Privacy Problems in the Genetic Testing Industry

Experts debate oversight of direct-to-consumer genetic tests and access to genetic information.

Twenty years ago, health care providers conducted genetic testing for therapeutic purposes. Now, the public has access to direct-to-consumer (DTC) genetic testing that can help determine both health and non-health-related information.

Consumers order and self-administer DTC genetic tests, and commercial companies—not health care providers—process them afterward. Companies such as 23andMe, Color Genomics, and AncestryDNA sell genetic tests that determine the test taker’s ancestry, screen for certain health risks, and provide information on lifestyle factors such as nutritional needs, skincare, or sleep habits.

Though DTC tests expand consumers’ access to their genetic information, some experts worry that in the absence of guidance from qualified health care providers, information from these tests may cause confusion and do more harm than good among consumers. Others argue, however, that DTC genetic testing empowers individuals by giving them access to more information about themselves.

The DTC genetic testing industry has grown quickly, in part, because it exists in a regulatory vacuum. DTC genetic tests that do not provide health information are not considered medical devices by the U.S. Food and Drug Administration (FDA), so they are not examined prior to entering the market. FDA tends to review DTC tests that are used for “high risk medical purposes,” such as tests for a person’s genetic risk of diseases or conditions. To date, FDA has authorized only four high-risk medical DTC tests for marketing. This lack of regulation for non-medical DTC tests has contributed to wide variation in the accuracy of DTC testing and analysis.

The rise of genetic testing has also raised genetic data privacy concerns. In the absence of more comprehensive state or federal regulations, DTC genetic testing companies enjoy significant autonomy to decide how to collect, store, and share consumer data.

This week’s Saturday Seminar focuses on the regulation—or lack thereof—of DTC genetic testing.

  • Henry T. Greely of Stanford Law School predicts that in 10 to 20 years, genetic testing will be routine in the medical field, potentially threatening the future viability of DTC genetic testing companies. He explains that if health care providers routinely conduct genetic testing on patients, the market for DTC tests might shrink or disappear. Greely examines “how much effort” the regulatory community should devote to the issue when the field may become moot in the future. He argues that regulation of DTC genetic testing companies should be flexible enough to respond to “changing realities.”
  • The Federal Policy for the Protection of Human Subjects—or the Common Rule—governs human subjects research. In 2017, revisions to the Common Rule increased protections for individuals whose genetic data becomes part of a dataset used in medical research even if DTC genetic testing companies collected the genetic data. The revised Common Rule insufficiently protects the privacy of DTC genetic testing users, argue Valerie Gutmann Koch of the University of Houston Law Center and Kelly Todd of Duke University School of Law in an article in the Houston Law Review. Koch and Todd suggest that the revised Common Rule “does little to impose additional informed consent requirements for research conducted by direct-to-consumer genetic testing companies,” and does not provide adequate guidance to DTC genetic testing companies concerning informed consent.
  • 23andMe and Ancestry fail to protect consumers’ privacy adequately, conclude Samual A. Garner and Jiyeon Kim of The Cordell Institute. In an article in the Washington University Law Review, they explain that DTC genetic testing companies fall outside the scope of the Health Insurance Portability and Accountability Act (HIPAA), the main privacy law for health information. Without adequate regulation and oversight of the industry, Garner and Kim argue that the privacy policies of 23andMe and Ancestry do not fully inform consumers about the risks of giving their genetic information to DTC genetic testing companies. Some of these risks include inaccurate or unwanted health information reports, data breaches, and misuse of data. They recommend increasing Federal Trade Commission (FTC) oversight and implementing comprehensive data privacy laws that govern genetic information.
  • No significant regulations govern law enforcement’s access to genetic samples. Law enforcement has relied on government databases of DNA evidence to identify suspects for decades. Meanwhile, the rise of DTC genetic testing has increased the amount of genetic information that the government may access through third parties. In a recent paper in the Duke Law Journal, Christopher Slobogin and James Hazel of Vanderbilt University argue that the Fourth Amendment of the U.S. Constitution should protect genetic information held in medical records, private organizations, or public databases from government access. Without Fourth Amendment protection and subsequent regulation of genetic information, the protection of individuals’ right to privacy is incomplete, Slobogin and Hazel claim.
  • The rise of DTC genetic testing companies has created a market for third parties that interpret genetic data for consumers. These genetic interpretation services—such as “matching users to genetic relatives, selling customized diet and fitness plans, and providing health risk assessments”—are largely unregulated and raise privacy and safety concerns, Baylor College of Medicine’s Christi Guerrini and her coauthors argue in a Genetics in Medicine article. Guerrini and her team analyze how four federal agencies—the Centers for Medicare and Medicaid Services, the U.S. Department of Health and Human Services’ Office for Civil Rights, FDA, and the FTC—could provide regulatory oversight of these novel third-party genetic interpretation services. Since the full scope of risks associated with DTC genetic testing is still unknown, the authors recommend allowing existing agencies to regulate the market instead of developing a new, specialized agency.
  • DTC genetic testing can provide individuals with information about their health risks, which some experts worry will be used by insurance companies to set premiums. DTC genetic testing creates the possibility for insurance discrimination that could deter Americans from participating in medical research, Jean-Christophe Bélisle Pipon, Effy Vayena, Robert C. Green, and Glenn Cohen warn in Nature Medicine. They compare the Genetic Information Nondiscrimination Act of 2008 with genetic nondiscrimination legislation of five other countries with varying health insurance models. The authors conclude that the United States should form an agreement between the insurance industry and federal government to prevent rises in premiums based on genetic information, or ensure that the DTC genetic testing industry addresses these issues and concerns.

The Saturday Seminar is a weekly feature that aims to put into written form the kind of content that would be conveyed in a live seminar involving regulatory experts. Each week, The Regulatory Review publishes a brief overview of a selected regulatory topic and then distills recent research and scholarly writing on that topic.