Precision Medicine and the Risk to Privacy
By Mark A. Rothstein
October 02, 2018 Feature
Precision medicine promises to integrate genetic analysis information with electronic health records (EHRs), readings from mobile health apps, as well as other diverse data sources, and then use big data analytics to produce individually tailored medical care.1 In theory, individually designed measures will greatly improve individual risk assessment, disease prevention, disease surveillance, diagnostics, and therapeutics. This new approach to medicine, however, raises many concerns, including whether it will be valuable beyond oncology and rare disorders and whether there will be equitable access to these more costly technologies, including pharmacogenomics-derived therapies, at a time when tens of millions of Americans still lack access to basic health care.2 A somewhat less explored, but equally significant, concern is that precision medicine, by collecting, aggregating, storing, and using unprecedented amounts of sensitive health data, creates serious risks to privacy for which there are presently inadequate legal protections.
This article begins by reviewing the sources and privacy implications of the diverse data at the heart of precision medicine and then considers the harms from a lack of privacy protection, ranging from embarrassment to discrimination based on current and predictive health information. Finally, it reviews and evaluates the health privacy and nondiscrimination laws applicable to alleged privacy breaches associated with precision medicine. It concludes that it is imprudent to pursue all possible information sources for precision medicine in the absence of adequate evidence of the likelihood of widespread benefits, especially when the risks to privacy are substantial and remain unaddressed.
Sources of Information
There are four main elements of precision medicine, and the first three involve information. First, the movement for personalized or precision medicine emerged from the Human Genome Project (HGP).3 When scientists demonstrated the ability to identify human genetic variation with high resolution, some experts postulated that researchers and eventually clinicians would be able to calculate an individual’s susceptibility to disease and likely severity, future manifestation of disease, the appropriate type and dosing of medications, as well as various other patient-specific health measures.4 The starting point, genome sequence information and genetic analysis, has become increasingly affordable in both clinical practice and research (for example, the All of Us program of the Precision Medicine Initiative), as well as direct-to-consumer exome sequencing. Researchers and eventually clinicians also will add data from other newly developed sources, such as epigenetic and microbiome information.
Second, the widespread adoption of EHRs has facilitated increasingly detailed analysis of phenotypic information.5 This involves using metadata obtained from physical examinations, imaging studies, laboratory tests, pathology evaluations, and other measures to develop fine-grained information related to the constituent elements of prior diagnoses, prognoses, and interventional strategies. Comprehensive, longitudinal, and ultimately interoperable EHRs will be an integral part of this aspect of precision medicine.
Third, in addition to traditional health measures, precision medicine involves the accumulation and aggregation of other sources of data with a possible connection to individual health. These ancillary sources include information from mobile health apps, biometric measures captured from wearable devices, geolocation records, environmental exposure monitoring, and consumer and commercial information. Individuals are directly responsible for generating data from many of these nontraditional sources of data. Researchers and clinicians also may glean data from public and private sources often collected for purposes other than the health of the individual. These may include health histories and vital statistics of family members, military service records, employment records, financial information, educational records, travel information, social media posts, Internet search data, and government records, such as Social Security records, VA health data, criminal justice information, professional licensure information, drivers’ license information, and passport information.6
Fourth, precision medicine uses big data analytics to develop associations and correlations from the diverse data sets in the three prior categories. Unlike traditional research methods concerned with causation, big data algorithms often are hypothesis generating. The focus is often on correlation rather than causation. Translational research (bench to bedside) in precision medicine is proceeding on the assumption that more data sources will invariably lead to an increase in the number of associations and improved predictive power. There is little evidence, however, to support such unconstrained optimism about the use of ancillary data to improve health care. Moreover, some critics have raised concerns about whether the promise of precision medicine has been overstated7 and whether there are serious limitations of predictive analytics in health research.8
Implications for Privacy
The loss of informational health privacy can result in four types of harms. Specific harms, the most commonly discussed category, include embarrassment, familial and social upheaval, stigmatization, and discrimination. Although health-based discrimination often connotes disqualification from insurance or employment opportunities, “fine-grained” predictions of an individual’s future health could lead to adverse treatment in numerous areas, including educational programs,9 real estate transactions,10 and government programs. General harms, characterized by an individual’s anxiety and distrust of the health care system, can lead to a reluctance to support health care politically and financially (through taxes and donations) as well as an unwillingness to be a participant in medical research. Individual health harms often result when individuals, concerned about the privacy and security of sensitive health information, make incomplete disclosures of health information to their health care providers and thereby jeopardize their quality of care. Finally, public health harms can occur when individuals are reluctant to seek prompt, appropriate treatment for stigmatizing conditions, such as sexually transmitted infections, mental illness, and substance abuse, which can endanger the health or safety of others.
