Planning for Legal Issues

The workshop participants extensively discussed the legal issues linked to patient confidentiality and the sharing of data, as these issues will influence, in part, how many people will be willing to enroll in the study, what data should be collected, and how data will be shared. The Health Insurance Portability and Accountability Act (HIPAA) and other legal constraints associated with patient consent forms can limit the sharing of participant data between government agencies, such as the Occupational Safety and Health Administration (OSHA) and NIH, as well as between BP and NIH, Dale Sandler pointed out. Often, to meet patient privacy concerns, the data in various databases are deidentified, making it difficult to link data from more than one database to the same participant. In addition, participants may be pressured by their lawyers to withhold information if they want to make a legal claim, investigators may be pressured by the courts to provide information that they have gathered, and states may require the mandatory reporting of any incriminating health information ascertained, such as that indicating domestic abuse.

Bernard Goldstein noted that long-term follow-up of individuals in communities affected by the Exxon Valdez oil spill was hampered by the actions of a federal judge who required the release of the information gathered from those individuals, despite a promise of confidentiality from the investigators. Lynn Goldman added that those data used in the reconstruction of exposure, such as height, weight, and when the person was working at a specific location, may enable an employer or others to identify a participant. Mai-Nhung Le, a member of the IOM committee, noted that confidentiality will be hard to maintain without oversampling of small homogeneous groups, such as the Vietnamese fishermen.

Larry Engel, a coinvestigator of the GuLF study, responded that, to the extent that they can, investigators of the GuLF study will have representative groups large enough so that people at the aggregate level will not be identifiable at the individual level. Teri Manolio added that the data will not be available to the public and that those who receive the data in the study will not attempt to identify participants or use the data against them. However, she added that investigators cannot promise that the data will never become public and can make clear to the participants only what protections they do have for the data.

Stephen Cole noted the tension that exists between the availability of data to scientists and the ability to identify individual participants. He stressed that this tension needs to be faced. He added that in GWAS deidentified data were eventually identified by two engineers. Dr. Manolio noted other, similar incidents in which patient confidentiality was breached. It is important to be upfront with people and when there are problems take every step possible, she said.

Dr. Manolio pointed out that the Privacy Act determines the way in which government can use data and share them, although the constraints on the sharing of data within agencies can be exempted during emergencies. It is still not clear whether individual-level data from OSHA and the U.S. Department of the Interior can be shared, she said.

Leslie Wolf of the Georgia State University College of Law stressed that litigation on the Gulf of Mexico oil spill will occur and said that there may be ways in which someone participating in the study will become involved in litigation that may not have anything to do with the study, but what is acquired in the study may be relevant. Think deliberately about what information is being collected and why. Don’t ask questions unless the answers are necessary, especially if it might create a situation where it becomes necessary to report the information for legal cases.

Ms. Wolf recommended using certificates of confidentiality that offer investigators protection from compelled disclosure but added that the certificate may not be enough. Certificates are given on a project basis, she said, and subprojects may not be included under their domain. Ms. Wolf stressed that a plan for how investigators should respond if they get a legal request for data that they have collected should be in place. “You really want a protocol that is maximally protective, and everybody at every level understands that,” she said. She also noted that social media will be a useful tool to keep participants informed about the study but that it can be abused by those using social media to identify participants in the study. Ms. Wolf said that NIH is currently doing a study of the effectiveness and limitations of certificates of confidentiality and is beginning to form ideas of best practices in this regard. Ms. Wolf added, however, that NIH is only in the early stages of starting to accumulate evidence and make policies about this issue.

Dr. Goldstein summed up the discussion on legal issues by stating that a wide range of legal issues threaten the successful completion of the study, including the possibility that tort actions will result in significant limitations in confidentiality and enrollment of subjects. Francesca Dominici added comments on the importance of developing guidelines on how to protect personal information and formalize how the information will be collected and disclosed, as well as implementing a plan describing the type of information that is absolutely needed versus the type of information that is legally sensitive and that may not be necessary to collect.