You’re Covered, Your Data Aren’t
A Data Privacy Policy Brief
From: American College of Medical Genetics and Genomics (ACMG)
To: The Office for Civil Rights (OCR)
Background
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to “address the use and disclosure of individuals’ health information – called ‘protected health information’…” [5]. This protected information was all “individually identifiable health information,” including demographic data, data about an individual’s health care treatment, and genetic information. At the time, the Human Genome Project was in its infancy and the concept of direct-to-consumer (DTC) genetic testing was a pipe dream, so it’s understandable that these protections didn’t include companies that collect genetic information. However, almost three decades after HIPAA’s enactment, nearly one in five Americans have taken a DTC genetic test, and HIPAA’s protections still don’t include genetic information from outside of a clinic, despite DTC companies using Clinical Laboratory Improvement Amendments (CLIA) accredited labs and having FDA approval [6]. This means that companies that offer DTC testing can share customers’ genetic information, which has implications for the customer as well as their families. In fact, using only publicly available anonymized results from DTC tests, about 60% of individuals of European descent can be identified down to a third cousin or closer [2]. Ethically, this is a matter of nonmaleficence. Since health care providers must do no harm, DTC genetic testing companies, which have access to the most personally identifiable information, should be held to the same expectation legally.
We at the American College of Medical Genetics and Genomics recommend amending HIPAA to include all companies that collect, analyze, or share genetic information, so that these companies are legally bound to meet the same privacy standards as healthcare organizations. Genetic information here includes, but is not limited to, DNA and RNA sequence data, single nucleotide polymorphisms (SNPs), alterations or variations to DNA or RNA, ancestry data, family history, and other results that come from an individual’s biological sample.
Support
Several states have implemented policies to provide the protections lacking from HIPAA. In Utah, S.B. 227 was signed into law in 2021 to protect genetic data collected through DTC genetic testing; Arizona enacted a genetic information privacy law in April 2021; and Florida has had H.B. 833, aka the Protecting DNA Privacy Act, since October 2021 [3, 4, 8]. Most recently, California established the Genetic Information Privacy Act (GIPA), effective January 1, 2022, to address the potential “unintended security consequences” and the “growing concern in the scientific community that outside parties are exploiting the use of genetic data for questionable purposes, including mass surveillance and the ability to track individuals without their authorization” [7]. With the scientific community having these concerns, how is the everyday citizen supposed to feel? GIPA alleviates some of these concerns for residents of California by requiring express consent for collecting genetic data, including a description of who has access to the data, storage of the biological sample, each use of the data or sample, and each transfer of the data or sample; by mandating that a withdrawal of consent be honored in a timely manner; and more. Some DTC companies have similar policies as part of their best practices, but why shouldn’t these protections exist commonly and be enforceable? California managed to enact this legislation without a single no vote, and some of the leading DTC genetic testing companies are supportive of national privacy legislation [7]. 23andMe even advertises its support and role in implementing genetic privacy laws in Arizona, California, and Utah [1]. However, regardless of the support and existing examples, these concerns remain unaddressed by the federal government, even though a clear solution exists.
Recommendation
The HIPAA privacy rule should be amended to apply to DTC genetic testing companies by making them covered entities, thereby implementing these protections nationally. The HIPAA privacy rule establishes procedures to protect personally identifiable health information and applies to health plans and health care providers, but these protections should be extended. DTC companies have best practices in place that are comparable to the privacy rule, but these practices are not enforceable. Genetic privacy protection shouldn’t fall upon the states. Despite the process of updating HIPAA being slow, and the fact that it has been almost a decade since the last major update, the time is now to make these changes. As technology continues to improve and more citizens utilize DTC genetic testing, the fears of today will become the problems of tomorrow.