<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Genomics Law Report &#187; Emily Sherlock</title>
	<atom:link href="http://www.genomicslawreport.com/index.php/author/esherlock/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.genomicslawreport.com</link>
	<description>News and analysis from the intersection of genomics, personalized medicine and the law</description>
	<lastBuildDate>Mon, 06 Feb 2012 23:48:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Disclosure of Patients’ Genetic Information Without Their Consent&#8211;Is the “Public Interest” Really a Sufficient Justification?</title>
		<link>http://www.genomicslawreport.com/index.php/2009/11/10/disclosure-of-patients-genetic-information-without-their-consent-is-the-public-interest-really-a-sufficient-justification/</link>
		<comments>http://www.genomicslawreport.com/index.php/2009/11/10/disclosure-of-patients-genetic-information-without-their-consent-is-the-public-interest-really-a-sufficient-justification/#comments</comments>
		<pubDate>Tue, 10 Nov 2009 12:30:11 +0000</pubDate>
		<dc:creator>Emily Sherlock</dc:creator>
				<category><![CDATA[Direct-to-Consumer Services]]></category>
		<category><![CDATA[Genetic Testing/Screening]]></category>
		<category><![CDATA[Genomic Policymaking]]></category>
		<category><![CDATA[Genomic Sequencing]]></category>
		<category><![CDATA[Genomics & Medicine]]></category>
		<category><![CDATA[Genomics & Society]]></category>
		<category><![CDATA[Informed Consent]]></category>
		<category><![CDATA[International Developments]]></category>
		<category><![CDATA[International News]]></category>
		<category><![CDATA[Legal & Regulatory]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Cross-Border Biotech]]></category>
		<category><![CDATA[e-Health Insider]]></category>
		<category><![CDATA[General Medicine Council]]></category>
		<category><![CDATA[GINA]]></category>
		<category><![CDATA[HIPPA]]></category>
		<category><![CDATA[House of Lords]]></category>
		<category><![CDATA[Personal Genome Project]]></category>
		<category><![CDATA[PHG Foundation]]></category>
		<category><![CDATA[Times Online]]></category>
		<category><![CDATA[UK Joint Committee on Medical Genetics]]></category>
		<category><![CDATA[University of Glamorgan]]></category>

		<guid isPermaLink="false">http://www.genomicslawreport.com/?p=1554</guid>
		<description><![CDATA[New guidance issued by the U.K. General Medical Council (GMC) regarding a physician’s ability to disclose to a patient’s relatives the diagnosis of such patient’s genetic illness1 has recently been a hot topic of discussion on several online forums.2 The guidance, which became effective on October 12, 2009 and addresses medical privacy issues in a variety [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-1580 alignleft" style="margin: 1px 3px;" title="Clipboard" src="http://www.genomicslawreport.com/wp-content/uploads/2009/10/Clipboard.jpg" alt="Clipboard" width="202" height="292" />New guidance issued by the <a href="http://www.gmc-uk.org/">U.K. General Medical Council</a> (GMC) regarding a physician’s ability to disclose to a patient’s relatives the diagnosis of such patient’s genetic illness<a href="#footnotes"><sup>1</sup></a> has recently been a hot topic of discussion on several online forums.<a href="#footnotes"><sup>2</sup></a> The <a href="http://www.gmc-uk.org/guidance/ethical_guidance/confidentiality_contents.asp">guidance</a>, which became effective on October 12, 2009 and addresses medical privacy issues in a variety of contexts (not just genetic information sharing), recognizes that the diagnosis of a patient’s genetic illness may indicate the likelihood of the same illness in the patient’s close blood relatives. The GMC suggests that a physician’s first obligation after diagnosing a genetic illness is to explain to the patient the likelihood that close relatives are also at risk and to encourage the patient to discuss his or her illness with relatives. However, should the patient refuse to voluntarily disclose the illness to at risk family members, the physician may disclose such information if disclosure would be “justified in the public interest.” Physicians are instructed to balance their duty to provide care to the patient against their duty to protect others from serious harm.<a href="#footnotes"><sup>3</sup></a></p>
<p><span id="more-1554"></span>Much of the discourse arising in connection with the new GMC guidance stems from a perceived breach of the patient’s right to privacy and an erosion of the ever sacred principle of doctor-patient confidentiality. While these are certainly valid concerns, the idea that certain medical information may be disclosed in the public interest is not a new concept in the U.K. or even the U.S. For example, most states in the U.S. require physicians to report to the local or state board of health cases of certain communicable or infectious diseases. Furthermore, at least six states require physicians to report to the Department of Motor Vehicles the diagnosis of diseases that may impair the patient’s ability to drive.<a href="#footnotes"><sup>4</sup></a>  These statutorily mandated disclosures may be made against the patient’s wishes and without the patient’s authorization.<a href="#footnotes"><sup>5</sup></a></p>
