Journal of Law and the Biosciences, 1–36 doi:10.1093/jlb/lsz007 Advance Access Publication 14 May 2019 Original Article

The law of genetic privacy: applications, implications, and limitations

Ellen Wright Clayton1, Barbara J. Evans2, James W. Hazel3

and Mark A. Rothstein4,∗

1. Craig-Weaver Professor of Pediatrics, Center for Biomedical Ethics and Society, Vanderbilt University Medical Center, Nashville, TN 37203, USA

2. Mary Ann and Lawrence E. Faust Professor of Law; Professor of Electrical and Computer Engineering; Director, Center for Biotechnology & Law, University of Houston, Houston, TX 77004, USA

3. Postdoctoral Fellow, Center for Genetic Privacy and Identity in Community Settings, Vanderbilt University Medical Center, Nashville, TN 37203, USA

4. Herbert F. Boehl Chair of Law and Medicine, Director, Institute for Bioethics, Health Policy & Law, University of Louisville School of Medicine, Louisville, KY 40202, USA

∗Corresponding author. E-mail: mark.rothstein@louisville.edu

ABSTRACT Recent advances in technology have significantly improved the accuracy of genetic testing and analysis, and substantially reduced its cost, resulting in a dramaticincreaseintheamountofgeneticinformationgenerated,analysed, shared, and stored by diverse individuals and entities. Given the diversity of actors and their interests, coupled with the wide variety of ways genetic data are held, it has been difficult to develop broadly applicable legal principles for genetic privacy. This article examines the current landscape of genetic privacy to identify the roles that the law does or should play, with a focus on federal statutes and regulations, including the Health Insurance Portabil- ity and Accountability Act (HIPAA) and the Genetic Information Nondis- crimination Act (GINA). After considering the many contexts in which is- sues of genetic privacy arise, the article concludes that few, if any, applicable legal doctrines or enactments provide adequate protection or meaningful control to individuals over disclosures that may affect them. The article de- scribes why it may be time to shift attention from attempting to control ac- cess to genetic information to considering the more challenging question of howthesedatacanbeusedandunderwhatconditions,explicitlyaddressing trade-offs between individual and social goods in numerous applications.

K E Y W O R D S: DNA, genetics, genomics, GINA, HIPAA, privacy

C© TheAuthor(s)2019.PublishedbyOxfordUniversityPressonbehalfofDukeUniversitySchoolofLaw,Harvard Law School, Oxford University Press, and Stanford Law School. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly cited

D ow

nloaded from https://academ

ic.oup.com /jlb/article-abstract/6/1/1/5489401 by 81695661, O

U P

on 29 O ctober 2019

2 � The law of genetic privacy

I. INTRODUCTION People often view genetic information about themselves as private. Each person’s genome, or full complement of DNA, is unique,1 but the specific variants within an individual’s genome may be widely shared with biological relatives or even across the entire human population. This mixed character of the genome—as a uniquely indi- vidual assemblage of widely shared common elements—imbues it with a dual pri- vate and public significance that confounds any discussion of policy addressing genetic privacy.

On one hand, DNA has been conceptualized as a unique identifier2 and a person’s book of life,3 which provides insights into many aspects of the person’s future, although perhaps not as much as many people might think. This conceptualization leads many people to want to control who has access to genetic information about them and drives calls for strong privacy protection or even personal genetic data ownership. On the other hand, genetic data are not limited to one individual, with information about one person revealing information about the person’s close and distant biological relatives. Only by studying genetic information from many people can the significance of the in- dividual’s variants be discerned. The importance of understanding the causes of health and disease has led some to argue that people have some obligation to share data about themselves for low-risk research.4 This public nature and value of the genome makes it difficult to decide what level of control individuals should have and how to provide appropriate privacy protections.

