March 07, 2023

From Gattaca to GINA and CalGINA

How Provider and Vendor Direct-to-Consumer Genetic Testing Can Render Unintended Consequences

By Debra Gass
"I belonged to a new underclass, no longer determined by social status or the color of my skin. No, we now have discrimination down to a science." ~ Gattaca, 1997

Many movies, television shows, and books have depicted worlds in which genetic testing is a routine occurrence, and soon this may no longer be fiction. Technological innovation has produced medical provider- and vendor-driven genetic testing covered by medical insurance, as well as direct-to-consumer (DTC) genetic tests, and in both settings the results can be used for unauthorized or unlawful purposes and produce unintended consequences.

This article illustrates how unauthorized disclosures and unintended consequences may occur in these genetic testing contexts by first contrasting the federal Genetic Information Nondiscrimination Act of 2008 (GINA) and Health Insurance Portability and Accountability Act (HIPAA) regulations with the recently enacted California Genetic Information Nondiscrimination Act (CalGINA) and the California state laws applicable to DTC genetic testing.

Direct-to-Consumer Genetic Testing

DTC genetic testing is a commercialized industry often targeted at people who are curious about their lineage. These simplified tests typically require only a cheek swab and the mailing of the DNA sample in a conveniently prepared envelope. This began fairly recently as something novel and unique for anyone who wanted to know their ancestry. Many of these consumers were unaware of what happened to their genetic data afterward, and that it could be collected or repurposed after deidentification or anonymization by the DTC vendor. Were these curious consumers meaningfully informed, and did they understand what they were consenting to when they placed their DNA sample in that mailing packet for analysis?

When DTC genetic testing kits first appeared, commercials and other advertisements deftly marketed them as a way for people to connect with relatives and learn about their ancestry or genetic traits. What was not disclosed were the unanticipated consequences and the privacy and security concerns surrounding genetic data that was received, maintained, and disclosed to third parties.

Genes, Genetic Information, and Genetic Sequencing

A gene is a segment of a DNA molecule that contains information for making a protein or, sometimes, an RNA molecule. The term continues to evolve as scientists learn about the complexities of molecular interactions. Genetic tests can reveal genetic information from a particular genotype to almost an entire genomic sequencing. A genetic test may involve a small sample of blood or saliva that is sent to a lab for processing and analysis by technicians who purify DNA from the sample. Innovative technology is applied to reveal whether the DNA contains specific genetic mutations. Genetic tests for more common health conditions like cancer, diabetes, and heart disease are more complex, however, and will require further time to develop. Oversight of this industry is performed by the Food and Drug Administration (FDA) and the Centers for Disease Control and Prevention (CDC), which promulgate and enforce regulations regarding genetic testing kits. The Federal Trade Commission Act prohibits unfair or deceptive trade practices through enforcement and has published industry best practices on its website.

Genetic Information and the Law

Genetic information generally includes information regarding an individual's and family members' genetic tests and medical history. The definition of genetic data is found in the plain language of the statute or regulation that was enacted or promulgated as law at the federal or state level for the specified context.

  • Title II of federal GINA defines genetic information as “with respect to any individual, information about such individual’s genetic tests, the genetic tests of family members of such individual, and the manifestation of a disease or disorder in family members of such individual.” P.L. 110-233, Section 201(4)(A); 42 U.S.C. §2000ff(4).
  • HIPAA at part 160.103 provides:

    Genetic information means:

    1. Subject to paragraphs (2) and (3) of this definition, with respect to an individual, information about:
      (i) The individual's genetic tests;
      (ii) The genetic tests of family members of the individual;
      (iii) The manifestation of a disease or disorder in family members of such individual; or
      (iv) Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.
    2. Any reference in this subchapter to genetic information concerning an individual or family member of an individual shall include the genetic information of:
      (i) A fetus carried by the individual or family member who is a pregnant woman; and
      (ii) Any embryo legally held by an individual or family member utilizing an assisted reproductive technology.
    3. Genetic information excludes information about the sex or age of any individual.
  • California GINA defines genetic information at Civil Code section 56.18(b)(7):
    (A) Genetic data means any data, regardless of its format, that results from the analysis of a biological sample from a consumer or from genetic material. Genetic material includes, but is not limited to, DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom.
    (B) Genetic data does not include deidentified data…data that cannot be used to infer information about, or otherwise be linked to, a particular individual, provided that the business that possesses the information does all of the following…

Any countervailing or conflicting definitions of genetic information, including those governing its access, use, maintenance, or disclosure, must be analyzed in light of federal and state preemption. This may also involve harmonizing the laws against a backdrop of complicated, outdated, or conflicting statutory, regulatory, or constitutional law and public policy.

