Cases in Precision Medicine: Concerns About Privacy and Discrimination After Genomic Sequencing

Patients and research participants have indicated that privacy of their genetic test results is an important concern, particularly with respect to insurance coverage. 

Debbie Stiles, Paul Appelbaum
May 07, 2019

The full article can be found on the Annals of Internal Medicine website.

Internists and other physicians whose patients ask about legal protections for information generated by genome sequencing for clinical purposes can provide both reassurance and caution. Protections for medical information in general, as well as laws in some states that provide additional safeguards for genetic data, should reassure patients that this information will remain private. Patients themselves will need to weigh the risks versus the benefits of generating genomic data in deciding whether to undergo exome sequencing.

Key Summary Points

  • Patients often have concerns about the privacy and confidentiality of genetic test results and whether they could negatively affect employment or insurance coverage.

  • Privacy of genetic information generated for clinical purposes is protected by the federal Health Insurance Portability and Accountability Act (HIPAA). Some state laws provide additional protections, but there is no uniform approach.

  • In limited circumstances, informing at-risk relatives or their clinicians of test results may be ethically appropriate if the patient fails to do so. However, the HIPAA Privacy Rule has been interpreted to preclude nonconsensual disclosure for this purpose, except by request of a relative's treating clinician.

  • The federal Genetic Information Nondiscrimination Act of 2008 protects against discrimination in the workplace and in health insurance coverage based on genetic information, but the law does not apply to life, disability, or long-term care insurance or any other insurance product.

  • Physicians can reassure, as well as caution, patients considering genetic testing about privacy and discrimination. Ultimately, patients will need to weigh the risks of generating genomic data against the benefits for themselves or for medical research.

A healthy 33-year-old woman hears about an executive health program that offers exome sequencing as a component of its health assessment. The service provides information to participants and their physicians about medically actionable results and carrier status for recessive conditions with reproductive significance, and she is curious about her genes. She consults her internist about the implications of enrollment. She is aware that if a mutation is detected, it might have ramifications for her siblings, with whom she is not close, and their children. In addition, she holds a responsible position in a major corporation that she fears may be in jeopardy if it becomes known that she has a mutation that increases her risk for a serious disorder. Moreover, she has concerns about the potential effect of the results on her insurability. Before having the test, she wants to know what protections exist for the confidentiality of the results submitted to her internist, including whether her physician will be obligated to reveal them to other members of her family, and whether her employer and insurers could use the information against her interests.

What Privacy Protections in the United States Apply to Genetic Information?

This patient's apprehension regarding the privacy of her genetic information and the ways in which it might be used to her disadvantage are by no means unusual. Patients (1) and research participants (2) have indicated that privacy of their genetic test results is an important concern, particularly with respect to insurance coverage. Physicians seem to share that worry. One survey showed that among physicians who had ordered genetic testing within the previous 6 months, nearly 80% were somewhat or very concerned about their patients' genetic privacy (3), and a similar proportion wanted to know what they could do to better protect it. A recent systematic review of the literature related to genetic privacy found that although most of the general public, patients, and professionals were apprehensive about genetic privacy, the reasons for their concerns remained unclear (4).

In addition to a physician's ethical responsibilities to guard the privacy of patients' medical information—which are embodied in every contemporary code of medical ethics—statutory, regulatory, and common law requirements compel U.S. physicians to maintain the confidentiality of health information (laws of other countries are not addressed here). The federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (the Privacy Rule) (5), which became operational in 2003, is the main statutory basis for protecting a patient's health information. Under the Privacy Rule, most uses and disclosures of protected health information, other than for treatment, payment, or health care operations, require written authorization from the patient. However, patients' access to certain goods or benefits, such as long-term care insurance or disability compensation, may depend on protected health information being released. Genetic data generated for the purpose of health care is deemed to be part of a person's health information and therefore is protected under the rule.

Although HIPAA overrides state laws that are less protective of patient privacy, states may provide additional safeguards beyond those in the Privacy Rule. Approximately half the states in the United States have policies governing genetic privacy per se, recognizing a need to protect the privacy of genetic data that transcends that of other medical information, but the protections afforded their citizens vary considerably. Because of the inconsistency among state laws, the United States does not have a standard or comprehensive approach to safeguard genetic information (6). For example, if our patient lived in New York, she would be covered by Section 79-L of the New York State Civil Rights Law, which states that all records, findings, and results of any genetic test are confidential and may not be disclosed to any person or organization without the patient's specific written consent. This law would apply even to circumstances under which HIPAA might permit unauthorized disclosure or if such results were obtained for research purposes. In contrast, in states without specific laws governing the privacy of genetic information, the Privacy Rule is controlling.

What Is the Responsibility of the Executive Health Program With Regard to Patient Privacy and Communication of Results?

