Federal Privacy Regulation and the Financially Troubled DTC Genomics Company

LockLast month, the Genomics Law Report prepared a three-part series entitled What Happens if a DTC Genomics Company Goes Belly Up?  The series, which was originally published on Genetic Future (see Parts 1, 2 and 3), reviewed the privacy policies of several genomics companies to determine whether they prohibit the transfer of private data to third parties. We also discussed the fact that a bankruptcy court may approve such a transfer notwithstanding a policy to the contrary. In this post, we examine whether federal regulations may restrict the dissemination of private genomic data—including the new rules proposed earlier this month under the Genetic Information Nondiscrimination Act of 2008.

1. Is DTC Getting HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA), the most prominent federal regulation governing the privacy of medical records, established the Privacy Rule to provide national standards for protected medical records. HIPAA’s Privacy Rule currently applies only to “covered entities” and business associates of covered entities. A covered entity is a health plan, health care clearinghouse, or a health care provider. Since a company providing genomic sequencing services is not a health plan or a health care clearinghouse, HIPAA will apply only if such a company is determined to be a health care provider or a business associate of a covered entity.

Direct-to-consumer (DTC) genomics companies are not likely to be considered business associates of HIPAA covered entities. HIPAA defines a business associate as a person or organization that, on behalf of a covered entity, performs an activity involving the use or disclosure of individually identifiable health information, or otherwise performs services for a covered entity where the covered entity provides such health information to the business associate. The American Recovery and Reinvestment Act (ARRA) expanded the definition of business associate for purposes of the Privacy Rule and the Security Rule to include

  • entities providing data transmission of protected health information to covered entities (or such entity’s business associate) and requiring access on a routine basis to such information, and
  • vendors contracting with a covered entity to allow the covered entity to offer personal health records to its patients.

DTC genomics companies typically do not act on behalf of a covered entity, nor do they provide services to covered entities. Rather, as the DTC name suggests, companies such as 23andMe provide services directly to the consumer. However, this is not always the case. For example, California-based Navigenics, commonly referred to as a DTC genomics company, has announced a number of partnerships with healthcare clinics through which it offers its genotyping services to the clinic for use in developing personalized diagnostic, management and treatment strategies for patients. Just last week, Navigenics announced a partnership with Beth Israel Deaconness Medical Center in Boston to familiarize practicing physicians with its DTC offerings, among other goals. Looking at Navigenics’ list of collaborators reveals a number of relationships where Navigenics appears to be performing services (genotyping and risk prediction) and providing identifiable health information (the genotyping results) to health care providers. Whether or not a particular DTC genomics company qualifies as a business associate depends on the particulars of the services it offers, particularly those that it makes available directly to health care providers; particulars which are subject to change at a moment’s notice in this rapidly evolving field.

Moreover, it is conceivable that a DTC genomics company could be considered a health care provider itself. Although we are not aware of any regulative body that has found a DTC genomics company to be covered by HIPAA (as a health care provider or otherwise), the term “health care” is defined broadly under HIPAA regulations:

Health care means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:

(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body….

If a DTC genomics company provides diagnostic or analytical information to a customer in connection with the customer’s genomic sequence, it may be considered to be offering “diagnostic care” or “counseling with respect to the physical or mental condition of an individual”—and thus, to be a health care provider subject to the HIPAA regulations. Existing DTC providers do offer substantial information that could fall into those categories, including relative risk and lifetime risk calculations for serious diseases (23andMe’s testing service, for instance, includes “carrier reports” for 32 conditions including several cancers, Parkinson’s Disease and diabetes) and the determination of carrier status for alleles with reproductive implications. In addition, other companies such as Navigenics, provide access to board-certified genetic counselors to assist customers in interpreting their results.

The provision of clinical diagnostic information and genetic counseling, even when delivered over a website rather than in a doctor’s office, may constitute the provision of health care. In recent weeks the Genomics Law Report has focused on the recurring calls for standards that would have the effect of blurring the distinction between direct-to-consumer genetic testing and the clinical practice of medicine (also see here, here, here and here). One potential effect of confusing the clinical/non-clinical divide in the DTC setting would likely be to bring DTC service providers unambiguously under the purview of HIPAA as a health care provider. As described below, however, despite the increasingly clinical nature of the services offered by DTC providers, there does not appear to be much enthusiasm for subjecting genomics companies to HIPAA or to other clinical regulations.

2. Why Does HIPAA Matter? Even if a DTC genomics company is deemed to provide a level of service sufficient to make it a covered entity under HIPAA, it may still disclose confidential protected health information (such as a customer’s genetic or genomic results) for the purpose of carrying out “health care operations.” Health care operations are broadly defined in HIPAA Section 164.501 to include business management and general administrative activities. Specifically disclosure is permitted relating to the “sale, transfer, merger or consolidation of all or a part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity.” Among the amendments to HIPAA contained in the ARRA is a specific prohibition on the sale of protected health information, except for the sale of information in connection with the sale, transfer or consolidation of the covered entity. Therefore, even when HIPAA applies, patient or customer authorization is not required for disclosure of protected health information in the sale of the company’s assets.

HIPAA does not specifically address the bankruptcy of a covered entity; however, it seems that the sale or transfer exception would likely apply. A liquidation in bankruptcy requires the sale of the debtor’s assets. As long as the protected information is transferred to another covered entity in connection with a sale of the assets, presumably individual authorization from the DTC genomics company’s customers would not be required.

