Introduction

By 6 October 2014, many laboratories in the United States must comply with recent changes to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.1 These changes affect most CLIA-certified or exempt clinical laboratories but also implicate some research laboratories. Clinicians and scientists are generally aware of these changes but may not appreciate the full scope of information to which tested individuals will have access. Recent commentary characterizes these amendments as “allowing patients direct access to completed medical laboratory reports.”2 The access right, in fact, is considerably broader, creating issues that will be particularly challenging for providers of genomic testing. These issues require careful study and, in at least one instance discussed below, they demand immediate regulatory action to forestall serious unintended consequences.

Scope of the New Access Right

Starting in October, affected laboratories must comply with the HIPAA Privacy Rule’s data access provisions at 45 C.F.R. § 164.524 (for brevity, § 164.524). These provisions grant individuals a right to inspect and receive copies of certain information about themselves, known as a designated record set (DRS). The US Department of Health and Human Services (HHS) acknowledges that “test reports may be only part of a designated record set that a HIPAA-covered laboratory holds. To the extent an individual requests access to all of his or her protected health information, a HIPAA-covered entity is required to provide access to all of the protected health information in the entire designated record set”(ref. 1 at 7295). The obvious questions are which laboratories must comply with this requirement and what, exactly, is in the DRS?

These changes will not affect laboratories unless they are HIPAA-covered entities that are subject to the Privacy Rule. The Privacy Rule regulates laboratories that conduct specific types of electronic transactions such as billing for health-care services or verifying insurance benefits, so clinical laboratories typically are HIPAA-covered but research laboratories may not be. HHS warns, however, that a laboratory needs to conduct only one covered transaction—such as billing an insurer for a test—to become a HIPAA-covered entity with respect to all of the health information it creates and maintains (ref. 1 at 7291), so research laboratories may be affected. Laboratory personnel should check with their institution’s HIPAA privacy officer if they are unsure.

The precise content of a person’s DRS is an obscure HIPAA technical question that takes on riveting operational and bioethical significance after October 6, because everything in the DRS will be accessible to the individual. This question looms especially large for laboratories that conduct next-generation sequencing (NGS) of DNA, because NGS produces a vast amount of genetic information, which the Privacy Rule treats as protected health information.3 NGS generates large numbers of image files that are processed in real time to produce base call files. Both image and base call files are kept only transiently to conserve data storage space. Data analysis then produces three file types in sequential order: (i) FASTQ, which contains raw sequences with corresponding quality scores; (ii) BAM (binary alignment/map), generated by mapping of raw sequences to the human genome reference; and (iii) the VCF (variant call format) file, which contains a list of sequence variants, sorted by genomic position, at which the individual differs from the reference genome. Many laboratories produce an annotated VCF with numerous details (such as variant type, function, frequency in the population) to aid in the classification and interpretation of each variant. This information, in part, is used to generate the final report for clinicians and patients.

Which of these files are subject to individual access? In part, the answer depends on a laboratory’s data retention policy. Section 164.524 allows individual access only to data that a laboratory “actually maintains” at the time an individual’s request is received (ref. 1 at 7295), so the transient image and base call files are unlikely to be implicated by the recent regulatory changes. There is no clear guidance on how CLIA data retention requirements at 42 C.F.R. § 493.1105 apply to the other files generated during NGS. Recent working groups suggest storing VCF files and, possibly, BAM and FASTQ files.4,5 Based on a review of HIPAA’s regulatory text and guidances, stored VCF, BAM, and FASTQ files may well be part of the DRS to which individuals have access under § 164.524.

The Privacy Rule defines a DRS as including medical, insurance, and billing records plus an additional category of other records “used, in whole or in part, by or for the covered entity to make decisions about individuals.”6 This definition strongly suggests that if a laboratory maintains a VCF or BAM file and uses any part of that file—such as information about one gene variant—to make decisions about a person, the entire file is part of the person’s DRS. In disputes about the scope of the § 164.524 access right, courts (e.g., refs. 7,8) continue to rely on guidance HHS gave in the preamble to the original Privacy Rule in 2000. HHS stated that the DRS includes records used to make decisions that “affect individuals’ interests” whether the decisions are medical or nonmedical in nature.9

Suppose a research study generates an exome in a HIPAA-covered laboratory, but the study limits return of participants’ results to a narrowly defined list such as that recommended by the American College of Medical Genetics and Genomics.10 Under § 164.524, a participant could request all of the NGS data from the laboratory, notwithstanding the decision to limit the return of results. Laboratories, clinicians, and researchers would not, however, be required to provide an analysis of the additional data. HIPAA’s access right is a tool to enhance privacy protections by letting individuals find out what information is being maintained about them. It is a “what’s-on-file-is-what-you-get” right that allows access to data but does not entitle individuals to receive “interpretive assistance” to clarify the clinical implications of those data (ref. 9 at 82,606; ref. 1 at 7293).

