While it’s received nowhere near the saturation press coverage accorded to “dot-coms”, the application of computers to biology and health care is creating a revolution whose effects promise to be as profound as those predicted by the strongest evangelists of e-commerce. While various authors use different terminologies for this technology, in its most expansive definition, “bioinformatics” is used to describe the application of computing power to organize and analyze genetic information. There seems to be less agreement on a term for the use of computers to organize and analyze other medical and biological information. However, because the legal issues considered in this article pertain to both areas, we will use the term “bio-medical information systems” as we highlight the significant legal issues affecting all of these uses of computing power.
Because genetic and other health-related information about people starts with data collected from individuals, the use of bio-medical information systems necessarily implicates privacy concerns. In the United States, the privacy of personally identifiable medical information is governed largely by the Health Insurance Portability and Accountability Act (“HIPAA”) and the privacy regulations passed pursuant to it. HIPAA was passed in 1996, but the regulations that establish the operative privacy standards were not published in final form until December 28, 2000, and the deadline for compliance does not arrive until April 14, 2003. Accordingly, privacy requirements under HIPAA are relatively new and untested.
HIPAA limits the uses of individually-identifiable health information maintained by a health care provider, health plan, employer or health care clearinghouse (“Covered Entities”). The manner in which information can be disclosed is dependant upon the purpose for which it will be used. Generally, holders of protected health information (which includes not only health-specific information, but also identifiers such as name, address and other identifying codes) can disclose the information for purposes of treatment, payment or operations if a consent is first obtained from the person. If the information will be disclosed for other purposes (such as marketing or research), a more specific authorization is required which permits disclosure of specific information for particular purposes. Because bio-medical information systems may or may not link health information to specific individuals, the impact of these consent requirements will differ widely with respect to different systems.
The privacy rules enacted pursuant to HIPAA directly cover only Covered Entities, not the business entities with whom they may partner. Thus, a company operating computer servers that store protected health information is not directly subject to HIPAA requirements. However, the rules require that if a Covered Entity uses a third party to collect, store or process information, a contract must be used to ensure appropriate use of the information. Thus, the server company in our example would enter a contract with the Covered Entity, restricting the purposes for which protected health information could be used and agreeing to safeguard such information from misuse. Because many bio-medical information system companies will serve as “business associates,” and not as Covered Entities, the contours of their privacy obligations may vary from engagement to engagement with the terms of their contracts.
While these restrictions do not present insurmountable obstacles for the development and growth of bio-medical information systems, the HIPAA privacy rules establish a framework in which companies in this developing area will inevitably have to operate. The unspoken trust on which many technology-health care provider partnerships are currently based will be increasingly reduced to contract, and the lines of accountability will be more clearly drawn
University Policies on Intellectual Property
A considerable amount of genetics research is conducted at universities, most of whom are quite aware of the potential for generating income from this research, through third party sponsorship of the research (by the Federal government and private industry) and from licensing the results for commercial purposes. This in turn has led to increased attention to universities’ policies on ownership of the results of research conducted by faculty and students (usually referred to as “IP Policies”). In general, most university policies make the university the owner of research results generated with funding that comes in through the university, or which is conducted using university resources: The Bayh-Dole Act of 1980, which established a uniform Federal policy in favor of allowing universities to own the results of government-funded research, opened the door for mutually-advantageous relationships between the government, universities, and corporations, enabling universities to profit from research results by licensing them to companies that could bring the results to market. Teaching hospitals, which are usually associated with universities and have significant research conducted by doctors and scientists, have similar policies or fall under the IP policies of the associated university. These policies have encountered varying degrees of controversy over the years, but are now generally well-accepted, particularly with the advent of professional licensing offices at universities and teaching hospitals which devote full time efforts to implementing licensing to commercial entities of technology developed by faculty.
However, in what may be the opening salvo in a new battle over IP rights, Steven Brenner, a rising star in the bioinformatics field, successfully conditioned his acceptance of a post at Berkeley on an agreement by the university not to apply its IP policies to his work on bioinformatics software development, leaving him free to distribute it under the open source movement, discussed later in this article.
Not surprisingly, given the academic and scientific ethos of advancing knowledge by sharing information widely, bioinformatics has become a locus of the open source movement, which advocates the open publication of source code. A notable example is found at www.bioinformatics.org , which describes itself as “a community focused on the freedom of information as it pertains to the biosciences.” Open source advocates are motivated – sometimes simultaneously – by a philosophical belief in favor of the free exchange of information, an economic argument that the results of federally-funded research should be available to the public without further cost, and the practical consideration that source code, if widely published, will give rise to a better product, as numerous contributors furnish improvements. The widespread adoption of the Linux operating system, among other examples, lends substantial support for the “better product” thesis.
However, developing software under an open source regime does not provide insulation from legal issues. First, there are numerous open source systems in existence. At one end of the spectrum are systems which focus on a “kernel” of open, unrestricted code, while allowing proprietary add-ons from which the developers can profit; at the other end are arrangements which put at risk the copyright on unrelated code distributed with the open source materials. It gets particularly complicated to make commercial use of software when its component modules are subject to different open source licensing systems. Second, the liability issues attendant on open source, where each module of a program may be the product of numerous contributors, can best be summed up by the aphorism “if everyone is responsible, no one is responsible,” meaning that any company planning on building a business around open source may be best off following the existing business models of making money on service, support and customization.
Additional Legal Concerns
In addition to the privacy and IP rights issues already discussed, the deployment of computer systems for bio-medical information systems implicates the liability issues associated with other computer systems, but often with new twists. For example, while software and system vendors routinely impose stringent limits on their liability for damages from defects or outright failure of their products, some types of liability are considered so extreme, in terms of magnitude, likelihood of litigation, or both, that the vendors seek protection beyond the traditional mechanisms of contractual warranty disclaimers, disclaimers of incidental, consequential and punitive and other damages, and overall damage caps, and require affirmative indemnification from the customer. This is often found in contracts for software for medical applications, and was an issue in the contracting for air traffic control systems.
However, even that model may not be sufficient for some of the new applications. Notably, computer-based data analysis can be used to detect disease patterns that may be the first sign of bioterrorism attacks. For example, analyses of visits to emergency rooms could show a localized increase in a particular set of symptoms, such as those of anthrax, that would not be expected to occur normally, and further spot a common thread among the patients, such as employment at a particular kind of government facility. But while the software that would perform this analysis would likely be used by a particular organization, for example, a health insurance company tracking the pattern of the claims it is paying, the actions taken in response to a pattern being detected will be done by a host of others, including local and federal government agencies, and the effects — economic and otherwise — will be felt by people well beyond the members of the organization. In such cases, the software licensee would be faced with liability it may view as greatly disproportionate to the cost of the software or the direct economic benefit from deploying the software, and be no more willing or able to take on indemnification obligations to the software vendor than the vendor is to accept the liability. In such cases, the nuclear power industry arrangements may be a useful model. There, the potential liability for a catastrophe is so large that Congress has mandated that the nuclear power industry fund an insurance pool, to cover situations where the liability for a nuclear incident exceeds the insurance coverage maintained by the plant where the damage occurs. The Federal government then steps in where the amount of the pool, added to the insurance of the plant that incurred the damage, is still insufficient.
The improvements to human health and welfare to be accomplished through the use of bio-medical information systems may turn out to be the most significant effects yet made to people’s lives through computing power. The legal developments that attend these changes promise to be equally significant.