Scientific breakthroughs and technological advancements have led to the emergence of personalized medicine — a practice based on the use of an individual's genetic profile to guide health care decisions made about the prevention, diagnosis, and treatment of disease.

Genomic DNA sequencing, the technology that launched the biomedical revolution, has accelerated rapidly and the costs of sequencing continue to decrease. It took $1 billion and 13 years to sequence the first draft of the human genome.1 In January 2014, Illumina introduced technology that can sequence a human genome for $1,000. 2 Now that the sequencing of human genomes is getting faster and less expensive, the health care industry is coming closer to realizing the promise of personalized medicine.

By integrating gene sequencing and historical treatment from a patient's electronic health record, big data analytics have built upon the advances in genomic sequencing to facilitate research on more effective treatments for diseases, such as cancer. Such efforts, however, offer just one example of the multitude of initiatives by government and industry in the areas of genomic research, clinical decision making, and consumer health tracking with data generated by wearable devices, smartphones and low-cost diagnostic kits, including genetic data. All of these initiatives depend to some degree on the ability of organizations to aggregate, integrate, and use genetic information. They also depend on the permissible uses of genetic information as governed by state and federal privacy laws.

This white paper describes key issues in privacy law related to genetic information3 that should be considered in the use and dissemination of genetic information for secondary uses, including research and other data sharing initiatives.

Federal Privacy Law

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule was amended in 2013 by the Omnibus Final Rule to address genetic information.

The Omnibus Final Rule expressly defines genetic information as health information protected by the HIPAA Privacy Rule. 4 Like other health information, to be protected by HIPAA, genetic information must meet the definition of protected health information (PHI). In other words, it must be individually identifiable and maintained by a covered entity or a business associate. 5 It is important to remember that the HIPAA Privacy Rule only directly applies to persons or entities that are defined as "covered entities," including health plans, health care clearinghouses, and any health care provider that electronically transmits health information in connection with a transaction — such as billing a health plan for reimbursement for services — for which there is a HIPAA standard transaction and code set. Covered providers include physicians, genetic testing laboratories, genetic counselors, and other organizations.

In addition, the Omnibus Final Rule incorporated the ban on use and disclosure of genetic information for underwriting purposes by health plans and insurers, including employer-sponsored health plans, as set forth in the Genetic Information Nondiscrimination Act (GINA). Health plans and insurers are prohibited from using genetic information when determining eligibility and measuring premiums, contributions, cost sharing, or benefits, but, as will be discussed below, disclosures of genetic information may be made consistent with the rules governing PHI generally. 6

In general, the HIPAA Privacy Rule limits the uses and disclosures of PHI (including genetic information) without individual authorization. Concerning the use and disclosure of PHI, there are no special restrictions on the use and disclosure of sensitive information, such as genetic information. All PHI is protected according to essentially the same standards. Covered entities are permitted to use and disclose PHI (with exceptions for psychotherapy notes) for treatment, payment, and health care operations. 7

The Privacy Rule also permits a covered entity to use and disclose PHI for research purposes, 8 without an individual's authorization, under certain conditions. 9 The Omnibus Final Rule expanded the use of PHI for research and harmonized HIPAA with the Common Rule 10 by allowing covered entities to obtain individual authorization for the uses and disclosures of PHI for future research purposes, so long as the authorization adequately describes the future research such that it would be reasonable for the individual to expect that his or her PHI could be used or disclosed for future research purposes. The revised Privacy Rule provides considerable flexibility regarding 1) description of the PHI to be used, and 2) description of the recipients of the PHI (which may be unknown) for the future research. 11

The Privacy Rule provides several key "pathways" that permit use of PHI to create research databases for future research purposes:

  • Pursuant to an Institutional Review Board (IRB) or privacy board waiver of authorization. An IRB operating under a federal-wide assurance or a privacy board that functions under the Privacy Rule may grant a waiver or alteration of written authorization if the proposed use or disclosure will pose minimal risk to participants' privacy, the research could not practicably be conducted without the waiver or alteration of authorization and cannot be conducted using de-identified information, and other specified criteria are met.
  • With authorization from an individual to create the research repository. According to the Department of Health and Human Services (HHS), the development of research repositories and databases for future research purposes is itself a "research activity," thereby requiring authorization or waiver of authorization (discussed just above) to the extent PHI would be involved.
  • Collection and use of a limited data set (which may include geographic information other than street address, all elements of dates and ages, and certain other unique identifying characteristics or codes). A covered entity may release a limited data set if the researcher signs a data use agreement (DUA), which assures the covered entity that the recipient will protect the limited data set and will not make any effort to re-identify individuals using the data set.
  • Collection and use of de-identified data. Under HIPAA, data that is de-identified is not considered PHI and thus is not subject to HIPAA protections. HIPAA provides two methods through which data may be de-identified: 1) the Safe Harbor Method, which requires the removal of identifiers and an absence of actual knowledge that the remaining information could be used to identify the individual, and 2) the Expert Determination Method, which involves a formal determination by a qualified expert. 12