<p>Perhaps the increased concern surrounding the GMC guidance is triggered because the disclosure of <em>genetic</em> information is specifically permitted. While many people can understand the “public interest” justification for disclosing cases of communicable diseases that may spread through the population or illnesses that might make the patient a danger to others on public roadways, maybe they are less willing to place genetic information in this category. One might argue that it is not really the public who benefits when the existence of a patient’s genetic disease is disclosed to his or her at risk relatives; instead, the potential benefit of disclosure reaches only a set of closely related individuals with whom the patient may share genetic traits. This is fundamentally different from laws permitting the disclosure of conditions that may affect the community at large.<a href="#footnotes"><sup>6</sup></a>  Moreover, genetic information is arguably about as personal as medical information gets, and<a href="http://www.dnapolicy.org/resources/GINAPublic_Opinion_Genetic_Information_Discrimination.pdf"> concern over adverse effects should genetic information fall into the wrong hands</a> (pdf) can run high. Accordingly, the “greater good” argument may not be sufficient to justify its disclosure to any third party—even family—without the patient’s consent.</p>
<p>In the U.S., many states have passed legislation aimed at protecting the confidentiality of genetic information specifically. <a href="http://www.mass.gov/legis/laws/mgl/111-70g.htm">Massachusetts</a> prohibits the disclosure of physician records pertaining to any genetic information without the patient’s informed written consent. Likewise, in <a href="http://www.leg.state.nv.us/NRS/NRS-629.html#NRS629Sec171">Nevada</a> it is unlawful to disclose or to compel a person to disclose the identity of a person who was the subject of a genetic test or to disclose the genetic information of such person in a manner allowing identification of such person without his or her informed written consent. <a href="http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&amp;group=00001-01000&amp;file=56.17">California</a> even goes so far as to impose criminal penalties for certain willful or negligent disclosures of the results of a test for a genetic characteristic without the patient’s written authorization.</p>
<p>Actions at both the state and federal levels, including the passage of GINA (discussed below), suggest that the prevailing view amongst U.S. policy- and law-makers appears to be that genetic information deserves heightened forms of protection. Nearly all states that have enacted legislation addressing the disclosure of genetic information, like the several mentioned above, require informed written consent rather than the less stringent authorization required for disclosure of other protected health information.<a href="#footnotes"><sup>7</sup></a>  This fierce protection of the patient’s privacy in his or her genetic information seems a stark contrast to the GMC’s view that doctors should disclose a patient’s genetic illnesses if such disclosure is in the broad public interest. State legislation in the U.S. appears to take the contrary view that an individual’s genetic information belongs solely to the individual, not to the public at large. In fact, at least one state (<a href="http://www.legis.state.ak.us/cgi-bin/folioisa.dll/stattx08/query=18!2E13!2E010/doc/%7B@8252%7D?">Alaska</a>) expressly recognizes in its statute this concept: “[A] DNA sample and the results of a DNA analysis performed on the sample are the exclusive property of the person sampled or analyzed.”</p>
<p>So, why the difference in philosophy between the U.S. and the U.K.? Over at <a href="http://crossborderbiotech.ca/">The Cross-Border Biotech Blog</a>, Jeremy Grushcow has suggested that the difference can be traced to the presence of universal healthcare in the U.K. (“<a href="http://crossborderbiotech.ca/2009/09/30/in-praise-of-universal-coverage-from-a-fan-of-personalized-medicine/">In Praise of Universal Coverage From a Genomics Perspective</a>”). Particularly in the U.S., a major impetus for protecting the confidentiality of genetic information is the fear of discrimination by insurers and others, a fear that was central in producing the passage of GINA last year. According to Grushcow, “universal coverage is the cure,” rendering individuals “(functionally) genomic equals when deciding on healthcare policy” and paving the way for the GMC’s altruistic, societal approach to the disclosure of medical information, including genetic test results. Universal healthcare coverage protects the patient from the risk of losing his or her health insurance or being forced to bear a higher cost of insurance and therefore, Grushcow contends, allows the patient, and others through the sharing of results, to benefit from the information obtained from genetic testing. Grushcow concludes: “if the U.S. moves into the genomic era without universal coverage, it will exacerbate existing inequalities and create new ones we haven’t even imagined.”</p>
