Privacy Concerns Loom as Direct-to-Consumer Genetic Testing Industry Grows

The market for direct-to-consumer (“DTC”) genetic testing has grown dramatically in recent years as more people use at-home DNA tests. The global market for this industry is projected to hit $2.5 billion by 2024.  Many consumers subscribe to DTC genetic testing because these tests can provide insights into genetic backgrounds and ancestry.  However, as more consumers’ genetic data becomes available and is shared, legal experts are growing concerned that safeguards implemented by U.S. companies are not enough to protect consumers from privacy risks.

Some states vary in the manner by which they regulate genetic testing.  According to the National Conference of State Legislatures, the majority of states have “taken steps to safeguard [genetic] information beyond the protections provided for other types of health information.”  Most states generally have restrictions on how certain parties can carry out particular actions without consent.  Rhode Island and Washington require that companies receive written authorization to disclose genetic information.  Alaska, Colorado, Florida, Georgia, and Louisiana have each defined genetic information as “personal property.”  Despite these safeguards, some of these laws still do not adequately address critical privacy and security issues relative to genomic data.

Many testing companies also share and sell genetic data to third parties – albeit in accordance with “take-it-or-leave-it” privacy policies.  This genetic data often contains highly sensitive information about a consumer’s identity and health, such as ancestry, personal traits, and disease propensity.

Further, despite promises made in privacy policies, companies cannot guarantee privacy or data protection.  While a large number of companies only share genetic data when given explicit consent from consumers, other companies have less strict safeguards. In some cases, companies share genetic data on a “de-identified” basis.  However, concerns remain about whether genetic data can be effectively de-identified.  Therefore, even when a company agrees to only share de-identified data, privacy concerns may persist because an emerging consensus is that genetic data cannot truly be de-identified. For instance, some report that the existence of powerful computing algorithms accessible to Big Data analysts makes it very challenging to prevent data from being re-identified.

To complicate matters, patients have historically come to expect their health information will be protected because the Health Insurance Portability and Accountability Act (“HIPAA”) governs most patient information. Given patients’ expectations of privacy under HIPAA, many consumers assume that this information is maintained and stored securely.  Yet, HIPAA does not typically govern the activities of DTC genetic testing companies – leaving consumers to agree to privacy and security protections buried in click-through privacy policies.  To protect patient genetic privacy, the Federal Trade Commission (“FTC”) has recommended that consumers hold off on purchasing a kit until they have scrutinized the company’s website and privacy practices regarding how genomic data is used, stored and disclosed.

Although the regulation of DTC genetic testing companies remains uncertain, it is increasingly evident that consumers expect robust privacy and security controls.  As such, even in the absence of clear privacy or security regulations, DTC genetic testing companies should consider implementing robust privacy and security programs to manage these risks.  Companies should also approach data sharing with caution.  For further guidance, companies in this space may want to review “Privacy Best Practices for Consumer Genetic Testing Services,” issued by the Future of Privacy Forum in July 2018.  Further, the legal and regulatory privacy landscape is rapidly expanding and evolving such that DTC genetic testing companies and the consumers they serve should be watchful of changes to how genetic information may be collected, used and shared over time.

 

©2019 Epstein Becker & Green, P.C. All rights reserved.
This article was written by Brian Hedgeman and Alaap B. Shah from Epstein Becker & Green, P.C.

FDA Issues Final Regulations Easing the Path for Direct-to-Consumer Genetic Testing

New regulations issued on November 7, 2017 by FDA will make it easier for companies to offer certain types of genetic tests directly to consumers, without a health-care provider intermediary.

The first regulation finalizes a new medical device classification for “autosomal recessive carrier screening gene mutation detection systems.”  This regulation essentially codifies the classification already established by FDA in response to a request by 23andMe, and enables other laboratories to offer their DTC tests according to the criteria specified in the classification regulation.  These tests may be offered without the need for FDA premarket review.

Similarly, the second regulation finalizes a new medical device classification for DTC “genetic health risk assessment” (GHR) (i.e., predictive) tests.  The classification specifies the conditions under which these tests may be marketed, and includes the requirement for a 510(k) premarket notification to FDA. However, in a Federal Register Notice, also issued yesterday, FDA proposes to exempt GHR tests from the 510(k) premarket submission requirement after a lab has successfully obtained FDA clearance of its first GHR assay.  Comments on this proposed exemption are being accepted by FDA until January 8.

©2017 Epstein Becker & Green, P.C. All rights reserved.
This post was written by Gail H. Javitt of Epstein Becker & Green, P.C.
For more Health Care legal analysis, go to The National Law Review