Hostname: page-component-cd9895bd7-p9bg8 Total loading time: 0 Render date: 2024-12-26T07:50:16.642Z Has data issue: false hasContentIssue false
  • English
  • Français

General-Purpose Privacy Regulation and Translational Genomics

Published online by Cambridge University Press:  01 January 2021

William McGeveran  and
Caroline Schmitz
Get access Rights & Permissions [Opens in a new window]

Abstract

At one time, specialized health privacy laws represented the bulk of the rules regulating genetic privacy, Today, however, as both the field of genomics and the content of privacy law change rapidly, a new generation of general-purpose privacy laws may impose new restrictions on collection, storage, and disclosure of genetic data. This article surveys these laws and considers implications.

Type
Symposium Articles
Information
Journal of Law, Medicine & Ethics , Volume 48 , Issue 1: LawSeq: Building a Sound Legal Foundation for Translating Genomics into Clinical Application , Spring 2020 , pp. 142 - 150
Copyright
Copyright © American Society of Law, Medicine and Ethics 2020

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

Cartwright-Smith, L. et al., “Health Information Ownership: Legal Theories and Policy Implications,” Vanderbilt Journal of Entertainment & Technology Law 19 (2016): 207.Google Scholar
National Human Genome Research Institute, Privacy in Genomics, available at <https://www.genome.gov/about-genomics/policy-issues/Privacy> (last visited June 19, 2019); Norrgard, K., “Protecting Your Genetic Identity: GINA and HIPAA,” Nature Education 1 (2008): 21, available at <https://www.nature.com/scitable/topicpage/protecting-your-genetic-identity-gina-and-hipaa-678> (last visited June 19, 2019); Fendrick, S., “The Role of Privacy Law in Genetic Research,” I/S: A Journal of Law and Policy for the Information Society 4 (2008): 803, available at <https://kb.osu.edu/bitstream/handle/1811/72811/1/ISJLP_V4N3_803.pdf> (last visited February 4, 2020).Google Scholar
Kocha, V. Gutmann and Todd, K., “Research Revolution or Status Quo?: The New Common Rule and Research Arising from Direct-To-Consumer Genetic Testing,” Houston Law Review 56 (2018): 81.Google Scholar
Cech, M., “Genetic Privacy in the ‘Big Biology’ Era: The ‘Autonomous’ Human Subject,” Hastings Law Journal 70 (2019): 851; Bailey, P., “Big Brother or Big Pharma: The Lion Fight Over the Surveillance and Promotion of Pharmaceutical Use in America,” Florida State University Law Review 44 (2017): 1483.Google Scholar
Schilly, S.D. and Khoury, M.J., “What Is Translational Genomics? An Expanded Research Agenda For Improving Individual and Population Health,” Applied Translational Genomics 3, no. 4 (2014): 8283, available at <https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4694629/> (last visited February 4, 2020).CrossRefGoogle Scholar
Regalado, A., “2017 Was the Year Consumer DNA Testing Blew Up,” MIT Technology Review (2018), available at <https://www.technologyreview.com/s/610233/2017-was-the-year-consumer-dna-testing-blew-up/> (last visited June 19, 2019).+(last+visited+June+19,+2019).>Google Scholar
Regalado, A., “More than 26 Million People Have Taken an At-Home Ancestry Test,” MIT Technology Review (2019), available at <https://www.technologyreview.com/s/612880/more-than-26-million-people-have-taken-an-at-home-ancestry-test/> (last visited October 6, 2019).+(last+visited+October+6,+2019).>Google Scholar
Zhang, S., “Big Pharma Would Like Your DNA,” The Atlantic, July 27, 2018, available at <https://www.theatlantic.com/science/archive/2018/07/big-pharma-dna/566240/> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar
See, e.g., Zhang, S., “The Loopholes in the Law Prohibiting Genetic Discrimination,” The Atlantic, March 13, 2017, available at <https://www.theatlantic.com/health/archive/2017/03/genetic-discrimination-law-gina/519216/> (last visited June 23, 2019).+(last+visited+June+23,+2019).>Google Scholar
Guerrini, C. J., Robinson, J. O., Petersen, D., and McGuire, A. L., “Should Police Have Access to Genetic Genealogy Databases? Capturing the Golden State Killer and Other Criminals Using a Controversial New Forensic Technique,” PLOS Biology 16 (2018): 10, available at <https://doi.org/10.1371/journal.pbio.2006906> (last visited February 4, 2020).CrossRefGoogle Scholar
Schwartz, P. M., “Preemption and Privacy,” Yale Law Journal 118 (2009): 902.Google Scholar
See, e.g., Social Media Privacy Protection and Consumer Rights Act of 2019, S. 189, 116th Cong. (2019); Information Transparency & Personal Data Control Act, H.R. 2013, 116th Cong. (2019); “Consumer Data Privacy Legislation,” National Conference of State Legislatures (2019), available at <http://www.ncsl.org/research/telecommunications-and-information-technology/consumer-data-privacy.aspx> (last visited October 6, 2019).+(last+visited+October+6,+2019).>Google Scholar
Ohm, P., “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,” UCLA Law Review 57 (2010): 1701. See also Farr, C., “Facebook Sent a Doctor on a Secret Mission to Ask Hospitals to Share Patient Data,” CNBC (2018), available at <https://www.cnbc.com/2018/04/05/facebook-building-8-explored-data-sharing-agreement-with-hospitals.html> (last visited June 19, 2019).Google Scholar
Rothstein, M.A., “Is Deidentification Sufficient to Protect Health Privacy in Research?” The American Journal of Bioethics 10 (2010): 3.CrossRefGoogle Scholar
“Federal Policy for the Protection of Human Subjects,” Federal Register 82, no. 12 (2017): 71497269, available at <https://www.govinfo.gov/content/pkg/FR-2017-01-19/pdf/2017-01058.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar
Id.Google Scholar
Riddle, J., “Final Rule Material: Secondary Research with Identifiable Information and Biospecimens,” Biomedical Research Alliance of New York LLC (2017), available at <https://about.citiprogram.org/wp-content/uploads/2018/07/Final-Rule-Material-Secondary-Research-with-Identifiable-Information-and-Biospecimens.pdf> (last visited February 4, 2020); “KUMC Guidance Document for Exempt Research 2018 Common Rule Changes,” University of Kansas Medical Center (2018), available at <http://www.kumc.edu/Documents/hrpp/Topical%20Guidance/KUMC%20Guidance%20Document%20for%20Exempt%20Research%202018%20Common%20Rule%20Changes.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020);+“KUMC+Guidance+Document+for+Exempt+Research+2018+Common+Rule+Changes,”+University+of+Kansas+Medical+Center+(2018),+available+at++(last+visited+February+4,+2020).>Google Scholar
Id.Google Scholar
McGeveran, W., Privacy and Data Protection Law (2016): 257258.Google Scholar
McGeveran, W., “Friending the Privacy Regulators,” Arizona Law Review 58 (2016): 973975.Google Scholar
See Charter of Fundamental Human Rights of the European Union, Arts. 7 and 8; European Convention on Human Rights, Art. 8. See also Google Spain SL v. AEPD, Court of Justice of the European Union, 2014 E.C.R. 317.Google Scholar
15 U.S.C. § 45(n).Google Scholar
Id. at § 45(a)(2) and 15 U.S.C. § 44.Google Scholar
Id. at § 45(a)(2).Google Scholar
