Podcast: Who Owns Your DNA? Lessons Learned from 23andMe
In the first episode of a new "Florida Capital Conversations" healthcare privacy series, Tallahassee healthcare attorneys Shannon Hartsfield and Eddie Williams discuss the evolving landscape of genetic data privacy, focusing on protections under Florida law and the implications for genetic testing companies such as 23andMe. They explain how Florida law generally recognizes individuals as owners of their DNA and genetic test results, though there are exceptions for clinical or research use. The bankruptcy of 23andMe raises important questions about what happens to consumers' genetic data during company sales, highlighting the tension between consumer privacy promises and business realities. Unlike most healthcare providers, direct-to-consumer genetic information companies are typically not covered by the Health Insurance Portability and Accountability Act (HIPAA) but instead fall under Federal Trade Commission oversight, which enforces privacy commitments made to customers.
This Tallahassee-based podcast series takes a look at the many different aspects of state and local government through the lens of experienced legal professionals. Hosted by attorneys Nathan Adams and Mia McKown, these candid conversations offer a seat at the table to everyone who listens.
Nathan Adams: Welcome to Holland & Knight's Florida Capital Conversations podcast series. Today we kick off a three-part series on healthcare privacy. Our guests are Shannon Hartsfield and Eddie Williams. My name is Nathan Adams. My co-host is Mia McKown. We are so pleased that you have joined us today to consider another interesting issue bearing on state government affecting Florida business and communities. There is none better than Shannon Hartsfield and Eddie Williams to kick off our discussion of healthcare privacy. This session will address protections of genetic data.
Mia McKown: This is Mia McKown. Good to be with everyone today. Shannon and Eddie, I was hoping that you could share with our listeners a little bit about yourself and your experience with DNA and protections with genetic data.
Shannon Hartsfield: Thanks, Mia. I practice in the area of health law in Florida. And Florida was one of the first states to implement in statute significant protection with respect to DNA, genetic analysis and the results of genetic testing. And the general rule in Florida is that the individual tested is the owner of their sample, is the owner of their test results. However, there are some new laws that make some pretty significant exceptions for DNA analysis done in connection with treatment or done by a clinical laboratory that's subject to CLIA [Clinical Laboratory Improvement Amendments] or done for certain research purposes. So we have been working with a number of clients to help them navigate and figure out the federal and state privacy implications with respect to work they want to do with DNA.
Eddie Williams: Hi Mia. Similar to Shannon, with similar experience and background, I've been working with clients in this particular area, providing them advice and guidance as it relates to Florida law, as well as any federal laws that will be applicable to the protection of their DNA and their DNA analysis and results. So we provide a lot of guidance to clients, particularly providers who are gathering this information, ensuring that they have the necessary consents at the beginning, as well as making sure all their documents detail how they're going to use the information, if they need additional consent for further disclosure, as Shannon mentioned, for research and a further DNA analysis. So we've been providing clients with this guidance and trying to keep them abreast of the new changes as other states are starting now to adopt their laws as it relates to protection of DNA and genetic information.
Nathan Adams: Tell us a little bit about the legal protections that currently exist for individuals' genetic data. And how do they apply to companies such as 23andMe?
Shannon Hartsfield: So we've been getting a lot of calls regarding 23andMe and what is happening with the genetic data that that particular company holds. That company is a for-profit entity that has filed for bankruptcy reorganization. And so in connection with that company in particular, a lot of the protections relate to the promises made to consumers in the company's contract with the consumers and their privacy policies that they've published on their website. The Federal Trade Commission has jurisdiction over companies like 23andMe that are in the for-profit space and that deal with consumer health information but are not necessarily subject to HIPAA. Eddie, do you want to talk a little bit about when a company is and isn't subject to HIPAA in this area?
Eddie Williams: Sure. Generally on the HIPAA, it applies to covered entities, and generally that includes health plan, a healthcare clearinghouse, as well as healthcare providers who transmit protected health information electronically. For a company like 23andMe, who do not provide any healthcare services, generally they will not be considered a covered entity under HIPAA. They would basically just be considered a consumer company, and typically HIPAA would not apply to the receipt of information provided to them directly by a customer or a consumer. As well as the Genetic Information Nondiscrimination Act, otherwise known as GINA, it typically applies to health insurers and employers to prevent them from discriminating against individuals based upon genetic information as it relates to determining claim coverage as well as any employer-employee decisions regarding an individual.
