Legislation Covering Genomic Data

Concepts of Personhood and Privacy

Personhood is a wide-ranging concept that has been extensively developed in the legal literature. It forms the basis of law and bioethics in modern democratic countries.

The concept of privacy is closely related and is recognized in the Universal Declaration of Human Rights. It is central to professional codes of conduct and to the body of law governing patient–clinician confidentiality.


United States Legislation
GINA (2008)

The Genetic Information Nondiscrimination Act (GINA) of 2008 protects Americans from discrimination based on their (and their family members') genetic information, in both health insurance (Title I) and employment (Title II).

There are, however, exceptions to GINA's restrictions on employers acquiring genetic data. One exception is where employers acquire genetic information through voluntary Employee Wellness Programs.

GINA also does not prevent genomic data being acquired and used for life insurance assessment and underwriting decisions, so a result that an employer or health insurer may not use can still count against an applicant for life cover.

Where genetic information is lawfully collected, GINA requires that it is kept confidential and held separately from other employment records.

GINA and Clinical Research

In clinical research, GINA's protections are only part of the picture: it is essential to respect the rights and interests of research participants, because genomic data may:

  • Be stored and used indefinitely.
  • Inform individuals about susceptibility to a broad range of conditions (some of which are unexpected given personal or family history).
  • Carry risks that are uncertain or unclear at the time of collection.
  • Be reinterpreted and change in relevance over time.
  • Raise privacy concerns (in part because of the risk of re-identification, since a genome is itself an identifier and cannot be changed).
  • Be relevant for family members and for reproductive decision-making.

HIPAA (1996)

In the United States, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of health information. HIPAA is not specific to genomic data, but genomic data held by a covered entity is protected as part of an individual's health information.

The two key rules are the Privacy Rule and the Security Rule.

The HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information (defined as "protected health information", or PHI). It applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically (collectively, "covered entities").

The Security Rule

The HIPAA Security Rule establishes national standards to protect individuals' electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. In practice this means access controls, audit logging, encryption of data in transit and at rest, and documented risk analysis for any system that stores or processes genomic data on behalf of a covered entity.

UK and European Legislation – GDPR (2018)

The General Data Protection Regulation (GDPR), applicable since May 2018, forms part of EU law and, as the UK GDPR, of current UK law. It governs the processing of personal data of individuals in the EU and UK regardless of where the processing organisation is located, and so has significant global impact. Ever since its introduction, the genomics community has raised concerns: how exactly does the concept of 'personal data' apply to genomics, and what does the regulation mean for research and healthcare? Issues with the processing of genomic data in healthcare and medical research are still being worked out.

Developing appropriate standards for genomic data processing under GDPR has the potential to have a positive impact on genomics: reassuring data subjects and patients that their rights to privacy and data protection are safeguarded, while at the same time facilitating ethical and lawful uses of genomic data.

One of the main debates concerns how identifiable 'de-identified' genomic data really is, and therefore whether it remains 'personal data' when processed in large datasets. This matters because GDPR lists genetic data among the special categories of personal data (Article 9), so wherever genomic data is personal data its processing requires both a lawful basis and one of the Article 9 conditions, such as explicit consent or a scientific-research exemption under national law.

Legislative Requirements over Genomic Data

What are the legislative requirements for healthcare providers over genomic data?

There are several pieces of legislation in the US and Europe that cover genomic data security, including HIPAA, GINA, and GDPR.

HIPAA, or the Health Insurance Portability and Accountability Act, is a US federal law that sets national standards for the protection of sensitive health information, including genomic data held as part of a patient's record. HIPAA establishes rules for the use, disclosure, and security of protected health information (PHI) and applies to healthcare providers, health plans, and healthcare clearinghouses, together with their business associates. HIPAA includes provisions for data security, privacy, and breach notification, and requires covered entities to implement appropriate safeguards to protect PHI.

GINA, or the Genetic Information Nondiscrimination Act, is a US federal law that prohibits discrimination based on genetic information in employment and health insurance. GINA prohibits employers and health insurance providers from requesting, requiring, or using genetic information to make decisions about employment or insurance coverage. GINA also includes provisions for the confidentiality of genetic information that is collected. It does not cover life insurance.

GDPR, or the General Data Protection Regulation, is a European Union regulation that governs the collection, use, and storage of personal data. GDPR applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization is located. GDPR treats genetic data as a special category of personal data and requires organizations to implement appropriate technical and organizational measures to ensure the security of personal data.

HIPAA, GINA, and GDPR are all relevant legislation covering genomic data security in the US and Europe. These laws establish rules for the use, disclosure, and security of genomic data, and require organizations to implement appropriate safeguards to protect sensitive data. Compliance with these laws is essential for ensuring the privacy and security of genomic data in research and healthcare settings.

Healthcare is at the dawn of a new era. Each person and their story will be a unique study, each with their own unique cure. GeneCrypt will be the technology that powers this new dawn.