See, e.g., In the matter of GeneLink, Inc. and Foru Corp., F.T.C. C-4456-4457 (2014), available at <https://www.ftc.gov/system/files/documents/cases/140512forutmcmpt.pdf> (last visited February 4, 2020); In the Matter of PaymentsMD, LLC, 2015 FTC LEXIS 24 (2015), available at <https://www.ftc.gov/enforcement/cases-proceedings/132-3088/paymentsmdllc-matter> (last visited February 4, 2020); HenrySchein Practice Solutions, Inc., F.T.C. No. 1423161 (2016) (consent order), available at <https://www.ftc.gov/system/files/documents/cases/160105scheinagreeorder.pdf> (last visited February 4, 2020); Accretive Health, F.T.C. No. C-4432 (2014) (consent order), available at <http://www.ftc.gov/system/files/documents/cases/140224accretivehealthdo.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020);+In+the+Matter+of+PaymentsMD,+LLC,+2015+FTC+LEXIS+24+(2015),+available+at++(last+visited+February+4,+2020);+HenrySchein+Practice+Solutions,+Inc.,+F.T.C.+No.+1423161+(2016)+(consent+order),+available+at++(last+visited+February+4,+2020);+Accretive+Health,+F.T.C.+No.+C-4432+(2014)+(consent+order),+available+at++(last+visited+February+4,+2020).>Google Scholar
Hoofnagle, C.J., Federal Trade Commission Privacy Law and Policy (2016): 113114.CrossRefGoogle Scholar
Bartz, D., “Facebook Facing 20-Year Consent Agreement after Privacy Lapses: Source,” Reuters, May 13, 2019, available at <https://www.reuters.com/article/us-facebook-ftc/facebook-facing-20-year-consent-agreement-after-privacy-lapses-source-idUSKCN1SJ2C2> (last visited February 4, 2020). See also “FTC Approves Final Settlement With Facebook,” Federal Trade Commission, August 10, 2012, available at <https://www.ftc.gov/news-events/press-releases/2012/08/ftc-approves-final-settlement-facebook> (last visited February 4, 2020).+(last+visited+February+4,+2020).+See+also+“FTC+Approves+Final+Settlement+With+Facebook,”+Federal+Trade+Commission,+August+10,+2012,+available+at++(last+visited+February+4,+2020).>Google Scholar
Carter, C., “Consumer Protection in the States: A 50-State Evaluation of Unfair and Deceptive Practices Laws,” National Consumer Law Center Inc. (2018), available at <https://www.nclc.org/images/pdf/udap/udap-report.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar
Citron, D. K., “The Privacy Policymaking of State Attorneys General,” Notre Dame Law Review 92, no. 2 (2016): 754.Google Scholar
2018 N.J. S.B. 2834, available at <https://www.njleg.state.nj.us/2018/Bills/S3000/2834_I1.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar
“Washington Privacy Act,” 2019 WA S.B. 5376, available at <http://lawfilesext.leg.wa.gov/biennium/2019-20/Pdf/Bills/Senate%20Bills/5376-S2.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar
Information Transparency & Personal Data Control Act, H.R. 2013 (116th Cong. 2019).Google Scholar
Cal. Civ. Code § 140(o)(1).Google Scholar
Cal. Civ. Code § 140(o)(1).Google Scholar
2018 N.J. S.B. 2834, available at <https://www.njleg.state.nj.us/2018/Bills/S3000/2834_I1.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar
Washington Privacy Act, supra note 31.Google Scholar
Baird, S., “GDPR Matchup: The Health Insurance Portability and Accountability Act,” International Association of Privacy Professionals (2017), available at <https://iapp.org/news/a/gdpr-match-up-the-health-insurance-portability-and-accountability-act/> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar
GDPR, Recital 34, available at <https://gdpr-info.eu/recitals/no-34/> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar
GDPR, Article 9, available at <https://gdpr-info.eu/art-9-gdpr/> (last visited February 4, 2020); “Special category data,” Information Commissioner's Office, available at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-tothe-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/> (last visited February 4, 2020). (last visited February 4, 2020).' href=https://scholar.google.com/scholar?q=GDPR,+Article+9,+available+at++(last+visited+February+4,+2020);+“Special+category+data,”+Information+Commissioner's+Office,+available+at++(last+visited+February+4,+2020).>Google Scholar
GDPR, Article 7, available at <https://gdpr-info.eu/art-7-gdpr/> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar
For the Common Rule's “informed consent” standard, see For the Common Rule, see Department of Health and Human Services (DHHS), “Protection of Human Subjects,” 45 C.F.R. Part 46 § 116, available at <http://www.hhs.gov/ohrp/human-subjects/guidance/45cfr46.html> (last visited February 4, 2020). (last visited February 4, 2020).' href=https://scholar.google.com/scholar?q=For+the+Common+Rule's+“informed+consent”+standard,+see+For+the+Common+Rule,+see+Department+of+Health+and+Human+Services+(DHHS),+“Protection+of+Human+Subjects,”+45+C.F.R.+Part+46+§+116,+available+at++(last+visited+February+4,+2020).>Google Scholar
“WP29 Guidelines on Consent,” International Association of Privacy Professionals (2018), available at <https://iapp.org/resources/article/wp29-guidelines-on-consent/> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar
“Burden of Proof and Requirements for Consent,” available at <https://gdpr-info.eu/recitals/no-42/> (last visted February 4, 2020).+(last+visted+February+4,+2020).>Google Scholar
“Sharing Consumer Health Information? Look to HIPAA and the FTC Act,” Federal Trade Commission (2016), available at https://www.ftc.gov/tips-advice/business-center/guidance/sharing-consumer-health-information-look-hipaa-ftc-act (last visited February 4, 2020).Google Scholar
Sheber, S., “OCR Releases Guidance for HIPAA-Covered Entities to Follow FTC Regulations When Sharing Patient Data,” Journal of AHIMA, October 27, 2016, available at <https://journal.ahima.org/2016/10/27/ocr-releases-guidance-forhipaa-covered-entities-to-follow-ftc-regulations-when-sharing-patient-data/>..>Google Scholar
Jillson, E., “Selling genetic testing kits? Read on.” Federal Trade Commission (2019), available at <https://www.ftc.gov/news-events/blogs/business-blog/2019/03/selling-genetic-testing-kits-read> (last visited February 4, 2020). See also Malek, L. A. and Johnson, J. E., “Genetic Testing Is On FTC's Radar,” Law360, April 18, 2019.+(last+visited+February+4,+2020).+See+also+Malek,+L.+A.+and+Johnson,+J.+E.,+“Genetic+Testing+Is+On+FTC's+Radar,”+Law360,+April+18,+2019.>Google Scholar
In the Matter of Rite Aid Corp., F.T.C. C-4308 (2010) available at <https://www.ftc.gov/sites/default/files/documents/cases/2010/11/101122riteaidcmpt.pdf> (last visited February 2, 2020). See also Press Release, “Rite Aid Settles FTC Charges That It Failed to Protect Medical and Financial Privacy of Customers and Employees,” Federal Trade Commission, July 27, 2010, available at <https://www.ftc.gov/news-events/press-releases/2010/07/rite-aid-settles-ftc-charges-it-failed-protect-medical-financial> (last visited February 4, 2020).+(last+visited+February+2,+2020).+See+also+Press+Release,+“Rite+Aid+Settles+FTC+Charges+That+It+Failed+to+Protect+Medical+and+Financial+Privacy+of+Customers+and+Employees,”+Federal+Trade+Commission,+July+27,+2010,+available+at++(last+visited+February+4,+2020).>Google Scholar
Id.Google Scholar
Rite Aid Corp. complaint, supra note 47.Google Scholar
Health Information Technology for Economic and Clinical Health Act, Pub. Law No. 111-5, §§ 13001–424, 123 Stat. 226 (2009) (codified as amended at 42 U.S.C. §§ 300jj–300jj-51, 17901–53). See, e.g., Commonwealth v. Beth Israel Deaconess Med. Ctr., Civ. No. 14-3627 (Mass. Sup. Ct. Nov. 20, 2014); State v. Innova Hosp., No. 2010CI-13714 (Tex. Cty. Ct. Oct. 11, 2010); State v. HealthNet, Civ. No. 2:11-CV-16 (Vt. Dist. Ct. Jan. 14, 2011); Press Release, “Eye Care Retailer Settles in Data Security Lapse,” Office of the Attorney General of Maryland (Aug. 19, 2015), available at <https://mdoag-public.sharepoint.com/press/2015/081915.pdf> (last visited March 24, 2020); Press Release, “A.G. Schneiderman Announces Settlement with University of Rochester to Prevent Future Patient Privacy Breaches,” Office of the Attorney General of New York, December 2, 2015, available at <https://ag.ny.gov/press-release/2015/ag-schneiderman-announces-settlement-university-rochester-prevent-future-patient> (last visited February 4, 2020).+(last+visited+March+24,+2020);+Press+Release,+“A.G.+Schneiderman+Announces+Settlement+with+University+of+Rochester+to+Prevent+Future+Patient+Privacy+Breaches,”+Office+of+the+Attorney+General+of+New+York,+December+2,+2015,+available+at++(last+visited+February+4,+2020).>Google Scholar