The HIPAA requirement to obtain informed consent for future research uses, intended to harmonize the standard with the Common Rule, is also consistent with the National Institutes of Health (NIH) policy announced in August of 2014 on future research using genomic data. NIH expects scientists to seek informed consent for the genomic data they collect to allow for future research use and broad sharing to the "greatest extent possible," under its final Genomic Data Sharing Policy (GDS policy). The final GDS policy applies to all NIH-funded, large-scale human and non-human projects that generate genomic data, starting with funding applications submitted for a January 25, 2015 receipt date. 13

It is important to note, however, that not all health information or genetic information is subject to the HIPAA Privacy Rule. Among other exceptions, PHI does not include health information maintained in employment records. The Privacy Rule also does not apply to information maintained in certain personal health records (PHR) or information gathered through certain online applications. In general, a PHR is an electronic record of an individual's health information by which the individual controls access to the information and may have the ability to manage, track, and participate in his or her own health care. HHS clarifies that the HIPAA Privacy Rule applies solely to PHRs that are offered by health plans or health care providers that are covered by the HIPAA Privacy Rule, but not to those offered by employers (separate from the employer's group health plan) or by PHR vendors directly to an individual. PHR vendors are governed by the privacy policies of the entity that offers them, and are subject to the jurisdiction of the Federal Trade Commission (FTC). FTC regulations have established health breach reporting obligations and applied these requirements to PHR vendors, PHR-related entities that offer products through the vendor's Web site or access or send information to a PHR (such as Web-based applications that allow patients to upload a reading from a blood pressure pedometer into a PHR), and third-party service providers to vendors of PHRs. The FTC treats a violation of the breach reporting regulation as an unfair or deceptive act or practice. 14

Under the existing legal framework, organizations that are not covered entities have fewer restrictions regarding the research and other secondary uses of data. However, as will be discussed below, because state law generally imposes additional restrictions on genetic information, state law privacy issues are paramount in any consideration of use and sharing of genetic information.

State-Specific Restrictions on the Use and Disclosure of Genetic Information

GENERAL RESTRICTIONS ON THE USE AND DISCLOSURE OF GENETIC INFORMATION

Although data may be shared for treatment, payment, health care operations, and research under HIPAA, the sharing of genetic information may also be subject to state-specific restrictions. Most states have genetic privacy laws, and those laws that are generally more stringent than HIPAA are not preempted. State genetic privacy laws typically require an individual's specific written consent for the collection, retention, use, or disclosure of genetic information about an individual, with certain exceptions (i.e., when the use or disclosure of genetic information is necessary to a criminal investigation, necessary to comply with a court order, or in connection with anonymous medical research). In most cases, the state laws governing use and disclosure of genetic information apply to anyone who handles genetic information, although in some states the law applies only to health care providers and health care facilities.

In all, 35 states have laws that specifically restrict disclosure of genetic information. 15 The vast majority of these states require written consent from the subject of the information prior to the disclosure of genetic information. For example, Massachusetts law prevents health care providers and facilities from identifying the person being tested or disclosing the results of a genetic test to any person other than the subject of the test without first obtaining the informed written consent from the subject, with certain exceptions for confidential research information. 16

In 20 of these states, the restrictions on disclosures without consent apply to any person or to genetic information generally, rather than only to health care providers or insurers. 17 Therefore, not only health care providers, but any entity that obtains genetic information, requires consent for the re-disclosure of such information.

Of these states, 12 also specifically restrict the redisclosure of genetic information without consent. For example, Delaware law restricts the disclosure of genetic information regardless of the manner of receipt or the source of genetic information, including information received from an individual. 18 Therefore, if a PHR vendor receives genetic information from an individual, it is prohibited from re-disclosing such information without the individual's consent.

Finally, some states have specific requirements for the form of the consent or authorization itself. In some states, the specific elements of written "informed consent" are established in the statutes. 19

The consequence of the unlawful disclosure of genetic information varies among the states. Many states impose civil liability, criminal punishment, or both for violation of the applicable statute, and some provide equitable relief for violations of the statute. 20 One statute authorizes monetary penalties up to $250,000, 21 and others authorize jail time for up to one year. 22 Some states adopt a different approach, treating unlawful disclosure as an unfair trade practice. 23

In summary, if an organization operates nationally or across multiple states, consent for the disclosure and/or re-disclosure of genetic information is likely required. Such consent should comply with the most stringent requirements of the applicable states.
