Tori Downey, Thora Johnson, Alyssa Wolfington, and Shannon Yavorsky of Orrick, Herrington & Sutcliffe write:
Interest in genetic data is on the rise, driven by the growth of direct-to-consumer (DTC) genetic testing and its value for AI in drug development and personalized medicine. Historically, gaps in privacy laws have sometimes left sensitive health information unprotected when individuals share it with companies outside the clinical setting. This issue has been brought into sharp relief with the 23andMe bankruptcy.
While HIPAA, at the federal level, generally protects health information, including genetic information, created and received by healthcare providers and health plans, it does not apply to data given to consumer genetics companies. Instead, consumers are treated as customers, not patients and plan enrollees, leaving their genetic information outside the reach of the nation’s strongest health data protections. The Genetic Information Nondiscrimination Act (GINA) offers some safeguards, but is limited to misuse by insurers or employers.
Moreover, state laws have also fallen short in filling the gaps in federal privacy protections. While twenty states have enacted comprehensive privacy laws, most of them do not prevent companies from selling genetic data in a bankruptcy proceeding.
Read more at JDSupra about recent and proposed laws to deal with the gaps between federal privacy laws and state laws.