TO RESEARCH LABORATORIES? (CONT.)

HHS Interpretation: • When the Privacy Rule was • first published, HHS • interpreted the term “CLIA- • exempt” to include “research • laboratories” for purposes of the Privacy Rule. • Therefore, under the HIPAA • Privacy Rule, research • laboratories that are covered • entities must comply with the HIPAA access provisions.

Citation: *Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82, 485 (Dec. 28, 2000). DOES THE DRS INCLUDE RESEARCH TEST RESULTS?

• Laboratories only have to provide access to test results if those results are part of the DRS. • HHS states in the amendment’s preamble that: • Laboratory test reports that are maintained by or for a laboratory that is a covered entity are part of theDRS. • Test reports are not part of the DRS until they are “complete.”* • Implication: The DRS includes complete research tests maintained by or for a laboratory that is a covered entity.

Citation: *CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports, 79 Fed. Reg. 7,290, 7,291 (Feb. 6, 2014) (amending 42 C.F.R. § 493.1291; 45 C.F.R. § 164.524). DESIGNATED RECORD SET – UNCERTAINTY

What kind of test is complete (vs. when is a test complete)?

Next generation sequencing (NGS)?

Un-interpreted genetic data?*

Citation: *Mark Barnes et al., The CLIA/HIPAA Conundrum of Returning Test Results to Research Participants, 14 Bloomberg BNA Med. Res. L. & Pol. Rep. 491 (July 2015); Barbara J. Evans et al., Regulatory changes raise troubling questions for genomic testing, 16 Am. C. Med. Genetics & Genomics 799 (November 2014). RECENT HIPAA GUIDANCE

Understanding Individuals’ Right under HIPAA to Access their Health Information (January 7, 2016)*

• The DRS includes: • The Privacy Rule does not • The test report require laboratories to • All of the underlying data interpret test results for generated as part of the test patients. • Any other information • Laboratories may include a concerning the test disclaimer explaining the limitations of the data for diagnosis or treatment purposes.*

Citation: *OCR Guidance, Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524 (January 7, 2016), http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html. REPORTING RESULTS FOR TREATMENT OR HEALTH ASSESSMENT PURPOSES (CONT.)

CMS Interpretation • A CMS representative has publically indicated that the agency would regard any return of research results to be for the purpose of treatment or health assessment.* • BUT no official agency guidance has been published.

Citation: *Remarks of Penelope Meyers, Technical Director, CLIA, CMS, delivered at March 25, 2015 meeting of HHS Secretary’s Advisory Committee on Human Research Protections (SACHRP), accessible at http://videocast.nih.gov/Summary.asp?File=18913&bhcp=1. REPORTING RESULTS FOR TREATMENT OR HEALTH ASSESSMENT PURPOSES

• What does it mean to report results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients? • Is communicating results at the request of an individual, pursuant to the individual’s right of access, the same as reporting results for treatment or a health assessment? • Is urging a person to seek a health assessment the same thing as a health assessment?*

Citation: *Barbara J. Evans, The First Amendment Right to Speak About the Human Genome, 16 J. Const. L. 549 (Feb. 2014) What does the FDA have to say about all of this? FDA OVERSIGHT OF LABORATORY DEVELOPED TESTS (LDTS)?

• October 2014: the FDA issued draft guidance describing how the FDA intends to enforce regulatory oversight of LDTs.*

• November 2016: the FDA indefinitely delays oversight action. • FDA intends to work with the new administration, Congress, and stakeholders to update the LDT framework.**

Citation: *FDA Draft Guidance, Framework for Regulatory Oversight of Laboratory Developed Tests (LDTs) (October 2014), http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm416685.pdf; **Regulatory Affairs Professionals Society, FDA Delays Finalization of Lab-Developed Test Draft Guidance, http://www.raps.org/Regulatory-Focus/News/2016/11/18/26218/FDA-Delays-Finalization-of- Lab-Developed-Test-Draft-Regulations/ (Nov. 18, 2016); FDA Guidance, Discussion Paper on Laboratory Developed Tests (LDTs) (Jan. 13, 2017), https://www.fda.gov/downloads/MedicalDevices/ProductsandMedicalProcedures/InVitroDiagnostics/LaboratoryDevelopedTests/UCM536965.pdf. UNCERTAINTY

• Remaining Questions • Will CMS or OCR exercise their enforcement discretion? • How many research participants will request access to their research test results? • Will the FDA re-visit its LDT framework?

• Result: • Significant disagreement about what constitutes CLIAcompliance. • Institutions left to make ad hoc decisions based on level of risk tolerance. • Communication of potentially clinically significant results is chilled. NAVIGATING UNCERTAINTY Navigating Uncertainty

• Institution • Create policy delineating what will and will not be made part of the designated record set. • Decide how to handle research test results from non-CLIA-certified laboratories.

• Investigator/Sponsor • Anticipate the possibility of discovering incidental findings and/or clinically significant researchtest results. • Address plan for handling results in the protocol and consent form. • Consult with IRB in difficult situations.

• IRB • Review the investigator’s plan forhandling research results. • Ensure adequacy of informed consent. • Provide consultation in difficultsituations. QUESTIONS?