Policy Science

Policy Memo: Genetic Privacy Consumer Protections

By , and
Growth of Direct-to-Consumer Customers 2013-2019. Source

In April 2020, two teams of ProSPER members participated in the National Science Policy Network‘s policy memo competition. This is the memo by Hannah Frye, Emilee Kotnik, and Rachel Rahn; the memo by Ananya Benegal, Kevin Blake, and Lauren Koenig can be found here.

Executive summary

Direct-to-consumer genetic testing companies have become increasingly popular in the U.S. as DNA sequencing technology has become more advanced and less expensive. But this growth in the market comes with increased risks for consumers who have their unique and personal genetic information shared with companies and public databases. Currently there are no federal protections for consumers to protect their right to privacy regarding their genetic data when it is obtained by private companies. This leaves consumers vulnerable to companies sharing their genetic information with other entities and can have implications for consumers’ identity, family members, and wellbeing. Federal regulations like the Genetic Information Nondiscrimination Act (GINA) and the Health Insurance Portability and Accountability Act (HIPAA) provide regulations for how genetic information can be used and shared, but these laws do not apply to commercial direct-to-consumer genetic testing companies. We recommend that these already existing federal laws be amended to include any company that obtains genetic sequencing information.

Statement of the issue

In the United States, commercial genetic tests have become more popular and widely available, as the cost of testing has decreased and the number of companies offering direct-to-consumer (DTC) genetic testing has increased. Ancestry.com, just one company in the DTC genetic testing market, claims to have DNA-tested more than 16 million people.1 Figure 1 demonstrates the estimated number people that have used DTC testing services and its expansion over recent years. However, consumers’ personal genetic information, when shared with DTC genetic testing companies, is not protected under federal law. This creates the potential for personal genetic information to be commercialized and distributed without the informed consent of consumers.

There are only limited policies currently in place to protect individuals’ genetic information and protect consumers from incorrect application of these testing results.5 Both the American Medical Association (AMA) and Centers for Disease Control and Prevention (CDC) have expressed concern about the risk of DTC genetic testing results being misinterpreted. The AMA claims that results can be difficult to interpret without a physician’s or genetic counselor’s help, and the CDC cautions that these are not diagnostic tests and do not guarantee the presence or absence of a disease.3,4 The possibility that without oversight, individuals’ data could then be leveraged and interpreted inappropriately for commercial purposes is a serious danger to individuals’ privacy.

Genetic data is different in nature from most personally identifiable health information, since it cannot truly be de-identified as its code is unique to every individual.8 Genetic information can also provide details about immediate or extended family member’s genetic makeup, which raises questions regarding consent. While the individual undergoing a commercial genetic test may agree to the testing company’s terms and conditions, their immediate relatives, whose genetic information could be surmised from the customer’s details, have not provided consent. In 2018, a research study found that 60 percent of Americans of European descent could have their DNA matched to a third cousin or closer relative, using the 1.28 million samples available in a consumer gene database.5 That number has only risen in recent years, but the exact number of individuals represented in consumer gene databases is not known because of the lack of required transparencies. Consumer companies dealing with genetic information are not required to disclose the number of DNA samples they have collected or banked. Therefore, many Americans’ genetic information may be available, in part, through their relatives and reasonable inferences about their disease risk and other genetic factors can be made and distributed without their consent.

Political and Legal status

Currently there are no federal laws to specifically protect one’s genetic privacy, but there are some laws that regulate how genetic data can be used. The Genetic Information Nondiscrimination Act (GINA) protects individuals from discrimination based on their genetics by prohibiting employers and health insurers from using genetic information in their decisions or asking for or buying genetic information from individuals or their family members.7 However, GINA does not apply to life, disability, or long-term care insurance and does not cover privacy concerns.