The grounds and procedures for denying individual access under § 164.524 are specified in the regulation,11 and they are considerably narrower than the grounds many bioethicists cite as justification to deny return of genetic test results. These bioethical concerns include, for example, that genetic information is sensitive and may cause psychosocial harm to scientifically naive laypeople, who lack contextual knowledge to appreciate its uncertainty and who may seek follow-up care that is harmful, unnecessary, or wasteful of scarce health-care resources. Persons who provided public comments on the recent amendments were sharply divided on whether such concerns are valid versus paternalistic. HHS ultimately concluded that such concerns are not a sufficient basis for interfering with individuals’ important right of access to their own laboratory information (ref. 1 at 7292–95). Under the Privacy Rule, institutional review boards overseeing human-subjects research have no power to block § 164.524 access. The Privacy Rule allows research participants’ access to be temporarily suspended, but only for the duration of the research and only if subjects have agreed to the suspension in their informed consents.12

HHS’s 2000 Privacy Rule guidance underscores the broad right of access: it states that the DRS “includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.”9 This seemingly would include information about a gene for a congenital disorder in the DRS of an adult who does not have that disorder, if the laboratory uses that gene at other times in unrelated decision making. This guidance clarifies that the DRS does not just include “information that already has been used to make decisions” but also includes records that are “are reasonably likely to be used” to make decisions.9 As applied to NGS findings with their ever-evolving reasonable uses, HIPAA’s DRS is “Pandora’s Box.”

Is There a Conflict with CLIA?

CLIA’s new reporting regulation at 42 C.F.R. § 493.1291(l) expressly allows laboratories to provide patients with direct access to “completed test reports.” Does it exceed the scope of what 42 C.F.R. § 493.1291(l) allows—and thus violate CLIA’s reporting regulations—if a laboratory grants individual access to the entire DRS under § 164.524? If this were the case, laboratories could argue that obeying HIPAA violates CLIA, and that the conflict between the two laws excuses them of their duty to allow access to the DRS. This argument does not appear to work, however.

HHS promulgated the recent CLIA and HIPAA changes together in a single regulatory proceeding and, by doing so, implied that the agency sees no conflict. A close reading of the two regulations confirms there is no conflict. In introducing the recent changes, HHS stated that it will “not consider test reports to be part of the designated record set until they are “complete”” (ref. 1 at 7295) but carefully explained what “complete” means. This discussion was directed at situations in which a diagnostic test requires significant time to yield its anticipated result or those in which a single ordered test includes multiple components scheduled to be performed over time. A test is complete (and therefore deemed to be part of the DRS) “when all results associated with an ordered test are finalized and ready for release”—that is, when the test is no longer a work in progress and the laboratory has finished its planned work. This concept addresses when—but not what types of—test-related information must be added to an individual’s DRS.

Laboratories that perform NGS would be on shaky legal ground if they took the position that VCF, BAM, and FASTQ files are incomplete tests that can be excluded from the DRS. CLIA does not require genetic testing to be bundled together with genomic interpretation services, and some CLIA laboratories embrace a data-only business model and regularly supply uninterpreted variant data as their completed work product.13 The fact that a laboratory was not ordered to, or chose not to, analyze and interpret all the variants detected during NGS does not transform those findings into incomplete test results. Nothing in the CLIA regulation prevents the release of uninterpreted genetic findings in data-only form, and that is all HIPAA’s § 164.524 requires laboratories to do.

Moreover, it ultimately does not matter whether uninterpreted genomic information in the DRS is—or is not—a “completed test report.” CLIA allows it to be disclosed to the individual in either case. Suppose, for the sake of argument, that HHS made a determination that the entire DRS is not a “completed test report” that qualifies for release under CLIA’s new reporting regulation at 42 C.F.R. § 493.1291(l). All that would do is require laboratories to follow CLIA’s more general reporting rules at 42 C.F.R. § 493.1291(f) and § 493.2. Under these rules, laboratories can release test results directly to individuals only if state laws authorize individuals to receive them. In the past, some states did have laws that prevented individuals from receiving their test results. However, HHS has made it very clear that the HIPAA Privacy Rule preempts—that is, takes precedence over—any state laws that get in the way of individuals’ new access rights under § 164.524 (ref. 1 at 7304). CLIA allows the DRS to be released to “authorized persons,” and any state law that claims that an individual is not authorized to receive his or her own DRS has just been preempted by HIPAA.