Precision medicine increases the likelihood and severity of harms associated with the loss of health privacy in several ways. First, genome sequence and genetic analytics information are among the most sensitive of health information because, among other reasons, they also have implications for the health of family members. Second, the aggregation of large amounts of sensitive information in a single source magnifies the risk and severity of harm associated with wrongful (or even legitimate) uses and disclosures. The use of comprehensive and longitudinal EHRs means, assuming interoperability, that the records contain an individual’s clinical data from all health care providers from cradle to grave. Sensitive health information in EHRs remains indefinitely, in many cases well beyond any clinical utility, and may carry long-term risks of embarrassment. For example, a decades-old report of a sexually transmitted infection would continue to be accessible to numerous individuals in the course of treatment or pursuant to an authorization. Third, precision medicine includes collecting data from nontraditional sources.11 The rationale for doing so is that it is impossible to know, in advance, what types of data will be valuable. Nevertheless, in the absence of likely benefits, the clear risk to privacy militates against the heedless collection of ancillary information. Fourth, the use of health data analytics is a “black box” problem because there is generally little or no transparency regarding the analytical methodology used, and individuals will rarely have an opportunity to challenge the associations or conclusions.12
Legal Protections
Precision medicine, by requiring a substantial increase in the volume and variety of information in individual health records, will significantly increase the importance of effective health privacy laws. Unfortunately, the United States lacks comprehensive health privacy legislation and relies on a patchwork of laws designed to address only an aspect of the problem. The Health Insurance Portability and Accountability Act (HIPAA)13 was intended to ensure continuation of health coverage for individuals and their dependents with preexisting conditions when the participant in an employer-sponsored health plan changes jobs. Consequently, the law’s Privacy Rule14 applies only to entities involved in the payment chain of health care: health care providers, health plans, health clearinghouses, and their “business associates.”15 HIPAA does not provide a private right of action for individuals harmed by a violation of the Privacy Rule, and their only recourse is to file a complaint with the Office for Civil Rights of the Department of Health and Human Services.