At the same time, the very concept of ‘privacy’ has evolved in recent decades and a new model of privacy has gained ground. The traditional view of privacy as secrecy or concealment—as a ‘right to be let alone’5—has grown increasingly strained in the Information Age. The Internet and ubiquitous communication technologies facilitate broad sharing of information, including highly personal information, often without the individual’s knowledge or consent.6 A new theorization of privacy has emerged, in which concealing one’s secrets ‘is less relevant than being in control of the dis- tribution and use by others’7 of the data people generate in the course of seeking healthcare, conducting consumer transactions, and going about their lives. ‘The leading paradigm on the Internet and in the “real,”’ or off-line world, conceives of privacy as a

1 Even the genomes of monozygotic (‘identical’) twins often differ in some ways. See, eg F. Nipa Haque, Irving I. Gottesman & Albert H.C. Wong, Not Really Identical: Epigenetic Differences in Monozygotic Twins and Implications for Twin Studies in Psychiatry, 151C AM. J. MED. GENETICS PART C SEMIN. MED. GENETICS 136 (2009).

2 Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay,andAmbiguityforInvestigators,76Fed.Reg.143(proposedJuly26,2011)(tobecodifiedat45C.F.R. pts. 46, 160, 164; 21 C.F.R. pts. 50, 56).

3 FRANCISS.COLLINS,THELANGUAGE OF LIFE:DNAAND THEREVOLUTION INPERSONALIZEDMEDICINE (2010). 4 Ruth R. Faden et al., An Ethics Framework for a Learning Healthcare System: A Departure from Traditional

Research Ethics and Clinical Ethics, 43 HASTINGS CTR. REP. S16, S23 (2013). 5 Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193, 193 (1890). 6 Vera Bergelson, It’s Personal but Is It Mine? Toward Property Rights in Personal Information, 37 U.C. DAVIS L.

REV.379,401–2(2003);DanielJ.Solove,ConceptualizingPrivacy,90CALIF.L.REV.1087,1092–1126(2002). 7 Bergelson, supra note 6, at 401 [quoting RAYMOND T. NIMMER, THE LAW OF COMPUTER TECHNOLOGY ¶

16.02, at 16-5 (2001)].

D ow

nloaded from https://academ

ic.oup.com /jlb/article-abstract/6/1/1/5489401 by 81695661, O

U P

on 29 O ctober 2019

The law of genetic privacy � 3

personalrighttocontroltheuseofone’sdata’,8 includingenjoyingaccessandusingitby oneself.9

Deciding how much control people should have over access to and use of genetic data about themselves has taken on increased urgency in recent years. Until recently, there simply was less genetic information to worry about, because a person’s genetic makeup could be inferred only by studying his or her phenotypic characteristics and family history. It was possible, for example, to tell something about people’s eye color genes by looking at their eyes, but not whether they had a gene variant that modestly elevated their cholesterol level or whether they were at increased risk of developing a common complex disorder.

Dramatic advances in technology has now made it possible to examine DNA directly with increasing accuracy and decreasing cost, thereby contributing to the dramatic growth in genome-based approaches, such as exome- or genome-based sequencing, which can provide dramatically more information than single-gene tests. These genomic tests have already proven valuable in diagnosing disorders whose etiol- ogy is unknown, as can be the case for some children with developmental disability or critical illness as neonates.10 There is also growing interest in using genome-scale tests to answer narrower clinical questions on the ground that these approaches are more efficient than testing a more limited number of genes.11 But moving to genome-based technologieshasconsequencesforanindividual’sprivacybecausehavinggenomicdata makes it possible to examine all the genetic variants regardless of the original reason for testing.

As this technology and our understanding of genomics have improved, a growing number of individuals and entities seek access to individual genetic information. For example, millions of people have pursued testing to learn about their ancestry and to identify previously unknown relatives, endeavors that require access to the informa- tion of others as well as their own. In addition, clinicians might seek the data to refine a patient’sdiagnosisorcare.Biomedicalresearchersmightwanttoexaminegeneticinfor- mation to understand the ways that genetic variation contributes to health and disease. Life insurers might want to use this information for underwriting. Parties in toxic tort cases might try to use this information to establish or rebut causation. Law enforce- ment might want to use the information to identify victims of mass attacks or criminal suspects.

