Barbara Evans is one of our preeminent privacy scholars (with a pretty nifty sideline in FDA law). She specializes in intricate and precise analysis, very carefully mixing “big picture” policy arguments with deft doctrinal detail. This article on the Genetic Information Nondiscrimination Act (GINA) is no exception. GINA, of course, was one of the products of The Ethical, Legal and Social Implications (ELSI) Research Program funded by the NIH under the Genome project. The Genetic Information Nondiscrimination Act at Age 10: GINA’s Controversial Assertion that Data Transparency Protects Privacy and Civil Rights is a timely reminder not only of GINA’s tenth anniversary but also, increasingly, the proliferation of genetic information across clinical, research, and consumer domains. As Evans notes, “If GINA failed in its first decade to save us from genetic discrimination, it may have been a harmless error, because the human genome was too poorly understood at the time to lend itself to very many nefarious uses. If GINA failed, then so did the science, and it all somehow worked out. This does not imply, however, that GINA’s civil rights protections are unimportant; they may simply have been premature.” Another reminder inherent in the article is that health care suffers from a poorly synchronized combination of data protection models, including the HIPAA Rules, the Substance Use rule (aka 42 CFR Part 2), GINA, the Americans with Disabilities Act, and the Common Rule.
At the core of the article is a most perceptive observation—that GINA expanded the federal regulatory program for genetic and genomic testing from safety regulation to civil rights regulation, including privacy protections and prohibitions on discrimination. At first sight, the specific legal issue to which Evans turns her attention does not seem particularly earth-shattering—a GINA-authorized amendment to the HIPAA Privacy Rule. HIPAA had already allowed patients to access their healthcare data held by physicians. However, the GINA-initiated regulatory change in 2014 granted them access to “laboratory-held data, including genetic and genomic information as well as assorted other diagnostic test results that laboratories hold in their files.” This change did not sit well with a range of health regulators (or the laboratories). They viewed much of the assembled genetic data as incomplete or of sub-clinical quality, yet here were patients being granted legal access to it!
Expertly, Evans uses this example to illustrate that the underlying problem was a failure to view the access right, not as a safety regulation, but as a “regulation that aims to balance privacy and transparency in a way that allows socially beneficial uses of genomic data while protecting people’s civil rights.” GINA didn’t necessarily care about reliability or clinical significance because “[p]eople can be deprived of civil rights based on unreliable as well as reliable information that is attributed to them.” Safety regulation and civil rights regulation are different and sometimes their intersection will be messy.
Drawing the distinction between safety and civil rights regulation can be enormously helpful. For example, it helps to explain the recent Common Rule revisions that according to Evans, sought to “disentangle safety and civil rights by ceding civil-rights oversight to the HIPAA regulations and focusing the Common Rule on the physical risks of research—that is, on safety issues.” Evans also has an interesting take on HIPAA privacy. It is true that GINA primarily uses a transparency rule to promote privacy (in contrast to GINA’s far more prescriptive approaches to health and employment discrimination) and that GINA adopted HIPAA’s (transparency) access provision. However, it may be an overstatement to assert that the latter “was designed, from its inception, to serve competing values of privacy and data transparency, giving considerable weight to the latter.” The Privacy Rule is imperfect and riddled with exceptions. Yet, at its core, it does provide reasonably robust downstream confidentiality data protection, albeit with rights attaching to HHS’ Office for Civil Rights (OCR) rather than to the data subjects themselves.
Notwithstanding, Evans’ core transparency point is correct—that the “primary purpose of HIPAA’s access right is to force entities that store individually identifiable data to display respect for the individuals’ autonomy.” For example, Evans argues that furthering this autonomy can empower citizen science and improve data quality. However, what Evans amusingly describes as the “Consumer Safety Regulatory Empire” struck back against the autonomy-though-transparency HIPAA-GINA access rule. Soon, laboratories holding genetic data found themselves caught in “crossfire” from different regulatory directives or models from the Department of Health and Human Services, the Food and Drug Administration, the Centers for Medicare and Medicaid Services, the OCR, and even local Institutional Review Boards. Evans pushes back against the Empire, noting “[t]he individual’s civil right of access to genetic information has one of the most unimpeachable statutory pedigrees of any U.S. federal regulation: Congress thrice authorized it.” The last section of the article is dedicated to suggesting routes that can respect or balance that autonomy with the broad consensus of researchers that there should be very limited access to their own genetic data. Evans’ suggestions are cogent and practical.
Professor Evans’ carefully constructed arguments aside, her article also contains some delicious nuggets that are worth digesting on their own. Examples include: “GINA enters its second decade like a misunderstood teenager, struggling to be taken seriously as a civil rights law,” and “GINA, in many respects, was Congress’s response to a mass delusion that genetic information is more informative than, at least to date, it has proved to be.” And, finally, a nugget that also serves as fitting coda to an exemplary piece of legal scholarship: “As GINA enters its second decade, its civil rights protections are more important than they were ten years ago: people’s genomic data are widely used in research, often without their consent; bioinformatics algorithms grow more efficient at re-identifying de-identified data, and progress of genetic science is expanding the range of privacy-invasive inferences that can be drawn when data are wrongly shared or misappropriated.”