Press Release, “McLean Hospital to Implement New Security and Training Programs After Data Breach Exposed Sensitive Health Information,” Office of the Attorney General of Massachusetts, December 12, 2018, available at <https://www.mass.gov/news/mclean-hospital-to-implement-new-security-and-training-programs-after-data-breach-exposed> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar
Id.Google Scholar
Complaint, States of Ariz. v. Med. Informatics Eng'g, No. 3:18-cv-969-RLM-MGG, 2019 U.S. Dist. LEXIS 97107 (N.D. Ind. May 28, 2019), available at <https://images.law.com/contrib/content/uploads/documents/292/Indiana-Suit.pdf> (last visited February 4, 2020). (last visited February 4, 2020).' href=https://scholar.google.com/scholar?q=Complaint,+States+of+Ariz.+v.+Med.+Informatics+Eng'g,+No.+3:18-cv-969-RLM-MGG,+2019+U.S.+Dist.+LEXIS+97107+(N.D.+Ind.+May+28,+2019),+available+at++(last+visited+February+4,+2020).>Google Scholar
Id.Google Scholar
Dennis, C. and Johnson, E., “Paging all health care privacy pros: CCPA deserves your attention despite HIPAA exemption,” International Association of Privacy Professionals, July 25, 2018, available at <https://iapp.org/news/a/paging-all-health-care-privacy-pros-cacpa-deserves-your-attention-despite-hipaa-exemption/> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar
Linnea, L., “Transparency and Direct-to-Consumer Genetic Testing Companies,” Harvard Law Petrie-Flom Center, November 22, 2016, available at <http://blog.petrieflom.law.harvard.edu/2016/11/22/transparency-and-direct-to-consumer-genetic-testing-companies/> (last visited February 2, 2020).+(last+visited+February+2,+2020).>Google Scholar
Pitts, P., “The Privacy Delusions Of Genetic Testing,” Forbes, February 15, 2017, available at <https://www.forbes.com/sites/realspin/2017/02/15/the-privacy-delusions-of-genetic-testing/#670caf2e1bba> (last visited Febrary 4, 2020); Elfin, D., “DNA Testing? You Might Want to Wait for More Legal Protection,” Bloomberg Law, January 7, 2019, available at <https://news.bloomberglaw.com/pharma-and-life-sciences/dna-testing-you-might-want-to-wait-for-more-legal-protection> (last visited February 4, 2020); Ornstein, C., “Privacy Not Included: Federal Law Lags Way Behind New Health-Care Technology,” Pacific Standard Magazine, June 14, 2017, available at <https://psmag.com/social-justice/privacy-not-included-federal-law-lags-way-behind-new-health-care-technology> (last visited February 4, 2020).+(last+visited+Febrary+4,+2020);+Elfin,+D.,+“DNA+Testing?+You+Might+Want+to+Wait+for+More+Legal+Protection,”+Bloomberg+Law,+January+7,+2019,+available+at++(last+visited+February+4,+2020);+Ornstein,+C.,+“Privacy+Not+Included:+Federal+Law+Lags+Way+Behind+New+Health-Care+Technology,”+Pacific+Standard+Magazine,+June+14,+2017,+available+at++(last+visited+February+4,+2020).>Google Scholar
Hoffman, S., “Electronic Health Records and Medical Big Data,” Cambridge Bioethics and Law (2016): 131134.Google Scholar
“Health Information Privacy Beyond HIPAA: A 2018 Environmental Scan of Major Trends and Challenges,” National Committee on Vital and Health Statistics, December 13, 2017, available at <https://www.ncvhs.hhs.gov/wp-content/uploads/2018/02/NCVHS-Beyond-HIPAA_Report-Final-02-08-18.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar