The Presidential Commission for the Study of Bioethical Issues (PCSBI) has issued a report on one of the intersections between genetic testing and privacy. The PCSBI was established by President Obama; to date, their only other report focused on the regulatory landscape for synthetic biology (more here). Now, the Commission has published Privacy and Progress in Whole Genome Sequencing, which examines how the increasing availability of whole genome sequencing (WGS, where the full DNA sequence of a genome is obtained) in both clinical and research settings has to be matched with an attention to how such data is used in a manner that protects the privacy of the patient and/or research subject. The report illustrates the legal complexity of privacy in American law generally – a very mixed portfolio of (sectoral) protections. The legal concerns with the widespread introduction of genetic information into science and medicine are several and concern whether an individual has control of when genetic testing occurs, when genetic information can be disclosed, and how genetic information can be used. With respect to genetic information, much of the legal attention has focused on the issue of genetic discrimination, which concerns use, and has not focused on genetic privacy. Most simply, privacy is concerned with disclosure, while discrimination is concerned with misuse. Can the privacy of “genetic information” be protected with existing law? Is a genomic DNA sequence a category of "personally identifiable information" (PII), meriting special protection from unauthorized disclosure? In general, medical information generated during patient care is protected by the Health Insurance Portability and Accountability Act (HIPAA), which makes a provider accountable for maintaining both patient confidentiality and privacy of medical records. But, as the commission notes, it is not clear whether genetic or genomic information is always included in the protected health information that HIPAA addresses. Since 2008, the U.S. has the Genetic Information Nondiscrimination Act (GINA), which protect individuals from discrimination based on the use of their genetic information in employment and health insurance. Notably, it does not extend to the provision of life, long-term care or disability insurance.
The PCSBI report particularly focuses on how genetic information derived in the research setting will be protected from unauthorized disclosure, a project that not only requires the cooperation of researchers and health institutions, but auxiliary participants, such as database managers. Very generally, the U.S. does have norms for the protection of human subjects generally, most notably the Common Rule, which establishes standards to protect human research subjects and is applicable to all federally-funded research. While a patient can rely on HIPAA for some medical privacy, the research subject needs to be protected against the unauthorized disclosure of personally identifiable genetic information outside the medical care setting. One of its most significant recommendations is that no WGS be conducted without the consent of the individual. While that may sound straightforward and sensible, this point is relevant to the uses of surreptitious genetic testing that occur in criminal law, for example, but could be performed in other contexts (e.g., this issue addressed with the pending California bill on genetic privacy, SB 1267, which would “prohibit any person, as defined, from obtaining, analyzing, or disclosing genetic information without the written authorization of the individual to whom the information pertains”). The report notes a very uneven set of protections against unauthorized genetic testing and disclosure across the states. In total, the report calls attention to the wide array of entities that are involved in the processing of genetic information – not only scientific and medical, but third party data handlers – and calls for standardization of informed consent procedures to protect individual choice regarding genetic testing and its disclosure. It asks funders of such research to monitor privacy protections as a part of their review. While the report did focus on the ethical introduction of WGS into wider use, its recommendations are relevant to all types of genetic information and might serve to incorporate privacy safeguards as a routine dimension of genetically-based medical care and research.