An executive health program offering genomic testing services has an obligation to obtain adequate informed consent from the patient after providing him or her information on how and to whom test results will be reported and under what circumstances they may be disclosed to others (7). The program is responsible for conveying the promised results (here, medically actionable variants and recessive carrier status) and their interpretation to the patient but should obtain the patient's consent as well to communicate the information to his or her primary care physician. Although the Privacy Rule allows protected health information to be communicated to another provider involved in the patient's care without patient authorization, state laws, as noted earlier, may require the patient's explicit consent, and the physician's ethical obligations usually mandate such consent as well.

An internist or other physician with ongoing responsibility for a patient's care is in the best position to situate genetic test results in the context of the patient's medical and family history, which can minimize the risk for misinterpretation of the findings and inaccurate assessment of disease risk. In addition, the primary care physician can ensure that needed follow-up occurs. However, many internists and other primary care physicians do not have sufficient expertise to interpret and assess risk conferred by genetic variants and to develop plans for further diagnostic work-up or ongoing surveillance tailored to a patient's needs (3). In the absence of such proficiency, the physician should refer the patient to a medical geneticist or genetic counselor for advice regarding disease management or prevention (8).

What Is a Physician's Responsibility If a Patient's Genetic Testing Reveals Information That Is Relevant to the Patient's Relatives?

Despite the medical profession's commitment to preserving patient privacy, exceptions have long been recognized, including cases in which failing to disclose information may result in harm to third parties (9). Since the advent of genetic testing, ethicists have acknowledged that nondisclosure of results to potentially affected relatives might fall into this category. Hence, a series of professional and scholarly bodies have considered whether and when disclosure of genetic results might be permissible without a person's consent.

In 1983, the President's Commission for the Study of Ethical Problems in Medicine and Biomedical and Behavioral Research suggested that when a patient refuses to inform an at-risk relative of potential harm, disclosure would be allowed under the following conditions: Reasonable efforts to elicit voluntary consent to disclosure have failed, the probability is high that harm would occur if the information were withheld and the disclosed information will actually be used to avert harm, the harm that would result to identifiable individuals would be serious, and appropriate precautions are taken to ensure that only the genetic information needed for diagnosis or treatment of the disease in question is disclosed (10). A decade later, a committee of the Institute of Medicine adopted a similar proposal, suggesting that information could be disclosed to relatives if the genetic disorder is highly penetrant and is treatable or preventable (11). Likewise, the American Society of Human Genetics suggested that disclosure to family members may be encouraged but that the following “exceptional” circumstances must be present to justify nonconsensual disclosure: Attempts to encourage disclosure by the patient have failed; the harm is likely to occur and is serious and foreseeable; the at-risk relative is identifiable; the disease is either preventable or treatable, or early monitoring would reduce the genetic risk; and the harm that may result from nondisclosure outweighs the harm of disclosure (12).

The law has been inconsistent in its guidance to physicians regarding their duties to nonpatient family members, especially when the implications of their patients' genetic test results are unclear (13). U.S. case law dealing with physicians' common law duty to warn at-risk relatives is limited, with only 2 frequently cited cases addressing disclosure of genetic risk per se. In Safer v. Estate of Pack (14), the daughter of a man who died of metastatic colon cancer due to polyposis of the colon—which usually is transmitted as an autosomal dominant condition—sued the estate of her father's physician for failing to inform her of the risk that she, too, might develop the disorder. She filed her suit after she was diagnosed with polyposis and already had colon cancer, which by then was metastatic. The New Jersey appellate court hearing the case held that a physician has a duty to warn persons known to be at risk for a genetic disorder, and that such duty may not always be fulfilled by simply warning the patient but may also require a warning to any relatives at risk. (This decision was later effectively overruled by the enactment in New Jersey of a broad genetic privacy statute.) The Florida Supreme Court took a different approach in Pate v. Threlkel (15), a case involving the daughter of a woman who had received treatment for medullary thyroid carcinoma, probably due to multiple endocrine neoplasia type 2, an autosomal dominant condition. After the daughter also received a diagnosis of medullary thyroid carcinoma, she sued her mother's physician for failing to inform her that she had a 50% risk for the disease. The court held that a duty to warn a relative at risk exists if a reasonably prudent physician would do so but that the duty may be fulfilled if the physician warns the patient about the risk to his or her relatives, with the expectation that the patient would inform such relatives, thus fulfilling the physician's obligation of confidentiality. 
A recent survey of medical malpractice litigation in the United States indicates that the question of whether physicians have a duty to warn their patients' relatives of genetic risks, at least by informing the patients and recommending that they warn their relatives, remains a litigated and unsettled issue. Most courts contend that such a duty may exist, but the contours of that duty are still very uncertain (16).

