October 18, 2018

Healthcare Regulatory and Privacy Issues in Reproductive Technologies and Big Data

Kimberly J. Gold, Reed Smith LLP, New York, NY, Anna Rudawski, Norton Rose Fulbright US LLP, New York, NY

Assisted reproductive technologies (ART) and Big Data are revolutionizing women’s health and the ways in which babies are conceived.  People who are trying to conceive or those simply interested in health tracking apps now have a plethora of options to choose from, nearly all of which involve the exchange of personal information for services.  Moreover, women who face fertility issues now have multiple options, from fertility tracking to egg freezing.  All of these technologies are ascendant, as medical advances push the boundaries of fertility later in life for both sexes.

Regardless of any bioethical arguments surrounding these new technologies, there is no denying that more and more individuals are using ART and “Big Data” (described in more detail below) to plan families or gather more insights into their health.  Presently, there are a multitude of startups popping up that are focusing on ART, and dozens of fertility tracking mobile apps are used each day to assist in family planning – not only to help couples conceive but also to help individuals more closely monitor their reproductive health.  Accompanying this technology is increased attention from researchers and venture capital.  The data collected via these technologies offer opportunities to bring advances to ART and reproductive health, and provide companies with the potential to unlock the financial value of this data.  It may also present new treatment options, especially in the case of understudied populations, such as pregnant women.  Nonetheless, considering the potential to monetize this data, there are concerns about how individuals’ privacy is protected, especially with what is undoubtedly sensitive data.

As of today, the practice of ART operates largely outside the purview of regulation.  Many research organizations and clinics are not directly subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA),1  nor is most of the data that individuals willingly supply through ART apps.  Therefore, many players in ART and Big Data relating to women’s health are only governed by a patchwork of laws and regulations that are often designed for other sectors. 

This article reviews the current state of healthcare and privacy regulation in this space, potential risks to ART data, and how the industry can benefit from medical advances rooted in this data.

Regulation of ART

ART is an area in which the law has not yet caught up to the technology, and some countries have outright banned such practices rather than attempt to regulate them.  For example, several European countries have prohibited egg donation and surrogacy.  The United Kingdom (UK), however, has taken a more proactive approach and created the Human Fertilisation and Embryo Authority in 1991 to oversee fertility treatment and research.  Further, the European Union (EU) General Data Protection Regulation (GDPR) more tightly regulates how the personal data of European data subjects is processed and gives individuals robust rights in connection with their data.2  Indeed, individuals in the EU will receive additional protections when their genetic, health and biometric data are processed, including more stringent standards around the collection, use and sharing of that data.  Moreover, individuals may be able to restrict the processing of their sensitive data or request that a data controller delete it entirely.

In stark contrast, the United States has no federal laws or regulations that directly regulate the practice of ART; rather, ART at the federal level consists of an assortment of statutes and rules that apply to some extent.3  For example, the Federal Clinic Success Rate and Certification Act (FCSRCA), enacted in 1992, requires all ART clinics to report pregnancy success rate data to the U.S. Centers for Disease Control and Prevention (CDC).4  The U.S. Food and Drug Administration (FDA) has regulatory authority over reproductive cells and tissues, as well as drugs and medical devices that may be used in ART,5 but as is typical of federal laws, it does not, as a practical matter, regulate the practice of ART.

Many wrongfully assume that ART is regulated by HIPAA because it encompasses health data.  But HIPAA’s impact is limited and often does not apply, as noted above.  Adding to the confusion are state healthcare regulatory and privacy laws that differ from each other. For example, The View Co-Host Sherri Shepard’s surrogacy case involved a child support case in California, a divorce case in New Jersey and a parentage challenge in Pennsylvania.6  Each case was filed in a state where one of the affected parties resided.  The case highlighted the lack of rules or consistent rules among states. 

Without a common thread across states, the industry is effectively self-regulated.  In more complicated cases, there is a need to address multi-jurisdictional legal issues that emerge when the parties involved reside in multiple states.  As mentioned, it is no longer unheard of to have an egg donor, sperm donor, surrogate and parents all residing in different states.  The national, and at times international, headaches this causes form the basis of numerous disputes and point to a need for established and consistent rules. 

