Kelly Straub, MPA, Staff Writer, Brief Policy Perspectives

Has your DNA been compromised? The recent rise in popularity of commercial DNA testing companies is transforming the medical field, but few consumers are aware of the privacy implications of using these services. Since the Food and Drug Administration (FDA) authorized commercial genetic testing for hereditary diseases in April 2017, the market for these services has boomed. While commercial genetics tests already existed for tracing ancestry, this ruling contributed to an explosion of new medical technology companies, with more than 500 laboratories testing for over 2,000 possible conditions. This market has expanded from $117 million in 2017 to an estimated $611 million by 2026. However, lawmakers have been slow to address the legal and ethical ramifications of this new frontier.

DNA Collection Services on the Rise

Currently, commercial DNA testing companies like 23andMe, AncestryDNA, and Geno 2.0  exist in a medical and legal gray area. While they manage vast databases of genetic information, they are not healthcare providers, and like any tech company, the data they collect from you are monetized. The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to ensure that the medical community would protect sensitive medical information. However, in the past 20 years, breakthroughs in medical technology, especially genetics, have outpaced HIPAA’s ability to protect consumers.

One provision of HIPAA is that medical data can be sold to outside organizations, provided the data are made anonymous, but there is nothing truly anonymous about DNA. Unless you have an identical twin, your DNA is completely unique and traceable to you. Commercial DNA testers  collect and sell this information sell this information to pharmaceutical companies, research labs, and other commercial medical organizations. Of course, these companies do ask for consent before they share your genetic information with outside entities, but it is buried in the fine print of their initial legal disclaimer and there is no way to opt out if you want to use their services. Even companies preforming ancestral DNA tests with no medical applications maintain these large data sets, and the protections on these are even weaker.

Unravelling the Genetic Chain

While these massive databases of genetic code are not attached directly to the names of customers, researchers have been able to recreate physical profiles from anonymous DNA samples. Of course, genetic information can be compared to existing, already identified DNA samples, including samples belonging to close relatives. This is especially worrying given the unknown future applications of genetic medicine and genetic identification. Tech behemoths like Apple, Google, and Amazon already use biometric identifiers such as fingerprints, iris scans, and facial recognition to unlock cell phones and track purchases. As genetic sequencing becomes cheaper and faster, an individual’s DNA profile may be used to access sensitive information, including financial, legal, and criminal records, beyond the trove of medical data DNA provides.

Commercial genetic testing facilities already have large, commercially available databases of peoples’ genetic disorders. Consumers can use genetic testing to identify a host of hereditary diseases such as Parkinson’s, or increased susceptibility to certain cancers, all without stepping foot in a doctor’s office. Even if these data sets remain superficially anonymous, academic studies have been able to trace DNA samples back to their owners, based solely on the limited biographic information provided in the datasets and inferring physical characteristics from the genetic code. Even without that ability, any time a large set of valuable data is digitized and stored in a central location, it is vulnerable to hackers. It is unclear if DNA testing companies are taking enough steps to protect the valuable information they hold.

In 2008, Congress passed the Genetic Information Non-Discrimination Act (GINA), which prohibits employers and health insurers from mandating genetic tests or using the results of genetic tests to discriminate. However, as genetic testing becomes more commonplace, insurers have lobbied to chip away at certain provisions. In the past year, Republican representatives introduced a bill to allow workplaces to collect genetic information as part of their workplace wellness programs and levy financial penalties against those who choose not to participate. While this bill is unlikely to pass in its current form, it does offer a stark glimpse of potential DNA applications. Genetic testing is becoming cheaper and more reliable as the costs of healthcare continue to grow. Insurers, employers, and commercial entities already see the profit in building consumer genetic profiles.

Policy Needed to Protect Your DNA

Several further steps should be taken to protect genetic data. First, Congress should ensure full HIPAA privacy protections to any genetic testing. Additionally, HIPAA rules on anonymized genetic information should be strengthened to allow only select organizations to access genetic data for medical research and require compliance with stringent information security protocols. Congress should also look toward future potential uses of commercial genetic identification and insure that companies collecting data on biometric identifiers are safeguarding that information responsibly. Finally, while GINA is a good baseline for protections against genetic discrimination, any law passed by one Congress can be overturned by another. Beyond Congress, privacy and consumer advocates need to make sure the public is aware that by using commercial genetic testing, they are putting their personal information at risk. As it stands, few consumers realize the extent they are jeopardizing their future privacy, as well as anyone who shares their DNA.