Shannon Hartsfield: HIPAA could potentially apply to a similar type of company because I think genetic testing would fall within HIPAA's broad definition of healthcare. But unless a healthcare provider transmits health information electronically in connection with certain standard transactions, as Eddie was referring to, like billing health plans and things like that, unless they're engaged in those sorts of electronic transactions in particular, it wouldn't be subject to HIPAA. So we looked to the Federal Trade Commission and we looked to Florida law and the law of other states where the consumers are located.
Nathan Adams: Can I ask for those who may not be familiar with the 23andMe controversy, what is that all about, and what did the company do?
Shannon Hartsfield: The company 23andMe sells DNA testing kits where you can send off a DNA sample and receive a report and learn all kinds of things about yourself. And for whatever reason the company has gone bankrupt. And so now the concern is that some other company is going to come in and purchase the assets of 23andMe and they will get custody of all of this personal information of the consumers. The 23andMe privacy policy on its website makes it clear that they are allowed to disclose the genetic data that they hold if they're in bankruptcy, if they're sold someone can come along and take custody of that information. But in the public-facing documents that they put out regarding the bankruptcy, they are committed to making sure that whoever buys them, or ends up with their assets, will protect the data in the same way. They will still be bound by that contract. They're also restricting buyers and not considering bids from buyers in certain countries. And additionally, they have asked for the appointment of an independent consumer data privacy monitor of some sort, who would sort of, I would think, represent the interests of the consumers and make sure that the information will be protected in accordance with the promises made to the consumers when they bought the kit.
Mia McKown: Shannon, you talked a lot about what the company says they're going to do or what the proceedings say. Is there anything that individuals need to do to protect their information in this situation, or do they just have to rely on 23andMe and their attorneys and all this stuff that's going on that you described? Is there anything they need to do?
Shannon Hartsfield: They can, if they want to, delete their data. There is a process on the 23andMe website to delete their data. But going beyond this particular situation, I think this illustrates a couple of things. One, it illustrates the importance of companies that hold data that's protected by state or federal law to make sure they're doing what they're required to do under their legal obligations, and if they're not subject to HIPAA, it's extremely important that they are complying with their online privacy policies as well as any privacy provisions in the contracts with consumers. But this is a perfect situation where people are concerned, they're upset, but the reality is they signed, theoretically, they signed the agreement that said that if the company goes bankrupt, somebody else can get their data. So —
Mia McKown: Sorry to interrupt, but that kind of begs a question, too: Do individuals really even continue to own their DNA information once it's shared with a company? Seems to me that's somewhat of a wrinkle, or is it not?
Shannon Hartsfield: I think the question of ownership of data, I would argue that at least the DNA data for Florida people, that they in a lot of ways do own their data. But ownership is really a bundle of rights regarding property or regarding something else. You have certain rights, and the company has certain rights. And so I think the concept of ownership when it comes to data is a little bit fuzzy because once you provide a third party like 23andMe with rights to your data, you sort of lose some of the benefits of ownership, that there is ownership.
Eddie Williams: Just to piggyback on what Shannon indicated, like she said, under Florida law, it spells out that the DNA analysis performed with express consent is really considered the exclusive property of the person that's tested, it's deemed confidential and cannot be re-disclosed without their express consent. However, the law has exceptions to that. So if you give — like Shannon indicated — you give someone your express consent to perform the DNA analysis, then there is an avenue for it to be shared for medical diagnosis, for various other purposes in connection with your treatment. Again, if you provided that express consent for them to perform that analysis, as well as conducting research. So there are still avenues for the data to be shared and disclosed even though an individual like Shannon and Nate can make the argument that it's their exclusive property.
Nathan Adams: Is Florida unusual in this respect, or is this a very state-specific question or how does that work?
Shannon Hartsfield: Florida was one of the first states to obligate special protections for DNA and protections against discrimination by insurance companies and things like that. But I believe that more and more states are imposing protection, not only on DNA data, but through the Washington My Health, My Data law and things like that. They're imposing more stringent privacy requirements for their residents in general.
