A recent decision of the Minnesota Supreme Court highlights a range of personal data privacy questions regarding what “persons” other than governmental agencies are covered by the terms of the Genetic Privacy Act.
On November 16, 2011, in Bearder v Minnesota1 the Minnesota Supreme Court held that the genetic information section of the Minnesota Government Data Practices Act, Minn. Stat. §13.386 (2010) (“Genetic Privacy Act” or “GPA”), restricts the collection, use, storage, and dissemination of blood samples collected by the Minnesota Department of Health (“department”) pursuant to Minnesota’s newborn screening statutes. The decision is focused on the interplay between Minnesota’s statute and rules applicable to Newborn Blood Screening (“NBS”) for heritable and congenital disorders and the informed consent provisions of the genetic information section of the Genetic Privacy Act. The Bearder decision may, however, have unintentionally created a new and significant hurdle for Minnesota’s biomedical research community by failing to limit its decision to the newborn screening program.
The hurdle is created by an ambiguity in the court’s opinion. First, the court found that all biospecimens that contain DNA are covered by the Genetic Privacy Act and require informed consent for their collection, storage, use and/or dissemination absent statutory authority. But the court then left unclear whether the Genetic Privacy Act requires nongovernmental entities to follow the same informed consent requirements as “other persons.” If the answer to the question is yes, all governmental and nongovernmental health care research in Minnesota involving biospecimens will need to adhere to the restrictive informed consent requirements of the Genetic Privacy Act and health care providers who need biospecimens, such as blood draws for diagnostic purposes, may also need to assure compliance with the GPA.
Biospecimens, DNA, & Consent
The case began with a lawsuit filed against the state of Minnesota and the Minnesota Department of Health on behalf of 25 children and their 17 parents. The suit claimed that (a) the biological specimens and genetic information obtained as part of NBS constituted “private data” on individuals subject to the Genetic Privacy Act and (b) that the state had violated the act by failing to get written informed consent for collecting, using, storing and disseminating the blood samples and test results.
Under the blood-screening program, parents were required to “opt-out” if they didn’t want their infant’s blood tested or if they wanted the blood specimens or test results destroyed following screening. The state contracted with Mayo Collaborative Services Inc. (“Mayo”) to conduct the screening tests on the samples and pursuant to the contract authorized Mayo to conduct research on unidentifiable samples without consent or to obtain written informed consent for research on samples whose source was identifiable.
District court Judge Marilyn Brown Rosenbaum found that the plaintiffs’ case failed in several respects and dismissed the case with prejudice on November 24, 2009. In the crux of her opinion, Judge Rosenbaum stated:
The blood samples taken pursuant to the NBS Program are biological samples, not genetic information as defined in the GPA. Even if these blood samples are considered genetic information under the GPA, the GPA expressly states that it applies to the collection, storage, use, and dissemination of genetic information “unless otherwise expressly provided by law.” Minn. Stat. §13.386, subd. 3. The GPA does not supersede specific existing law such as the NBS Program, Minn. Stat. §144.125-.128.
On August 24, 2010, the Minnesota Court of Appeals in Minor v. State2 affirmed Judge Rosenbaum’s decision. The court of appeals concluded that “Minn. Stat. §144.125-.128 and other governing legislation granting the commissioner broad authority to manage the newborn screening program amount to an ‘express’ provision of law that authorizes collection, retention, use and dissemination of blood specimens for the newborn screening program, making the genetic privacy act inapplicable … .” Significantly, the appellate court disagreed with Judge Rosenbaum’s conclusion that the blood samples were not “genetic information” under the Genetic Privacy Act; nor did the court agree that the blood samples could be disseminated without consent. The court of appeals found that
[w]hile the newborn screening statute permits use of newborn screening specimens for purposes related to that program, it does not provide for the specimen remainders to be used for purposes outside the newborn screening program. As such, any use of the specimens for purposes not related to the newborn screening program is subject to the written informed consent requirements of the genetic privacy act.
Under the facts of the case, none of the blood samples had been disseminated, so the issue was moot.
The Minnesota Supreme Court overturned the appeals court decision, upholding summary judgment for the department and agreeing with the appellants’ claim that the Genetic Privacy Act requires written consent before the department may do anything with newborn blood specimens other than their collection and use as expressly authorized by applicable statutes to conduct tests for heritable and congenital disorders and follow-up services. The court found that the newborn screening statutes “do not expressly authorize the Department to conduct any other use, storage, or dissemination of the blood samples.” The supreme court, in a broad reading of the act, held that the blood specimens themselves constituted protected genetic data since they contained DNA. As the court noted in its opinion, “[i]t is the DNA within the blood samples that is the information that brings the blood sample within the protection of the Genetic Privacy Act” since it might be used to provide medical care to the individual and therefore fits under 13.386 subd. 1(2)(b). The court’s holding means that research of any kind beyond the limited scope of the newborn screening statutory mandates requires informed written consent of the child’s parent(s) or legal guardian. The court remanded the case to the district court to determine if any of the plaintiffs were entitled to remedies.
