Keeping Your Genome to Yourself: Privacy Laws and Consumer Genetic Testing

By Devinder Hans

A genetic revolution has transformed a very expensive process available to scientists into a relatively inexpensive product sold to everyone. However, as collected genetic data increases, so do concerns about its unauthorized disclosure and use.

Privacy Laws

Early genetic privacy laws focused on health insurance discrimination. Some states passed such laws as early as the 1970s and California did so in 2011. The federal Genetic Information Nondiscrimination Act (GINA) was enacted in 2008, prohibiting genetic discrimination in employment and health insurance (for asymptomatic individuals). The Affordable Care Act went further and prohibited all health-based discrimination in health insurance.

Genetic data in health care is subject to the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA). However, the Privacy Rule only applies to HIPAA-covered entities: healthcare providers, health plans, health clearinghouses, and business associates of these entities. Under GINA, genetic information is deemed to be “health information” subject to the Privacy Rule even when not clinically significant. Covered entities are required to provide a notice of their privacy practices, including uses and disclosures of protected health information.

Several states have enacted specific genetic privacy laws, but they vary widely, with some requiring informed consent for testing, regulating access to data, or providing that genetic information is the individual’s property. In California, the Confidentiality of Medical Information Act prohibits insurers from disclosing individually identifiable health information, which specifically includes genetic history. The California Genetic Information Nondiscrimination Act (CalGINA) expands on GINA to also prohibit genetic discrimination in housing, mortgage lending, education, and public accommodations. 

The California Consumer Privacy Act of 2018 (CCPA) also applies to genetic testing companies and gives consumers a right to know how their information is used and shared, to request that it be deleted, and to opt out of its sale to third parties.

Direct-To-Consumer (DTC) Genetic Testing Services Are Excluded from HIPAA’s Privacy Rule

DTC genetic testing is increasingly popular for claimed insights into health and ancestry, among other topics. Even as more people use services like 23andMe, Ancestry, and more than 90 others, DTC providers remain lightly regulated. HIPAA generally does not apply, and the Food and Drug Administration (FDA) has only asserted authority to regulate health-related testing disclosures.

The privacy implications of genetic data gained wide attention in 2018 with the capture of the so-called Golden State Killer, who had committed a series of rapes and murders 40 years earlier. The suspect, who pleaded guilty earlier this year, was identified through a familial DNA search. Using GEDmatch, a public genetic database where users upload test results to research their family trees, officers matched crime scene DNA with the suspect’s distant relative. A traditional investigation followed to narrow down to the suspect. The same technique has helped identify almost 100 suspects and many victims.

As more genetic information becomes available, the privacy repercussions only increase. In a 2018 study, researchers concluded that once GEDmatch included just 2% of Americans (up from an estimated 0.5% at the time), more than 90% of Americans of European descent would be identifiable. Although several states have explored regulation, and the U.S. Department of Justice (DOJ) has released an interim policy regulating law enforcement use of forensic genetic genealogy, other users are regulated primarily by the service’s own policies.

Efforts to Regulate Genetic Privacy in California

In 2013, broad genetic privacy legislation was considered by the California legislature but did not pass. Scientists in particular expressed concern that its consent requirement would hinder research. For example, under the legislation, genetic information collected to discover genes associated with a particular disease could not be reused for research related to other diseases.

This year, California considered a narrower regulation specific to DTC genetic testing companies and any genetic data collected or derived from such services. Although passed by the Legislature, the proposed Genetic Information Privacy Act (GIPA) was vetoed by the Governor over concerns that the bill’s opt-in provisions would interfere with mandatory reporting requirements related to COVID-19 testing. Governor Newsom expressed support for strong genetic privacy rights and directed state health agencies to work with the Legislature to develop new legislation that addresses his concerns. The GIPA would have required notice about the DTC company’s privacy practices, including use, disclosure, security, and whether deidentified genetic data would also be disclosed. It would have required user consent not only for the collection, use, and disclosure of data but also for the purpose of such activity. Each use beyond that initial purpose would have required separate consent. Finally, it would have imposed criminal and civil liability, depending on the violation.

The Path Forward Is Uncertain

Although Gregor Mendel, a 19th century monk, is now known as the father of genetics, his research was virtually ignored when first published and not fully appreciated until rediscovered almost 40 years later. In the same way, it may take time to fully understand the implications of accumulated genetic data and decide on appropriate policy responses.

Devinder S. Hans (devinderh@gmail.com) is an attorney at law.