The Privacy Rule requires covered entities to provide individuals with a notice of privacy practices, but there is no requirement of consent nor further restrictions on the uses and disclosures of individually identifiable health information in treatment, payment, and health care operations.16 The Privacy Rule also contains twelve public purpose exceptions, which permit uses and disclosures of protected health information (individually identifiable information) for the following reasons: (1) if required by law; (2) for public health activities; (3) about victims of abuse, neglect, or domestic violence; (4) for health oversight activities; (5) for judicial and administrative proceedings; (6) for law enforcement purposes; (7) for uses and disclosures about decedents; (8) for cadaveric organ, eye, or tissue donation; (9) for a limited number of research uses; (10) for averting a serious threat to health or safety; (11) for specialized government functions; and (12) for workers’ compensation.17 These disclosures are permissive, and any legal requirement for disclosure arises under some other law. Because of the Privacy Rule’s limitations and exceptions, the only three uses of health information with at least a minimum level of privacy protection are fund-raising, marketing, and research.18
Health information contained in individual patient records is essential to numerous third parties with an economic interest in the individual’s current or future health. These entities often have the legal ability to require that individuals sign a HIPAA-compliant authorization for the disclosure of their health information as a condition of applying for employment, insurance, government benefits, or other important uses. According to a 2017 study, in the United States there are at least twenty-five million compelled disclosures each year for employment entrance examinations, individual life insurance applications, individual long-term care insurance applications, individual disability insurance applications, individual and group disability insurance claims, automobile insurance claims, Social Security disability insurance applications, workers’ compensation claims, veterans’ disability claims, and personal injury lawsuits.19 Employment entrance examinations (12.3 million) and individual life insurance applications (5.0 million) are the categories with the most compelled disclosures.20 These disclosures are lawful and generally necessary, but the information released is not usually limited to health data directly related to the specific purpose of the disclosure.21 When presented with a general or specific request for disclosure of health information by a third party, the health care entity in possession of the health information commonly releases the individual’s entire record. Furthermore, there are few legal restrictions on the redisclosure of sensitive health information by an entity not subject to the HIPAA Privacy Rule. This gap in privacy protection is likely to take on greater significance with precision medicine because there will be more detailed health records, more analyses of “diverse data,” and probably more disclosures of unlimited scope.
The centrality of genomic analytical information in precision medicine increases the importance of laws dealing with genetic (including genomic) discrimination. There has been a lively discussion in the literature over whether it is desirable or counterproductive to enact genetic-specific laws to protect genetic privacy and to prohibit certain forms of genetic discrimination. Despite widespread academic opposition to genetic-specific laws (“genetic exceptionalism”), virtually all of the legislation related to genetics since the launch of the HGP in 1990 has been genetic-specific. The two main reasons for enactment of these kinds of laws are the public perceptions of the special attributes of genetic information and the fact that genetic-specific laws are narrower in scope than more broadly applicable legislation.22 Consequently, forty-seven states have enacted laws prohibiting genetic discrimination in health insurance and thirty-five state laws prohibit genetic discrimination in employment.23 Although not preempted by federal laws, these state laws often have weaker protections than the subsequently enacted federal law prohibiting genetic discrimination.
The federal Genetic Information Nondiscrimination Act (GINA)24 prohibits discrimination based on genetic information in health insurance (Title I) and employment (Title II). Significantly, GINA does not apply to life insurance, disability insurance, long-term care insurance, or other uses. Another limitation of GINA is that it only applies to individuals who are at the asymptomatic stage of disease, thereby markedly lessening its value. The enactment of the Affordable Care Act25 largely superseded Title I of GINA because it prohibits any health-based discrimination. One study of claims alleging genetic discrimination in employment under Title II of GINA found that there were only twenty-four nonfrivolous complaints filed with the Equal Employment Opportunity Commission between the law’s effective date in 2009 and 2015, and all but three cases involved alleged discrimination based on family health information.26 If public policy remains committed to genetic-specific legislation, then Congress should amend GINA to increase its protections.27
Other federal and state laws directly or indirectly extend privacy protection to health information. At the federal level, these include provisions of the Privacy Act,28 the Comprehensive Drug Abuse Prevention and Control Act,29 and the Americans with Disabilities Act.30 In addition, every state has a medical records act specifying maintenance of records and procedures for their disclosure. Many state laws, similar to the HIPAA Privacy Rule, grant individuals a right of access to their health records. Some states also have health privacy laws, but there is wide variation in the nature and stringency of the provisions.31 Common law actions for invasion of health privacy are theoretically possible, but there have been few cases brought, and such actions are not a viable way to protect health privacy.32
All of Us
Precision medicine in the clinical setting will not be widely available for an unknown number of years as it is still very much in the discovery and translational stages. The federal government–sponsored All of Us research program is one of several national precision medicine research programs around the world. It involves using next-generation genome sequencing and analytics in combination with EHRs and ancillary information, such as health app data, to build a longitudinal infrastructure for the study of one million research participants.33 All of Us has taken laudable initial steps in attempting to enroll a diverse and representative group of participants, to obtain meaningful informed consent, and to share research findings with participants, including by returning genomic information. This is where the “All of Us” privacy problems begin.