But right now, the United States lacks comprehensive clinical and ethical guidelines for practitioners who are providing ART care.  This is, in part, due to the difficult ethical issues associated with the science, but also from a lack of consensus on how to regulate it generally.  This disagreement is evident in the state of insurance coverage; per the CDC, only 15 states have enacted legislation requiring private insurers to cover some or all costs associated with infertility treatments.7

From a privacy perspective, the tide may be changing.  Legislation recently passed in California, the California Consumer Privacy Act (CCPA), will take a European approach to data regulation.8  The law, which will apply to nearly all data collected on California residents, will likely change the regulatory regime in the United States.  California, on its own, could be one of the largest economies in the world, and entities that choose to do business in the United States may be forced to use California as a baseline.  Although the CCPA provides exceptions for entities with data on less than 50,000 consumers, the law will still apply to entities with over $25 million in annual gross revenue.9  Given the rapidly expanding financial impact of this field, even small-to-medium size organizations may be impacted.  And as several high-profile articles have shown, California is a hub for older first-time parent populations.10  This trend is undoubtedly accompanied by a growing reliance on ART.

Thus, like in other sectors, ART providers should be looking ahead and planning for more European-style privacy regulations.  Although the United States is unlikely to move away from a sectoral or patchwork approach to privacy, individuals and regulators have demonstrated that health data should be approached with more stringent controls. 

ART and Big Data

ART is not only big money – it is also Big Data.  Big Data is often defined by the three “Vs” – volume, variety, and velocity.  “Volume” is obvious – it’s the amount of data.  “Variety” refers to the huge variation in data sets available – data can be anything, such as personal information, Facebook posts, browser history, Uber ride histories, etc.  “Velocity” is the speed at which data can be collected, used, and analyzed.  Velocity has largely been enabled by advanced processing technologies, increased computing power, and artificial intelligence.  In the context of ART, new data sets that can be transformed into Big Data are now available. 

A tremendous amount of information, mostly sensitive, is collected through apps or in the course of providing ART to individuals.  Consider fertility tracking apps like Clue and Fertility Friend, which capture data about women’s menstrual cycles, sexual activity, pregnancy status, miscarriages, and more.  Forums on apps like Kindara allow women to share stories about their fertility journeys.  There is clearly a huge demand for these technologies and the data garnered from ART.

In this context of Big Data and potential medical discoveries, it is easy to lose track of the deeply personal data that is at stake.  Many individuals seeking the help of ART are already in vulnerable positions – they are seeking help after being unable to conceive, or perhaps see surrogacy and egg donation as a way to help families and earn money.  To give but one example, numerous organizations advertise egg donation as a way for young women to pay off their student debt.11  Individuals in vulnerable positions may consent to things they otherwise might not tolerate with their genetic data -- such as allowing it to be used by unknown third parties or for poorly defined research purposes.  Therefore, in order to avoid liability under data protection and consumer protection laws in the United States and abroad, app developers and professionals in this field must ensure that notice and consent are clear and robust.  Individuals should know what happens to their data after they leave a fertility clinic or provide it to an app, such as how it is shared and whether it is sold to third parties.  Just recently, in August 2018 UK data protection authorities fined an app that provides information and advice on pregnancy and childcare.  The app was fined for illegally selling data to Experian, which in turn used the data for targeting young mothers with political campaign ads.  Because that use of the data was not disclosed to users, the data protection commissioner fined the app £140,000.12

Another concern is the risk of data breaches.  Although many individuals are suffering from breach fatigue from the sheer number of notices they receive from companies that have experienced data breaches, individuals have been quick to act when their highly sensitive data is compromised.  In 2016, the fertility tracker app Glow was found to have serious security flaws that shared highly sensitive data on pregnancies, miscarriages, and treatments with other Glow users.13  Although the compromise was limited in scope, it still raises serious concerns about how this data is protected.

Also worth noting, particularly in the United States, is the threat of class action litigation.  While some plaintiffs have been unable to show that fallout from a data breach creates harm, several cases in the healthcare sector have been able to overcome that threshold.14  This is largely because harm from disclosure of health information is often apparent and irrevocable; it typically cannot be rectified with notice and credit monitoring.  Furthermore, there is a harm associated with publication of more stigmatized conditions, such as infertility.  Therefore, any significant breach of this type of data is likely to be ripe for class action litigation.