The Federal Genetic Information Nondiscrimination Act of 2008

GINA is the first federal law that protects individuals from being treated unfairly or discriminated against in health insurance and employment based upon their DNA. GINA was intended to enable people to take part in research studies without fear that their DNA information might be used against them by health insurers or in the workplace, thereby alleviating concerns about genetic discrimination and reluctance toward genetic testing. As a federal law, GINA sets a minimum standard of protection that must be met in all states.

GINA Genetic Data Testing Litigation in the Employment Context

The following are two GINA-related litigation cases that arose in Connecticut in the employment context: the first involving voluntary genetic testing, and the second mandated testing for an employer wellness program.

Fink v. MXEnergy involved a health insurance plan's disclosure to a closely held corporate employer of an employee's genetic condition. The plaintiff's genetic information was disclosed, and she was then perceived to have a disability, in what was reportedly the first GINA complaint filed with the Equal Employment Opportunity Commission and the Connecticut Commission on Human Rights and Opportunities, in 2010. The 39-year-old plaintiff was terminated by her employer, MXEnergy, after it learned that she had tested positive for the BRCA2 breast cancer gene. Because she was informed that this increased her breast cancer risk, she underwent a prophylactic double mastectomy. Despite her prior positive evaluations, her employer targeted, demoted, and eventually terminated her once her genetic test results were disclosed. The plaintiff observed that others were afraid to take genetic tests because they believed it would affect their employment and health insurance (even though this would be illegal under the Patient Protection and Affordable Care Act [ACA]).

Kwesell v. Yale University was a GINA and Americans with Disabilities Act (ADA) case involving 5,400 Yale University union employees and their spouses. These employees and their spouses participated in the wellness program and were required to submit medical testing results, such as mammograms and colonoscopies, or pay a fine. GINA and the ADA generally preclude employers from imposing medical exams or inquiries or acquiring employee genetic information unless doing so is either job-related or part of a voluntary wellness program. The employees alleged that the employer rule requiring them to participate in the wellness program or pay a fee violated the ADA and GINA, which resulted in a $1.3 million settlement discussion.

The Federal Health Insurance Portability and Accountability Act of 1996

HIPAA is the federal law that regulates the privacy and security of genetic information, which is included in the definition of protected health information. The limitation of HIPAA in the DTC genetic testing context is that it applies only to covered entities, defined as health insurance plans, medical providers, healthcare clearinghouses, and their business associates. The HIPAA regulations address the access, maintenance, use, and disclosure of genetic health information, which generally require patient consent and may encompass the genetic testing process and its data. Exceptions to the patient consent requirement include scientific research, fundraising, law enforcement purposes, public health reporting, and treatment, payment, and operations purposes between medical providers or business associates. HIPAA does not directly apply to DTC vendors unless the vendor is a business associate of a covered entity, in which case a business associate agreement must exist.

The subsequent HIPAA Final Omnibus Rule of 2013 was amended by GINA and further defined genetic information and its applicability to healthcare providers and insurance plans. Consistent with HIPAA, GINA generally prohibits health insurers or health plan administrators from requesting or requiring genetic information of an individual or the individual's family members, or from using it for decisions regarding coverage, rates, or preexisting conditions. Under HIPAA, insurance plans and healthcare providers are covered entities subject to regulatory enforcement by the federal Department of Health and Human Services (HHS) Office for Civil Rights and the Centers for Medicare and Medicaid Services (CMS) for violations of the Privacy Rule and Security Rule, respectively. There is no private cause of action under HIPAA; the federal and state departments of justice are charged with enforcing these violations.

