Originally published in Healthcare Michigan, Volume 40, No. 6
As the intersection of technology and healthcare grows more nuanced, the field of genomic medicine is rapidly evolving and expanding. Genomic medicine, a form of personalized medicine, uses the information encoded in the base sequence of an individual’s genome to guide healthcare decisions. This revolutionary field promises immense benefits to patients, researchers, and healthcare providers. Nevertheless, it brings with it a number of complex privacy concerns that must be adequately addressed in law to ensure that patient data remains confidential and secure.
This article examines the current legal landscape, identifies the unique challenges genomic data privacy poses, and explores the opportunities for developing legal frameworks for genomic medicine.
Genomic Data and Privacy Concerns
Genomic data is sensitive personal information that can reveal not just an individual’s current health status but also potential future health risks, including predispositions to specific genetic conditions. It can also reveal information about an individual’s family members, which extends privacy considerations beyond the individual.
These features create privacy challenges unique to genomic data, chief among them its highly predictive nature and its permanence. Unlike other health data, which changes with lifestyle and environmental factors, an individual’s genome does not change over time, and, identical twins aside, each person’s DNA sequence is unique. A sample or sequence is therefore inherently identifying and cannot be reliably anonymized, which heightens both the likelihood and the impact of unauthorized access or misuse.
Current Use and Sharing Landscape
Currently, genomic information is used in a number of ways, including by the legal system and law enforcement agencies to investigate and adjudicate criminal activity. Viewers of CBS’s CSI television franchise will find this familiar, as genomic tools are a staple of criminal forensic analysis.
Another increasingly popular form of genomic sharing is through Direct-to-Consumer (DTC) genetic testing companies, such as 23andMe and AncestryDNA, to which individuals voluntarily provide a DNA sample for analysis of their genetic ancestry.
In fact, 23andMe shared data with GlaxoSmithKline for drug development purposes, and in 2018 23andMe was investigated by the Federal Trade Commission (FTC) over its privacy practices. Although the inquiry was closed after the FTC determined the company followed best practices for data privacy, the episode underscores the need for a more robust legal framework governing the collection and sharing of such data: “best practices” are not legal requirements, and, notably, 23andMe was not required to comply with the Health Insurance Portability and Accountability Act (HIPAA) when sharing genomic data with GlaxoSmithKline. Here is why.
Current Legal Landscape
Current laws do not adequately address the specific nature of genomic data. In the U.S., three main laws govern genomic data: (1) the Common Rule, which establishes the ethical baseline for federally funded human subject research; (2) HIPAA; and (3) the Genetic Information Nondiscrimination Act (GINA). All three attempt to balance patient privacy on one hand against scientific progress on the other.
HIPAA is the primary legal safeguard for health information in the United States. It limits when protected health information (PHI), which includes genetic information, can be shared and with whom, but data that has been de-identified under HIPAA’s standard is no longer PHI and carries no such limits. This de-identification carve-out is one of the main issues with genomic data sharing: the Safe Harbor method removes eighteen enumerated identifiers such as names, dates, and addresses, and a DNA sequence is not explicitly among them, so a dataset can satisfy Safe Harbor while still containing the one attribute that is unique to the person.
While HIPAA provides certain protections for genetic information, its reach is limited to “covered entities” (health plans, healthcare clearinghouses, and providers that transmit health information electronically) and their business associates. The reality is that genomic data is often generated by entities outside that perimeter, such as DTC genetic testing companies and many research institutions, leaving a significant amount of genetic data unprotected.
Even with the FTC’s oversight, the fact remains that the FTC is limited to enforcing Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices. In the privacy context, that has mostly meant acting against companies whose statements about their data privacy and security practices, typically in their website privacy policies, prove false or misleading. Section 5 does not prescribe any particular level of safeguards for genomic data or prohibit particular types of data sharing; absent a misrepresentation, or a practice the FTC can characterize as unfair, it supplies no affirmative standard.
Similarly, GINA provides only limited protection against the misuse of genetic information, and it is focused primarily on discrimination by employers and health insurers. GINA does not cover long-term care insurance, life insurance, or disability insurance.
As such, the current regulatory environment fails to fully account for the unique characteristics of genomic data, leaving gaps in privacy protection that can lead to misuse and unauthorized disclosure.