Opportunities Offered by ART, Overcoming an Historical Lack of Data

While this article recounts the risks and lack of regulation, there are obvious benefits to reproductive technologies and data collection on women’s reproductive health.  First, the technology itself has helped millions of couples around the world have families.  Second, conditions that affect women have been underrepresented in clinical research.  For years, women’s health has suffered from underinvestment.  The availability of this data can be a boon to researchers.  There are countless examples of conditions where doctors and scientists lack understanding, such as endometriosis and polycystic ovarian syndrome (PCOS).  Both of these conditions are cited as frequent culprits in infertility, yet remarkably little is known about them.  Even PCOS, which is thought to affect up to 12 percent of women of reproductive age, has no firm diagnostic criteria.15  Information gathered through ART, including from ART apps, could help provide better information to enable researchers to develop more new treatments as well as allow healthcare practitioners to diagnose women more accurately and provide more effective therapies.

Also, because of ethical restrictions, very few studies have ever been conducted on pregnant women.  As of this writing, only two medications have been approved by the FDA to treat pregnancy complications.16  Nearly all drugs prescribed to pregnant women, therefore, are “off-label.”17  The lack of research, or even data collection of how these drugs are used, can leave doctors treating women based on guesswork rather than on data.  Researchers have actually coined a term for pregnant women – “therapeutic orphans” – because their participation in clinical trials is limited and very little data is collected from them.  However, the FDA has issued draft guidance with recommendations on how and when to include pregnant women in clinical trials for drugs and biologics.18  Even so, researchers have not been able to sufficiently capitalize on real-time data collection from women who use drugs off-label.  New technology, even including apps, and the ease with which research data can be aggregated can be leveraged to determine treatments that are effective during pregnancy and what medications are safe for prenatal use. 

Right now, the CDC estimates that fewer than “10 percent of medications have enough information to determine their safety for prenatal use.”19  This means that doctors essentially conduct experiments of one, with no clinical significance.  The FDA is working to alleviate this problem.  Recognizing the potential importance of this data, the FDA has created pregnancy registries which seek to collect data from women who take prescription medications and vaccines during pregnancy.20 Currently, the FDA is collecting information on a huge range of drugs essential to women’s health that must be continued through a woman’s pregnancy, such as medications for asthma, diabetes and cancer.  Women living with serious health conditions often have no choice but to continue treatment.  This data can provide valuable insights about what medications are safest during pregnancy and provide better outcomes for mothers and newborns.

Thus, while there are risks related to the collection of this data, it is undeniable that there are potentially huge upsides to using Big Data to help women who are or may become pregnant. 

Conclusion

Like most new technologies, ART and Big Data of this kind present opportunities and challenges.  Because the regulation is behind the technology, organizations that work in this field should invest in technologies that are designed with privacy best practices in mind.  While regulation does not provide a comprehensive answer, nor is it necessarily the only option, the world’s strictest data protection laws, such as those in Europe, do provide a benchmark for companies looking to use this data while also protecting the individuals who provide it.  After all, this type of data deals with some of the most private and intimate information and it deserves to be protected and used to help women, families, and healthcare practitioners.

***

Kimberly J. Gold is a partner in Reed Smith’s Life Sciences Health Industry Group, and co-leads the firm’s HIPAA and Health Privacy & Security Practice. She focuses on transactional, regulatory, data privacy and cybersecurity matters, primarily for healthcare and life sciences companies.  She provides privacy and security advice in connection with corporate/M&A and technology transactions, regulatory investigations, vendor management, and incident planning and response.   Ms. Gold’s practice also involves counseling healthcare and life sciences companies on regulatory and compliance matters, including developing and implementing compliance programs, defending clients in government investigations, and advising on regulatory and privacy considerations in connection with clinical research initiatives. She may be reached at kim.gold@reedsmith.com.

* * *

Anna Rudawski advises clients in the financial services, healthcare, and technology industries on data protection, privacy, cybersecurity, and governance issues. Her expertise encompasses the secure handling of confidential and personally identifiable information, as well as compliance with international, federal and state privacy regulations including HIPAA, CAN-SPAM and GDPR. She has worked closely with companies to audit their privacy practices, conduct privacy impact assessments, and map the use and processing of personal information. Ms. Rudawski has also advised companies on cross border data issues and the use of data transfer mechanisms.  She may be reached at anna.rudawski@nortonrosefulbright.com.

* * *

1

See HHS’s website at https://www.hhs.gov/hipaa/index.html. HIPAA governs how certain entities process health information in the course of providing treatment and related services.  It also provides individuals certain rights in connection with information collected by entities subject to HIPAA.

2

See https://www.eugdpr.org/ for the complete text of the regulation.  GDPR was designed to “to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Id.

