Direct-to-consumer testing companies’ privacy policies leave many consumers unaware their genetic information may be shared with third parties
Clinical laboratories and anatomic pathologists that perform genetics testing know they are responsible for protecting their patients’ privacy and securing the test results data. However, when it comes to direct-to-consumer (DTC) testing companies, patient privacy is not so clearly defined. This leaves some patients vulnerable when their health data gets loose on the Internet.
One example involves a Bloomberg reporter who attempted to erase her genetic footprint online and found it to be very difficult to accomplish completely. She published her results in “Deleting Your Online DNA Data Is Brutally Difficult.”
The Bloomberg report provides medical laboratory managers and owners with another example of the importance of staying current with federal and state laws governing the privacy of patients’ protected health information (PHI).
Erasing Genetic Data Footprint ‘Not So Easy,’ Notes Bloomberg Reporter
In her article, Bloomberg health reporter Kristen V. Brown detailed her attempt to delete her genetic information from the websites and databanks of nearly a dozen genetic testing companies where she had shared it while writing articles for various publications. They included:
- 23andMe; and,
In an article for Bloomberg, Future of Health reporter Kristen V. Brown (above) said, “Recently, I started feeling uneasy about how freely my DNA data flowed. So, I decided to try to erase my DNA data footprint from all the websites and databases and laboratories in which it was stored. It turns out that isn’t so easy.” (Photo copyright: Cayce Clifford/Bloomberg.)
Privacy Policies of DTC Genetics Companies ‘Well Short of Ideal’
Interest in direct-to-consumer genetic testing is booming, with dozens of companies offering tests ranging from helping consumers understand their genetic information and ancestral background to receiving wine recommendations tailored to taste preferences and DNA data. Healthcare market research firm Kalorama Information estimates the market for such testing will reach $310 million by 2022.
DTC customers sign agreements allowing genetics testing companies to use their DNA data for selected services. However, “informed consent” must be given for companies to use consumer data for third-party research projects, whether academic or commercial. These consent agreements typically also address the risk of data becoming public as the result of a security breach.
However, for research published in Cornell Journal of Law and Public Policy, James Hazel, PhD, JD, a Post-Doctoral Fellow at Vanderbilt University Medical Center, and Christopher Slobogin, Milton Underwood Professor of Law at Vanderbilt University, surveyed the privacy policies of 90 U.S. direct-to-consumer genetic-testing companies. They concluded most of the privacy policies “fall well short of ideal.”
“The language in their policies permits selling or sharing information with third parties in many cases. That could be, in theory, anyone,” Hazel told Bloomberg.
Hazel explained that because DNA information gets shared anonymously with third parties, it typically is not possible to purge information from all the secondary companies or research institutions that have received the data.
“They’ve already bundled it with other users’ data and stripped it of your name and aggregated it, and either sold it or shared it with other third parties,” he told Bloomberg.
CLIA Requirements and Stored DNA Data
Brown discovered that not only was deleting her data difficult, having her samples destroyed was next to impossible because she had consented for her information to be shared with other companies.
She was able to delete her Ancestry.com information with just a click, but a required phone call to have her sample destroyed ended in the request still being “in process” a week later. Because she had agreed to share information from the DNA sample she provided to 23andMe, the company told Brown they were unable to fully delete her data due to federal and state regulations.
“The federal Clinical Laboratory Improvement Amendments (CLIA) of 1988 and California laboratory regulations require the lab store your de-identified genotyping test results and to keep a minimal amount of test result or analysis information,” 23andMe stated. “Our laboratory will retain your genetic information and a randomized identifier on their secure servers for a limited period of time—10 years pursuant to CLIA regulations.”
Of the companies Brown contacted, only one told her it could delete her information entirely, leaving Brown to conclude that once DTC customers share their DNA information, it no longer belongs to just them.
“When you delete your DNA information, you are mainly hiding your information from yourself,” she wrote in Bloomberg.
Lawmakers Get Involved
Dark Daily has covered issues related to DTC genetic testing and clinical laboratories in many e-briefings. Now, lawmakers are responding to growing pressure from consumers demanding DTC genealogy and genetic testing companies identify and resolve privacy and security issues.
“Much more often than not, Congress acts after the horse is out of the barn,” U.S. Rep. Dave Loebsack of Iowa told STAT. “I want to try to partner with genetic testing services to address any potential challenges before there are actually breaches of trust.”
And last year, U.S. Senator Charles Schumer of New York called on the Federal Trade Commission to investigate genetic testing companies’ privacy policies and standards for sharing consumer DNA information.
“When it comes to protecting consumers’ privacy from at-home DNA test kit services, the federal government is behind,” Schumer said in a statement. “Besides, putting your most personal genetic information in the hands of third parties for their exclusive use raises a lot of concerns, from the potential for discrimination by employers all the way to health insurance.”
As the spotlight increases on DTC genetic testing companies’ use of their customers’ DNA data, medical laboratories and anatomic pathology practices should prepare to answer patients’ requests for information on policies that protect their privacy and data, and the state and federal regulations restricting sharing of information.
—Andrea Downing Peck