Mia McKown: This is unlike all the issues that seem to be coming at us fast and furious as technology grows, which is great, but this also I think highlights some concerns and issues with using this type of technology. Do you think there are lessons that other genetic testing companies can learn from the 23andMe bankruptcy in terms of data privacy and security?
Shannon Hartsfield: I think the most important lesson is to make sure that their consumer-facing documentation, whether it be the actual contract with the consumer or the website privacy policy, is actually saying in an accurate way what they anticipate doing with the data. There have been Federal Trade Commission enforcement actions in the past against companies that have just put language on their websites that they may have cut and pasted from somewhere else that says things like we'll never, never, never sell your data, essentially. And yet when they sell the company that information is going to go to the purchaser, and so the Federal Trade Commission has jurisdiction if you are not complying with the public-facing statements that you made regarding data use.
Nathan Adams: What future legal developments or regulations do you foresee in the realm of genetic data privacy, and how might they impact consumers and companies alike?
Eddie Williams: Other states are beginning to review this area, as well as adopt laws to strengthen their current laws to provide more oversight over companies similar to 23andMe — it may not be your typical healthcare provider, just a consumer company. So bringing those companies like that into their purview of their laws is something that we will likely see going forward. I believe that those laws probably also give consumers greater protection related to their genetic data, granting them rights to request immediate destruction of their DNA samples and information, having the providers provide notice regarding these rights, anytime that they're requesting that individual to provide consent to receive their DNA and provide a DNA analysis and also imposing time restrictions on any retention of the DNA samples and the results. So those are some of the type of laws that I anticipate seeing be incorporated into the governing structure or the oversight regulatory structure going forward.
Shannon Hartsfield: And some of the things that I think about in terms of where the laws and rules might be going relate to what it means to actually de-identify data. So a lot of times companies that handle genetic information and DNA samples take the position that the information is completely de-identified, a lot of times, and they can do with it what they want. And that may be true today. The HIPAA Privacy Rule provides for a couple different ways to de-identify data, and one requires — it's called the safe harbor method — it requires removal of 18 specific identifiers relating to the information. So you can have a DNA sample where you've removed the patient's name, the patient date of birth, the date that the sample was collected, et cetera, et cetera, a lot of those potential identifiers. But one of the items in the list includes biometric identifiers, as well as any other unique characteristic or code regarding the patient. And I think it's getting harder and harder to argue that DNA is not a unique characteristic or code. It could even potentially someday be a biometric identifier. So I think right now it's important for companies to consider whether they need to bring in an expert to analyze whatever information they're going to use to determine if it truly is de-identified. And I think de-identification can potentially change in the future. Also for lawyers and others who are interested in this topic, I would strongly recommend that you go read a book called The Immortal Life of Henrietta Lacks by Rebecca Skloot. It's an interesting story about a woman whose cells were taken without permission and they continue to be used even today for scientific purposes and there have been a number of lawsuits brought by her descendants or family relating to this, and I think it brings home the idea that just like we own our cells, potentially we also — someone may be able to argue someday — that we own our data and we own whatever's done with our data. 
And so I think that makes it really important that companies that want to use patient information or patient DNA samples, make sure that they have obtained the permissions that might be required under the law and those laws may be changing down the road. So we'll see.
Mia McKown: Well, and really as fast as technology is changing and all these things are happening, when it really gets right down to it, when we are signing these forms and reading these contracts, you need to read what you're signing and what the document says and still continue to be careful. But this is such an interesting topic. We could have a lot more questions and who knows, maybe we might have an opportunity to do another session on this at another time. Nate, I don't know if you had any other questions, but I found this very, very interesting, especially — it has gotten a lot of traction on social media and people somewhat freaking out — so I appreciate the guidance that Eddie and Shannon have been able to give today.
Nathan Adams: My question is can we expect a Jurassic Park in the future after Mia and I are passed away where the tourists are passing through looking at us through electric fences and will those electric fences fail again when the tourists are going through that?
Mia McKown: We'll never die.
Shannon Hartsfield: At this point, nothing would shock me, Nate. Anything can happen, especially in healthcare.
Nathan Adams: Thanks to Shannon Hartsfield and Eddie Williams for their informative and interesting comments on healthcare privacy. And thanks to my co-host, Mia McKown. Most of all, thanks to you for joining us today. Please plan to join us for our next Florida Capital Conversations podcast. Have a great day.