To have clinical utility, the information generated by All of Us needs to be integrated into an individual’s EHR. The All of Us researchers will not deposit their results into individual EHRs, but by returning results to participants, they will enable individuals to do so if permitted by their health care providers. Once integrated in a patient’s EHR, the information will be widely accessible within the health care system as well as be obtainable by third parties pursuant to an authorization that the individual might be compelled to execute. Other privacy problems could arise even if individuals do not deposit these results into their EHRs. For example, suppose an All of Us participant who received the results of his or her genetic information then applied for life insurance. The life insurer might ask all applicants if they ever had genetic testing and, if so, to submit the results. What should the All of Us participant do?
To implement a provision of the 21st Century Cures Act,34 the NIH has issued guidance that all federally funded research undertaken after December 13, 2016, involving biomedical, behavioral, clinical, or other research containing “identifiable, sensitive information” “is deemed to be issued” a certificate of confidentiality.35 The certificate prevents the researcher from having to disclose the information in response to a subpoena or other legal process, but certificates do not apply to information in the possession of the research participant. Therefore, the insurer might consider it fraudulent for the individual to respond untruthfully by denying participation in the All of Us program, but admitting participation and refusing to supply the information could result in denial of coverage. In this regard, All of Us participants would be on the same footing as individuals who obtain direct-to-consumer exome sequencing because they possess genetic information generated outside of the clinical setting. Insurers fear that “off-record,” next-generation sequencing and genetic analytics can result in information asymmetry and adverse selection. For precision medicine, including the All of Us research program, to succeed, it will be necessary to protect privacy and prevent discrimination from disclosures of sensitive information, such as for life insurance underwriting.36
Conclusion
Precision medicine holds great promise, but there has been inadequate attention paid to at least three serious risks to privacy it creates or exacerbates. First, precision medicine will substantially increase the volume and variety of accessible data used for health purposes, including the addition of numerous diverse and largely unproven sources of ancillary information. Second, the HIPAA Privacy Rule, with its weak protections and numerous exceptions, is applicable to covered entities, but it does not apply to numerous entities beyond the payment chain of health care. Third, inadequate privacy protection can give rise to risks ranging from embarrassment to discrimination, and current federal and state legislation addressing health-based discrimination remains inadequate. Future legislation to address the privacy challenges of precision medicine requires the delicate balancing of numerous complicated and contested issues and interests, and it needs to be addressed sooner rather than later.
Endnotes
1. Nat’l Research Council, Toward Precision Medicine: Building a Knowledge Network for Biomedical Research and a New Taxonomy of Disease (2011); Evan A. Ashley, Towards Precision Medicine, 17 Nature Revs. Genetics 507 (2016).
2. Kyle B. Brothers & Mark A. Rothstein, Ethical, Legal and Social Implications of Incorporating Personalized Medicine into Healthcare, 12 Personalized Med. 43 (2015); Mark A. Rothstein, Some Lingering Concerns About the Precision Medicine Initiative, 44 J.L. Med. & Ethics 520 (2016).
3. See Eric Juengst, From “Personalized” to “Precision” Medicine: The Ethical and Social Implications of Rhetorical Reform in Genomic Medicine, 46 Hastings Ctr. Rep. 21 (2016).
4. See Francis S. Collins & Harold Varmus, A New Initiative on Precision Medicine, 372 New Eng. J. Med. 793 (2015).
5. See Peter N. Robinson, Deep Phenotyping for Precision Medicine, 33 Human Mutation 777 (2012).
6. Mark A. Rothstein, Structural Challenges of Precision Medicine, 45 J.L. Med. & Ethics 274, 276 (2017).
7. Jeneen Interlandi, The Paradox of Precision Medicine, Sci. Am. (Apr. 1, 2016), https://www.scientificamerican.com/article/the-paradox-of-precision-medicine; Jocelyn Kaiser, Is Genome-Guided Cancer Treatment Hyped?, 360 Sci. 365 (2018).