<p>However, Grushcow does not consider other avenues by which this particular discrimination issue may be addressed. Last year the U.S. took an alternative step to address the role of genetics in health insurance with the passage of the <a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=110_cong_public_laws&amp;docid=f:publ233.110.pdf">Genetic Information Nondiscrimination Act of 2008</a> (GINA), which prohibits discrimination on the basis of genetic information by insurance companies or employers. (In the U.K., on the other hand, the House of Lords examined the issue of genetic discrimination in its <a href="http://www.genomicslawreport.com/index.php/2009/07/13/uk-house-of-lords-issues-report-on-genomic-medicine/">recent report, <em>Genomic Medicine</em></a>, and concluded that there was no need at present for “specific legislation against genetic discrimination.”) While GINA does not prohibit all genetic discrimination (<a href="http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2651591/">life insurance, long-term care and other areas do not fall under GINA</a>), it does prevent discrimination in premium and underwriting decisions by health insurers. Although far from perfect, GINA has been largely well-received and represents a viable alternative to universal healthcare for the purpose of addressing the fears of health insurance discrimination among those who desire, or require, access to their genetic information. Yet despite GINA’s passage, the U.S. still seems to hold sacred the privacy of genetic information. There must be other factors at play.</p>
<p>The risk of losing one’s health insurance is certainly not the only risk that may arise if personal genetic information is disclosed to third parties, even if only to relatives. Disclosure could affect social interactions or relationships among family members. Furthermore, whether or not legal, the patient may be at risk of discrimination by a host of third parties in addition to health insurers. Although possible misuses of genetic information can be hypothesized (the <a href="http://www.personalgenomes.org/">Personal Genome Project’s</a> <a href="http://www.personalgenomes.org/consent/PGP_Consent_Approved03242009.pdf">informed consent protocol</a> (pdf), for example, contains a lengthy list of potential “risks and discomforts” that might result from the disclosure of one’s genetic information), the reality is that in these early days of widely available personal genetic information, perceived risks may be non-issues and actual risks may be currently unknown.</p>
<p>The GMC’s new guidance also raises questions regarding the rights of the patient’s relatives <em>not</em> to know about their propensity for an inherited disease.<a href="#footnotes"><sup>8</sup></a>  Perhaps an individual has made a personal decision not to submit to a genetic test because he or she would rather not learn the probability of contracting a particular disease. A doctor following the GMC guidance may end up disclosing to the patient’s relative precisely the information he or she has chosen not to acquire. What if the reason the patient refuses to tell the relative about the patient’s genetic disease is because the patient knows that the relative has made this personal decision not to be tested? In these situations, the patient, rather than the doctor, may be in the best position to decide who should learn of the patient’s genetic illness.</p>
<p>GINA and especially universal healthcare are incapable of addressing these issues – neither can assuage both known and unknown fears about the misuse of genetic information or ensure that an individual’s right not to know their genetic information is respected. At least for a certain segment of patients and of the broader populace, maintaining the privacy of genetic information may represent the only way to fully address these issues. Although, as we have argued repeatedly here at the GLR, <a href="http://www.genomicslawreport.com/index.php/2009/10/13/re-identification-and-its-discontents/">an absolute promise of genetic privacy would be irresponsible</a>, there is a wide gulf between undertaking a concerted effort to maintain the privacy of an individual’s genetic information and the alternative proposed by the GMC’s guidance, which permits doctors to exercise considerable discretion in deciding whether an individual’s desire for genetic privacy outweighs the “public interest.” Without strong assurances of privacy, the various risks associated with third parties becoming privy to personalized genetic information may deter some patients from undergoing a genetic test in the first place. Such a result benefits neither the individual who desires the test nor the “public interest” that the GMC guidance hopes to protect. For many people, privacy is a critical factor in the decision to participate in a genetic test or genomic sequencing.</p>