The Health Insurance Portability and Accountability Act (HIPAA) passed by Congress in 1996 protects the privacy of individuals’ medical information in the U.S. healthcare system.6 Genetic information does not fall under the HIPAA checklist safe harbor for de-identification, but it does qualify as Protected Health Information (PHI).7,8 This means there are limits on when and with whom genetic information can be shared by health providers and insurance companies. However, private DTC companies that collect genetic information, such as 23andMe, do not fall under entities that must follow HIPAA regulations, which leaves customers of DTC genetic testing agencies vulnerable.7,8

Federal genetic privacy laws have been proposed, the most recent of which was the Genetic Information Privacy Act of 2019 (H.R.2155) introduced in the House of Representatives Representative Bobby Rush (D-IL-1) in the 116th Congress session.9 The Act states that any “genetic testing service”, defined as any entity that conducts a genetic test to consumers or analyzes genetic information from genetic tests given directly to consumers, cannot disclose this genetic information to third parties or conduct research without expressly informed consent. This bill was referred to the Subcommittee of Consumer Protection and Commerce in April 2019, but was never voted on in the House.9 Genetic privacy laws vary from state-to-state, and a total of 18 states have laws with specific penalties for violating genetic privacy and 26 states require consent to disclose genetic information.10

Policy Options

Option 1: Expand the definition of covered entities for HIPAA to include companies which provide, analyze, and store data from DTC genetic testing services. This would mandate DTC genetic testing companies to follow the HIPAA Privacy and Security Rules to protect consumer genetic data as PHI. As genetic data obtained even for the purposes of investigating ancestry, ethnic background, or other consumer interests can contain medically relevant data, genetic testing for these reasons would still necessitate HIPAA compliance.

i.i. Advantages: Genomic and genetic data obtained in a clinical setting is already covered by HIPAA protections, therefore an expansion of the definition of covered entities to include DTC genetic testing companies would further protect consumer genetic data using regulations already integrated into the current healthcare system. In addition, the federal Health and Human Services Office of Civil Rights would be granted enforcement authority over DTC genetic testing companies to ensure compliance with the Privacy and Security Rules.

i.ii. Disadvantages: DTC genetic testing companies will likely be resistant to government oversight over private sector business in the United States. This would require investment of significant resources by these companies to ensure HIPAA compliance, which may be difficult for smaller startup enterprises. In addition, this could severely limit the ability of researchers to access large datasets of genetic information.

Option 2: Modify the Genetic Information Nondiscrimination Act (GINA) to include restrictions on how genetic information can be shared with employers and insurance agencies. Currently, GINA only protects individuals from genetic discrimination, it does not protect the privacy of this information. GINA can be amended to further limit the sharing of genetic information with employers and insurers and require explicit consumer consent in order for genetic testing companies to share genetic data.

ii.i. Advantages: This would provide some protections for consumers using DTC genetic testing services over how their genetic information is shared and with whom their genetic data is shared. In addition, this would strengthen consumer control over their distribution of their genetic data.

ii.ii. Disadvantages: GINA is already quite limited in scope, as it only applies to genetic discrimination in health insurance and employment prior to the onset of symptoms. Therefore, amending GINA to improve genetic privacy would still leave many gaps in how this data is protected and under what circumstances these protections will apply to consumers.

Option 3: Pass the Genetic Information Privacy Act of 2019 H. R. 2155. In the spring of 2019, Congressman Bobby L. Rush proposed this bill to the House Committee on Energy and Commerce. This bill seeks to require consumer consent for 3rd party distribution of personally identifiable genetic information, ensure notification to both new and existing customers about consumer genetic privacy rights, and grants enforcement authority for the protection of consumer genetic information to the Federal Trade Commission and State attorneys general.

iii.i. Advantages: H.R. 2155 would require DTC genetic testing services to obtain explicit consent for sharing genetic information with third parties. In addition, H.R. 2155 specifies that companies cannot require that consumers must consent to share genetic information in order to for the company to provide genetic testing services. Finally, this bill would enable consumers with the ability to consent to share genetic data for research purposes, which is critical for many population-wide genetic studies.

iii.ii. Disadvantages: Following the proposal of H.R. 2155 to Congress in April of 2019, no publicly available action has been taken to bring this bill to a vote in the House of Representatives. Regarding the content of the bill, data security requirements for the storage and distribution of genetic information are only vaguely specified.

