Over the past few years, genetic testing services have become widespread. Companies providing these services gather certain biological data from consumers who sign up and then analyze that data to ascertain information about the consumer’s ancestry and/or genetic traits, among other things. These companies, however, are typically considered “non-covered entities” (NCEs), meaning the Health Insurance Portability and Accountability Act (HIPAA) generally neither applies to nor protects the collected biological data. This raises a host of issues, particularly the question of how to ensure the data remains protected. Biological data of this nature is susceptible to breaches because of the format in which it is stored, and some genetic testing companies disclose this data to pharmaceutical companies to facilitate research and the development of new drugs.

In July of 2016, the Department of Health and Human Services (DHHS) issued a report entitled “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA” in which it highlighted this gap in the current legal landscape—the gap where HIPAA ends and modern technology begins. The report focused on two categories of NCEs: “mHealth technologies” and “health social media”:

“The former includes entities that collect or deal in personal health records (PHRs) and cloud-based or mobile software tools that intend to collect health information directly from individuals and enable sharing of such information, such as wearable fitness trackers. The latter includes internet-based social media sites on which individuals create or take advantage of specific opportunities to share their health conditions and experiences.”

Relevant here, the report specifically examined the differences in the security and disclosure standards applicable to covered and non-covered entities, such as the “mHealth technologies” and “health social media” organizations.

Now we fast-forward to June of 2019. Just last month, Senator Amy Klobuchar introduced the Protecting Personal Health Data Act (S. 1842, 116th Congress). The Act specifically applies to “consumer devices, services, applications, and software,” which include “direct-to-consumer genetic testing services.” The Act calls for the Secretary of HHS to “promulgate regulations to help strengthen privacy and security protections for consumers’ personal health data that is collected, processed, analyzed, or used by consumer devices, services, applications, and software.” It also explicitly requires that, in promulgating these regulations, the Secretary keep a number of enumerated considerations in mind, as well as those points outlined in the initial 2016 DHHS report, which is referenced in the Act. If passed, the Act would also provide for the creation of a 15-member task force to monitor and contribute to the development of such regulations and standards.

While it is still very early in the legislative process, the Act’s introduction will (hopefully) further a very important conversation among legislators regarding the current state of the protections afforded to biological data, and the protections that still need to be implemented to keep up with the modern age. The Act was referred to the Committee on Health, Education, Labor, and Pensions. You can track the Act’s progress here.