<p>In summary, the ability of a doctor to reveal patients’ medical information in the “public interest” is particularly complicated in the realm of genetic medicine, and granting doctors the ability to override their patients’ preferences may not be a positive development overall. No one, neither the individual nor the general public, will benefit if patients are dissuaded from undergoing clinically indicated genetic testing. It is undoubtedly true that most patients would opt to share information with at risk family members, but those who choose not to might refuse testing altogether if they understood that results could be disclosed without their consent. Plus, there is potential that disclosure in the “public interest” could extend to third parties beyond the patient’s immediate family. This is an even greater disincentive. Whatever an individual patient’s reasons, it is clear that there is a firmly rooted belief, shared by many, that genetic information is uniquely personal and should be capable of being maintained in a private fashion. Attempting to run roughshod over that belief may discourage many from exploring the benefits of the emerging field of genomics and personalized medicine. In this particular respect, the GMC’s proposed approach to genetic information sharing may be misguided.</p>
<p>‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾</p>
<p><a name="footnotes"></a><sup>1</sup> The ability to disclose is probably triggered both by the discovery of a genetic disease that has already manifested in the patient and by the results of a genetic test showing a propensity for a genetic disease, even if such disease has not yet manifested. The GMC’s policy concerns would be the same in either scenario.</p>
<p><sup>2</sup> The new guidance is discussed on the following websites, among others:<a href="http://www.phgfoundation.org/news/4850/#"> PHG Foundation</a>; Times Online (discussed <a href="http://www.timesonline.co.uk/tol/life_and_style/health/article6850290.ece">here</a> and <a href="http://www.timesonline.co.uk/tol/life_and_style/health/article6849647.ece">here</a>); <a href="http://www.ehiprimarycare.com/news/5245/gmc_issues_confidentiality_guidance">e-Health Insider</a>; and <a href="http://genomics.weblog.glam.ac.uk/2009/10/1/genetic-disease-patients-may-lose-privacy-rights-to-protect-families-3">University of Glamorgan, Genomics Policy</a>.</p>
<p><sup>3</sup> In a press release issued last month, the chair of the GMC’s working group on confidentiality, Dr. Henrietta Campbell, stated, “This guidance makes clear that, in the first instance, doctors should explain to a patient if their family might be at risk of inheriting a condition. In those circumstances, most will readily share information about their health. However, if a person refuses, it is the responsibility of the doctor to protect those who may be at risk.”</p>
<p><sup>4</sup> California, Delaware, Nevada, New Jersey, Oregon and Pennsylvania require such reports to the DMV.</p>
<p><sup>5</sup> Generally, the Health Insurance Portability and Accountability Act (“HIPAA”) prohibits disclosure by a health care provider of a patient’s health information without the patient’s authorization. <em>See</em> 45 C.F.R. §164.502. However, HIPAA excepts from the general rule disclosure of protected health information as required by law. <em>Id.</em> at §164.512. Patient authorization and opportunity to agree or object is not required for any disclosure required by law. <em>Id.</em></p>
<p><sup>6</sup> Furthermore, the above mentioned mandatory disclosures of certain communicable diseases and driver impairments are narrow and specifically defined by statute. A broad “public interest” exception to doctors’ duty of confidentiality to their patients is probably unacceptable to most people even if genetic information is not involved. This concept, however, is beyond the scope of this discussion, which focuses only on the disclosure of genetic information.</p>
<p><sup>7</sup> <em>See, e.g.</em>, ALASKA STAT. §18.13.010 (“[A] person may not collect a DNA sample from a person, perform a DNA analysis on a sample, retain a DNA sample or the results of a DNA analysis, or disclose the results of a DNA analysis unless the person has first obtained the informed and written consent of the person, or the person&#8217;s legal guardian or authorized representative, for the collection, analysis, retention, or disclosure.”); MINN. STAT. §13.386 (prohibiting collection and dissemination of genetic information unless individual gives written informed consent).</p>
<p><sup>8</sup> Guidance from the U.K. Joint Committee on Medical Genetics, <a href="http://www.rcplondon.ac.uk/Pubs/contents/79f2632f-d462-4af7-99a2-c990a8fb523c.pdf">Consent and Confidentiality in Genetic Practice: Guidance on Genetic Testing and Sharing Genetic Information</a> (April 2006), recognizes the right of a person not to learn of their genetic propensities for certain diseases and indicates that “an insistence on imparting unwanted information could be interpreted as a breach of a person’s right to private and family life.” However, this guidance, like the GMC guidance, condones the disclosure of genetic information over the patient’s refusal to consent if “disclosure substantially outweighs the patient’s claim to confidentiality.” An example given in the guidance is a person who refuses to inform relatives of a genetic risk of which they are unaware.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.genomicslawreport.com/index.php/2009/11/10/disclosure-of-patients-genetic-information-without-their-consent-is-the-public-interest-really-a-sufficient-justification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Federal Privacy Regulation and the Financially Troubled DTC Genomics Company</title>