The foregoing cases and position statements predate the adoption of the Privacy Rule, which would probably preempt the state law considerations on which these court rulings were based. The Privacy Rule does have several “public interest” exceptions to its nondisclosure policy, including when disclosure is necessary for “preventing or controlling disease, injury or disability,” such as in situations of infectious diseases, domestic violence, or child abuse or neglect (17). However, additional exceptions to the nondisclosure rules relating to family members were introduced in the 2013 Privacy Rule amendments. If a patient's genetic information is needed for treatment decisions regarding a family member, the patient's health care provider can disclose such information, “subject to any agreed-upon restriction,” at the request of another provider treating other family members seeking to identify their own genetic health risks, provided that the patient has not requested and the health care provider has not agreed to a restriction on such disclosure (18). The Office for Civil Rights, which oversees compliance with the Privacy Rule, has made clear that the physician does not have to agree to the requested restriction (19), thereby effectively giving the physician veto power over the patient's wishes. This interpretation is controversial, because it seems to undermine the physician–patient relationship and contradicts the commonly assumed ethical duty of a physician to maintain patient confidentiality; however, it seems to represent current regulatory law (20).

Given the ethical and legal uncertainties surrounding disclosure of genetic information to relatives, the best guidance may come from the American Medical Association's Council on Ethical and Judicial Affairs. In its opinion regarding disclosure of familial risk in genetic testing, the council does not believe that finding and notifying family members are a physician's duty. However, it recommends that physicians inform patients in advance of what they expect patients to disclose to their families and that physicians subsequently be available to assist in this communication (21). In certain circumstances, a physician may find it helpful to consult with an attorney.

Are There Protections Against Discrimination by Insurers, Employers, or Other Entities Based on a Person's Genetic Test Results?

Discrimination in employment and insurance coverage has been a major worry of persons asked to consider genetic testing (22). This concern led to the adoption of the federal Genetic Information Nondiscrimination Act of 2008 (GINA), which protects against discrimination in employment and health insurance coverage based on genetic data. The act defines genetic information broadly to include both genetic testing results and family history of disease, but not a person's manifest disease or condition—that is, a disorder that has been diagnosed, is being treated, or is symptomatic.

With regard to employment, Title II of GINA provides protections against genetic discrimination in the workplace. To be specific, an employer may not use genetic information to make decisions regarding hiring, promotion, terms or conditions of employment, privileges, compensation, or termination. In addition, an employer may not request, require, or purchase genetic data about an employee or an employee's family members. Subsequent, controversial regulatory changes promulgated by the U.S. Equal Employment Opportunity Commission (EEOC) allow employers to request genetic information in connection with employee wellness programs that may offer reduced premiums or enhanced benefits of health insurance as incentives, although GINA's ban on the use of any information that is provided for employment decisions remains (23). The question of what constitutes a permissible incentive (as opposed to a coercive means of forcing employees to divulge health information) in employer wellness programs is currently being litigated, but for now, a federal district court's decision vacating the EEOC wellness regulations does not change the current regulatory posture (24). In any case, proving that employment decisions were made on the basis of genetic information is a daunting challenge for many employees, leading many advocates to argue that the wellness program exception constitutes a major breach in GINA's protective wall.

With regard to insurance, Title I of GINA provides protections against discrimination in health insurance, but not other types of insurance coverage. In particular, group health plans, health insurance issuers (including HMOs), and issuers of Medicare supplemental policies may not require persons to provide the insurer with genetic information about themselves or a family member for eligibility, coverage, underwriting, or premium-setting decisions, nor may a health insurer require a person to have genetic testing as a condition of coverage. Despite passage of GINA, surveys show that large portions of the public remain unaware of these protections and that their lack of awareness may lead to a decision against genetic testing (25). Of note, GINA does not include protections against genetic discrimination in life, disability, or long-term care insurance or any other insurance product. Insurers typically request access to medical records for applicants desiring many types of insurance and, other than for health coverage, are free to use information in the medical records (including the results of genetic tests) in their underwriting decisions.

How Should This Patient's Internist Advise Her?

Internists and other physicians whose patients ask about legal protections for information generated by genome sequencing for clinical purposes, such as the patient described here, can provide both reassurance and caution. Protections for medical information in general, such as the Privacy Rule, as well as laws in some states that provide additional safeguards for genetic data, should reassure patients that this information will remain private. Current regulatory interpretations of HIPAA seem to allow physicians to disclose genetic data, without patient consent, to health care providers of relatives whose medical treatment may be affected by that information. However, physicians have the discretion not to disclose it. The internist in our case should make his or her policy on this issue clear to the patient. Additional reassurance should come from the knowledge that GINA generally precludes the acquisition and use of genetic information, broadly defined, by employers and health insurers. However, our patient also should be told that GINA does not apply to other kinds of insurance and that insurers may request access to medical records as a condition of coverage. Patients themselves will need to weigh the risks versus the benefits of generating genomic data in deciding whether to undergo exome sequencing.