Abstract
At one time, specialized health privacy laws represented the bulk of the rules regulating genetic privacy. Today, however, as both the field of genomics and the content of privacy law change rapidly, a new generation of general-purpose privacy laws may impose new restrictions on collection, storage, and disclosure of genetic data. This article surveys these laws and considers implications.