		<link>http://www.genomicslawreport.com/index.php/2009/10/27/federal-privacy-regulation-and-the-financially-troubled-dtc-genomics-company/</link>
		<comments>http://www.genomicslawreport.com/index.php/2009/10/27/federal-privacy-regulation-and-the-financially-troubled-dtc-genomics-company/#comments</comments>
		<pubDate>Tue, 27 Oct 2009 06:00:46 +0000</pubDate>
		<dc:creator>Emily Sherlock</dc:creator>
				<category><![CDATA[Direct-to-Consumer Services]]></category>
		<category><![CDATA[Genetic Testing/Screening]]></category>
		<category><![CDATA[Genomic Policymaking]]></category>
		<category><![CDATA[Pending Litigation]]></category>
		<category><![CDATA[Pending Regulation]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[23andMe]]></category>
		<category><![CDATA[ACLU]]></category>
		<category><![CDATA[American Association for People with Disabilities]]></category>
		<category><![CDATA[ARRA]]></category>
		<category><![CDATA[deCODEme]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[GINA]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPPA]]></category>
		<category><![CDATA[Knome]]></category>
		<category><![CDATA[Navigenics]]></category>
		<category><![CDATA[Patient Privacy Rights]]></category>

		<guid isPermaLink="false">http://www.genomicslawreport.com/?p=1574</guid>
		<description><![CDATA[Last month, the Genomics Law Report prepared a three-part series entitled What Happens if a DTC Genomics Company Goes Belly Up?  The series, which was originally published on Genetic Future (see Parts 1, 2 and 3), reviewed the privacy policies of several genomics companies to determine whether they prohibit the transfer of private data to third parties. [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-1607 alignleft" style="margin: 1px 8px;" title="Lock" src="http://www.genomicslawreport.com/wp-content/uploads/2009/10/Lock1.jpg" alt="Lock" width="169" height="212" />Last month, the Genomics Law Report prepared a three-part series entitled <a href="http://www.genomicslawreport.com/index.php/2009/09/18/what-happens-if-a-dtc-genomics-company-goes-belly-up/">What Happens if a DTC Genomics Company Goes Belly Up?</a>  The series, which was originally published on <a href="http://scienceblogs.com/geneticfuture/">Genetic Future</a> (see Parts <a href="http://scienceblogs.com/geneticfuture/2009/09/guest_post_daniel_vorhaus_and.php">1</a>, <a href="http://scienceblogs.com/geneticfuture/2009/09/guest_post_bankruptcy_part2.php">2</a> and <a href="http://scienceblogs.com/geneticfuture/2009/09/guest_post_bankruptcy_part3.php">3</a>), reviewed the privacy policies of several genomics companies to determine whether they prohibit the transfer of private data to third parties. We also discussed the fact that a bankruptcy court may approve such a transfer notwithstanding a policy to the contrary. In this post, we examine whether federal regulations may restrict the dissemination of private genomic data—including the new rules proposed earlier this month under the Genetic Information Nondiscrimination Act of 2008.</p>
<p><em><strong>1. Is DTC Getting HIPAA?</strong> </em>The <a href="http://www.hhs.gov/ocr/privacy/">Health Insurance Portability and Accountability Act of 1996</a> (HIPAA), the most prominent federal regulation governing the privacy of medical records, established the <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html">Privacy Rule</a> to provide national standards for protected medical records. HIPAA’s Privacy Rule currently applies only to “covered entities” and business associates of covered entities. A covered entity is a health plan, health care clearinghouse, or a health care provider. Since a company providing genomic sequencing services is not a health plan or a health care clearinghouse, HIPAA will apply only if such a company is determined to be a health care provider or a business associate of a covered entity.<span id="more-1574"></span></p>
<p>Direct-to-consumer (DTC) genomics companies are not likely to be considered business associates of HIPAA covered entities. HIPAA defines a business associate as a person or organization that, on behalf of a covered entity, performs an activity involving the use or disclosure of individually identifiable health information, or otherwise performs services for a covered entity where the covered entity provides such health information to the business associate. The <a href="http://www.recovery.gov/Pages/home.aspx">American Recovery and Reinvestment Act</a> (ARRA) expanded the definition of business associate for purposes of the Privacy Rule and the Security Rule to include</p>
<ul>
