Kathryn Parker (SC ‘23)
Human genetic data is in high demand for cutting-edge medical research, and genetic testing is important to diagnose and treat many diseases. As a result, genetic privacy laws are a necessity to protect the basic rights of citizens. However, in the United States, while genetic discrimination is expressly prohibited, privacy is not enforced. So, what can be done to protect genetic privacy in such a world?
Unfortunately, not much. Laws like GINA and the 2000 Executive Order attempt limit how genetic information can be used, but none truly protect a person’s privacy. With the ever-growing collection of genetic data in various directories, a high level of DNA security may not even be a possibility. This is because genetic information is unique to every individual. Once a person’s genetic code is obtained, it is tied to them for the rest of their lives – they cannot separate themselves from the information. Even identical twins do not have the exact same DNA code, as a result of genetic mutations in the womb. Even if a person’s genetic code is separated from assigned data – like a name and Social Security code – it is still forever linked to that singular human being. Access to, and the collection of, genetic data needs to be regulated in order to protect a person’s privacy. People can get their insurance rates, job compensation, and medical protection completely altered should their data become available. Genetic data can affect housing opportunities, mortgage lending, and even access to education. Every aspect of law has a tradeoff. In this case, research would be slowed to protect privacy. However, this is a necessary distinction.
Most people connect medical privacy to the Health Insurance Portability and Accountability Act (HIPAA). Signed into law by former president Bill Clinton in 1996, HIPAA is a federal law designed to prevent the disclosure of a patient’s health information to any non-permitted individuals. However, even the de-identification ‘checklist safe harbor’ in HIPAA does not include genetic information. Meaning, the nondisclosure of private health information disregards genetic code. Simultaneously, population-wide genetic information is also becoming more available due to the digitalization of an individual’s data given the growth of electronic health records (EHR).
In 2013, the HIPAA Omnibus Rule amended regulations to include genetic information in the definition of Protected Health Information (PHI). It prevents the use of genetic data in underwriting for almost all types of health insurance plans – but not for life, disability, or long-term care insurance. Therefore, individuals with a genetic predisposition to Alzheimer’s will be uninsurable for long-term care. According to the HIPAA definition, genetic information does not include your age and gender – but still allows all other information from any form of genetic testing to be available for research and insurance data.
A more recent piece of influential legislation is the Genetic Information Nondiscrimination Act of 2008 (GINA). Just as the name suggests, GINA is an anti-discrimination law that, while important, does little to protect privacy. GINA prevents group health and Medicare supplemental plans from using genetic information to discriminate for insurance – but, still not life, disability, or long-term care plans. Title II of Gina prohibits the use of genetic information regarding employment decisions such as hiring, promoting, and firing. However, GINA does not apply unless the employer has more than 15 employees Therefore, small businesses – should they discover an applicant or employees’ genetic predisposition – are able to reject or fire that individual and not provide reasoning.
As a state, California has taken extra steps to combat genetic discrimination, but not genetic information privacy. CalGINA not only incorporates the national aspects of GINA, but also prohibits discrimination in housing, education, provision of emergency services, elections and mortgage lending. CalGINA modifies the Unruh Civil Rights Act to include genetic information on the list of Californians’ civil rights that sanction “full and equal accommodations, advantages, facilities, privileges, or services in all business establishments of every kind whatsoever.”
The primary issue with GINA is that GINA is based on a genetic framework more than 20 years old. GINA only prohibits discrimination based on genetic information about someone who has not yet been diagnosed with a disease, meaning that the disease has yet to ‘manifest’ itself as any symptoms. Today, there are several genetic markers linked to disease that could be either prevented or limited with preemptive treatment. If the presence of a genetic marker is considered a ‘manifestation’ of the disease, then neither GINA nor HIPAA actually applies to the information. Not only is genetic discrimination barely covered in modern times – due to the technological and medical advancements we benefit from today – but privacy has been severely jeopardized.