For the moment, it does not appear that HIPAA regulations are restricting much if any of the activity currently taking place in the DTC genomics space. However, as a host of factors, including both internal and external pressures, continue to drive many DTC genomics companies closer and closer to activities indistinguishable from the clinical practice of medicine, at least some DTC companies may soon find themselves subject to HIPAA’s regulations. The implications of HIPAA coverage for DTC genomics companies is the subject for another post, but in the limited case of a bankruptcy scenario, even HIPAA coverage would not appear to prohibit a DTC genomics company from transferring its customers’ genomic information.

3. DTC Escapes Stimulus Bill Unscathed? Part of the Stimulus Bill enacted this past spring directed the Department of Health and Human Services (HHS), in conjunction with the Federal Trade Commission (FTC), to conduct a study on privacy, security, and breach-notification requirements for vendors of personal health records (PHRs) and related entities that are not subject to HIPAA. In the meantime, the Act required the FTC to issue a rule requiring these entities to notify consumers if the security of their health information is breached.

The FTC issued a proposed notification rule (pdf) in April 2009, applying to PHR vendors, PHR-related entities, and third party service providers. All three categories, however, are restricted to firms that handle personal health information.

Upon publication of the proposed rule, the FTC solicited comments from the public. One of the comments was from a nonprofit health privacy watchdog group, Patient Privacy Rights, on behalf of the Coalition for Patient Privacy (a group that includes the American Civil Liberties Union and the American Association for People with Disabilities). The Patient Privacy Rights comment (pdf) objected to the limitation of the proposed rule to “the organization and sharing of personal health records,” because the definition of personal health records did not explicitly include genetic or genomic information. As the group explained:

Personal genomics companies such as 23andMe, Navigenics, Knome, and deCODE offer individual genetic testing that can provide customers with novel health services—from determining the likelihood of contracting diabetes, to identifying ancestral roots. Such companies rely on (HIPAA-compliant) labs to analyze patient DNA, which they receive directly, analyze, and store online for access by the patient.

A patient whose genetic information is leaked, stolen, or disclosed could clearly suffer harm as great as that associated with any other PHR health data, as recognized by the various state and federal laws around genetic privacy. The Commission should accordingly determine that personal genomics companies constitute [Personal Health Record] related entities insofar as they ‘access[] information in a personal health record’ or ‘offer[] or maintain[] a personal health record.’

However, when the final notification rule (pdf) was published in August of this year, the FTC had declined to modify the rule as requested by Patient Privacy Rights. The Commission’s final rule contains no mention of genetic data or genomics companies.

While we will have to wait for the completion of the joint HHS/FTC study in February 2010 to see whether it explicitly covers genomics companies in any of its privacy or security regulations, the FTC’s security breach rule suggests that it is unlikely that any such regulations will be immediately forthcoming.

Accordingly, the genomic information supplied by DTC companies is likely to be covered by the FTC’s regulations only to the extent such information constitutes personal health information (thus making a genomics company a firm that handles PHI and subject to the regulations.) This is where GINA comes in.

4. GINA and the Privacy Rule: Did Anything Really Change? The Genetic Information Nondiscrimination Act of 2008 (GINA) requires that the HHS Secretary revise the HIPAA Privacy Rule to make clear that “[g]enetic information shall be treated as health information.” Although GINA required that HHS issue implementing regulations not later than May 2009, it wasn’t until this month that HHS’ Office of Civil Rights issued its proposed rules (pdf). The background discussion of the proposed rule points out, however, that although the term “health information” would be amended “to explicitly provide that such term includes genetic information,” that does not mean that all disclosures of genetic information would necessarily be protected under HIPAA’s Privacy Rule:

We note, however, that as before, genetic information, while health information, is only covered by the Privacy Rule to the extent that it meets the definition of “protected health information.” That is, the genetic information must be individually identifiable and maintained by a HIPAA covered entity (or business associate of a covered entity) (and not otherwise fall within one of the exceptions to the definition).

Thus, although GINA amended the Privacy Rule to cover genetic information, the type of entities covered by the Privacy Rule did not change: it still only applies to HIPAA’s “covered entities.” And so we have come full circle: the key question remains whether DTC Genomics companies are considered to be covered entities, either as health care providers or as business associates of health care providers. While that question remains unsettled, the tone of the note suggests that HHS is not actively seeking ways to apply its regulations to genomics companies.

5. What Does It All Mean? As discussed above, the trend toward clinical activity on the part of many DTC genomics companies could ultimately bring them within the ambit of HIPAA and its Privacy Rule. However, at present it does not appear that there is any federal regulation—including HIPAA—that clearly restricts the transfer of customers’ information as part of a sale of assets by a troubled DTC genomics company.

As we concluded last time, the true test for the handling of individuals’ genetic and genomic information collected by DTC companies will be the first actual bankruptcy. Until then it will remain extremely difficult to predict how regulators and bankruptcy courts will address such a scenario, and the most practical advice at this time, for existing and potential customers, continues to be to understand the terms and conditions offered by each individual DTC genomics company with respect to their customers’ information—and to recognize that, in bankruptcy, genomic data may be transferred to a similar company without regard to those terms and conditions..

As for the DTC companies themselves, the possibility that they may be subjected to regulation under HIPAA and the Privacy Rule—as well as, potentially, a host of other regulations and sources of liability associated with the provision of health care—has implications far beyond the bankruptcy scenario. In the coming weeks the Genomics Law Report will begin to investigate what it might mean for DTC genomics companies if the blurry line between clinical and non-clinical activity in the DTC space finally resolves itself, with the DTC companies on the clinical side of that line.