Uninterpreted genomic data would probably be incomprehensible to most people, but tools to analyze DNA sequences are being developed and marketed despite substantial uncertainties about the clinical relevance of much of the genome. HHS was aware how much information a DRS contains but indicated that the agency does not expect many individuals to request access to the entire DRS. HHS emphasized that § 164.524 requires laboratories to provide access only to the specific information actually requested. Will patients request all of their data? Public discourse about rights to one’s own genome suggests that some may do so. When individuals do request it, their right of access “extends to test reports and other information about the individual in a designated record set maintained offsite, archived, or created before the publication or effective date of this final rule,” and HHS expressed its intent to apply “the access requirements as broadly and uniformly as possible” (ref. 1 at 7294). When announcing the changes, former Secretary Kathleen Sebelius characterized § 164.524 access as a cornerstone of the Privacy Rule.14

Fixing the Urgent Problem

These amendments were developed through an inclusive notice-and-comment rulemaking process in which all stakeholders had the opportunity to submit comments. The Administrative Procedure Act, which governs federal rulemaking, does not provide for final rules to be reopened merely because some parties—in this case genomic testing laboratories—may have been unaware of the impacts and failed to file timely objections. It is clear, however, that applying the new requirements to genomic testing invites unintended consequences that are, as yet, poorly understood. These impacts need immediate study, and one in particular demands urgent clarification by HHS.

In a grave omission, the recent amendments do not provide an exception that excuses non-CLIA research laboratories—those that operate under CLIA’s research exception at 42 C.F.R. § 493.3(b)(2)—from having to comply with the Privacy Rule’s § 164.524 individual access requirements. HHS may have believed this was unnecessary because the amendments ostensibly apply only to CLIA-certified and CLIA-exempt laboratories. The CLIA regulations define “CLIA-exempt” as referring to laboratories regulated under state laws, as in Washington or New York, that the Centers for Medicare and Medicaid Services has found to be equivalent to CLIA.15 Yet when HHS published the Privacy Rule many years ago, it interpreted the term “CLIA-exempt” as also including non-CLIA research laboratories for purposes of the § 164.524 individual access right (ref. 9 at 82,485). Forgetting this history, the recent amendments eliminated a § 164.524 exception that kept “CLIA exempt” laboratories from having to comply with § 164.524. This inadvertently put HIPAA-covered, non-CLIA laboratories squarely in the crosshairs of individuals’ new § 164.524 access right.

Fortunately, many non-CLIA research laboratories are not HIPAA-covered entities and therefore will not be subject to § 164.524. CLIA’s research exception applies only if research laboratories “test human specimens but do not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients.”16 Obviously, a laboratory that meets the terms of this exception would not ordinarily conduct the types of transactions—such as billing insurers—that can trigger HIPAA-covered status. A non-CLIA research laboratory might, however, fall under HIPAA because of its business organizational arrangements (for example, if it is part of a HIPAA-covered academic medical center). HHS foresaw this possibility when it was developing the Privacy Rule. That is why the agency, back in 2000, so carefully included non-CLIA research laboratories in the exception that the recent amendments obliterated.

After October 6, non-CLIA research laboratories will be in a real box. If study participants request the full DRS under § 164.524, refusing these requests will violate the Privacy Rule. Complying with the request, on the other hand, may violate the CLIA research exception. It can be argued that releasing uninterpreted genomic data files does not actually violate CLIA’s research exception. In 2000, however, HHS opined that laboratories providing access under § 164.524 need to be CLIA-certified.

The recent amendments may imply that every HIPAA-covered, non-CLIA research laboratory in the nation needs to become CLIA-certified between now and October 6. That would be impossible. Moreover, the apparent requirement to do so seems to have come about by accident rather than through deliberate regulatory intent. To clarify this situation, HHS should issue emergency guidance stating that the agency plans to exercise its enforcement discretion to excuse non-CLIA research laboratories from having to comply with § 164.524. Simultaneously, the agency should initiate rulemaking proceedings to reinsert the inadvertently deleted § 164.524 exception for non-CLIA research laboratories. If the agency fails to take action to fix this problem on its own initiative, affected laboratories can try to force action by petitioning HHS to amend or repeal its defective regulation under the Administrative Procedure Act at 5 U.S.C. § 553(e).

Broader Challenges

Clarifying the status of non-CLIA research laboratories will not change the reality facing HIPAA-covered laboratories that are CLIA compliant or CLIA exempt. They still will be required to honor individuals’ § 164.524 access rights starting in October, and this is not likely to change. HHS has unambiguously stated its intent for individuals to have this right of access. On October 6, laboratories that perform NGS will suddenly be transported to unfamiliar territory where individuals, on request, have ready access to a trove of uninterpreted genetic information. This abrupt transition presents immediate business and practical challenges as well as deeper questions about how to apply familiar bioethical principles in an altered landscape.