With regards to genetic data, HIPAA only applies to an organization if it is either a ‘covered entity’ or the business associate of one. Many non-covered entities collect genetic information, such as online genetic testing and genealogy companies, like 23andMe and Ancestry.com. At the moment, such businesses are solely self-regulated, although the Food and Drug Administration (FDA) recently announced that 23andMe’s over-the-counter saliva collection kit and Personal Genome Service was being marketed in violation of the Federal Food, Drug and Cosmetic Act.
Obviously, the existing laws that deal with genetic information fall short in several ways. One collective approach to the limits of GINA and HIPAA would be to apply protections to the data itself, rather than making them dependent on who has the data. This helps in the dispersion of ‘covered entities.’
There are many major unaddressed issues concerning genetic information privacy in a world where the accessing and recording of genetic information progresses rapidly. Lawful uses of information based on overly broad authorizations, such as in situations where individuals must sign a release for their health records as a condition of employment or when applying for life insurance or government benefits, is a commonly cited problem. In the context of EHRs, lifetime individual records filled with genetic and medical data can be exposed.
Newborn screening is another avenue by which the issues with a lack of genetic privacy laws arises. All states must screen for at least 21 disorders by federal law. Currently, these tests are limited to diseases and conditions that require childhood intervention. However, if this practice changes, the lack of privacy implications become enormous for children and adults. This also might cause mental turmoil for those aware of their predisposition at birth to suffer from severe illness as an adult.
There is also a growing practice in law enforcement of collecting genetic data from suspects when they are initially arrested and storing that information in a database to use at a later time. The Supreme Court ruled in Maryland v. King that such DNA collection, while subject to the Fourth Amendment does not require a warrant (when there is already probable cause for a valid arrest for a serious offense). While this may seem reasonable – several problems and questions emerge. What constitutes probable cause? At what point is a crime deemed a ‘serious offense’? Could law enforcement organizations then use this data at later times, or purely for the specific purpose of genetic testing? Some believe that this lawful practice could lead to bias based on the genetic predisposition toward crime or antisocial behavior.
Of all the prominent issues with genetic discrimination and privacy, the most notable is consent for disclosure. We are accustomed to understanding consent as an individual right, which makes health information mainly about a specific person. However, genetic information is different. Analysis of an individual’s DNA reveals familial information as well. Genetic information also bears on demographic categorization. Therefore, issues arise when we realize that while DNA is specific to an individual, there are inherited connections between family members and people who grew up in the same areas of the world.
To explain: Say that two individuals are related and one gives consent for their DNA information to be retained in a database. Currently, the second related individual is not considered in this consent. However, certain elements of their genetic data are nonetheless going to be contained in this database by proxy. There have been cases of individuals getting arrested for a crime based off of genetic data from their relatives on genealogy company websites – the most famous being the arrest of the Golden State Killer. The police are able to follow the DNA breadcrumbs to arrest criminals. While this may appear to be solely positive, since the criminals were apprehended, the privacy of the criminal and their relatives was nonetheless encroached upon. If an insurance company were to commit the same act, rates could skyrocket for individuals with relatives that have genetic diseases.
There also arises inquiries surrounding informing at-risk relatives, genetic exceptionalism, and commercial transactions. The areas in which genetic information invades grows daily with the constantly changing scientific world. So far, the U.S. has made few attempts to catch up to this growth. And, as a result, has fallen drastically behind in the legislative protection of its citizens’ privacy. State laws do differ on genetic information safety, however, the results are abysmal. Several states do not require individual consent to obtain, retain, or disclose genetic information – a clear breach of personal privacy.
A balance must be struck that maximizes scientific exploration and the protection of privacy. Unfortunately, in the United States, research was chosen over privacy. This is evidenced by the U.S.’s lack of any reliable genetic privacy laws. While the NIH Genome Data Sharing Policy sets guidelines on how to protect participant privacy – that does not mean they are always successful, nor does it mean that every genomic organization has a similar policy. The current in-between state that we live in is a grand national experiment that could potentially be devastating to the conception of ‘privacy’ that most citizens hold. The United States requires some form of genetic privacy laws to resolve this issue.