8. Mark A. Rothstein, Ethical Issues in Big Data Health Research, 43 J.L. Med. & Ethics 425 (2015); Nilay D. Shah, Ewout W. Steyerberg & David M. Kent, Big Data and Predictive Analytics: Recalibrating Expectations, 320 JAMA 27 (May 29, 2018).
9. Laura F. Rothstein, Genetic Information in Schools, in Genetic Secrets: Protecting Privacy and Confidentiality in the Genetic Era (Mark A. Rothstein ed., 1997).
10. Mark A. Rothstein & Laura Rothstein, How Genetics Might Affect Real Property Rights, 44 J.L. Med. & Ethics 216 (2016).
11. Precision Medicine Initiative, Nat’l Insts. Health, https://allofus.nih.gov.
12. See Cathy O’Neil, Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy (2016); Frank Pasquale, The Black Box Society: The Secret Algorithms That Control Money and Information (2015).
13. Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936 (1996).
14. 45 C.F.R. pts. 160, 164.
15. 45 C.F.R. § 164.104.
16. Mark A. Rothstein, The End of the HIPAA Privacy Rule?, 44 J.L. Med. & Ethics 352 (2016); Julie L. Agris, Extending the Minimum Necessary Standard to Uses and Disclosures for Treatment, 43 J.L. Med. & Ethics 263 (2014).
17. 45 C.F.R. § 164.512.
18. See Rothstein, supra note 16.
19. Mark A. Rothstein & Meghan K. Talbott, Compelled Disclosures of Health Records: Updated Estimates, 45 J.L. Med. & Ethics 149 (2017).
20. Id.
21. Mark A. Rothstein, Access to Sensitive Information in Segmented Electronic Health Records, 40 J.L. Med. & Ethics 394 (2012).
22. Mark A. Rothstein, Genetic Exceptionalism and Legislative Pragmatism, 35 Hastings Ctr. Rep. 27 (July–Aug. 2005).
23. Genome Statute and Legislation Database Search, Nat’l Human Genome Research Inst. (NHGRI), https://www.genome.gov/policyethics/legdatabase/pubsearchresult.cfm.
24. Genetic Information Nondiscrimination Act of 2008, Pub. L. No. 110-233, 122 Stat. 881.
25. 42 U.S.C. § 18001 et seq.
26. Mark A. Rothstein, Jessica Roberts & Tee L. Guidotti, Limiting Occupational Medical Examinations Under the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act, 41 Am. J.L. & Med. 523, 552–54 (2015).
27. See Mark A. Rothstein, GINA at Ten and the Future of Genetic Nondiscrimination Law, 48 Hastings Ctr. Rep. 5 (May–June 2018).
28. 5 U.S.C. § 552a (limited to federally maintained records).
29. 42 U.S.C. § 290dd-2; 42 C.F.R. pt. 2 (limited to alcohol and drug treatment programs).
30. Id. §§ 12101–12213 (containing detailed provisions only for employment records).
31. Joy L. Pritts, Altered States: State Health Privacy Laws and the Impact of the Federal Health Privacy Rule, 2 Yale J. Health Pol’y L. & Ethics 327 (2002).
32. Neil Richards, The Limits of Tort Privacy, 9 J. Telecomms. & High Tech. L. 357 (2011).
33. See Precision Medicine Initiative, supra note 11.
34. 21st Century Cures Act, Pub. L. No. 114-255, § 2012, 130 Stat. 1033, 1049–50 (2016).
35. Nat’l Insts. Health, Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality, Notice No. NOT-OD-17-109 (Sept. 7, 2017), https://grants.nih.gov/grants/guide/notice-files/NOT-OD-17-109.html.
36. Mark A. Rothstein, Time to End the Use of Genetic Test Results in Life Insurance Underwriting, 46 J.L. Med. & Ethics (forthcoming 2018).