Privacy vs. Personalization for MD Startups in Genomics and Precision Medicine

On March 22, 2022, bipartisan lawmakers introduced the Healthcare Cybersecurity Act, partially in response to President Biden’s warning that the nation needs to prioritize cyber defense in light of past and present cyberattacks, especially from Russia.

Data breaches and ransomware attacks affect healthcare more than any other sector, including the financial industry. The Healthcare Cybersecurity Act’s purpose is to strengthen healthcare cybersecurity by partnering the Cybersecurity and Infrastructure Security Agency (CISA) with Health and Human Services (HHS).

The medical device industry faces an interesting dilemma – patients, industry, and government all agree on the need for more personalized or precision medicine.

People want to learn more about their genetic makeup and overall health. They want to use the latest technologies to share results with their healthcare providers and families. And, 75% of respondents in a recent study believe that genetic testing can help people live longer with a better quality of life.

65% of employees would consider genetic testing if their employer offered easy and affordable access and the results were kept private from their employer or insurance company.

On the other hand, a recent poll found that more than 70% of adults believe the federal government should act to protect the privacy and security of individuals in an increasingly online world by establishing national standards for how companies collect, process, and share personal data.

The challenge is that precision medicine and other MD advances are evolving against a privacy regulatory landscape riddled with gaps. The current privacy protection legislation in the United States is primarily a product of the government’s reactive response to insurance industry regulation, rather than a proactive stance to safeguard individual privacy rights.

Precision Medicine and Patient Privacy

In 2015, President Obama launched the Precision Medicine Initiative (PMI) to incentivize public and private-sector research and encourage a broad range of citizens to share their patient data and participate in clinical trials. Precision medicine, the term gaining favor over the more general phrase “personalized medicine,” combines big data analytics, genomics, and population health data.

One ambitious element of the plan is the PMI Cohort Program. Industry stakeholders, such as the FDA and the National Institutes of Health (NIH), worked to recruit at least one million participants to contribute their data to a community-based information hub. The goal is to create diverse data sets and research outcomes that reflect the US population’s socioeconomic, racial, and ethnic diversity.

Genomic data is getting cheaper to collect. Providers and companies are collecting and sharing granular, highly personalized data, yet the United States has no comprehensive federal data privacy legislation.

It is important to understand that until recently, outside of HIPAA, it was legal to collect, sell and use most private data from US citizens.

Tech and social media companies capitalized on this fact, scaling incredibly valuable companies based on the unprecedented ability to collect data and target advertising more closely than ever before. Consumers and protectionist organizations took note and began to challenge these practices.

Across the globe, personal health data sources are multiplying, such as biometric data from wearable medical devices. In the European Union, the General Data Protection Regulation (GDPR) of 2016 sees protecting individual privacy rights as the baseline priority.

In the United States, numerous state and federal laws regulate specific industries and types of data, but there is currently no comprehensive national data privacy law.

Genomics Privacy Regulations and Trends Overview

Privacy regulation in the US is a patchwork of evolving legislation. Below are the major bills and trends.

1996 – 2013 Health Insurance Portability and Accountability Act (HIPAA)

Medical device manufacturers and startups are well aware of HIPAA regulations. HIPAA’s initial focus was to regulate the health insurance industry. The act also directed the Department of Health and Human Services (HHS) to set standards for identifiable health information and protect individual rights to their healthcare information. Lawmakers and regulatory agencies further defined HIPAA over the years with the Privacy Rule, Security Rule, HITECH Act, and other expansions of the original HIPAA law.

2008 Genetic Information Nondiscrimination Act (GINA)

In response to the increasing availability of inexpensive genetic tests, lawmakers enacted GINA in 2008. GINA prohibits employers and insurers from discriminating against employees based on the employee’s genetic information.

Some experts and patients criticize GINA for loopholes regarding predisposition to a disease vs. actually manifesting the disease. GINA also does not apply to life insurance or long-term care and disability insurers, who may still legally require genetic testing and deny coverage based on the results.

