In its July 29, 2016 decision in LabMD, Inc., the Federal Trade Commission clearly signaled its intent to get more involved in the regulation of health privacy. Specifically, the case indicates that the agency intends to go well beyond its traditional role of protecting consumers against deception and to begin scrutinizing the nuts and bolts of companies’ health data security practices.
In most cases, the privacy of individually identifiable health information is protected by HIPAA’s Privacy Rule, which is enforced by the Department of Health and Human Services. But HIPAA covers only data transactions between “covered entities” (providers, health plans, and health care clearinghouses) and their “business associates” (various kinds of service providers). A lot falls through the HIPAA cracks, including the communication of individual patient information between treating physicians and testing laboratories, which is not covered by the HIPAA Privacy Rule. (However, HHS has used HIPAA to determine that patients must be given access to their genetic testing data; see our prior coverage.) This is the crack that the FTC sought to fill in LabMD.
As I noted above, one piece of news in this case is the FTC’s move into the health privacy area. LabMD was in the clinical laboratory business from 2001 until 2014, when it suspended its testing business. However, it has retained its previously collected patient samples and data and continues to provide past test results to providers. Therefore, one lesson to be drawn from the decision is that if you are in the health business but not covered by HIPAA, you cannot assume that you are unregulated—the FTC will be watching, even if no one else is, for as long as you keep individual health data.
Now the FTC is telling you what you have to do. In a series of recent business cases (involving, for example, car dealers and hotels), the FTC has gone beyond posted privacy policies to closely examine just what companies are doing to protect consumers’ personal and financial information. The agency is insisting that privacy and data security practices be reasonable, a loosely defined and evolving standard that seems to focus on industry best practices. The regulatory algorithm is that unreasonable privacy practices = unfair trade practices, and thus violate section 5. (The most comprehensive—albeit somewhat dated—statement of the FTC’s outlook can be found in its 2012 report on consumer privacy.)
This is precisely the approach the FTC took in the LabMD case. Among the data security practices deemed unreasonable were: failing to use an intrusion detection system, neglecting to monitor file integrity or traffic coming across the firewalls, never deleting any data, and not training employees. One consequence of this inattention was that employees installed P2P file-sharing software that exposed thousands of health records to the outside electronic world.
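Of the practices listed above, file-integrity monitoring is the one most easily shown in code. The following is an added example written for this post; it is not LabMD's or the FTC's code and says nothing about LabMD's actual environment. It snapshots SHA-256 hashes of every file under a directory, then reports files added, removed or modified relative to that baseline. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Added example: a minimal file-integrity monitor. Not LabMD's or the
# FTC's code; the directory layout and contents below are constructed.


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files stay out of memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify paths as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def check_integrity(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash the tree now and report drift from the stored baseline."""
    return compare_baselines(baseline, build_baseline(root))


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed directory, simulate drift, return the report."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    (root / "records").mkdir()
    (root / "records" / "results.csv").write_text("patient,test,result\nA,CBC,normal\n")
    (root / "records" / "billing.txt").write_text("invoice 1\n")
    (root / "config.ini").write_text("[share]\nenabled=false\n")

    baseline = build_baseline(root)  # captured when the host is known-good

    # Simulated drift (constructed): a config file is rewritten to enable
    # sharing, an unexpected executable appears, and a record is deleted.
    (root / "config.ini").write_text("[share]\nenabled=true\n")
    (root / "p2pclient.exe").write_bytes(b"MZ\x90\x00")
    (root / "records" / "billing.txt").unlink()

    return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written at a known-good moment, stored somewhere the monitored host cannot rewrite, and re-checked on a schedule; the point of the example is only that "did anything change under this tree, and what" is a cheap question to ask, and an unexpected new executable or a changed sharing setting is exactly the kind of event the FTC faulted LabMD for not noticing.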
Exposed is a key word here: there was no evidence of any actual data theft. The FTC found this irrelevant, however. Its decision relied on the rarely cited section 5(n) of the FTC Act, which provides that an act or practice can be held unfair if it “causes or is likely to cause substantial harm to consumers.” So the threat of harm is enough, and the absence of actual harm is no defense.
A couple of other legal issues in the LabMD case are worth mentioning. The first concerns the FTC’s authority to judge the substantive adequacy of privacy practices, as opposed to merely ensuring that companies live up to their privacy policies. A number of FTC targets have challenged this authority, including LabMD, which asked both the FTC itself and two different federal courts to rule that the agency was going too far. Its requests were rejected, as has happened in every other case. The leading case is Wyndham Hotels (2015), where the U.S. Court of Appeals for the Third Circuit upheld the FTC’s authority to regulate the substance of cybersecurity.
A second point concerns remedies. While the FTC has the power to fine offenders, it did not seek a monetary penalty against LabMD. Instead, it imposed (via injunction) detailed requirements for improved security practices. Prospective targets should not take much comfort from this: the agency can seek fines, and LabMD complained bitterly about the burden imposed by the injunction. One piece of good news for targets is that private parties cannot sue for violations of the FTC Act, although they may have comparable rights under similarly worded state “Little FTC Acts” (e.g., North Carolina’s).
Companies that collect, transfer, store, or use individual health information should keep these points in mind:
• The fact that you’re not a covered entity or business associate under HIPAA does not mean that you’re free from federal regulation—the FTC is aggressively asserting its authority in the interstices of privacy law.
• The FTC clearly believes that in privacy and data security, unreasonable = unfair and is thus illegal.
• Reasonableness is a fluid and evolving concept, likely to be tied to best practices in a given industry.
• To get a more specific idea of what the FTC thinks is and isn’t reasonable in the health context, read the full LabMD decision carefully, paying close attention to the technical details. In designing your own practices, avoid LabMD’s specific pitfalls, and whatever you do, do it better than LabMD did.
• The LabMD decision doesn’t mention this, but the FTC does not have jurisdiction to regulate nonprofits. Someone else—including your state government—will, however, and the FTC’s privacy standards are likely to provide a model for other regulators.
For years, and with increasing frequency, health care and information technology companies have touted the potential of mobile medical and health applications and technologies to improve the quality and delivery of health care. While the future of mobile health (frequently referred to as “mHealth”) is undoubtedly filled with promise, the legal and regulatory landscape in which mHealth technologies reside is only now beginning to take shape.
As mHealth developers, funders and even users consider investing in the field, or in particular mHealth technologies, they should keep in mind the emergent and fluid nature of the mHealth regulatory landscape. Here, we outline the likely key players and discuss several recent and projected initiatives with respect to the oversight of mHealth technologies:
The FDA’s public meeting on the future of clinical direct-to-consumer (DTC) genetic testing (which we have covered here, here and here) is continuing to draw significant attention from the media and other commentators. Most of the coverage, especially over the past 7-10 days, has added little that is new in the way of either reporting or analysis. One exception, however, comes from Robert VerBruggen of National Review in his column on “The FDA’s Genetic Paternalism.”
What’s new and interesting here is not the substance of VerBruggen’s analysis. Whether or not you agree with VerBruggen’s particular formulation, the “paternalism” critique of proposed FDA regulation of DTC genetic testing is not new. What caught our eye is a comment from deCODE genetics’ CEO Kári Stefánsson. When questioned by VerBruggen about his company’s marketing of its DTC genetic test offering, deCODEme (see screenshot) – which includes statements such as “your genes are a road-map to better health” – here is how Stefánsson responded:
“I think that is both cheesy and somewhat incorrect. I don’t know who came up with that, but whoever it is, is going to be duly punished,” [Stefánsson] said. “I think it’s safe to say we’ll probably be removing that statement and putting up something that at least sounds better.”
After its well-publicized 2009 bankruptcy, deCODE emerged in 2010 as a privately-held company and so it is unlikely the public will know whether Stefánsson follows through with his promise to “duly punish” the source of the “road-map” statement. On the other hand, whether and how deCODE follows through with Stefánsson’s not-quite-a-promise to change deCODEme’s marketing and claims is something that will happen in full view of the public.
The movement to confer greater legal protection to individuals’ genetic information has added another participant. Last month, we examined newly introduced legislation in Massachusetts which, if passed, would create a “Genetic Bill of Rights,” significantly expanding Massachusetts residents’ personal property and privacy rights in their genetic information. Since then, in what the Council for Responsible Genetics has termed a “groundswell for genetic privacy building in states,” state legislators in both California and Vermont have introduced new legislation that would confer greater protection upon individuals’ genetic information.
What should we make of this three-state “groundswell”? Although not identical in scope or substance to the Massachusetts Genetic Bill of Rights (“MA GBR”), both the Vermont and California proposals appear to reflect a concern (shared by the MA GBR) that, at least when it comes to the use and misuse of genetic information, the current system of federal oversight is inadequate. Then again, as the legislative findings section of the California proposal (pdf) puts it, perhaps “the current explosion in the science of genetics” simply “compels legislative action in this area.”
In a few hours, the FDA will kick off a two-day public meeting to consider the future of clinical direct-to-consumer (DTC) genetic tests. Few corners of the personal genomics landscape have generated as much attention from regulators, consumers and, especially, the media as DTC genetic testing. Thus, when the meeting was first announced last month, we applauded the FDA’s attempt to examine DTC’s unique set of issues separate from other larger and ongoing regulatory conversations, including whether and how to regulate the far more numerous category of laboratory developed tests (LDTs).
So just what should we expect from the next two days? 2010 saw a flurry of DTC-related regulatory and legislative activity but, ultimately, little in the way of new oversight or concrete guidance. Both regulators (including the FDA) and industry appear to have responded in 2011 with a more measured approach, and this week’s meeting is an opportunity to thoroughly examine the state of DTC genetic testing and develop a clear, sensible strategy for future oversight of the industry.
Over at Genetic Future, Daniel MacArthur has already weighed in, adopting a tone of cautious optimism in advance of the DTC meeting. Meanwhile, with just a few hours left until the meeting kicks off, here are three key points I’ll be emphasizing in my own talk tomorrow morning (slides):
The clock has run out on the Secretary’s Advisory Committee on Genetics, Health, & Society (SACGHS). As reported by Turna Ray of Pharmacogenomics Reporter, the committee, which reports to Health and Human Services (HHS) Secretary Kathleen Sebelius, will have its charter extended only long enough to conduct one final meeting next month.
According to Ray, SACGHS members were notified this week that Secretary Sebelius and NIH Director Francis Collins had determined that “the major topics related to genetic and genomic technologies had been successfully addressed by the committee through its comprehensive reports and recommendations over the years” and, for that reason, the decision was made “to sunset the committee’s charter.”
Meggan Bushee is a student at the Wake Forest University School of Law.
This past May, Congressman Patrick Kennedy (D-RI) and Congresswoman Anna Eshoo (D-CA) re-introduced a personalized medicine bill in the U.S. House of Representatives. The bill was originally introduced in 2006 by then-Senator from Illinois Barack Obama. While HR 5440, also known as the Genomics and Personalized Medicine Act of 2010 (GPMA 2010), has retained the name of the bill originally introduced by Senator Obama, its approach to the regulation of personalized medicine has taken a new direction.
GPMA 2010 is the fourth version of the GPMA since the original bill of 2006, and includes the most ambitious initiatives of all of its predecessors. Why has the GPMA re-surfaced after three prior versions failed to make it out of committee? According to Representative Kennedy, the bill has been re-introduced in response to increased public awareness and use of genomic tests. At present, GPMA 2010 is before the House Committee on Energy and Commerce. This is the same committee that recently conducted high-profile hearings to review the current state of the direct-to-consumer (DTC) genetic testing industry.
[Editor’s Note: Newsweek science editor Mary Carmichael has a DNA Dilemma. As Carmichael debates whether to take a direct-to-consumer (DTC) genetic test, she is soliciting feedback from the DTC community, from the public and from other commentators, including myself. At the end of the week, she will make her decision.
On Tuesday, Carmichael and five commentators examined what can be learned from a DTC genetic test. Yesterday, the topic was whether DTC genetic tests are trustworthy, and whether the results can be cause for concern. Today’s topic is the regulation of DTC genetic tests. In addition to several short commentaries, including a much shorter version of the piece below, Carmichael has also posted a lengthy interview with two top FDA officials on the subject of DTC genetic testing regulation.
The column below is an expanded version of what appears over at Newsweek. To see all of the commentaries in Carmichael’s series, click here.]
The recent media attention focused on direct-to-consumer (DTC) genetic tests has left companies, investors, consumers and even regulators scrambling to figure out what comes next.
As the situation stands today, companies and their investors live in a climate of unprecedented regulatory uncertainty, causing delays in the introduction of new products and rendering an already inhospitable economic climate – for both fundraising and sales – even more challenging. Commentators and regulators caution consumers that some DTC genetic tests may be unreliable or, worse, harmful, but have yet to provide clear tools and guidelines for evaluating competing tests. And regulators, including the FDA, must balance their mandate to protect the health and safety of the public with that same public’s desire for autonomy, while also recognizing that innovation is a prerequisite for a healthcare system that must continue to improve outcomes while reducing costs.
Clearly, something must change. But what will that change be? And how will the field of DTC genetic testing evolve? Will DTC be able to continue its current business while regulators and companies engage in protracted negotiations? Will oversight weed out the “snake oil salesmen” and permit legitimate companies to flourish? Will it drive all genetic testing (temporarily) out of the hands of consumers?
Or will the field change in a dramatic and completely unexpected way?
It has been a busy week in Washington for direct-to-consumer (DTC) genetic testing companies. Following public FDA meetings and a new round of FDA device notification letters earlier in the week, representatives from three major DTC genetic testing companies (23andMe, Navigenics and Pathway Genomics) were hauled in front of Congress today to defend their companies, their industry and the practice of DTC genetic testing.
The hearing on “Direct-To-Consumer Genetic Testing and the Consequences to Public Health” was conducted by the House Committee on Energy and Commerce Subcommittee on Oversight and Investigations. The meeting was chaired by Representative Bart Stupak of Michigan. Materials from the hearing, including a briefing memorandum, opening statements from Stupak and Representative Henry Waxman of California and witness testimony are available on the Committee’s website. Also available are materials from the Government Accountability Office (GAO) investigation into DTC genetic tests. These materials include the report the GAO submitted to Congress – “Direct-to-Consumer Genetic Tests: Misleading Test Results Are Further Complicated by Deceptive Marketing and Other Questionable Practices” (pdf) – as well as a YouTube video featuring excerpts from undercover phone calls made by the GAO to DTC companies as part of their investigation (both of which are discussed in detail below).
These are hectic days for the field of direct-to-consumer (DTC) genetic testing. Every week, and sometimes every day, seems to bring a new development. Two weeks ago it was pharmacy giants Walgreens and CVS unveiling agreements with Pathway Genomics to offer Pathway’s genetic testing kits in drugstores nationwide, to which the FDA responded first by declaring such a strategy illegal and, shortly thereafter, launching an investigation. Last week, on the same day that the University of California, Berkeley announced it would be offering genetic tests to all incoming freshmen, a House of Representatives committee announced it was launching its own investigation into three prominent DTC genetic testing companies.
These developments reflect an uncertainty about the regulatory status of DTC genetic testing that is dramatic, although it is not new. In the summer of 2008, public health officials in New York and California sent warning letters to a number of DTC companies, including 23andMe and Navigenics (both targets of the current Congressional investigation). These state regulatory activities prompted concern that other states might follow suit, potentially subjecting DTC companies to the nightmare scenario of inconsistent state-by-state regulation. Nearly two years later, those particular concerns appear to be unfounded.