Consequences and Conflicts
The supreme court’s decision, taken to its logical conclusion, means that all biospecimens fall under the purview of the Genetic Privacy Act, since DNA and biospecimens go together like breathing and oxygen—you can’t have one without the other. As noted above, the court’s failure to limit its decision to the four corners of the newborn blood-screening program and its failure to address the “other persons” language in the Genetic Privacy Act create an air of uncertainty and conflict both at the state and national levels.
What “Other Persons”? An open question is whether the Genetic Privacy Act is limited to Minnesota governmental entities as defined under Chapter 13.02, subd. 7a. The reason this is an open question is that the Genetic Privacy Act also explicitly extends to “other persons” without providing a definition for “other persons” or an expansion of the reach of the Government Data Practices Act. Under rules of statutory construction this language cannot be ignored since one has to assume the legislature inserted it for a purpose. As Justice Anderson noted in his concurrence and dissent in the Bearder opinon:
(“Every law shall be construed, if possible, to give effect to all its provisions.”); Cnty. of St. Louis v. Fed. Land Bank of St. Paul, 338 N.W.2d 741, 744 (Minn. 1983) (stating that “every word and phrase of the statute should be given meaning if possible”). … Minn. Stat. §645.16 (“Every law shall be construed, if possible, to give effect to all its provisions.”)
The statute cited by Justice Anderson, §645.16, has as its heading “Legislative Intent Controls.” The relevant language of the statute provides:
The object of all interpretation and construction of laws is to ascertain and effectuate the intention of the legislature. Every law shall be construed, if possible, to give effect to all its provisions.
When the words of a law in their application to an existing situation are clear and free from all ambiguity, the letter of the law shall not be disregarded under the pretext of pursuing the spirit. … .
If one were to construe the language “other persons” in its normal usage, the conclusion would be that the informed consent requirements of the Genetic Privacy Act apply to anyone in Minnesota that collects, uses, stores or disseminates biospecimens even if there is not an explicit enforcement mechanism attached to the act. An old Minnesota Supreme Court case, Anderson v. Settergren, 100 Minn. 294 (Minn., 1907), established the concept of the tort of “neglect of statutory” duty, which provides a mechanism for a private right of action if a statute is construed to create a duty for the benefit of private persons versus the public as a whole. One would find it hard to argue that the statutory protection of an individual’s genetic makeup is anything but for the benefit of the private individual since only the individual faces the informational risks associated with its disclosure. A prime example of informational risk is use of genetic information by third parties, such as employers and insurance companies, to discriminate against individuals.
Even if one were to take the position that the language is meaningless for nongovernmental entities, it is problematic for a wide variety of governmental entities, such as law enforcement and public health institutions that have to address whether the possession and use of a biospecimen falls under an express statutory provision or is limited by the terms of the Genetic Privacy Act.
In addition, many health care providers may indirectly find themselves bound to the requirements of the Genetic Privacy Act if they provide services to and are the recipients of biospecimens obtained from governmental entities. This is because Minn. Stat. §13.05, subd. 6, with a limited exception related to welfare data, requires that
in any contract between a government entity subject to this chapter and any person, when the contract requires that data on individuals be made available to the contracting parties by the government entity, that data shall be administered consistent with this chapter. A contracting party shall maintain the data on individuals which it received according to the statutory provisions applicable to the data.
Federal Preemption. On the national level, the Beader decision raises questions about whether current efforts by the United States Department of Health and Human Services (“DHHS”) to update “Common Rule” regulations governing human subjects research will be successful absent a parallel effort to have the rules preempt more restrictive state requirements governing the informed consent process that can be construed as providing “additional protection” for human subjects.3
One controversial provision envisioned by the DHHS in an Advance Notice of Proposed Rule Making (“ANPRM”) is a new requirement that there be written consent for future research use of biospecimens. This proposed requirement is based on the ANPRM’s conclusion that technology has or will make all biospecimens identifiable. As noted in the ANPRM:
Regardless of what information is removed, it is possible to extract DNA from a biospecimen itself and potentially link it to otherwise available data to identify individuals. Consequently, we are considering categorizing all research involving the primary collection of biospecimens as well as storage and secondary analysis of existing biospecimens as research involving identifiable information … .”4
The ANPRM would require “a standard, brief general consent form allowing for broad, future research.”5 “The general rule would be that a person needs to give consent, in writing, for research use of their biospecimens, though that consent need not be study-specific, and could cover open-ended future research.”6
Once the general consent was obtained, biospecimens would be incorporated in what is deemed a category 4 exemption under 45 CFR 46.101(b)(4) and would not require IRB review or routine administrative review, but would be subject to the ANPRM’s proposed data security and information protection standards.7
The problem is that the brief general consent for research use of biospecimens envisioned in the ANPRM will be anything but brief or general if it also has to meet the more restrictive informed consent requirements under Minnesota’s Genetic Privacy Act. What does this mean in practice in Minnesota if the “other persons” language applies and when there isn’t a specific statutory exception? First, nobody gets to collect biospecimens for any purpose, either clinically or for research, without written informed consent. Second, the biospecimens can only be used by the institution collecting them for the purposes for which the individual has given written informed consent. Third, storage of biospecimens is only for as long as the individual has given written informed consent. Finally, the biospecimens can only be disseminated to a third party with written informed consent that is good for no longer than a year unless otherwise provided by law. It is this last requirement that throws up a formidable, if not insurmountable, roadblock to the ANPRM’s proposal with respect to the future use of biospecimens.
