In May of 2018, the NIH opened enrollment for the All of Us initiative to collect health profiles of one million Americans (Gellman & Dixon, 2017). The goal of the project is to create a national database of personal records to facilitate medical research with an emphasis upon communities underrepresented in healthcare.  Amongst much other health information, the project includes participants’ genetic data.  The purpose of the genetic data is to drive research on personalized medicine—the practice of identifying which treatments will have the best response by tailoring therapeutic approaches to individual patients(Vogenberg, Isaacson Barash, & Pursel, 2010).  But collecting a million individuals’ genetic data, even for a goal as seemingly universally beneficial as scientific research for personalized medicine, raises serious privacy concerns about the protection of that data.  Neither the All of Us program nor the many companies who also sequence and store individuals’ genetic codes are regulated by existing privacy and medical information laws in the United States.  As the number of individuals whose entire genomes are stored in the cloud steadily grows, we must ask ourselves how we are ensuring the privacy and protection of genetic data.

There is great potential societal benefit from storing and studying individuals’ genetic data.  Large databases of genetic information can allow scientists to identify patterns of illness and susceptibility to more accurately prescribe drugs, discover potential therapeutic targets, or identify genetic risk factors (Facher, 2018).  Beyond the therapeutic benefits, genetic databases can aid law enforcement in correctly identifying criminals, as occurred in the famous Golden State Killer case as well as a double homicide from 1987 in Washington State (Murphy, 2018).  Suspects were identified through their relatives’ DNA which had been stored by commercial DNA companies and were accessible to law enforcement, who then subpoenaed the companies for the identities of the relatives and were able to trace the genealogies back to the suspects.  From an individual point of view, the technology that has made genetic sequencing cheap and accessible has also provided a level of personal investigation previously unimaginable: by sending a sample of saliva to Ancestry.com, individuals can receive their ethnographic histories as well as have the opportunity to connect with previously unknown relatives (Ancestry, n.d.).  A sample to 23andMe can do the same, as well as identify if an individual is a carrier for genetic diseases or risk factors such as BRCA1, a genetic mutation that results in an increased risk of breast cancer (23andMe, n.d.).  Individuals may then decide to see a healthcare professional about their potential cancer risk, whereas they may have been previously unaware without the genetic test.  Taken together, online databases that allow for the storing and analysis of human DNA offer significant private and public benefits.  But as of today, the security of that same DNA is woefully under-regulated.

While the benefits of genetic data are quickly being pursued, the ethical regulation of this information has fallen far behind.  The majority of individual health records are protected under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which requires appropriate safeguards on data, protects individuals’ rights over their information, and penalizes companies in the event of a data breach (Office for Civil Rights, 2015). But HIPAA does not apply to direct-to-consumer genetic testing companies such as 23andMe, nor does it apply to All of Us, because these companies do not act through physicians or healthcare companies and so do not qualify as “covered entities” under the Rule (Laestadius, 2016).  Additionally, there are extremely few laws preventing U.S. law enforcement from accessing public DNA records or subpoenaing companies like 23andMe to search their database; even fewer protections exist for genetic data if national security were at risk (Li & Marks, 2018). Once that genetic data is released, there is limited legal protection on preventing its use for discriminatory purposes: the Genetic Information Nondiscrimination Act of 2008 (GINA) does not protect against genetic discrimination for life, long-term care, or disability insurance plans (Laestadius, 2016).  There is additionally no standing regulation on what happens to that data once a company is shut down or purchased—the Icelandic company DeCODE had approximately half their country’s genetic information stored when it was purchased by Amgen in 2012, which now has access to the data individuals had originally entrusted to a locally-based organization (Li & Marks, 2018).  As genetic sequencing becomes increasingly popular, there remains a legal black hole around the expectations and potential risks for the companies in charge of protecting that data.

But why is the protection of genetic data so critical?  The most immediate concerns are privacy and security because DNA is an unalterable identifier.  If a credit card is lost, the owner can cancel the card and get a new one; there is no such option for an individual’s genetic code.  But without coverage under HIPAA, direct-to-consumer genetic sequencing companies have little incentive—via the threat of penalties in the event of a data breach—to securely protect their data.  At the most underground, hackers could access the data and blackmail individuals with their private health and medical records, and the data would almost certainly be unrecoverable (Chen, 2018).  Less underground but equally devastating could be insurance companies accessing or buying genetic records to evaluate individuals seeking coverage.  By increasing rates for high-risk individuals, insurance companies could privilege healthcare for the extremely wealthy or discourage individuals from receiving genetic testing at all for fear of losing insurance policies, resulting in substandard care (Norrgard, 2008).  Unprotected data could also fall into the hands of corrupt governments.  If at some point a government decided to target one ethnic group and could then easily access the existing genetic records of private companies—as the U.S. government can now—anyone from that group who had ever sequenced their DNA would be immediately identifiable.  The unknown unknowns of what could result from a despotic government or terrorist organization with access to that level of personal information are terrifying to imagine.  