Mundane operational matters such as data retention policies will take on a gripping ethical complexity in a world where retaining results may be tantamount to returning them. Laboratories will struggle with what to tell patients and research subjects about the new access rights, and how to word warnings, disclosures, and disclaimers to give to individuals who exercise those rights. For ongoing research studies that wish to suspend participants’ access rights for the duration of the study, investigators will have to scramble to reconsent participants and hope that they agree to the suspension. Institutional review boards face novel decisions, such as whether to demand the use of non-HIPAA laboratories for studies that involve especially sensitive findings that would be ethically problematic to return. Bioethicists will debate the ironies of being forced to move research to non-HIPAA environments that offer less privacy and data security protection in order to protect subjects from the perceived risks of returning results.

Laboratory directors may need to review their business arrangements. For example, can a research laboratory attain non-HIPAA-covered status—and free itself from § 164.524 disclosure obligations altogether—by spinning itself off from its surrounding academic medical center? Is it really worth it to bill the one insurer that covers an experimental test if doing so transforms a research laboratory into a HIPAA-covered entity? Assuming HHS takes action to excuse non-CLIA research laboratories from having to comply with § 164.524, will non-CLIA laboratories become the preferred venue for NGS research and, if so, should CLIA-certified research laboratories de-certify themselves to take advantage of the exception? What will be lost if the trend to seek CLIA certification for research laboratories reverses itself in response to the recent amendments? These and many more questions await further study.

Above all, there is the question of what duties laboratories owe to patients and research subjects who insist on accessing the entire DRS, with all of the uninterpreted genetic information it contains. HHS imposed no legal duty for laboratories to help these people make sense of the data they receive, but is there an ethical duty for laboratories to do so? Some individuals undoubtedly will be upset or misinterpret their results, and perhaps laboratories as well as clinicians should help guide these interpretive journeys, but is it even practical for laboratories to do so?

The ethical debate about this issue may soon be overwhelmed by another looming HHS policy change. On 31 July 2014, the US Food and Drug Administration (FDA) notified Congress that it intends to publish, within 60 days, its long-awaited draft guidance on FDA regulation of laboratory-developed tests,17 a category that includes most NGS technologies, particularly those used in research. The agency disclosed anticipated details of the draft guidance and, while these details are still subject to change, they offer insight into where policy may be heading. Among other things, the agency stated that “if test results are returned to patients without confirmation by a medically accepted diagnostic product or procedure,” then the FDA Investigational Device Exemption requirements at 21 C.F.R. Part 812 will apply (ref. 17 at 36).

What may that mean? Suppose an individual requests the entire DRS, including the VCF file, and asks the laboratory for help in understanding the significance of a gene variant whose clinical significance is not yet well established. Suppose there is considerable evidence suggesting that the variant is associated with an important health condition that it would be ethical to tell the person about, but there is no way to confirm those suspicions using a medically established diagnostic product because none yet exists. If the laboratory shares its suspicions with the individual, the FDA seems to be saying that the laboratory will be required to seek FDA approval of an Investigational Device Exemption covering investigational use of that gene variant to diagnose the suspected health condition. Any bioethical imperative that may once have existed for laboratories to help individuals make sense of their incidentally identified gene variants may soon be trumped by a new legal imperative to obtain an FDA-approved Investigational Device Exemption before returning results.

The soon-to-be-published draft guidance on laboratory-developed tests has the potential to hit the reset button on the long bioethical debate about return of genetic test results. The Investigational Device Exemption requirements may limit the return of results to a process in which laboratories can supply analytically valid but uninterpreted information about the gene variants detected during testing, along with clinical claims about any variants whose significance has been confirmed using medically accepted diagnostic products and procedures. In a striking convergence with the recent HIPAA and CLIA amendments, the return of analytically valid information about gene variants basically corresponds to returning the VCF and BAM files to which individuals now have access under § 164.524. If individuals wish to explore the potential significance of variants whose meaning is still speculative, they will need to discuss this with their clinicians, whose conversations in the course of physician–patient relationships are not regulated by the FDA.18 It is futile to debate the broader ethical impacts of the recent HIPAA and CLIA amendments until the FDA weighs in by publishing its draft guidance in the coming weeks.

Conclusion

Recent amendments to HIPAA and CLIA will soon plunge many laboratories into a different world that seems poised to grow more different still. An important lesson to be drawn is that it is crucial for medical geneticists and investigators to take an active interest in regulatory proceedings that are now under way and that are rewriting the ground rules for genomic testing. The recent HIPAA and CLIA amendments were in the works for over two years and nothing about them was a surprise. Those who experienced surprise while reading this article should resolve to keep a very close eye on what the FDA may be doing in the near future. After the agency publishes its draft guidance on laboratory-developed tests, there will be an opportunity to comment on it, and medical geneticists should seize the opportunity to help shape the policies that will profoundly affect us all.

Disclosure

The authors declare no conflict of interest.