I belonged to a new underclass, no longer determined by social status or the color of my skin.
No, we now have discrimination down to a science. ~ Gattaca, 1997
Many movies, television shows, and books have depicted worlds in which genetic testing is a routine occurrence, and soon this may no longer be fiction. Technological innovation has resulted in medical provider- and vendor-driven genetic testing through medical insurance coverage and direct-to-consumer (DTC) genetic tests, where results can be used for unauthorized or unlawful purposes and produce unintended consequences.
This article illustrates how unauthorized disclosures and unintended consequences may occur in these genetic testing contexts, by first contrasting the federal Genetic Information Nondiscrimination Act of 2008 (GINA) and Health Insurance Portability and Accountability Act (HIPAA) regulations with the recently enacted California Genetic Information Nondiscrimination Act (CalGINA) and applicable California state laws in DTC genetic testing.
Direct-to-Consumer Genetic Testing
DTC is a commercialized industry often targeted toward those who are curious about their lineage. These simplified tests typically require a simple swab and then mailing of the DNA sample in a conveniently prepared envelope. This began fairly recently as something novel and unique for anyone who wanted to know their ancestry. Many of these consumers were unaware of what happened to their genetic data afterward and that it could be collected or repurposed after deidentification or anonymization by the DTC vendor. Were these curious consumers meaningfully informed, and did they understand what they were consenting to, when they placed their DNA sample for analysis in that mailing packet?
When DTC genetic testing kits first appeared to consumers, commercials and other advertisements deftly marketed them as a way for people to connect and learn about their ancestry or genetic factors. What was not disclosed were the unanticipated consequences and the privacy and security concerns regarding this genetic data that was received, maintained, and disclosed to third parties.
Genes, Genetic Information, and Genetic Sequencing
A gene is a segment of a DNA molecule that contains information for making a protein or, sometimes, an RNA molecule. Oversight of this industry is performed by the Food and Drug Administration (FDA) and the Centers for Disease Control and Prevention (CDC),
Genetic Information and the Law
Genetic information generally includes information regarding an individual’s and family members’ genetic tests and medical history. The definition of genetic data is found in the plain language of the statute or regulation that was enacted or promulgated as law at the federal and state level for the specified context:
- Title II of federal GINA defines genetic information as “with respect to any individual, information about such individual’s genetic tests, the genetic tests of family members of such individual, and the manifestation of a disease or disorder in family members of such individual.” P.L. 110-233, Section 201(4)(A); 42 U.S.C. §2000ff(4).
- HIPAA at 45 C.F.R. part 160.103:
Genetic information means:
(1) Subject to paragraphs (2) and (3) of this definition, with respect to an individual, information about:
(i) The individual's genetic tests;
(ii) The genetic tests of family members of the individual;
(iii) The manifestation of a disease or disorder in family members of such individual; or
(iv) Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.
(2) Any reference in this subchapter to genetic information concerning an individual or family member of an individual shall include the genetic information of:
(i) A fetus carried by the individual or family member who is a pregnant woman; and
(ii) Any embryo legally held by an individual or family member utilizing an assisted reproductive technology.
(3) Genetic information excludes information about the sex or age of any individual.
- California GINA defines genetic information at Civil Code section 56.18(b)(7):
(A). Genetic data means any data, regardless of its format, that results from the analysis of a biological sample from a consumer or from genetic material. Genetic material includes, but is not limited to, DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom.
(B). Genetic data does not include deidentified data…data that cannot be used to infer information about, or otherwise be linked to, a particular individual, provided that the business that possesses the information does all of the following…
Any countervailing or conflicting definitions of genetic information, including the access, use, maintenance, or disclosures must be analyzed considering federal and state preemption. This may also involve harmonizing the laws in light of complicated, outdated, or conflicting statutory, regulatory, or constitutional law, and public policy.
The Federal Genetic Information Nondiscrimination Act of 2008
GINA was enacted to alleviate concerns about genetic discrimination and the resulting reluctance to undergo genetic testing. As federal law, GINA sets a minimum standard of protection that must be met in all states.
GINA Genetic Data Testing Litigation in the Employment Context
The following are two GINA-related litigation cases that arose in Connecticut in the employment context: the first involving voluntary genetic testing, and the second mandated testing for an employer wellness program.
involved a health insurance plan disclosure to a closely held corporate employer regarding an employee’s genetic condition. The plaintiff’s genetic information was disclosed, and she was then perceived to have a disability in this reportedly first GINA complaint filed with the Equal This plaintiff shared insight that there were others who were afraid of taking genetic tests because they believed it would impact their employment and health insurance (even though this would be illegal under the Patient Protection and Affordable Care Act [ACA]).
was a GINA and Americans with Disabilities Act (ADA) case involving 5,400 Yale University union employees and their spouses. These employees and their spouses participated in the wellness program and were required to submit medical testing results, such as mammograms and colonoscopies, or pay a fine. GINA and the ADA generally preclude employers from imposing medical exams or inquiries, or from acquiring employee genetic information, unless doing so is either job-related or part of a wellness program. The employees alleged that the employer rule requiring them to participate in a wellness program or pay a fee violated the ADA and GINA, which resulted in a $1.3 million settlement discussion.
