Cyberbanks and other Virtual Research Repositories

Digitization has assumed great importance due to the shortage of samples, for reasons that include biopsies and other procedures that are extremely parsimonious.

For discussion of these issues see, e.g., Greenbaum D. S. , “The Database Debate,” Albany Law Journal of Science & Technology 13 (2003): 431–515.

The information concerning CHTN is derived from its website at <http://www-chtn.ims.nci.nih.gov/purpose.html> and from Eiseman E. Bloom G. Brower J. Clancy N. , and Olmstead S.S. , Case Studies of Existing Human Tissue Repositories: “Best Practices” for a Biospecimen Resource for the Genomic and Proteomic Era (Santa Monica, CA: RAND, 2003), available at <http://www.rand.org/publications/MG/MG120> (last visited January 6, 2005).

The information concerning the SPIN project is derived from two NCI websites, Shared Pathology Informatics Network, at <http://www.cancerdiagnosis.nci.nih.gov/spin>, and Shared Pathology Informatics Network (SPIN), at <http://spin.nci.nih.gov/>, and from the proposal for Consented High-performance Indexing and Retrieval of Pathology Specimens (CHIRPS), I. Kohane, Principal Investigator (July 2000), available at <http://spin.nci.nih.gov/CHIRPSGrant.pdf> (last visited January 6, 2005).

Shared Pathology Informatics Network (SPIN), at <http://www.cancerdiagnosis.nci.nih.gov/spin> (last visited January 6, 2005).

XML is a flexible text format derived from SGML, the international standard metalanguage for text markup systems. Originally developed for large-scale electronic publishing, it is increasingly the standard for exchange of data on the World Wide Web and can be processed or displayed by programs and browsers on all common operating systems. See Extensible Markup Language (XML), at <http://www.w3.org/XML/> (last visited January 6, 2005).

Anderlik M. R. , “Commercial Biobanks and Genetic Research,” American Journal of Pharmacogenomics 3 (2003): 203–15.

Anderlik M. R. , “Commercial Biobanks and Genetic Research: Banking Without Checks?” in Knoppers B. M. , ed., Populations and Genetics: Legal and Socio-Ethical Perspectives (The Hague: Kluwer, 2003): Pp. 345–376.

Typically, the term “user-based access controls” refers to password protections and other measures to limit access to authorized users. As the term suggests, “role-based access controls” limit the scope of access for authorized users based on role. For example, in a health system database, access to cells that contain psychotherapy notes might be limited to psychiatrists and psychologists.

Eiseman , supra note 3, at 85–91.

First Genetic Trust, Products & Services, at <http://www.firstgenetic.net/products_academic.html> (last visited January 6, 2005).

U.S. Patent No. 6,640,211, available through USPTO Patent Full-Text and Image Database, at <http://www.uspto.gov/patft/index.html> (last visited January 6, 2005).

Press Release, “First Genetic Trust Awarded $2M ATP Grant to Create Secure Genetic Data System,” (May 11, 2004), available through <http://www.firstgenetic.net/news_press.html> (last visited January 6, 2005).

Adam D. , “Online Tumor Bank Aims to Offer Ready Route to Tissues,” Nature 416 (2002): 464; Teodorovic I. Therasse P. Spatz A. Isabelle M. , and Oosterhuis W. , “Human Tissue Research: EORTC Recommendations on its Practical Consequences,” European Journal of Cancer 39 (2003): 2256–63.

Oosterhuis J. W. Coebergh J. W. , and van Veen E. , “Tumour Banks: Well-guarded Treasures in the Interest of Patients,” Nature Reviews Cancer 3 (2003): 73–77, at 75.

Clayton E. W. , “Informed Consent and Biobanks,” The Journal of Law, Medicine & Ethics 33, no. 1 (2005): 15–21.

Eiseman , supra note 3, at 132–34.

CHIRPS proposal, supra note 4, at 17–19. Appendix 5 of the CHIRPS grant proposal, supra note 4, puts forth these general guidelines for all requests for specimens:

• Review and evaluation of the protocol is necessary to protect against the use of identifiable research data when non-identifiable data would suffice; to establish the bona fides of the requestor and the requestor's capacity to protect confidentiality; and to prevent uses of the data for purposes other than those for which they were collected without any necessary additional review.

• The investigator and the party releasing the identifiable data should sign a binding research agreement specifying such matters as the terms for use and the means of maintaining confidentiality, and prohibiting re-release of identifiable data.

• There should be evidence of external review and approval of the data release by an IRB or equivalent.

• The researcher should be able to provide documentation that all members of the research group have been trained in confidentiality practices.

Anderlik M. R. and Rothstein M. A. , “Privacy and Confidentiality of Genetic Information: What Rules for the New Science?” Annual Review of Genomics & Human Genetics 2 (2001): 401–33, at 402.

Federal Policy for the Protection of Human Subjects, 45 C.F.R. § 46A (basic Department of Health and Human Services policy for protection of human research subjects; a number of other federal agencies have adopted similar regulations).