3

See Ima E. Nsien, Navigating the Federal Regulatory Structure of Assisted Reproduction Technology Clinics, ABA Health eSource (Vol. 14 No. 3), https://www.americanbar.org/groups/health_law/
publications/aba_health_esource/2016-2017/november2017/reproduction.html.

4

See The Fertility Clinic Success Rate and Certification Act, Centers for Disease Control and Prevention, https://www.cdc.gov/art/nass/policy.html (last visited Aug. 14, 2018). 

5

See Nsien, supra n. 3.

6

Jessica Grose, The Sherri Shepherd Surrogacy Case Is a Mess. Prepare for More Like It., http://www.slate.com/blogs/xx_factor/2015/04/28/sherri_shepherd_surrogacy_case_there_s_little_consensus_on_the_ethical_dimensions.html (Apr. 28. 2015).

7

ART and Insurance, Centers for Disease Control and Prevention, https://www.cdc.gov/art/key-findings/insurance.html (last visited Aug. 14, 2018).

8

See Press Release, California Consumer Privacy Act, AB 375 Signed – Californians for Consumer Privacy Applauds Successful Passage of Groundbreaking Legislation (Jun. 28, 2018), https://www.caprivacy.org/post/ab-375-signed-californians-for-consumer-privacy-applauds-successful-passage-of-groundbreaking-legislation.

9

See AB375 dated Feb. 9, 2017, https://leginfo.legislature.ca.gov/faces/billVersionsCompareClient.xhtml?bill_id=201720180AB375&cversion=20170AB37599INT.

10

See, e.g., Quoctrung Bui And Claire Cain Miller, The Age That Women Have Babies: How a Gap Divides America, The New York Times (Aug. 4, 2018), https://www.nytimes.com/interactive/2018/08/04/
upshot/up-birth-age-gap.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=
first-column-region&region=top-news&WT.nav=top-news.

11

Here is just one website advertising egg donation as a way to pay down student debt: https://www.extraconceptions.com/egg-donation-student-debt/.

12

Press Release, Emma’s Diary fined £140,000 for selling personal information for political campaigning, Information Commissioner’s Office (Aug. 9, 2018), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/08/emma-s-diary-fined-140-000-for-selling-personal-information-for-political-campaigning/.

13

Lora Kolodny, Series Privacy Flaws Discovered in Glow Fertility Tracker App, TechCrunch (Jul. 30, 2016), https://techcrunch.com/2016/07/30/serious-privacy-flaws-discovered-in-glow-fertility-tracker-app/.

14

For example, in 2017 the insurer Anthem agreed to a record-setting $115 million settlement of class action data breach litigation resulting from a 2015 cyberattack. Brendan Pierson, “Anthem to pay record $115 million to settle U.S. lawsuits over data breach,” Reuters (Jun. 23, 2017), https://www.reuters.com/article/us-anthem-cyber-settlement/anthem-to-pay-record-115-million-to-settle-u-s-lawsuits-over-data-breach-idUSKBN19E2ML.

15

PCOS and Diabetes, Heart Disease, Stroke…, Centers for Disease Control and Prevention, https://www.cdc.gov/diabetes/library/spotlights/pcos.html (last visited Aug. 14, 2018); PCOS: An Infertility Issue that is Little Understood, New York Times, (Nov. 24, 2014), https://well.blogs.nytimes.com/2014/11/24/pcos-an-infertility-issue-that-is-little-understood/.

16

FDA Approved Drugs by Medical Condition, Pregnancy Complications, https://www.centerwatch.com/drug-information/fda-approved-drugs/medical-conditions/P.

17

Most Drugs Aren't Tested on Pregnant Women, ProPublica (May 26, 2016), https://www.propublica.org/article/most-drugs-not-tested-pregnant-women-anti-nausea-cure-why-thats-a-problem.

18

Pregnant Women: Scientific and Ethical Considerations for Inclusion in Clinical Trials Guidance for Industry (Draft), U.S. Department of Health and Human Services Food and Drug Administration (Apr. 2018), https://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/
UCM603873.pdf (last visited Aug. 14, 2018).

19

Treating for Two: Medicine and Pregnancy, Centers for Disease Control and Prevention, https://www.cdc.gov/pregnancy/meds/treatingfortwo/facts.html (last visited Aug. 14, 2018).

20

Pregnancy Registries, US Food and Drug Administration, https://www.fda.gov/ScienceResearch/SpecialTopics/WomensHealthResearch/ucm251314.htm (last visited Aug. 14, 2018).