The Federal Health Insurance Portability and Accountability Act of 1996
The HIPAA regulations address the access, maintenance, use, and disclosure of this genetic health information, including the genetic testing process and data, and require patient consent. HIPAA does not directly apply to DTC vendors unless the vendor is a business associate of a covered entity, in which case a business associate agreement must exist.
was amended by GINA and further defined genetic information and its applicability to providers of healthcare and insurance plans. Consistent with HIPAA, GINA generally prohibits health insurers or health plan administrators from requesting or requiring genetic information of an individual or the individual’s family members or using it for decisions regarding coverage, rates, or preexisting conditions. Under HIPAA, insurance plans and healthcare providers are covered entities subject to regulatory enforcement from the federal Department of Health and There is no private cause of action under HIPAA. The federal and state departments of justice are charged with enforcing these violations.
Title I and II GINA Amendments to the HIPAA Final Rule
was modified by GINA to prohibit discrimination based on an individual’s genetic information in both the health coverage and employment contexts. Title I of GINA generally prohibits discrimination in premiums or contributions for group coverage based on genetic information and prohibits the use of genetic information as a basis for determining eligibility or setting premiums in the individual and Medicare supplemental insurance markets. Group health plans and health insurance issuers are limited in their ability to collect genetic information or to request or require that individuals undergo genetic testing.
Title II of GINA explicitly prohibits issuers of health insurance from discrimination on the basis of the insured enrollee’s genetic information. Health insurers are precluded from using genetic information to make eligibility, coverage, underwriting, or premium-setting decisions.
Privacy and Security Protections for Genetic Information
In addition to those provisions, section 105 of Title I of GINA contains new privacy protections for genetic information that required the Secretary of HHS to reissue the Privacy Rule to clarify that genetic information is health information and to prohibit insurers (including HMOs) and
Moreover, HHS made this very clear when it explained in the Final Rule that:
During the notice of proposed rulemaking (NPRM) process for GINA on October 7, 2009, the NPRM was published with the proposed rule to strengthen the privacy protections for genetic information under the HIPAA Privacy Rule by implementing the protection required by GINA and making related changes to the Rule. In particular, in accordance with section 105 of GINA and the department’s general authority under section, the HHS proposed to: (1) explicitly provide that genetic information is health information for purposes of the Privacy Rule, (2) prohibit all health plans covered by the HIPAA Privacy Rule from using or disclosing protected health information that is genetic information for underwriting purposes, (3) revise the provision relating to the Notice of Privacy Practices for health plans that perform underwriting and
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically. This protection extends to an individual’s past, present, or future health information, which may include demographic data and physical or mental health information, among other factors, in any medium, including paper, electronic, or even verbal communication.
HIPAA Security Rule
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity, which includes insurance plans and medical providers. Medical providers include laboratories, pharmacists, physicians, surgeons, health vendors, and business associates who maintain, access, or use that information as well. Even technology partners such as cloud service providers are subject to this Rule if they are business associates of the HIPAA-covered entity. Any patient or insurance applicant medical information that is received, created, used, or maintained, or even disclosed by the HIPAA-covered entity, must comport with these rules.
These safeguards are based upon federal best-practice standards with which all covered entities must minimally comply. Accordingly, any genetic information in any medium should be protected by these safeguards, including digital data in an electronic format. Essentially, this rule sets the standards that all computer systems, and all business associates and subcontractors who handle protected genetic information, must meet to prevent unauthorized disclosures and data loss.
Closing the GINA and HIPAA Gap in Consumer Protection: The FTC, FDA, and State Laws
Since HIPAA only applies to covered entities, how would the genetic data from a consumer be protected for someone whose privacy or security rights were violated through a DTC vendor process? Along with GINA and HIPAA, the Federal Trade Commission (FTC) and FDA provide federal protection for genetic testing consumers. State medical information privacy laws further define, protect, and regulate genetic information from being accessed, used, and disclosed by unauthorized persons in unauthorized ways.
The California Genetic Information Nondiscrimination Act of 2021
and was unopposed in the Senate and Assembly. This iteration of CalGINA legislation was supported by multiple parties, including industry vendors 23andMe.com and Ancestry.com, the Electronic Frontier Foundation, Privacy Rights Clearinghouse, ACLU California Action, and the University of California, among others. CalGINA specifically codified the following:
- Regulates DTC genetic testing companies, which are defined as entities that do any of the following:
- Sell, market, interpret, or otherwise offer consumer-initiated genetic testing products or services directly to consumers;
- Analyze genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnoses or treatment of a medical condition; or
A DTC company that collects, uses, maintains, or discloses genetic data collected or derived from a DTC genetic testing product or service directly provided to a consumer must provide clear and complete information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data. is required for the collection, use, and di
DTC entities are now required to implement and maintain reasonable security procedures and practices.
