Genetic Information Databases and Privacy Concerns
Dramatic advances in the science and technology associated with genetic analysis have brought important improvements to the quality of human life. Those same advances, however, create significant legal controversies. As the size and scope of genetic databases continue to expand rapidly, a growing number of legal and regulatory compliance issues emerge.
There are two federal laws which currently provide the core legal requirements affecting collection and use of human genetic information in the United States: the Genetic Information Nondiscrimination Act of 2008 (GINA) and the Health Information Portability and Accountability Act (HIPAA). GINA provides an important, yet limited, set of prohibitions against discrimination based on genetic information. HIPAA, as that legislation was amended in 2013, applies key information privacy and data security obligations to protected genetic information.
GINA prohibits group health insurance programs and Medicare supplemental insurance plans from using personal genetic information to discriminate against specific individuals with regard to health and medical insurance coverage. Significantly however, GINA does not apply to other forms of health and medical insurance coverage, such as life and disability insurance and long-term care coverage. Accordingly, while GINA prevents insurers from using genetic information as a basis for coverage decisions in the context of group health and Medicare supplemental insurance, it does not prevent use of that information with regard to other forms of health and medical insurance coverage decisions.
Title II of GINA addresses use of personal genetic information for employment decisions. Title II prohibits use of an individual’s genetic information in decisions regarding employment, including hiring, termination, promotion, and compensation. GINA claims are handled by the Equal Employment Opportunity Commission.
HIPAA is federal legislation which imposes data security and information privacy requirements on certain forms of personal health and medical information. In 2013, HIPAA was amended to include personal genetic information as “Protected Health Information,” within the scope of HIPAA coverage. Thus the HIPAA data protection and information privacy requirements now apply to personal genetic information. It is important to recognize, however, that the data security and information privacy requirements of HIPAA apply only to the organizations specifically identified as the targets of HIPAA. Those organizations are defined by HIPAA as “covered organizations” and the business associates of those organizations. In general, “covered organizations” are organizations that provide health and medical care services.
An increasing number of organizations now routinely collect, store, distribute, and use personal genetic information. Many of those organizations are commercial enterprises that do not qualify as “covered organizations” within the scope of HIPAA. These organizations include prominent and popular commercial businesses such as 23andMe and Ancestry.com. As these organizations fall outside the current scope of HIPAA coverage, they are not, at present, bound by the data protection and information privacy restrictions for personal genetic information provided by HIPAA. Thus federal privacy law for genetic information is currently incomplete.
In addition to GINA and HIPAA, Executive Order 13145, issued in 2000, provides federal law protection for U.S. government employees with regard to their genetic information. That Executive Order prohibits federal government agencies from obtaining personal genetic information from their employees. It also bars federal agencies from collecting personal genetic information from job applicants.
Some state governments have also enacted legal constraints on collection and use of genetic information. California for example, established its version of the federal GINA legislation, CalGINA. CalGINA provides significantly broader prohibitions against discriminatory use of genetic information than does the federal GINA legislation. CalGINA bars use of personal genetic information to discriminate against individuals in all matters associated with employment, housing, education, mortgage lending, elections, and emergency services.
One of the ongoing issues affecting both GINA and CalGINA is the challenge associated with determining when a genetically-caused disease has “manifest” its presence. Both GINA and CalGINA provide protections for individuals only when a genetically-caused disease has not yet become identifiable in that individual. Under these laws, it is illegal to use genetic information to discriminate against individuals provided that the genetic condition at issue has not yet manifest its presence. If the condition is identifiable through symptoms, the protections under GINA and CalGINA are not available. Advances in genetic testing continue to make it possible at earlier stages to identify genetic “markers” for specific diseases. It is currently unclear to what extent presence of identifiable gene markers constitutes manifestation of a genetically-caused disease. If presence of identifiable gene markers is deemed to be manifestation of a genetically-caused disease, then the scope of protection offered by GINA and CalGINA may be substantially limited.
Genetic databases have substantial criminal law implications, as well. In the case, Maryland v. King, the United States Supreme Court took the position that collection of DNA from individuals who have been arrested is comparable to taking their photograph and fingerprints. The Supreme Court concluded that, although DNA collection from an individual constitutes a search, no specific warrant for that collection is required if there was already probable cause sufficient to justify an arrest. Thus an arrested party can be subject to mandatory DNA sampling without a warrant, in the same way in which that individual can be photographed and fingerprinted.
The Ninth Circuit, in its ruling in the case, Haskell v. Harris, also endorsed widespread collection of DNA from individuals who have been arrested. In that case, a California law requiring collection of DNA samples from all individuals arrested for any felony, even for non-violent felonies, was challenged. The Ninth Circuit determined that the California law was not unconstitutional.
Collection of DNA through law enforcement activities has facilitated development of large-scale genetic databases controlled by federal and state governments in the United States. Government genetic databases in the U.S. also obtain material from sources in addition to law enforcement, collections of DNA from military personnel, for example. Reportedly, the U.S. government’s DNA database is now the largest in the world, containing samples from more than 12 million people.
Expansion of commercial collection of genetic information also raises the issue of the extent to which such collection should be treated as a medical service, for regulatory purposes. The business, 23andMe for example, now offers services that identify potential gene-based health risks directly to individual consumers. In an April 2017 determination, the U.S. Food and Drug Administration approved direct marketing of those genetic risk identification services by 23andMe directly to consumers for a limited number of genetically-based diseases and conditions. The FDA authorized 23andMe to market and provide gene identification services for ten specific diseases and conditions, including Parkinson’s disease, Celiac disease, and late-onset Alzheimer’s disease.
As commercial companies such as 23andMe and Ancestry.com expand the range of their genetic sampling, archiving, and analysis activities, the range of their legal and regulatory compliance obligations will expand substantially. For example, the interaction between 23andMe and the FDA illustrates the regulatory challenges associated with offering genetic-based services to consumers that border on traditional medical diagnostic activities. Additionally, as these commercial enterprises build vast collections of genetic material from numerous individuals, those collections will be increasingly subject to subpoenas and other compulsory legal disclosures, actions which will likely have significant impact on the businesses and individuals involved. Those collections will also likely prove to be attractive targets for criminals and other malicious parties seeking to access collection content illegally.
Advances in the science and technology supporting genetic analysis will continue to expand the range of uses and users associated with personal genetic information. In that highly dynamic environment, expect an increasing number of legislative, regulatory, and judicial actions as the terms associated with access to and use of genetic information evolve. It seems almost certain that the debates and controversies associated with management of personal genetic information will prove to be even more vigorous and challenging than those currently underway with regard to our digital records and communications.
 “Genetic Information Privacy” at www.eff.org/issues/genetic-information-privacy
 HIPAA Definitions at www.law.cornell.edu/cfr/text/45/160.103
 23andMe at www.23andme.com
 Ancestry.com at www.ancestry.com
 Maryland v. King at https://www.law.cornell.edu/supremecourt/text/12-207
 Haskell v. Harris at http://cdn.ca9.uscourts.gov/datastore/general/2014/03/20/10-15152_opinion.pdf