Standards for Privacy of Individually Identifiable Information: Final Rule, 65 Fed. Reg. 82462 (Dec. 28, 2000) and 67 Fed. Reg. 53182 (Aug. 14, 2002) (codified at 45 C.F.R §§ 160, 164).

45 C.F.R. § 46.102(f).

Office for Human Research Protections (OHRP), Department of Health and Human Services, “Guidance on Research Involving Coded Private Information or Biological Specimens” (August 10, 2004), available at www.hhs.gov/ohrp/humansubjects/guidance/cdebiol.pdf (last visited January 6, 2005).

45 C.F.R. § 46.101(b)(4).

45 C.F.R. §§ 46.111(a)(7), 46.116(a)(5).

Eiseman , supra note 3, at 124.

45 C.F.R. § 160.103.

45 C.F.R. § 164.514(b)(2).

45 C.F.R. § 164.514(c).

See OHRP, supra note 23, at 7.

45 C.F.R. § 164.514(e). Also, the rule permits disclosure for public health purposes, such as reporting to state disease registries, 45 C.F.R. § 164.512(b), and it is worth noting the existence of a grandfathering provision, § 45 C.F.R. 164.532.

Department of Health and Human Services, “Research Repositories, Databases, and the HIPAA Privacy Rule,” available at <http://privacyruleandresearch.nih.gov/pdf/research_repositories_final.pdf>; Bledsoe M. , “HIPAA Models for Repositories,” International Society for Biological and Environmental Repositories (ISBER) Newsletter, available at <http://www.isber.org/Newsletters/Fall2004.pdf> (last visited January 6, 2005); Aamodt R. , “The Health Information [sic] Portability and Accountability Act of 1996 Privacy Rule,” International Society for Biological and Environmental Repositories (ISBER) Newsletter, Summer 2003, available at <http://www.isber.org/newweb/Newsletters/Summer2003.pdf>(last visited January 6, 2005).

Eiseman , supra note 3, at 131.

Sweeney L. , “Weaving Technology and Policy Together to Maintain Confidentiality,” Journal of Law, Medicine & Ethics 25, no. 2 & 3 (1997): 98–110.

Lin Z. Hewett M. , and Altman R. B. , “Using Binning to Maintain Confidentiality of Medical Data,” Proceedings of the American Medical Informatics Association Annual Symposium (2002): 454–58.

Mitchell M. , “Medical Privacy Law Stirs Controversy,” Knight-Ridder Newspapers, March 3, 2003.

Setness P. A. , “When Privacy and the Public Good Collide: Does the Collection of Health Data for Research Harm Individual Patients?” Postgraduate Medicine On-line 113, no. 5 (May 2003), at <http://www.postgradmed.com/issues/2003/05_03/editorial_may.htm> (last visited January 6, 2005).

Katyal N. K. , “Digital Architecture as Crime Control,” Yale Law Journal 112 (2003): 2261–89.

Davis J. B. , “Cybercrime Fighters,” ABA Journal 89 (Aug. 2003): 37–42.

Department of Health and Human Services, Security Standards: Final Rule, 68 Fed. Reg. 8334 (Feb. 20, 2003) (codified at 45 C.F.R. § 160, 162, and 164).

This does not mean that the security of information in other formats escapes regulatory attention. The privacy rule includes some security provisions, which would apply to all protected health information. An example would be employee training on information handling under the heading of confidentiality.

See 68 Fed. Reg. 8337, 45 C.F.R. § 164.302.

68 Fed. Reg. 8341.

Grove T. , “Summary Analysis: The Final HIPAA Security Rule, Phoenix Health System's HIPAAdvisory,” (February 2003), available at <http://www.hipaadvisory.com/regs/finalsecurity/summaryanalysis.htm> (last visited January 6, 2005).

Lewis M. , “Digital Signatures: Meeting the Traditional Requirements Electronically,” Asper Review of International Business & Trade Law 2 (2002): 63–84, at 70.

HIIDIT Health Information Identification De-Identification Toolkit, at <http://www.chip.org/projects/hiidit/> Gast visited January 6, 2005).

Kort E. J. Campbell B. , and Resau J. H. , “A Human Tissue and Data Resource: An Overview of Opportunities, Challenges, and Development of a Provider/Researcher Partnership Model,” Computer Methods and Programs in Biomedicine 70 (2003): 137–50.

CHIRPS proposal, supra note 4, at 23–24.

Anderlik M. R. , supra note 8.

For example, the U.S. Computer Fraud and Abuse Act criminalizes certain activities that undermine the confidentiality, integrity, and availability of data. See Geist M. , “Cyberlaw 2.0,” Boston College Law Review 44 (2003): 323–58.

Harmon A. , “Digital Vandalism Spurs a Call for Oversight,” New York Times, Sept. 1, 2003, A1.

For example, the liability framework does nothing to place restrictions on use by those who receive information in breach of a duty of confidentiality. See, e.g., Janger E. J. , “Privacy, Property, Information Costs, and the Anticommons,” Hastings Law Journal 54 (2003): 899–929.

Boyle J. Shamans , Software and Spleens: Law and the Construction of the Information Society (Cambridge: Harvard University Press, 1996): at 177.