Numerous studies show that many people are more comfortable sharing their ge- netic data with physicians and researchers in the institution where they seek care than

8 Paul M. Schwartz, Internet Privacy and the State, 32 CONN. L. REV. 815, 820 (2000). 9 See, eg U.S. Dep’t of Health and Human Servs., Standards for Privacy of Individually Identifiable Health Infor-

mation, 65 FED. REG. 82,462, 82,606 (Dec. 28, 2000) (noting, in the preamble to the original HIPAA Privacy Rule, that various industry and standard-setting organizations have recognized the need for individual access, stating that, ‘Patients’ confidence in the protection of their information requires that they have the means to know what is contained in their records’).

10 Laurie D. Smith, Laurel K. Willig & Stephen F. Kingsmore, Whole-Exome Sequencing and Whole-Genome Se- quencing in Critically Ill Neonates Suspected to Have Single-Gene Disorders, 6 COLD SPRING HARBOR PERSP.MED. 2 (2016).

11 Jonathan S. Berg, Muin J. Khoury & James P. Evans, Deploying Whole Genome Sequencing in Clinical Practice and Public Health: Meeting the Challenge One Bin at a Time, 13 GENETICS MED. 499 (2011)

D ow

nloaded from https://academ

ic.oup.com /jlb/article-abstract/6/1/1/5489401 by 81695661, O

U P

on 29 O ctober 2019

4 � The law of genetic privacy

with the government or commercial entities.12 People also vary widely in how much they are concerned about genetic privacy13 and privacy in general.14

Given the diversity of actors and their interests, the increasing power of genetic technologies, and the wide variety of ways these data are held, it is difficult to develop broadlyapplicablelegalprinciplesforgeneticprivacy.Ashasbeentruesincetheearliest debates about genetic privacy, which began decades ago,15 public policy often involves balancing the rights of individuals to maintain the privacy of their genetic information with the rights of other individuals and the public to access the information. The trade- offs often implicate both personal and societal interests, which vary depending on the context. Whether the state can conduct newborn screening for genetic disorders raises different questions from whether an insurer can use genetic information for underwrit- ing health, life, disability, or long-term care insurance, each of which presents its own challenges. In addition, the wide variety of actors and locations are subject to different regulatory schemes.

This article examines the landscape of genetic privacy to identify the roles the law does or should play. Because of the complexity of genetic privacy law, it is infeasible to address all of the issues in a single article. Consequently, the article does not address in detail genetic privacy in reproductive genetic testing,16 human subjects research in- volving genetics, state statutes and regulations pertaining to genetic privacy, and com- mon law actions for invasion of privacy. The article’s primary focus is on federal statutes and regulations. After considering the many contexts in which issues of genetic privacy arise, thearticleconcludesthatfew,ifany,applicablelegaldoctrinesorenactmentspro- vide adequate protection. For simplicity, and to acknowledge the deep roots of these debates, the article refers to ‘genetic’ privacy, but it clearly contemplates and gives spe- cial attention to the implications of the expanding role of genomics and associated technologies.

II. CONCEPTIONS OF GENETIC PRIVACY

II.A. Dimensions of Genetic Privacy In order to understand genetic privacy, it is necessary first to delve into the complex concept of privacy.17 Privacy is a state of limited access to an individual or information

12 Nanibaa’A. Garrison et al., A Systematic Literature Review of Individuals’ Perspectives on Broad Consent and Data Sharing in the United States, 18 GENETICS MED. 663, 668–9 (2016); C. Sanderson et al., Public Attitudes Toward Consent and Data Sharing in Biobank Research: A Large Multi-site Experimental Survey in the US, 100 AM. J. HUM. GENETICS 414, 421 (2017).