2010 Affordable Care Act (ACA)

Before the ACA, some health insurers could charge patients with a pre-existing condition higher premiums—or deny a policy altogether. The ACA also protects people enrolled in clinical trials.

The ACA is still a controversial bill. In the absence of federal privacy legislation not tied to the ACA, some patients are worried that insurers could use genetic or clinical trial information against them in the future if Congress repeals the ACA or passes new legislation favorable to the insurance industry.

2020 FTC Health Breach Notification

MDM stakeholders may be subject to the HIPAA (HHS) Breach Notification Rule, and even if not, they may need to comply with FTC regulations. In September 2021, the FTC updated its Health Breach Notification information to expressly point out that developers of digital health apps, connected devices, and other health products have obligations under the Health Breach Notification Rule.

2022 The Health Data Use and Privacy Commission Act

The Health Data Use and Privacy Commission Act seeks to create a commission to recommend updates to HIPAA. The commission would review new perspectives and information to address digital health companies collecting health data from consumers, and would examine the privacy implications of new technologies like wearables, telehealth platforms, and smartphones.

Areas of inquiry for the commission include:

  • Effectiveness of existing health privacy statutes
  • Potential threats to individuals’ health privacy
  • Appropriate timing, beneficial results, and consequences of sharing health information
  • Recommendations on necessary new federal regulations
  • Financial analysis for additional regulations
  • Cost analysis of legislative or regulatory changes
  • Recommendations on non-legislative health privacy solutions
  • Review of third-party privacy statements and private sector self-regulatory efforts

This major update to HIPAA includes potential changes for existing covered stakeholders and business associates. The commission would also prioritize expanding HIPAA’s reach to health technology and app providers. This could mean health technology and app providers who do not currently have to comply with HIPAA may face new regulations.

States Moving Ahead on Privacy Legislation

In the absence of comprehensive federal guidelines or legislation, at least 15 states are preparing to consider data privacy legislation in 2022, with California leading the way. MDMs with national plans to market devices should keep track of state-level developments.

The map below shows state-level activity around enacting new privacy laws.

[Map: state-level activity on new privacy legislation. Source: IAPP, as used in this RPC paper]

2018 California Consumer Privacy Act (CCPA)

Drawing on many components of the GDPR, the CCPA gives consumers more control over the personal information that businesses collect about them and provides guidance on implementing the law.

2020 California Security of Connected Devices (SB-327)

SB-327 extends existing privacy laws to cover connected devices and the data they collect, store and transmit. SB-327 includes an important clause relevant to companies producing medical devices that communicate with cloud-based storage.

2021 California Genetic Information Privacy Act

California lawmakers passed the Genetic Information Privacy Act (CGIP) specifically to regulate direct-to-consumer genetic testing companies. It creates requirements for data collection, use, security, and disclosure that apply to direct-to-consumer genetic testing companies. The CGIP also provides consumers with the right to access and delete their data.

2023 States’ New Privacy Legislation

State-level developments to watch for in 2023 include the Colorado Privacy Act, going into effect in July, which will include more robust advertising opt-out options and rights to data portability.

The Virginia Consumer Data Protection Act goes into effect in January 2023, stipulating individual rights to access, correct, and delete their data and to opt out of data collection schemes and funnels.

Navigating the Regulatory Maze

Governments rarely anticipate the consequences of disruptive innovation and rapidly evolving technology. There is always a period of uncertainty, regulatory complexity, and legislative updates as society adopts new technologies. This article from the OECD provides a comprehensive overview of the stakeholders and FDA Regulatory Developments in Genetic Testing in the United States.

For MDMs and MD startups, keeping track of evolving privacy legislation is important. Medical device startups and manufacturers that anticipate the evolving landscape will gain a valuable competitive edge.

Do you have questions about data storage security considerations such as compliance in an evolving landscape? Contact our experienced team for a personalized conversation about your situation.