<li>entities providing data transmission of protected health information to covered entities (or such entity’s business associate) and requiring access on a routine basis to such information, and</li>
<li>vendors contracting with a covered entity to allow the covered entity to offer personal health records to its patients.</li>
</ul>
<p>DTC genomics companies typically do not act on behalf of a covered entity, nor do they provide services to covered entities. Rather, as the DTC name suggests, companies such as <a href="https://www.23andme.com/">23andMe</a> provide services directly to the consumer. However, this is not always the case. For example, California-based <a href="http://www.navigenics.com/">Navigenics</a>, commonly referred to as a DTC genomics company, has announced a number of <a href="http://www.genomicslawreport.com/index.php/2009/07/23/navigenics-announces-clinical-partnership-with-toronto-medcan-clinic/">partnerships with healthcare clinics</a> through which it offers its genotyping services to the clinic for use in developing personalized diagnostic, management and treatment strategies for patients. Just last week, <a href="http://www.genomeweb.com//node/926125?emc=el&amp;m=525955&amp;l=3&amp;v=977189793c">Navigenics announced a partnership with Beth Israel Deaconess Medical Center in Boston</a> to familiarize practicing physicians with its DTC offerings, among other goals. Looking at <a href="http://www.navigenics.com/visitor/about_us/collaborators/">Navigenics’ list of collaborators</a> reveals a number of relationships where Navigenics appears to be performing services (genotyping and risk prediction) and providing identifiable health information (the genotyping results) to health care providers. Whether or not a particular DTC genomics company qualifies as a business associate depends on the particulars of the services it offers, particularly those that it makes available directly to health care providers; particulars which are subject to change at a moment’s notice in this rapidly evolving field.</p>
<p>Moreover, it is conceivable that a DTC genomics company could be considered a health care provider itself. Although we are not aware of any regulatory body that has found a DTC genomics company to be covered by HIPAA (as a health care provider or otherwise), the term “health care” is defined broadly under <a href="http://www.lawyersandhipaa.com/160-103.htm">HIPAA regulations</a>:</p>
<p style="PADDING-LEFT: 30px"><em>Health care </em>means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:</p>
<p style="PADDING-LEFT: 60px">(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body….</p>
<p>If a DTC genomics company provides diagnostic or analytical information to a customer in connection with the customer’s genomic sequence, it may be considered to be offering “diagnostic care” or “counseling with respect to the physical or mental condition of an individual”—and thus, to be a health care provider subject to the HIPAA regulations. Existing DTC providers do offer substantial information that could fall into those categories, including relative risk and lifetime risk calculations for serious diseases (23andMe’s testing service, for instance, includes “<a href="https://www.23andme.com/health/all/">carrier reports</a>” for 32 conditions including several cancers, Parkinson’s Disease and diabetes) and the <a href="https://www.counsyl.com/">determination of carrier status</a> for alleles with reproductive implications. In addition, other companies, such as Navigenics, <a href="http://www.navigenics.com/visitor/what_we_offer/genetic_counseling/">provide access to board-certified genetic counselors</a> to assist customers in interpreting their results.</p>
<p>The provision of clinical diagnostic information and genetic counseling, even when delivered over a website rather than in a doctor’s office, may constitute the provision of health care. In recent weeks the Genomics Law Report has focused on the <a href="http://www.genomicslawreport.com/index.php/2009/10/15/u-k-human-genetics-commission-proposes-principles-for-dtc-genetic-testing-services/">recurring calls for standards that would have the effect of blurring the distinction between direct-to-consumer genetic testing and the clinical practice of medicine</a> (also see <a href="http://www.genomicslawreport.com/index.php/2009/10/06/does-familiarity-breed-acceptance-new-program-encourages-young-doctors-to-get-personal-with-dtc-genomics/">here</a>, <a href="http://www.genomicslawreport.com/index.php/2009/09/16/23andme-to-offer-discounts-to-docs-but-at-what-cost/">here</a>, <a href="http://www.genomicslawreport.com/index.php/2009/09/02/genetic-exceptionalism-and-paternalism-themes-in-new-german-legislation/">here</a> and <a href="http://www.genomicslawreport.com/index.php/2009/07/15/pathway-genomics-launches-and-a-look-back-at-two-years-of-dtc-genomics/">here</a>). One potential effect of confusing the clinical/non-clinical divide in the DTC setting would likely be to bring DTC service providers unambiguously under the purview of HIPAA as a health care provider. As described below, however, despite the increasingly clinical nature of the services offered by DTC providers, there does not appear to be much enthusiasm for subjecting genomics companies to HIPAA or to other clinical regulations.</p>