CalGINA prohibits these companies from disclosing a consumer’s genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment, or to any entity that provides advice to an entity that is responsible for performing those functions, except as provided. Discrimination against consumers by a person or public entity as a result of exercising their rights is prohibited by CalGINA.
CalGINA upholds consumer protection in the provision that articulates that it does not reduce a DTC genetic testing company’s duties, obligations, requirements, or standards under applicable state and federal laws for the protection of privacy and security. It makes clear that in the event of a conflict between its provisions and any other law, the provision of the law that affords the greatest protection for the right of privacy for consumers shall control. This provision undergirds the preemption provisions in GINA and HIPAA.
Altogether, CalGINA provides clearer and more definitive guidelines for DTC companies and consumers regarding duties and responsibilities when collecting consumer genetic data. These DTC entity requirements provide more consistent expectations, provide consumers with more control over their genetic data, and further safeguard the privacy, confidentiality, security, and integrity of this data.
Additional California Privacy and Security Laws to Consider
CalGINA was codified to provide clearer guidance to DTC companies and their affiliates so that consumer privacy and security protection can be better effectuated. There are, however, additional California state laws that should be contemplated depending on the genetic data context. These laws may further define genetic information and provide additional statutory and regulatory requirements regarding express consent and responsibilities for data collection, use, management, and disclosure. The non-exhaustive list below of relevant privacy and security consumer protection laws contains definitions similar to, and often harmonized with, those in CalGINA.
- provides each citizen an inalienable right to pursue and obtain privacy: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”
- protects the confidentiality of individually identifiable medical information obtained by healthcare providers, health insurers, and their contractors. Covered healthcare providers are prohibited from disclosing patient, enrollee, or subscriber medical information without first obtaining authorization. It also requires covered healthcare providers that create, maintain, store, or destroy medical information to do so in a manner that preserves the confidentiality of such information.
- became effective July 1, 1978, and applies to the State of California government entity maintenance of personal information. The security rule and contractor responsibilities also require disclosure to California residents of any security breach or unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information.
- is a consumer protection law regarding how personal information can be shared by companies for marketing purposes and encourages businesses to let their customers opt out of such information sharing. Businesses must provide either: 1) a list of the categories of personal information disclosed to other companies for their marketing purposes during the preceding calendar year, with the names and addresses of those companies or 2) a privacy statement giving the customer a cost-free opportunity to opt out of such information sharing.
- enacted in 2018, subsequently amended in 2019, and effective in 2021, applies to businesses that collect the personal data of California residents and have annual gross revenues exceeding $25 million; annually buy, sell, or share personal information of 100,000 or more consumers or households; and derive 50% or more of their annual revenue from selling personal information. The CCPA also defines personal health information, genetic information referred to as sensitive personal information, contractor, and service provider, which are also found in the CalGINA.
- contain the Department of Public Health statutory authorization and promulgated regulations regarding medical information data, access, use and disclosure, within facilities and programs, including reporting and enforcement.
- sets forth codified state law requirements for laboratory licensing or registration, which includes data and testing facilities. This code section references the federal law that also requires laboratories to be certified by the Clinical Laboratory Improvement Amendments (CLIA), among other requirements.
- prohibit genetic discrimination in employment and housing.
Unauthorized Access or Disclosure of Protected Genetic Information
A frequent way that medical information can be compromised is through unauthorized access to or disclosure of protected genetic health information. HIPAA covers medical information in any medium, including verbal, electronic, or paper. Consequently, a person’s genetic information could be unlawfully disclosed by someone who negligently leaves a patient’s chart in plain view, by a careless doctor whose stolen laptop containing patient data had no password, or by an insurer’s employee who downloads data onto an unencrypted USB drive for legitimate or illegitimate purposes. Data breaches or unlawful disclosures and uses resulting from external computer hacking or from internal provider employee actions or inactions are not uncommon.
Future Collective Efforts Through Multiple Perspectives
Advances in genetic research and testing create innovation that promises to improve the quality and longevity of life worldwide. Genetic testing has become the norm, and this has made genetic data more available and more efficiently disclosed and used. DTC industry vendors will continue to market and sell these home testing kit products to the public, and more genetic data also means more opportunity for inappropriate and unauthorized uses and disclosures. While current federal and state laws are in place to regulate this industry and protect the privacy and security of this sensitive consumer genetic information, they are not always easily applied or followed. Government regulators like the FTC and FDA, as well as those charged with enforcement authority, will continue to monitor and respond to this innovation. However, state-level collective dialogues among industry vendors, consumer advocacy groups, and government actors are necessary to bring perspective, balance the interests of the parties, and shed light on the consumer protection and unintended consequences issues as they evolve. A more discerning and balanced review of the interests impacted and the applicability of the laws will involve the collective efforts of industry, legal counsel, government regulators and enforcers, non-governmental organizations including consumer privacy and protection groups, and legislators, as this momentum moves forward.