Last week, we shared some of the pros and cons surrounding at-home lab testing, also called direct-to-consumer (DTC) testing. Consumer privacy is a hot topic, with many questioning the efficacy of privacy policies, company transparency, and how individual data is used and stored. Right now, companies write their own privacy policies that consumers agree to when they buy a test. But few laws regulate what companies must do to keep your data private and secure. With few regulations, information can be sold and shared with other companies, used for internal research, and stored for future use per the company’s own guidelines.
Generally speaking, the current Federal protection offered to consumers sets basic guidelines surrounding the claims companies can make, operational and marketing integrity, and lab practices:
- The Food and Drug Administration (FDA) reviews the test kits and medical claims before a commercial in vitro diagnostic (IVD) product can be placed on the market to help ensure safety and efficacy.
- The Centers for Medicare and Medicaid Services (CMS) helps to ensure the quality and accuracy of the laboratories performing these commercial tests and laboratory-developed tests through inspections and oversight of laboratory performance with proficiency testing.
- The Federal Trade Commission (FTC) investigates deceptive marketing practices and false claims.
In August 2020, citing the pandemic and a desire to reduce bureaucracy, the Trump administration made an unexpected move to limit the Food and Drug Administration’s already minimal oversight over DTC lab testing products. This move decreased the opportunity for the government to protect consumer data, and there has yet to be any other regulation established to bridge the gap.
Some current regulations and laws include:
- The Genetic Information Nondiscrimination Act (GINA) prevents employers from discriminating against you on the basis of your genetic information. But it doesn’t say anything about what a third-party DTC genetic testing company can do with the information it collects about you. Also, GINA’s protections apply only if a person is displaying no symptoms of their genetic condition, says Ellen Clayton, a professor of health policy at Vanderbilt University Medical Center in Nashville. If a person becomes symptomatic, GINA’s protections against discrimination no longer apply.
- The Americans With Disabilities Act protects some people with genetic disorders, but generally only if those disorders cause significant limitations to daily life.
- With the Affordable Care Act (ACA), health insurance companies cannot refuse coverage or charge more for coverage based on a preexisting condition, a prohibition that applies to any condition discovered as the result of genetic testing, Clayton says.
- The federal Health Insurance Portability and Accountability Act (HIPAA) applies to the results of genetic tests administered by your doctor or another health-care provider, but it doesn’t apply to direct-to-consumer (DTC) genetic testing companies.
Today, no Federal law directly addresses consumer privacy issues resulting from DTC testing beyond the limited guidelines of the laws listed above. Ultimately, the states determine whether a consumer can order a laboratory test directly, without going through a healthcare provider. Arizona, for example, is one state where consumers can also order labs à la carte. Consumers can coordinate directly with lab companies like Sonora Quest and Labcorp, which have physical lab locations throughout cities, without first having to see a provider (read here to learn why discussing any concerns and results with a provider is so important). But it is important to note that tests through labs like Sonora Quest and Labcorp (just to name two commonly found in Arizona) are protected within the HIPAA framework, while DTC tests are not. Some states, like Utah, Virginia, and California, have also moved to establish legal frameworks to better protect genetic information.
In one 2018 study of DTC genetic testing companies’ privacy policies, Vanderbilt University researchers found that 71% of companies used consumer information internally for purposes other than providing the results to consumers. 62% said they use data for internal research and development, while 78% said they provided genetic information to third parties in de-identified or aggregate forms without additional consumer consent. Many testing firms that generally don’t sell patient information, such as Ambry and Invitae, give it away to public databases. Additionally, there are few laws regulating how consumers’ genetic data should be stored and protected by the companies that collect it, and genetic testing companies have experienced data breaches.
So when breaches occur (and it is when, not if), the data falling into the hands of hackers provides loads of sensitive information. While the data is initially anonymized, it’s relatively easy for them to de-anonymize it. One source shared that new lab techniques can unearth genetic markers tied to specific physical traits, such as eye or hair color. Sleuths can then cross-reference those traits against publicly available demographic data to identify the donors.
Forbes reports that using this process, one MIT scientist was able to identify the people behind five supposedly anonymous genetic samples randomly selected from a public research database. It took him less than a day. Likewise, a Harvard Medical School professor dug up the identities of over 80% of the samples housed in his school’s genetic database. Privacy protections can only go so far, and in many cases prove to only be a company’s “best effort” to protect your data, with no guarantees. Even Linda Avey, a cofounder of 23andMe, has explicitly admitted that “it’s a fallacy to think that genomic data can be fully anonymized.”
If you’ve ever signed up for a service or visited a website, you’ve likely agreed to the terms and conditions of use or agreed to cookie policies without actually sifting through the pages and pages of what that means. For many, the habit of underestimating what that could actually mean has extended to their use of companies that process genetic data and other medical samples. This could ultimately be a serious oversight.
“An individual’s most personal information is still being bought, sold, and traded without clear understanding or consent,” Justin Brookman, Consumer Reports’ director of privacy and technology policy, says. One article on the topic shared what some may consider extreme examples of how people’s information could be used when that use is unregulated:
“Your genetic information could also potentially be used against you in a court case. If you were to seek damages for a work-related injury, for example, a firm might try to use information from your genome to point to other potential causes for your symptoms. Law enforcement agencies have used genetic data to identify criminal suspects through their blood relatives. It’s even conceivable that sensitive information about your family or your health could be used in a blackmail scenario.”
It may sound wild, but as Brookman explains, “[genetic] information could reveal facts about you that you don’t want known. And right now, consumers don’t have many protections against that happening. Privacy should be a right. We’re not allowed to sell away our right to speech or our right to vote.”
These are all factors to consider when deciding whether to use DTC testing kits. The Federal Trade Commission has brought many cases challenging practices related to consumer privacy and data security, including reaching a settlement with a business that sold at-home genetic testing but allegedly failed to provide reasonable security for consumer information. If you believe a company isn’t carrying out its responsibility when it comes to privacy and data, you can report it to the FTC. Seriously consider the trade-off between gaining information about your health via DTC tests and the risks to your privacy. Speak to your provider about whether you can get the same information through labs coordinated through them, or a lab that adheres to Federal privacy laws, to maintain a more secure outcome when it comes to your health and genetic information.