Privacy and the Law — When DNA Testing Companies Share Your Genetic Data, What’s Next?
by Angela C. Schulz, Associate Attorney
Privacy of health and genetic data has long been the subject of data protection laws.
However, FamilyTreeDNA, a consumer DNA-testing company has recently announced that it will be voluntarily sharing access to its vast repository of genetic information with the Federal Bureau of Investigation. (1)
Only months after law enforcement’s identification and capture of the California serial killer known as the “Golden State Killer” by using data collected from the consumer DNA site GED-match, the FamilyTreeDNA-FBI partnership reveals yet another critical health data privacy point of exposure that remains largely unregulated when it comes to the collection, storage, and use of genetic information.
In the U.S., the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) governs the use and disclosure of personally identifiable health information by health care providers, health plans, and their business associates. Various state laws also add layers of privacy protection surrounding genetic testing disclosures. In December 2016, as part of the 21st Century Cures Act (the “Cures Act”), Congress even revised the federal requirements for protecting sensitive, federally funded research involving genetic data from compelled disclosure in court proceedings through the use of “Certificates of Confidentiality”. In addition to authorizing funding to encourage the acceleration of medical product development and innovation, the Cures Act requires researchers to issue “Certificates of Confidentiality” to protect the privacy of research subjects and data, rendering the data inadmissible in legal proceedings without participant consent. Such legislation not only protects the privacy of individuals from unauthorized third-party use of health information, but also ensures principles of fairness, evidentiary reliability, and the integrity of the judicial system.
However, despite such federal and state regulations, significant gaps still leave individual privacy and genetic health data exposed to commercial and law enforcement third parties. Existing legal frameworks do not adequately address the plethora of privacy and security concerns that come with the explosion of health data accessibility and the multitude of ways in which health data are collected, stored, shared, and used.
HIPAA generally only protects medical information collected by HIPAA-covered entities and their business associates. DNA samples collected by a doctor or laboratory for the purposes of diagnosis and treatment are likely subject to strict data privacy requirements.
However, consumer DNA testing entities (e.g., Ancestry.com, 23andMe, or FamilyTreeDNA) and device manufacturers (e.g., Fitbit, Apple iPhones, etc.) do not fall within the meaning of a HIPAA-covered entity or business associate, leaving much of the medical data collected by such entities and devices exposed for third-party use through DNA dragnets inconspicuously tucked away in terms and conditions documentation and informed consent disclosures.
In July 2018, international pharmaceutical company GlaxoSmithKline announced a $300 million deal with another consumer genetic testing website, 23andMe, for genetic drug research. Nearly 80 percent of the 5 million 23andMe customers consented to participating in research. (2) On one hand, the 23andMe-GlaxoSmithKline partnership represents a significant milestone in the health community toward developing and advancing precision health care. On the other hand, FBI-FamilyTreeDNA partnership exposes the tension between innovative medical developments and individual privacy rights.
In the wake of such genetic testing company and law enforcement partnerships, despite federal and state legislative protections, it remains to be seen whether and how future legislation will shield health and genetics data from use or disclosure by law enforcement.
Posted: February 5, 2019