<p><em><strong>2. Why Does HIPAA Matter?</strong> </em>Even if a DTC genomics company is deemed to provide a level of service sufficient to make it a covered entity under HIPAA, it may still disclose confidential protected health information (such as a customer’s genetic or genomic results) for the purpose of carrying out “health care operations.” Health care operations are broadly defined in HIPAA Section 164.501 to include business management and general administrative activities. Specifically, disclosure is permitted relating to the “sale, transfer, merger or consolidation of all or a part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity.” Among the amendments to HIPAA contained in the ARRA is a specific prohibition on the sale of protected health information, <em>except</em> for the sale of information in connection with the sale, transfer or consolidation of the covered entity. Therefore, even when HIPAA applies, patient or customer authorization is not required for disclosure of protected health information in the sale of the company’s assets.</p>
<p>HIPAA does not specifically address the bankruptcy of a covered entity; however, it seems that the sale or transfer exception would likely apply. A liquidation in bankruptcy requires the sale of the debtor’s assets. As long as the protected information is transferred to another covered entity in connection with a sale of the assets, presumably individual authorization from the DTC genomics company’s customers would not be required.</p>
<p>For the moment, it does not appear that HIPAA regulations are restricting much if any of the activity currently taking place in the DTC genomics space. However, as a host of factors, including both internal and external pressures, continue to drive many DTC genomics companies closer and closer to activities indistinguishable from the clinical practice of medicine, at least some DTC companies may soon find themselves subject to HIPAA’s regulations. The implications of HIPAA coverage for DTC genomics companies are the subject for another post, but in the limited case of a bankruptcy scenario, even HIPAA coverage would not appear to prohibit a DTC genomics company from transferring its customers’ genomic information.</p>
<p><em><strong>3. DTC Escapes Stimulus Bill Unscathed?</strong> </em>Part of the <a href="http://www.recovery.gov/About/Pages/The_Act.aspx">Stimulus Bill enacted this past spring</a> directed the <a href="http://www.hhs.gov/">Department of Health and Human Services</a> (HHS), in conjunction with the <a href="http://www.ftc.gov/">Federal Trade Commission</a> (FTC), to conduct a study on privacy, security, and breach-notification requirements for vendors of personal health records (PHRs) and related entities that are not subject to HIPAA. In the meantime, the Act required the FTC to issue a rule requiring these entities to notify consumers if the security of their health information is breached.</p>
<p>The FTC <a href="http://ftc.gov/os/2009/04/R911002healthbreach.pdf">issued a proposed notification rule</a> (pdf) in April 2009, applying to PHR vendors, PHR-related entities, and third party service providers. All three categories, however, are restricted to firms that handle personal health information.</p>
<p>Upon publication of the proposed rule, the FTC solicited comments from the public. One of the comments was from a nonprofit health privacy watchdog group, <a href="http://www.patientprivacyrights.org/site/PageServer">Patient Privacy Rights</a>, on behalf of the Coalition for Patient Privacy (a group that includes the <a href="http://www.aclu.org/">American Civil Liberties Union</a> and the <a href="http://www.aapd.com/">American Association for People with Disabilities</a>). <a href="http://www.ftc.gov/os/comments/healthinfobreach/541358-00113.pdf">The Patient Privacy Rights comment</a> (pdf) objected to the limitation of the proposed rule to “the organization and sharing of personal health records,” because the definition of personal health records did not explicitly include genetic or genomic information. As the group explained:</p>
<p style="PADDING-LEFT: 30px">Personal genomics companies such as 23andMe, Navigenics, <a href="http://www.knome.com/home/">Knome</a>, and <a href="http://www.decodeme.com/">deCODE</a> offer individual genetic testing that can provide customers with novel health services—from determining the likelihood of contracting diabetes, to identifying ancestral roots. Such companies rely on (HIPAA-compliant) labs to analyze patient DNA, which they receive directly, analyze, and store online for access by the patient.</p>
<p style="PADDING-LEFT: 30px">A patient whose genetic information is leaked, stolen, or disclosed could clearly suffer harm as great as that associated with any other PHR health data, as recognized by the various state and federal laws around genetic privacy. The Commission should accordingly determine that personal genomics companies constitute [Personal Health Record] related entities insofar as they ‘access[] information in a personal health record’ or ‘offer[] or maintain[] a personal health record.’</p>