Genomic data is frequently used for research, often without the explicit consent of the individual. While de-identified data may be used for this purpose, the risk of re-identification is never eliminated.
As set forth above, de-identification of genomic data is one of the main concerns with genomic data privacy. Identifying the individual from whom genomic data was taken can have significant consequences, including the social stigma attached to certain mental health conditions, disclosure of genetic risk markers such as the APOE variants associated with Alzheimer’s disease or the BRCA1 and BRCA2 mutations associated with breast and ovarian cancer, and the identification of sperm donors as biological parents, to name just a few. Because genetic markers are shared within families, the privacy issues are not limited to the person from whom the sample was taken and extend to their blood relatives.
Current laws often do not require specific consent for secondary uses, creating a gap in individual control over genomic data. Nor do they require relatives to consent to the collection of genomic data that also describes them, even though, given the permanence of genomic data, a privacy breach can affect relatives, including those not yet born.
Another privacy issue is the ownership of genomic data, which current legal frameworks do not clearly define. Some laws imply that the individuals from whom the data was collected should own and control it, while some commentators argue that the organizations that collect and process the data should. The issue is more settled outside the United States, including in the European Economic Area (EEA), where the General Data Protection Regulation (GDPR) classifies genetic data as a special category of personal data and gives individuals explicit rights of access, erasure, and objection over it, even though it, too, stops short of declaring who owns the data.
A number of U.S. states, including California and Colorado, are making strides toward more control, but the question of whether individuals own their genomic data, and thus can control its use and sale, is largely unaddressed.
Another concern is that genomic data is frequently transferred across borders, especially in international research collaborations, and data protection laws vary considerably between jurisdictions. Transfers from the EEA to the U.S. are a recurring example: the U.S. has no general adequacy decision, and the European Commission’s July 2023 adequacy decision covers only organizations certified under the EU-U.S. Data Privacy Framework, so for everyone else standard contractual clauses or similar measures are required before such data can be transferred. While this sounds simple, the mechanisms for legally transferring data internationally are complex and often do not specifically address the nuances of genomic data.
Given the sensitivity and permanence of genomic data, data security is of paramount importance. Yet, outside the HIPAA Security Rule safeguards required of covered entities and their business associates, current laws rarely set specific security standards for genomic data, leaving a risk of data breaches and unauthorized access.
Genomic data is valuable not just for current health care and research but also for future studies. As such, it is often stored for extended periods. However, legal standards for the long-term storage of genomic data, including data security and consent for future uses, are often lacking.
Considering the current challenges, we find ourselves at a crucial crossroad where we must adapt our legal systems to better protect genetic privacy. This requires embracing innovation and creating comprehensive and adaptive regulatory frameworks, including the following:
- Expanding the Scope of Existing Legislation: HIPAA and GINA should be amended to broaden their scope to include genomic data generated outside traditional healthcare settings. Alternatively or in addition, new laws should be passed addressing the issue. While some states are taking up the charge, those laws are typically consumer-facing and do not provide for the same level of consent and security protections that HIPAA requires.
- Enhancing Data Security Standards: Laws should enforce higher data security standards tailored explicitly for genomic data, given its sensitive nature. The use of de-identified genomic data should also be regulated to prevent re-identification.
- International Cooperation: Genomic data often crosses borders, necessitating international agreements on privacy standards and protections, including Standard Contractual Clauses under the GDPR. This is increasingly important when transferring data to the U.S. Harmonizing data privacy laws across jurisdictions would streamline research collaboration while ensuring robust privacy protection.
- Establishing Genomic Data Ownership: Clarifying legal ownership and control of genomic data can empower individuals to control how their data is used, including the right to withdraw their data from certain uses.
While the challenges are significant, the opportunities genomic medicine presents for advancing healthcare are vast. Legal frameworks must evolve to keep pace with technological advancements and ensure that the promise of genomic medicine does not come at the cost of privacy and security. Only through thoughtful legislation and regulation can we protect patient privacy while encouraging innovation in this exciting field of medicine.
About the Author:
Sara H. Jodka (Member, Columbus) is a member of the firm’s labor and employment department and regularly counsels employers and litigates all types of employment-related cases. Sara is the editor of the firm’s All Things HR Blog and the Chair of the Ohio State Bar Association’s Labor and Employment Section Council. She can be reached at 614-744-2943 or SJodka@dickinsonwright.com. Her biography can be viewed here.