Title I and II GINA Amendments to the HIPAA Final Rule

The HIPAA Final Rule was modified by GINA to prohibit discrimination based on an individual's genetic information in both the health coverage and employment contexts. Title I of GINA generally prohibits discrimination in premiums or contributions for group coverage based on genetic information and prohibits the use of genetic information as a basis for determining eligibility or setting premiums in the individual and Medicare supplemental insurance markets. Group health plans and health insurance issuers are limited in their ability to collect genetic information or to request or require that individuals undergo genetic testing.

Title II of GINA explicitly prohibits issuers of health insurance from discriminating on the basis of an insured enrollee's genetic information. Health insurers are precluded from using genetic information to make eligibility, coverage, underwriting, or premium-setting decisions. Insurers may not request or require individuals or their family members to undergo genetic testing or to provide genetic information.

Privacy and Security Protections for Genetic Information

In addition to those provisions, section 105 of Title I of GINA contains new privacy protections for genetic information. It required the Secretary of HHS to reissue the Privacy Rule to clarify that genetic information is health information and to prohibit insurers (including HMOs) and issuers of MediCal supplemental policies from using or disclosing genetic information for underwriting purposes.

Moreover, HHS made its position very clear when it explained in the Final Rule that:

"We continue to believe that individuals have a strong privacy interest in not having their genetic information used in an adverse manner for underwriting purposes and to believe that this privacy interest outweighs any adverse impact on most health plans covered by the Privacy Rule."

During the notice of proposed rulemaking (NPRM) process for GINA, the NPRM was published on October 7, 2009, with a proposed rule to strengthen the privacy protections for genetic information under the HIPAA Privacy Rule by implementing the protections required by GINA and making related changes to the Rule. In particular, in accordance with section 105 of GINA and the department's general authority under section, HHS proposed to: (1) explicitly provide that genetic information is health information for purposes of the Privacy Rule; (2) prohibit all health plans covered by the HIPAA Privacy Rule from using or disclosing protected health information that is genetic information for underwriting purposes; (3) revise the provision relating to the Notice of Privacy Practices for health plans that perform underwriting; and (4) make a number of conforming changes to definitions and other provisions of the Rule.

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. This protection extends to an individual's past, present, or future health information, which may include demographic data and physical or mental health information, among other factors, in any medium, including paper, electronic, or even verbal communication.

HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity, which includes insurance plans and medical providers. Medical providers include laboratories, pharmacists, physicians, surgeons, and health vendors, as well as the business associates who maintain, access, or use that information. Even technology partners such as cloud service providers are subject to this Rule if they are business associates of a HIPAA-covered entity. Any patient or insurance applicant medical information that is received, created, used, maintained, or disclosed by a HIPAA-covered entity must comport with these rules.

The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. These safeguards are based upon federal best-practice standards with which all covered entities must at a minimum comply. Accordingly, any genetic information in any medium should be protected by these safeguards, including digital data in electronic format. Essentially, this Rule sets the standards for all computer systems, business associates, and subcontractors that handle protected genetic information with respect to unauthorized disclosures and data loss. Examples include computer hacking, negligent or willful data disclosures to unauthorized parties for illicit purposes, and disclosing more than the minimum necessary to accomplish the purpose of the disclosure.

Closing the GINA and HIPAA Gap in Consumer Protection: The FTC, FDA, and State Laws

Since HIPAA applies only to covered entities, how is a consumer's genetic data protected when that consumer's privacy or security rights are violated through a DTC vendor's process? Along with GINA and HIPAA, the Federal Trade Commission (FTC) and the FDA provide federal protection for genetic testing consumers. State medical information privacy laws further define and protect genetic information and regulate its access, use, and disclosure by unauthorized persons in unauthorized ways. A majority of states have enacted laws that strictly prohibit the use of genetic information for risk selection and risk classification in health insurance and the disclosure of protected health information by covered entities, many of which were passed before GINA was enacted.