<p>However, when the <a href="http://www.ftc.gov/os/2009/08/R911002hbn.pdf">final notification rule</a> (pdf) was published in August of this year, the FTC had declined to modify the rule as requested by Patient Privacy Rights. The Commission’s final rule contains no mention of genetic data or genomics companies.</p>
<p>While we will have to wait for the completion of the joint HHS/FTC study in February 2010 to see whether it explicitly covers genomics companies in any of its privacy or security regulations, the FTC’s security breach rule suggests that it is unlikely that any such regulations will be immediately forthcoming.</p>
<p>Accordingly, the genomic information supplied by DTC companies is likely to be covered by the FTC’s regulations only to the extent such information constitutes personal health information (thus making a genomics company a firm that handles PHI and subject to the regulations). This is where GINA comes in.</p>
<p><em><strong>4. GINA and the Privacy Rule: Did Anything Really Change?</strong></em> The <a href="http://www.govtrack.us/congress/billtext.xpd?bill=h110-493&amp;show-changes=0&amp;page-command=print">Genetic Information Nondiscrimination Act of 2008</a> (GINA) requires that the HHS Secretary revise the HIPAA Privacy Rule to make clear that “[g]enetic information shall be treated as health information.” Although GINA required that HHS issue implementing regulations not later than May 2009, it wasn’t until this month that HHS’ Office of Civil Rights issued its <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/genetic/ginanprm.pdf">proposed rules</a> (pdf). The background discussion of the proposed rule points out, however, that although the term “health information” would be amended “to explicitly provide that such term includes genetic information,” that does not mean that all disclosures of genetic information would necessarily be protected under HIPAA’s Privacy Rule:</p>
<p style="PADDING-LEFT: 30px">We note, however, that as before, genetic information, while health information, is only covered by the Privacy Rule to the extent that it meets the definition of “protected health information.” That is, the genetic information must be individually identifiable and maintained by a HIPAA covered entity (or business associate of a covered entity) (and not otherwise fall within one of the exceptions to the definition).</p>
<p>Thus, although GINA amended the Privacy Rule to cover genetic information, the type of entities covered by the Privacy Rule did not change: it still only applies to HIPAA’s “covered entities.” And so we have come full circle: the key question remains whether DTC genomics companies are considered to be covered entities, either as health care providers or as business associates of health care providers. While that question remains unsettled, the tone of the note suggests that HHS is not actively seeking ways to apply its regulations to genomics companies.</p>
<p><em><strong>5. What Does It All Mean?</strong></em> As discussed above, the trend toward clinical activity on the part of many DTC genomics companies could ultimately bring them within the ambit of HIPAA and its Privacy Rule. However, at present it does not appear that there is any federal regulation—including HIPAA—that clearly restricts the transfer of customers’ information as part of a sale of assets by a troubled DTC genomics company.</p>
<p>As we concluded <a href="http://www.genomicslawreport.com/index.php/2009/09/18/what-happens-if-a-dtc-genomics-company-goes-belly-up/">last time</a>, the true test for the handling of individuals’ genetic and genomic information collected by DTC companies will be the first actual bankruptcy. Until then it will remain extremely difficult to predict how regulators and bankruptcy courts will address such a scenario, and the most practical advice at this time, for existing and potential customers, continues to be to understand the terms and conditions offered by each individual DTC genomics company with respect to their customers’ information—and to recognize that, in bankruptcy, genomic data may be transferred to a similar company without regard to those terms and conditions.</p>
<p>As for the DTC companies themselves, the possibility that they may be subjected to regulation under HIPAA and the Privacy Rule—as well as, potentially, a host of other regulations and sources of liability associated with the provision of health care—has implications far beyond the bankruptcy scenario. In the coming weeks the Genomics Law Report will begin to investigate what it might mean for DTC genomics companies if the blurry line between clinical and non-clinical activity in the DTC space finally resolves itself, with the DTC companies on the clinical side of that line.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.genomicslawreport.com/index.php/2009/10/27/federal-privacy-regulation-and-the-financially-troubled-dtc-genomics-company/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

