Direct-to-consumer (DTC) genetic testing companies are now a fixture of U.S. consumer culture, with dozens of companies offering adults on-demand insights into their ancestry and health (sometimes loosely defined). While a compelling argument can be made for giving consumers the right to access information about their own genetic material, DTC-testing presents a range of legal and ethical concerns. Scholars and physicians have long been raising questions about the analytic validity, clinical validity, and clinical utility of these services. The FDA has increasingly worked to address these aspects of DTC-testing and has issued letters to multiple DTC genetic testing firms arguing that they are offering medical devices that should be subject to premarket review. Developments in this area continue to emerge and the FDA recently authorized marketing for 23andMe’s Bloom Syndrome carrier test, while also planning to exempt future carrier screening tests from premarket review.
These are clearly positive developments from the perspective of consumer protection, however, other aspects of DTC genetic testing remain largely unaddressed. Most notably, there are significant concerns about how firms handle consumer samples and data and how and if they use them for secondary purposes. To address this issue, Paul Auer, PhD, Jennifer Rich, MPH, and I set out to understand how transparent these firms are about their privacy, confidentiality, and secondary use policies. Recently published in Genetics in Medicine, this work offers an analysis of the terms-of-service and privacy policies of the top 30 DTC genetic testing firms that show up in a U.S. based web search.
While transparency about data practices varied across firms, a number of gaps appeared with regard to conveying information about the risks of data disclosure, the ultimate fate of samples and data, and use of data for research. Over the past decade, several major professional and governmental organizations have issued guidelines for transparency in these areas, including the American College of Medical Genetics and Genomics and the European Society of Human Genetics. At present, it does not appear that non-binding guidelines have been sufficient to encourage widespread compliance with best practices on these topics.
Unfortunately, limited transparency is a notable concern since U.S. consumers continue to face lacking legal protections for their genetic data. Individually identifiable genetic information is considered health information under the HIPAA Privacy Rule, however, the vast majority of DTC firms (by the very nature of their direct interactions with consumers rather than going through physicians) are not currently considered to be “covered entities” nor are they “business associates” of one. As a result, HIPAA does not currently apply to DTC genetic testing firms as a group. Disclosure of data is of critical importance given that the Genetic Information Nondiscrimination of 2008 (GINA) does not protect against discrimination for life, long-term care, or disability insurance plans.
Even if DTC genetic testing companies are able to perfect the clinical utility of their services, these underlying challenges to consumer privacy must be addressed. Several states have begun to adopt more stringent provisions relating to genetic information and privacy and may represent a model for future federal efforts. More immediately, it seems that some form of DTC genetic testing certification for companies that meet minimum standards for best practices would both encourage improved behavior by firms and allow consumers to make more informed decisions.