After spending the summer and fall batting around ideas, the joint House-Senate Legislative Commission on Data Practices has recommended three pieces of legislation to their colleagues.
One proposal deals with consumers’ genetic privacy. Another grapples with patients’ private medical information more generally. The third tweaks the statute to redefine what legally constitutes a reportable data breach.
A fourth issue—the use of the potent sedative ketamine by first responders to subdue out-of-control patients—was not on the final list. The commission debated that issue on Nov. 16.
Rep. John Lesch, DFL-St. Paul, said then that he thinks the state needs some kind of new law to make sure law enforcement and first responders can’t collude and make unwitting patients take the drug.
That issue blew up last summer when reports surfaced that Minneapolis police repeatedly asked Hennepin County first responders to administer the tranquilizer to agitated detainees. A later report said Hennepin Healthcare enrolled patients into clinical trials of the drug without consent. After that, the hospital suspended its ketamine study.
Rep. Peggy Scott, R-Andover, the commission’s chair, decided not to push for legislation on that issue after conversations with first responders, including Rep. Jim Newberger, R-Becker, a professional paramedic. Some patients are so agitated that they need to be sedated, she said.
“I think there are instances where people do get out of control and you have to get them under control or they will beat somebody up or harm somebody,” she said. “So there are two sides to that story.”
Her concern in bringing the matter to the commission was that people were being subjected to research without consent. But in testimony, she said, the commission learned federal law allows for that.
Another reason that only three recommendations moved forward after half a year’s work is that commissioners couldn’t meet as often as Scott hoped over the interim between legislative sessions. “The elections got in the way,” she said.
Direct-to-consumer genetic testing companies would be regulated more strictly in Minnesota if that recommendation moves forward.
At their Dec. 7 meeting, members heard testimony from Kathy Hibbs, chief legal and regulatory officer for the genetic testing company 23andMe. Her company offers two main products: an ancestry test and an enhanced test that both pinpoints ancestry and identifies genetic health risks.
Hibbs said the company is highly regulated by the federal government. Its data has never been breached, she said, nor has any individual customer sued the company—though it was once the subject of a class-action suit. Customers’ genetic information is only used in research with their consent, Hibbs added.
Hibbs said that while her company has contracted with both government researchers and private companies, it does not sell individuals’ genetic data. “And frankly there isn’t a market for it,” she said.
That comment surprised Scott, who confronted Hibbs with the company’s recent $300 million deal with pharmaceutical giant GlaxoSmithKline to “leverage genetic insights for the development of novel medicines.”
Individual DNA has little value, Hibbs replied. Only massed and de-identified genetic information that can be studied broadly to detect common disease markers has any real value, she said.
Speaking after the hearing, Scott was unimpressed with Hibbs’ explanation. “I couldn’t believe that she just said that ‘We don’t sell the data,’” Scott said. “I’m like, then just do your work with GlaxoSmithKline for free.”
Scott’s multi-pronged genetic-regulation recommendation was unanimously adopted. Among its key changes:
- The still-undrafted bill would better define “informed consent” in Minnesota Statutes Chapter 13.386. It would also more sharply define “genetic information” in that chapter.
- The bill would establish civil penalties and a private right for violations of the state’s revamped consumer DNA protections.
- It would clarify who owns and controls an individual’s genetic information and would require companies to get informed consent and show customers privacy policies before they sell test kits. All of a company’s collaborative partners also would have to be disclosed, among other provisions.
The commission also forwarded dramatically scaled-back changes to Minnesota’s health records law, at least compared to an idea from Rep. Nick Zerwas, R-Elk River, which members debated on July 23.
Zerwas once had hoped to scrap the Minnesota Health Records Act in favor of the federal Health Insurance Portability and Accountability Act’s looser patient information restrictions. That didn’t fly.
He then offered a compromise amendment to adopt only the HIPAA provisions that permit providers to forgo consent for treatment, payment and health care operations. That amendment was the subject of the commission’s July 23 discussion.
Minnesota Statutes sections 144.291 to 144.298 now require consent in most situations. What the commission recommended to the Legislature last week tilts closer to current law than the Zerwas plan.
Their plan would require that Minnesota providers all adopt a single, universal patient consent form. The form would let patients decide whether information gets shared for treatment, payment and health care operations and would allow them to choose whether their records get used for research, among other changes.
Zerwas said Monday that the commission’s proposal is “pretty removed” from what he had in mind. “In fact, as I understand it, a big portion of their proposal would be a pretty big step backwards,” Zerwas said. He said he worries the plan, if passed, could block providers from billing for services if patients block records from being shared for payment.
Sen. Warren Limmer, who is in line to take the commission’s gavel when it rotates back to the Senate next year, sees things differently.
Limmer said he sees other states gravitating away from HIPAA’s permissive practices and toward Minnesota’s tougher privacy standards. “I think we are becoming the model for other states,” he said.
The final recommendation would tweak Minnesota Statutes Section 13.055 as it pertains to government data breaches.
As written now, the law says an “unauthorized acquisition” that triggers notification requirements only occurs if the person receiving data stolen from a government entity plans to use it “for nongovernmental purposes.”
Christopher Buse, a deputy state legislative auditor, spoke in support of the change. It would bring state law into line with generally accepted industry practices, he said.
“Specifically, there is an underlying principle that most organizations follow,” Buse said. “That is, if you expose someone’s public data then you notify people.” A recipient’s intentions generally are considered irrelevant, he said—except under Minnesota law.
“Following the logic of the law today, you could argue that anytime an accident or an error occurs that leads to exposure of data, it could be construed as not being a breach,” Buse said. “You could say recipients didn’t intend to use the data for bad purposes. So the law can be misconstrued.”
All three bill recommendations were adopted unanimously in what Scott said likely is the last Data Practices Commission meeting of 2018.