As Bioinformatics Matures, New Laws and Regulations Follow

As Bioinformatics Matures, New Laws and Regulations Follow


Many observers predict that bioinformatics – the computerized collection and analysis of genetic and health-related information – will become the next rapid-growth technology sector. Already, bioinformatics companies are creating alliances among universities, pharmaceutical companies, health care providers, and pioneering biotechnology firms. This growth is being fueled by the increasing availability of vast amounts of electronic health data transmitted across the Internet.

Bioinformatics may involve the use of genetic and health-related information from identifiable human subjects. New laws and regulations are shaping the bioinformatics industry by simultaneously restricting the use and disclosure of some types of information while eliminating some of the technical difficulties in collecting and processing electronic genetic and health records. For example, most states already prohibit the discriminatory use of genetic information by employers and health insurers. In addition, a federal Executive Order prohibits genetic discrimination in federal employment. Georgia and Oregon ( see Sec. 659.715(1)) have also enacted laws declaring that a person "owns" his or her unique DNA sequence.

Meanwhile, a recent federal initiative is making it easier to assemble and analyze large databases of electronic health information from different sources. The "Administrative Simplification" provisions of the 1996 Health Insurance Portability and Accountability Act (HIPAA) will result in regulations mandating a uniform nationwide system for recording electronic health information, including standardized code sets and national identifiers for health plans, health care providers and employers. To protect patients from improper uses of their health information, HIPAA also calls for national minimum health data security standards and privacy safeguards. These rules were proposed in 1998 and 1999, but implementing them has proven difficult:

  • National technical standards for electronic health care transactions were issued in August 2000 and are slated to become effective in October 2002, but state health authorities are seeking a delay to provide more time to modify their computer systems.
  • Minimum national health data privacy standards were proposed in the fall of 1999, as discussed in our November 2, 1999 Internet Alert. The final standards were issued in December 2000, but were delayed by the incoming Bush Administration in January 2001. However, in April 2001, the Bush Administration announced that these privacy standards would become effective, with compliance required by April 2003.
  • The other Administrative Simplification rules have yet to be finalized. A proposed individual health identifier code was so controversial that its implementation has been postponed indefinitely.

Although it comprises only one part of the Administrative Simplification program, the federal health data privacy standards have emerged as the focus of a major national policy debate since the rules were first proposed in 1999. While the privacy standards will apply directly only to health plans, health care providers, and health data processing clearinghouses, bioinformatics companies may be indirectly affected if they obtain personally-identifiable health information from covered providers or health plans. The privacy standards will implement the Fair Information Practice principles discussed in our May 2, 2000 Internet Alert, by providing notice of the potential uses and disclosures of health information, allowing patients to access information about themselves, and requiring a patient’s consent for most uses and disclosures. The privacy standards will not apply to records that cannot identify an individual, either because identifying fields are removed or because the risk of reidentification is found to be minimal. Click here for a summary of these health privacy standards.

A key element of the federal health privacy standards is that states are allowed to enact their own stricter health data privacy rules. As a result, the bioinformatics industry is facing an onslaught of state legislation. As hundreds of bills are debated in statehouses across the country, the new bioinformatics industry is working to balance the rights of individual patients against the promise of scientific discoveries resulting from large-scale analyses of newly-accessible genetic and health-related data.