Protecting Consumer Privacy in DTC Tissue Testing
By Adithi Iyer
In my last piece, I discussed the hypothetical successor of 23andMe — a tissue-based direct-to-consumer testing service I’ve called yourtissueandyou — and the promise and perils that it might bring in consumer health information and privacy. Now, as promised, a closer look at the “who” and “how” of protecting the consumer at the heart of direct-to-consumer precision medicine. While several potential consumer interests are at stake with these services, top of mind is data privacy — especially when the data is medically relevant and incredibly difficult to truly anonymize.
As we’ve established, the data collected by a tissue-based service will be vaster and more varied than we’ve seen before, magnifying existing issues with traditional data privacy. Consumer protections for this type of information are, in a word, complicated. No single “authority” for data privacy exists in the United States; instead, responsibility is spread among individual state data privacy statutes and regulatory backstops (with overlapping sections of some federal statutes in the background). In the context of health, let alone highly sophisticated cell signaling and microenvironment data, the web gets even more tangled.
The HIPAA Problem
The privatization of next-generation medical technologies, especially in regenerative and precision medicine, further muddies the data-protection waters. Namely, legal protections concerning personal health data may not apply when the entity offering the service is decidedly not a “provider.” To illustrate the issue, consider that the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) expressly covers genetic information as a form of health data. But, remarkably, genetic testing companies like 23andMe and Ancestry have largely succeeded in distinguishing themselves from health care providers, the “covered entities” under the act.
Turning to the FTC?
The innovation-security tradeoff is a familiar trope in biotechnology, but the main character of the direct-to-consumer tissue-based service story is less so. The regulation and administration of health care in the United States suggests a list of familiar institutional names — the Department of Health and Human Services, the Food and Drug Administration, Centers for Medicare & Medicaid Services, and the National Institutes of Health, to list a few. But especially as personalized medical services come to the forefront of the latest therapeutic revolutions, the Federal Trade Commission (FTC) should join that list.
The FTC’s role is particularly magnified in the context of privatized medical service provision. It may, in some cases, be the primary defender of patient privacy rights in biomatter and resultant data because it covers corporate entities. But, as the HIPAA problem illustrates, companies that already collect DNA and genetic samples for direct-to-consumer testing currently seem exempt from regulations specific to personal health data. Some developments might reshape this dynamic, like health-specific state privacy laws. But still, the (immense) overall value these services offer consumers, healthcare systems, and society warrants valid hesitation toward restricting their growth. After all, data collection and use is the bread and butter of these services.
This, of course, makes FTC mediation of privacy in biotech especially salient until other tools — FDA guidelines, HIPAA expansions, and state privacy laws — start to address these concerns. Lina Khan’s Commission has been actively expanding its portfolio of hundreds of cases to include biotech, having settled its first action pertaining to genetic information with 1health.io (formerly Vitagene) this summer. The initial complaint claimed that 1health.io abruptly changed its privacy policies without notifying existing customers, failed to destroy all saliva DNA samples after use, and used publicly accessible cloud services to store highly personal data. In the settlement, 1health.io agreed to put in place a “mandated information security program” subject to external assessment, while paying a $75,000 fine. This action is a starting point worth looking at for the future of corporate tissue-based services. The retention and potential misappropriation of cells and tissue raise serious concerns for both patients and shareholders. And post-hoc enforcement is not the only tool in the toolbox, so to speak. The FTC can also make rules to help prevent data breaches before they occur, and is in fact moving towards formal rulemaking in consumer privacy.
Open Questions for the Future
Think the FTC may be a formidable defender of patient rights in a consumer tissue-based testing service? Not so fast. Winter may be coming for the scope of agency power, which may see a first frost with the coming Supreme Court term. The sensitivity of our patchwork privacy framework to these potential changes is not to be understated; we are still missing a federal data privacy statute to codify such consumer protections. But even if we were to define a comprehensive set of national privacy regulations, the question remains whether we are ready to legislate on the decidedly new notion of completely privatized health offerings that go as far as using living human samples in-lab, or even on how to treat the types of data we can now obtain from living samples.
The future remains largely in flux for consumer privacy as it would pertain to a tissue-based offering like a yourtissueandyou, but these questions seem to recognize that consumers (ultimately, patients) have some kind of stake in their genetic, and potentially cell-derived, health information. I’ll discuss the nature of this claim, and what it could look like legally, in future installments.