Carson Martinez is FPF’s Health Policy Fellow. She works on privacy challenges surrounding health data, particularly where it is not covered by HIPAA, as is the case with consumer-facing genetics companies, wearables, mobile health and wellness applications, and connected medical devices. Carson also leads the FPF Genetics Working Group and Health Working Group.
How did you come to work on consumer genetic testing issues at FPF?
During my time as Master’s student studying Bioethics and Science Policy at Duke University, I focused on the ethical and policy challenges of technological innovations in healthcare. At Duke, I had the pleasure of taking an Information Privacy Law class with David Hoffman, Associate General Counsel and Global Privacy Officer at Intel Corporation, who introduced me to the pioneering discussions surrounding data privacy. I ended up writing my Master’s thesis at Intel on how government entities and cloud service providers can take steps to promote use, enhance trust, and foster innovation in cloud storage technologies for medical imaging data.
David, who is also on FPF’s Advisory Board, introduced me to Jules Polonetsky and John Verdi. FPF had already worked with industry to create best practices around wearables, and they wanted to expand FPF’s healthcare work.
As the only Policy Fellow at FPF without a law degree, I come at privacy from a unique perspective. My experience with bioethics gives me a good understanding of the research world and the important balance between making data available to advance scientific fields and protecting patient privacy. I work on challenges related to technologies that are outpacing our health privacy laws, like HIPAA and how best to protect this sensitive data without specific guidelines or regulations. That means working with stakeholders to develop best practices and help companies follow them.
What are some of the privacy challenges around consumer genetic tests?
As the price of consumer genetic tests continues to drop, they have become very popular purchases and gifts. Millions of people have used consumer genetic tests to learn about their heritage, identify risk for future medical conditions, and connect with family members. Unlike other personal data, genetic data may implicate future generations and have cultural significance for particular groups. This uniquely sensitive data deserves a high level of privacy protection.
Beginning in 2017, we led a process to develop privacy best practices for the consumer genetic testing industry. Stakeholders who participated in that process included the leading consumer genetic testing companies – some of whom originally approached FPF about the project – as well as experts on the science from the National Society of Genetic Counselors and the American Society of Human Genetics and advocates, from groups like Consumers Union.
What did the stakeholders agree should be in the best practices?
The best practices establish standards for genetic data generated in the consumer context that require:
- Detailed transparency about how genetic data is collected, used, shared, and retained;
- Educational resources about the basics, risks, benefits, and limitations of genetic and personal genomic testing;
- Access Rights;
- Valid legal process for the disclosure of genetic data to law enforcement and transparency reporting on at least an annual basis;
- A ban on sharing genetic data with third parties (such as employers, insurance companies, educational institutions, and government agencies) without consent or as required by law;
- Restrictions on marketing based on genetic data; and
- Strong data security protections and privacy by design.
Recently, FamilyTreeDNA’s president apologized to customers for not disclosing an agreement with the FBI to allow agents to test DNA samples and access consumer genetic data without a warrant. That agreement is out of step with the best practices, and we have removed FamilyTreeDNA a supporter to them.
What new privacy issues could arise around consumer genetic tests?
The science of genetics is still evolving. Someday, we may have access to additional insights from genetic data that we can’t see today. We don’t yet know about many health conditions that may have a genetic component.
In the future, there will be more people taking consumer genetic tests and the tests will offer more extensive analytics. More companies will seek FDA approval to validate the efficacy and safety for identifying markers for health issues. With more people participating in testing, the ability to identify individuals who have not taken tests also will increase. All of that points to the need for a big push on consumer education.
What do you foresee as rising health privacy issues, beyond genetic data?
Looking beyond genetic information, to health data broadly, I expect to see a focus on the Internet of Health Things, fueled by tremendous growth in telehealth, including services tied to wearable or implantable monitoring devices. Those devices could transmit information to doctors, insurers, or employers. As more data is generated, privacy and security concerns may grow as well.
Another rising issue is the interoperability of data. If data is more portable, it can be more easily analyzed. Hopefully, consumer access and the development of third-party APIs to facilitate consumer-directed exchanges will empower people to take control of their own health and biological information and enhance interoperability.
In the medical world, there are more and more opportunities to opt-in to data sharing. Increasingly, I think we will see the development and application of strong privacy engineering solutions to protect sensitive health data and promote sharing for research, such as secure multi-party computation and differential privacy.
Many companies with health data are implementing ethical review processes for their research, which is a positive development. Consumer participation in research should be voluntary, informed, and follow established ethical standards.
FPF will be holding its 10th Anniversary Celebration on April 30th in Washington, DC. Join us to look back on the last decade of privacy and for a glimpse of what will be ahead.
Ticket and registration information for the 10th Anniversary Celebration can be found here.