The California Genetic Information Nondiscrimination Act of 2021

California enacted the Genetic Information Nondiscrimination Act (CalGINA), which went into effect on January 1, 2022, and was unopposed in the Senate and Assembly. This iteration of CalGINA legislation was supported by multiple parties, ranging from industry vendors to the Electronic Frontier Foundation, Privacy Rights Clearinghouse, ACLU California Action, and the University of California, among others. CalGINA specifically codified the following:

  • Defines genetic data as any data, regardless of its format, that results from the analysis of a biological sample from a consumer or from another element enabling equivalent information to be obtained, and concerns genetic material, except deidentified data, as provided.
  • Regulates DTC genetic testing companies, which are defined as entities that do any of the following:
    • Sell, market, interpret, or otherwise offer consumer-initiated genetic testing products or services directly to consumers;
    • Analyze genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnoses or treatment of a medical condition; or
    • Collect, use, maintain, or disclose genetic data collected or derived from a DTC genetic testing product or service or directly provided by a consumer.

Genetic testing is defined in CalGINA as any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the blood sample, or any information extrapolated, derived, or inferred therefrom. The term biological sample is specifically defined to mean any material part of the human body, discharge therefrom, or derivative thereof, such as tissue, blood, urine, or saliva, known to contain DNA.

A DTC company that collects, uses, maintains, or discloses genetic data collected or derived from a DTC genetic testing product or service, or directly provided by a consumer, must provide clear and complete information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data. This must be disclosed to the consumer, whose express consent is required for the collection, use, and disclosure of the consumer's genetic data. The consumer's methods for revoking such consent must also be secure and separate. Specific definitions for the terms affirmative authorization, express consent, and service provider are codified and made clearer so that industry, enforcement agencies, and medical providers can apply the law.

DTC entities are now required to implement and maintain reasonable security procedures and practices. CalGINA contractually obligates any recipient of genetic data to take reasonable measures to ensure that the information cannot be associated with a consumer or household, to commit to maintaining and using the information only in deidentified form, and not to reidentify the information. Procedures and practices must be developed to enable a consumer to easily access their genetic data, delete their account and genetic data (except as specified), and have their biological sample destroyed.

CalGINA prohibits these companies from disclosing a consumer’s genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment, or to any entity that provides advice to an entity that is responsible for performing those functions, except as provided. Discrimination against consumers by a person or public entity as a result of exercising their rights is prohibited by CalGINA.

CalGINA upholds consumer protection in the provision articulating that it does not reduce a DTC genetic testing company's duties, obligations, requirements, or standards under applicable state and federal laws for the protection of privacy and security. It makes clear that, in the event of a conflict between its provisions and any other law, the provision that affords the greatest protection for the right of privacy of consumers shall control. Companies that violate these provisions are subject to civil penalties. This provision reinforces the preemption provisions in GINA and HIPAA.

Altogether, CalGINA provides clearer and more definitive guidelines for DTC companies and consumers regarding duties and responsibilities when collecting consumer genetic data. These DTC entity requirements provide more consistent expectations, provide consumers with more control over their genetic data, and further safeguard the privacy, confidentiality, security, and integrity of this data.

Additional California Privacy and Security Laws to Consider

CalGINA was codified to provide clearer guidance to DTC companies and their affiliates so that consumer privacy and security protections can be better effectuated. There are, however, additional California state laws that should be considered depending on the genetic data context. These laws may further define genetic information and impose additional statutory and regulatory requirements regarding express consent and the responsibilities of data collection, use, management, and disclosure. CalGINA contains similar and often harmonized definitions to those in the non-exhaustive list of relevant privacy and security consumer protection laws below.

  • The California Constitution, Article 1, section 1, provides each citizen an inalienable right to pursue and obtain privacy: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”
  • The California Medical Information Act of 1981 (CMIA) protects the confidentiality of individually identifiable medical information obtained by healthcare providers, health insurers, and their contractors. Covered healthcare providers are prohibited from disclosing patient, enrollee, or subscriber medical information without first obtaining authorization. It also requires covered healthcare providers that create, maintain, store, or destroy medical information to do so in a manner that preserves the confidentiality of such information.
  • The California Information Practices Act of 1977 (IPA) became effective July 1, 1978, and applies to the State of California government entity maintenance of personal information. The security rule and contractor responsibilities also require disclosure to California residents of any security breach or unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information.
  • California’s Shine the Light law is a consumer protection law regarding how personal information can be shared by companies for marketing purposes and encourages businesses to let their customers opt out of such information sharing. Businesses must provide either: 1) a list of the categories of personal information disclosed to other companies for their marketing purposes during the preceding calendar year, with the names and addresses of those companies or 2) a privacy statement giving the customer a cost-free opportunity to opt out of such information sharing.
  • The California Consumer Privacy Act (CCPA), enacted in 2018, subsequently amended in 2019, and effective in 2021, applies to businesses that collect the personal data of California residents and have annual gross revenues exceeding $25 million; annually buy, sell, or share personal information of 100,000 or more consumers or households; and derive 50% or more of their annual revenue from selling personal information. The CCPA also defines personal health information, genetic information (referred to as sensitive personal information), contractor, and service provider, terms which are also found in CalGINA.
  • California Health and Safety Code, at sections 1280.15, et seq., and California Code of Regulations at Title 22, Section 79900, contain the Department of Public Health statutory authorization and promulgated regulations regarding medical information data, access, use and disclosure, within facilities and programs, including reporting and enforcement.
  • California Business and Professions Code, at sections 1200, et seq., sets forth codified state law requirements for laboratory licensing or registration, which includes data and testing facilities. This code section references the federal law that also requires laboratories to be certified by the Clinical Laboratory Improvement Amendments (CLIA), among other requirements.
  • The California Fair Employment and Housing Act (FEHA) and the Unruh Civil Rights Act prohibit genetic discrimination in employment and housing.

Unauthorized Access or Disclosure of Protected Genetic Information

With innovation in genetic research and consumer testing, ethical and legal issues arise, including privacy and security concerns regarding how this data is obtained, used, maintained, and disclosed, to whom, and on what basis. A frequent way that medical information is compromised is through unauthorized access to, or disclosure of, protected genetic health information. This can occur through incidents ranging from an inadvertent verbal disclosure by a medical provider's employee to a breach of data stored in the cloud or the theft of a computer containing patient information. HIPAA covers medical information in any medium, including verbal, electronic, and paper. Consequently, a person's genetic information could be unlawfully disclosed by someone who negligently leaves a patient's chart in plain view, by a careless doctor whose stolen laptop containing patient data was not password protected, or by an insurer's employee who downloads data onto an unencrypted USB drive for legitimate or illegitimate purposes. Data breaches and unlawful disclosures or uses resulting from external computer hacking or from the actions or inactions of internal provider employees are not uncommon. State laws are often enacted or promulgated to address a specific data use or disclosure; those laws are then harmonized with federal law, if not preempted, and may provide more stringent protection.

Future Collective Efforts Through Multiple Perspectives

Advances in genetic research and testing drive innovation that promises to improve the quality and longevity of life worldwide. Genetic testing has become the norm, which has made genetic data more available and more readily disclosed and used. DTC industry vendors will continue to market and sell home testing kits to the public, and more genetic data also means more opportunity for inappropriate and unauthorized uses and disclosures. While current federal and state laws are in place to regulate this industry and protect the privacy and security of this sensitive consumer genetic information, they are not always easily applied or followed. Government regulators like the FTC and FDA, as well as those charged with enforcement authority, will continue to monitor and respond to this innovation. However, state-level collective dialogues among industry vendors, consumer advocacy groups, and government actors are necessary to bring perspective, balance the interests of the parties, and shed light on consumer protection and unintended consequences as they evolve. A more discerning and balanced review of the interests affected and the applicability of the laws will require the collective efforts of industry, legal counsel, government regulators and enforcers, non-governmental organizations including consumer privacy and protection groups, and legislators as this momentum moves forward.

Debra Gass

State of California, Sacramento, CA

Debra Gass is a former staff counsel and current administrative law judge for the State of California. The content of this article is the expression of the author only and does not represent the views of her employer or the State of California.

The material in all ABA publications is copyrighted and may be reprinted by permission only.