13 Ellen W. Clayton et al., A Systematic Literature Review of Individuals’ Perspectives on Privacy and Genetic In- formation in the United States, PLOS ONE, https://doi.org/10.1371/journal.pone.0204417 (2018); Stacey Pereira et al., Do Privacy and Security Regulations Need a Status Update? Perspectives from an Intergenerational Study, PLOS ONE, https://doi.org/10.1371/journal.pone.0184525 (2017).

14 Mary Madden, Public Perceptions of Privacy and Security in the Post-Snowden Era, PEW RES. CTR., http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/ (2014).

15 PHILIP REILLY, GENETICS, LAW, AND SOCIAL POLICY (1977); GENETIC SECRETS: PROTECTING PRIVACY AND CONFIDENTIALITY IN THE GENOMIC ERA (Mark A. Rothstein ed., 1997).

16 For recent discussions, see Josephine Johnston, Ruth M.Farrell & Eric Parens, Supporting Women’s Autonomy in Prenatal Testing, 377 NEW ENG. J. MED. 505 (2017); Ruth M. Farrell & Megan A. Allyse, Key Ethical Issues in Prenatal Genetics, 45 OBSTET. & GYNECOL. CLIN. 127 (2017).

17 Many other countries, especially those in the European Union, use the term ‘data protection’ as an omnibus concept that includes privacy, confidentiality, security, and other elements. These concepts are at the heart of

D ow

nloaded from https://academ

ic.oup.com /jlb/article-abstract/6/1/1/5489401 by 81695661, O

U P

on 29 O ctober 2019

The law of genetic privacy � 5

about an individual.18 The right to privacy refers to the ethical and legal principles that recognize the importance of limited access to an individual or information about an individual.

Anita Allen has proposed four categories of privacy applicable to what she terms ‘the ambiguous concept’ of genetic privacy.

When used to label issues that arise in contemporary bioethics and public policy, ‘privacy’ generally refers to one of four categories of concern. They are: (1) informational privacy concerns about access to personal information; (2) physical privacy concerns about ac- cess to persons and personal spaces; (3) decisional privacy concerns about governmental andotherthird-partyinterferencewithpersonalchoices;and(4)proprietaryprivacycon- cerns about the appropriation and ownership of interests in human personality.19

Informationalprivacyisaparticularlyimportantdimensionofgeneticprivacy,andit is the primary focus of this article. From the huge dataset that is every human’s genome to family pedigrees and genetic test results, genetics is closely associated with informa- tion.Genomicsandrelatedanalyticalapproaches—suchasproteomics,metabolomics, transcriptomics, and epigenomics—greatly increase the amount of potential gene- associated information about individuals. Often, genetic information is sensitive be- cause it has implications for the current and future health of individuals and their family members. The information may also have major social and economic consequences.20

Three other significant concepts within the realm of privacy and genetic privacy are confidentiality, security, and anonymity.21 Confidentiality describes a situation in which information is disclosed within a trusting relationship (eg physician–patient) on the express or implied agreement that it will not be divulged to a third party without the permissionofthesourceoftheinformation.22 Confidentiality,applicabletothenondis- closureofgeneticinformation,23 isafoundationalprincipleintheethicalcodesofmany health professions and a key element of a wide range of laws. The duty to protect confi- dentiality is not absolute; however, and in certain circumstances recognized by law or

the European Union’s General Data Protection Regulation, which took effect in 2018. General Data Protec- tion Regulation, 2018 O.J. (L 127), https://gdpr-info.eu (accessed Apr. 15, 2019). See generally Edward S. Dove, The EU General Data Protection Regulation: Implications for International Scientific Research in the Digital Era, 46 J.L. MED. & ETHICS, 1013−30 (2018).

18 ‘Physical and informational privacy practices serve to limit observation and disclosure deemed inimical to well-being’. Anita L. Allen, Privacy in Health Care, in 4 ENCYCLOPEDIA OF BIOETHICS 2067 (Warren Thomas Reich ed., 1995).

19 Anita L. Allen, Genetic Privacy: Emerging Concepts and Values, in GENETIC SECRETS: PROTECTING PRIVACY AND CONFIDENTIALITY IN THE GENETIC ERA 31, 33 (Mark A. Rothstein ed., 1997).

