[Ip-health] 21st Century Cures Act and the FOIA

James Love jamespackardlove at gmail.com
Thu Dec 8 23:41:18 PST 2016


One of the many issues in this dense and complex legislation.
---------- Forwarded message ----------
From: "Bob Gellman" <bob at bobgellman.com>
Date: Dec 9, 2016 02:35
Subject: 21st Century Cures Act and the FOIA
To: <FOI-L at listserv.syr.edu>
Cc:

There's a FOIA (b)(3) exemption in the 21st Century Cures Act just cleared
by the Congress and soon to become law.

SEC. 2013. PROTECTION OF IDENTIFIABLE AND SENSITIVE INFORMATION.

Section 301 of the Public Health Service Act (42 U.S.C. 241)
is amended by adding at the end the following:
(f)(1) The Secretary may exempt from disclosure under section 552(b)(3) of
title 5, United States Code, biomedical information
that is about an individual and that is gathered or used during the course
of biomedical research if—
    (A) an individual is identified; or
    (B) there is at least a very small risk, as determined by current
scientific practices or statistical methods, that some
combination of the information, the request, and other available data
sources could be used to deduce the identity of an individual.
(2)(A) Each determination of the Secretary under paragraph (1) to exempt
information from disclosure shall be made in writing
and accompanied by a statement of the basis for the determination.
    (B) Each such determination and statement of basis shall be available
to the public, upon request, through the Office of
the Chief FOIA Officer of the Department of Health and Human Services.

The most noteworthy thing here (if you ask me) is the requirement for a
report on the basis for a determination for exempting information from
disclosure.  I don't recall seeing any similar provision in a (b)(3)
statute before, but that's not to say that there are none.

This requirement for a publicly available determination may provide an
interesting model in the future for some new (and maybe some old) (b)(3)
statutes.  It would be better if the law required the determination to be
posted on the HHS website rather than made available upon request.  Maybe
HHS will do that anyway, maybe not.

On the other hand, I suspect that determinations will quickly become
standardized and are likely to say nothing much.  And on the third hand,
there's not much of a case to be made (IMHO) for disclosing identifiable
information about biomedical research participants.  In the end, I doubt
that there will be much of a need to invoke this protection.  All the
information exempted by the provision would be exempt from disclosure under
standard FOIA principles.  Whoever stuck this in the bill either didn't
know that or needed this language to silence a critic.

Finally, the standard for determining whether data is identifiable is
somewhat new, differing a bit from the standard in the HIPAA health privacy
rule.  There's a lot to be said about identifiability standards, but I
don't think it would be a great interest here.

Bob

-- 
Robert Gellmanbob at bobgellman.com
Privacy and Information Policy Consultant
Washington, DC 202-543-7923 <(202)%20543-7923>
(landline)https://www.bobgellman.com



More information about the Ip-health mailing list