Option 4: Inaction. Multiple states have already set up state-level genetic privacy laws with varying levels of protections for consumers of DTC genetic testing services.

iv.i. Advantages: Private businesses and individual states will be allowed to set in place policies which grant them greater flexibility in how they collect and secure genetic health information, and states will be able to tailor policies to the interests of their constituents. In addition, this information would be more accessible for researchers looking to study large amounts of genomic and genetic data.

iv.ii. Disadvantages: Leaving genetic privacy policies to the states or the courts will result in inconsistent, if any, protections for the genetic privacy of individuals. In addition, genetic information on individuals also contain significant familial information, and family ties often stretch across state borders, leading to inconsistencies in how family genetic privacy is handled across states with different policies for genetic privacy.

Policy Recommendation

We recommend that the definition of “covered entities” for HIPAA compliance be expanded to include DTC genetic testing companies. Patients’ genetic information is already protected under HIPAA when genetic testing is conducted in a healthcare setting, and HIPAA has comprehensive systems in place to ensure the privacy and security of PHI. Therefore, amending the definition of HIPAA covered entities to include DTC genetic testing companies will provide improved protections for consumers through the utilization of pre-existing regulatory systems.

DTC genetic testing services can provide valuable information on ancestral origin, familial heritage, and personal identity, but without adequate privacy protections this information can come at great risk to consumers. Therefore, DTC genetic testing companies must be held to a higher standard to protect consumers’ genetic information.

References

  1. “Company Facts”, Ancestry.com, Accessed 30 Mar 2020. https://www.ancestry.com/corporate/about-ancestry/company-facts
  2. “Consumer Genetic Testing Is Gaining Momentum”. Statista, Accessed 13 April 2020. https://www.statista.com/chart/17023/commercial-genetic-testing/
  3. “Direct-to-consumer genetic testing,”AMA-Assn.org. Accessed 30 Mar 2020. https://www.ama-assn.org/delivering-care/precision-medicine/direct-consumer-genetic-testing
  4. Khoury, Muin J.  2017. “Direct to consumer genetic testing: Think before you spit, 2017 edition!” Centers for Disease Control and Prevention. Accessed 30 Mar 2020. https://blogs.cdc.gov/genomics/2017/04/18/direct-to-consumer-2/
  5. Erlich, Yaniv, Tal Shor, Itsik Pe’er, and Shai Carmi, “Identity inference of genomic data using long-range familial search.” Science362 (2018): 690-4. Accessed 29 Mar 2020. doi: 10.1126/science.aau4832.
  6. “Health Information Privacy.” HHS.gov, Accessed 29 Mar 2020, https://www.hhs.gov/hipaa/index.html
  7. Institute, N. H. G. R. 2020. “Privacy in Genomics.” Retrieved April 10, 2020, 2020, from https://www.genome.gov/about-genomics/policy-issues/Privacy.
  8. “Genetic Information Privacy.” Retrieved April 10, 2020, from https://www.eff.org/issues/genetic-information-privacy.
  9. Rush, Bobby L. 2019. “H.R.2155 – 116thCongress (2019-2020): Genetic Information Privacy Act of 2019” Congress.gov. Accessed 13 April 2020. https://www.congress.gov/bill/116th-congress/house-bill/2155/text
  10. “State Genetic Privacy Laws”.National conference of State Legislatures, Accessed 13 April 2020. http://pierce.wesleyancollege.edu/faculty/hboettger-tong/docs/hbt%20public%20folder/FYS/State%20Genetic%20Summary%20Table%20on%20Privacy%20Laws.htm

Leave a Reply

Your email address will not be published. Required fields are marked *