The Bearder decision serves as a prime example of the law of unintended consequences. Bearder demonstrates the need for the Minnesota Legislature to clarify what exactly is meant by “other persons” under the Genetic Privacy Act and make clear whether it applies only to governmental entities. Although one can imagine that to do so will open a broader discussion on the issues of personal data privacy and security, it is a discussion worth having. At the federal level, the Bearder decision serves as an important warning that the updates to the Common Rule that seek to balance the need to provide enhanced protections for research subjects while easing the burdens for research investigators may depend on the willingness of Congress and the President to make the politically difficult decision to assure that the Common Rule regulations governing informed consent preempt more stringent state laws.
Gordon J. Apple is a health law attorney in private practice in St. Paul, Minnesota. He served two terms as chair of the Health Law Section of the Minnesota State Bar Association in the 1990s and served as a vice chair of the American Health Lawyers Association Health Information and Technology Practice Group from 2002-2006. He is a 1982 graduate of the University of Wisconsin School of Law and has an AV® rating with Martindale-Hubbell. He has been a member of the Minnesota Bar since 1985. GApple@HealthLawGeek.com
Notes 1 Bearder v. Minnesota, A10-101 slip op. (Minn. 11/16/2011), www.lawlibrary.state.mn.us/archive/supct/1111/OPA100101-1116.pdf 2 Minor v. State, 788 N.W.2d 144 (Minn. App. 2010). 3 Advance Notice of Proposed Rulemaking, 76 Fed. Reg. 44,512 (07/26/2011). Under current regulations, 46 CFR Subpart A, Section 46.101(f), the Common Rule “does not affect any state or local laws or regulations which may otherwise be applicable and which provide additional protection to human subjects.” Under the privacy provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) that apply to research institutions that are required to comply with HIPAA as “Covered Entities”, state privacy laws that are contrary to and more stringent than the corresponding federal requirements are not preempted. (45 CFR 160.203(b). Researchers who work for Covered Entities have to comply with both HIPAA and Common Rule requirements. 4 76 Fed. Reg. 44,525. 5 76 Fed. Reg. 44,515. 6 76 Fed. Reg. 44,512. 7 Even the enhanced standards are seen as lacking in that they would be modeled on HIPAA’s Privacy and Security Rules. Comments to the ANPRM by the Data Privacy Lab at Harvard University note that: “It is unrealistic to hope for a one-size-fits-all set of technical requirements for data sharing. The standards and solutions that are appropriate for one form of data in one context are typically inapplicable to the others. ” http://dataprivacylab.org/projects/irb/Vadhan.pdf (last visited 04/02/2012).
1 Bearder v. Minnesota, A10-101 slip op. (Minn. 11/16/2011), www.lawlibrary.state.mn.us/archive/supct/1111/OPA100101-1116.pdf
2 Minor v. State, 788 N.W.2d 144 (Minn. App. 2010).
3 Advance Notice of Proposed Rulemaking, 76 Fed. Reg. 44,512 (07/26/2011). Under current regulations, 46 CFR Subpart A, Section 46.101(f), the Common Rule “does not affect any state or local laws or regulations which may otherwise be applicable and which provide additional protection to human subjects.” Under the privacy provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) that apply to research institutions that are required to comply with HIPAA as “Covered Entities”, state privacy laws that are contrary to and more stringent than the corresponding federal requirements are not preempted. (45 CFR 160.203(b). Researchers who work for Covered Entities have to comply with both HIPAA and Common Rule requirements.
4 76 Fed. Reg. 44,525.
5 76 Fed. Reg. 44,515.
6 76 Fed. Reg. 44,512.
7 Even the enhanced standards are seen as lacking in that they would be modeled on HIPAA’s Privacy and Security Rules. Comments to the ANPRM by the Data Privacy Lab at Harvard University note that: “It is unrealistic to hope for a one-size-fits-all set of technical requirements for data sharing. The standards and solutions that are appropriate for one form of data in one context are typically inapplicable to the others. ” http://dataprivacylab.org/projects/irb/Vadhan.pdf (last visited 04/02/2012).