So, who is benefitting from the unregulated nature of genetic data as it stands?  First and foremost, the companies such as 23andMe benefit from limited regulation because they can sell their data in an “anonymized” form to biotech and pharmaceutical companies: in 2019, 23andMe signed a 4-year, $300-million dollar deal with pharmaceutical giant GlaxoSmithKline to analyze 23andMe’s genetic data (Redmore, 2019).  It is debatable if genetic data can ever be truly anonymized (Lee, 2018).  But the federal government is also benefitting because as long as the genetic data goes unregulated, they too have unhindered access in moments of criminal investigations or national security risks. The scientific community benefits as well—the mining of a greater number of records, such as that being undertaken by All of Us, increases the amount of available data and potential for therapeutic discovery.  The only entities who seem to be truly unrepresented in this case are individuals whose genetic data is under-protected, shared with third parties under disputable promises of anonymization, and most likely irrecoverable to the point of making individual control and rights over the information impossible.  

Taking the current status of genetic data privacy into consideration, there is a clear and immediate need for increased regulation of companies that are not covered in HIPAA, as well as significant consideration for limits upon government access to genetic DNA.  As these are two separate and distinct issues, I propose two separate solutions.  For the problem of companies not covered by HIPAA, I suggest expanding the approach taken by California in 2018 to a national level.  California passed the Consumer Privacy Act of 2018, requiring all companies that have some role in processing personal information—including genetic data—to comply with certain specific privacy rights and regulations (Holtzman, 2018).  This is one of the most stringent regulations on personal health data as has been passed and requires that individuals have the ability to delete their personal data from the company’s database.  By expanding these legal requirements to all companies who handle genetic information throughout the country, we hopefully could limit the dissemination and deregulation of genetic data, thereby protecting individual privacy.  

‍

‍

Works Cited

23andMe. (n.d.). Our Health + Ancestry DNA Service. Retrieved March 26, 2019, from https://www.23andme.com/dna-health-ancestry/

Ancestry. (n.d.). DNA Tests for Ethnicity & Genealogy DNA Test. Retrieved March 26, 2019, from https://www.ancestry.com/dna/

Calderon, I. An act to amend Section 56.06 of the Civil Code, relating to personal information, Pub. L. No. 658, Section 56.06 Civil Code (2013).

Chen, A. (2018, June 6). Why a DNA data breach is much worse than a credit card leak.The Verge. Retrieved from https://www.theverge.com/2018/6/6/17435166/myheritage-dna-breach-genetic-privacy-bioethics

Facher, L. (2018, May 1). NIH opens nationwide enrollment for huge precision medicine initiative. Retrieved March 16, 2019, from https://www.statnews.com/2018/05/01/nih-precision-medicine-all-of-us-enrollment/

Gellman, R., & Dixon, P. (2017). Privacy, the Precision Medicine Initiative, & the All of Us Research Program: Will Any Legal Protections Apply?(p. 39). The World Privacy Forum.

Holtzman, D. (2018, November 1). New California Privacy Law Exempts Some Healthcare Organizations. Retrieved March 28, 2019, from https://cynergistek.com/blog/changes-to-new-california-privacy-law-exempts-some-healthcare-organizations/

Laestadius, L. (2016, November 22). Transparency and Direct-to-Consumer Genetic Testing Companies. Retrieved March 26, 2019, from http://blog.petrieflom.law.harvard.edu/2016/11/22/transparency-and-direct-to-consumer-genetic-testing-companies/

Lee, S. W. (2018). Ethical Implications of Clinical Genomic Information, Records Research, and Informed Consent. The Ochsner Journal, 18(3), 196–198. https://doi.org/10.31486/toj.18.0052

Li, T., & Marks, M. (2018, May 20). DNA donors must demand stronger protection for genetic privacy. Retrieved March 16, 2019, from https://www.statnews.com/2018/05/30/dna-donors-genetic-privacy-nih/

Murphy, H. (2018, May 18). Technique Used to Find Golden State Killer Leads to a Suspect in 1987 Murders. The New York Times. Retrieved from https://www.nytimes.com/2018/05/18/science/ancestry-site-arrest-washington.html

Norrgard, K. (2008). Protecting Your Genetic Identity: Federal Privacy Laws | Learn Science at Scitable. Nature Education, 1(1), 21.

Office for Civil Rights. (2015, April 16). The HIPAA Privacy Rule [Text]. Retrieved March 26, 2019, from https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

Redmore, S. (2019, February 13). AI in Healthcare: Data Privacy and Ethics Concerns. Retrieved March 26, 2019, from https://www.lexalytics.com/lexablog/ai-healthcare-data-privacy-issues

Vogenberg, F. R., Isaacson Barash, C., & Pursel, M. (2010). Personalized Medicine. Pharmacy and Therapeutics, 35(10), 560–576.

‍