20 See infra Section V. 21 SeeBarthaMariaKnoppers&MadelaineSaginur,TheBabelofGeneticDataTerminology,23NATUREBIOTECH.

925, 925 (2005) (discussing the numerous terms used to describe measures to protect genetic information). 22 ‘Confidentialityconcernsthecommunicationofprivateandpersonalinformationfromonepersontoanother

where it is expected that the recipient of the information, such as a health professional, will not ordinarily dis- close the confidential information to third persons’. William J. Winslade, Confidentiality, in 1 ENCYCLOPEDIA OF BIOETHICS at 452 (Warren Thomas Reich ed., 1995). See also Mark A. Rothstein, Confidentiality, in MEDI- CAL ETHICS:ANALYSIS OF THE ISSUES RAISED BY THE CODES,OPINIONS, AND STATEMENTS 171(Baruch A. Brody et al. eds., 2001).

23 For a further discussion, see infra Section III.

D ow

nloaded from https://academ

ic.oup.com /jlb/article-abstract/6/1/1/5489401 by 81695661, O

U P

on 29 O ctober 2019

6 � The law of genetic privacy

ethical codes, other interests may be paramount, such as the safety and health of third parties.24

Security, in the informational sense, is an increasingly important concept in the digi- talage.Itreferstoaconditioninwhichindividualsorentitieswithappropriateauthority to access certain information are granted access to it, but those without such author- ity are denied access. Security can be protected by various means, such as by training employees,adoptingadministrativeproceduresforhandlingsensitiveinformation,and implementing technical access controls, including passwords and encryption.25

Anonymity is a form of privacy protection in which the identity of the source of cer- tain health information is not obtained or is removed by researchers or other custodi- ans of the information. Anonymization, deidentification, and similar measures are fre- quently applied to genetic information in an effort to protect individual privacy while retaining the scientific value of the information. The use of anonymized genetic infor- mation raises two main concerns. First, technical methods may not be completely ef- fective in preventing the reidentification of genetic information.26 Second, there is a plausible argument that individuals’ interest in autonomy should afford them the op- portunity to learn about and to control the use of even their anonymized health infor- mation or biospecimens.27

No matter how people choose to define ‘privacy’, there is a widespread sentiment among legal and ethics scholars that existing privacy laws do not provide as much pri- vacy as many people expect or erroneously believe they have.28 US federal privacy laws datingbacktotheearly1970sstrikeabalancethatgrantspeoplesomecontrolovertheir data (through informed consent rights) while also allowing at least some unconsented collection and use of people’s data (including their genetic information) for various purposes that lawmakers consider socially beneficial.29 The ‘individual control’ these laws provide is thus incomplete. In the 1970s, Congress commissioned a Privacy Pro- tection Study Commission (PPSC) to recommend appropriate privacy protections for

24 For example, laws requiring the reporting of infectious diseases or suspected cases of child abuse to appropri- ate governmental agencies override confidentiality.

25 See 45 C.F.R. pt. 164 (2018) (security and privacy provision of the HIPAA Privacy Rule). See generally Sharona Hoffman & Andy Podgurski, In Sickness, Health and Cyberspace: Protecting the Security of Electronic Private Health Information, 48 B.C. L. REV. 331 (2007); Nicolas P. Terry & Leslie P. Francis, Ensuring the Privacy and Confidentiality of Electronic Health Records, 2007 U. ILL. L. REV 681 (2007).

26 See Ellen Wright Clayton & Bradley Malin, Assessing Risks to Privacy in Biospecimen Research, in SPECIMEN SCIENCE:ETHICSANDPOLICYIMPLICATIONS143(HollyFernandezLynchetal.eds.,2017);SaraReneeSavage, Characterizing the Risks and Harms of Linking Genetic Information to Individuals, 15IEEESECURITY &PRIVACY 14, 16 (2017). For a further discussion, see Part VI-A.