Public Comments: December 2008 – GINA – Genetic Information Nondiscrimination Act
In response to a Request for Information (RFI) from U.S. federal agencies regarding the recently passed GINA (Genetic Information Nondiscrimination Act), the World Privacy Forum filed a detailed response with suggestions on what aspects of GINA need clarification. The comments focus on a number of privacy issues the RFI raised, including model privacy notices and the issue of what the GINA statute calls “incidental collection” of genetic information. Currently, GINA states that some kinds of information are exempted from being considered as regulated for medical underwriting purposes. For example, medical information gleaned about patients for underwriting purposes from medical databases is regulated. But medical information gleaned about patients for underwriting purposes from, for example, marketing lists containing robust patient information may be unregulated if the law is not clarified in the regulatory process. The World Privacy Forum urged HHS and the Department of Labor to substantially clarify what constitutes “incidental collection,” and urged the agencies to consider lists containing identifiable patient information to be considered in the same category as a “medical database.”
or Read comments below
Comments of the World Privacy Forum regarding
Request for Information Regarding Sections 101 Through 104 of the Genetic Information Nondiscrimination Act of 2008
To the Department of Health and Human Services
Submitted via www.regulations.gov
December 9, 2008
The World Privacy Forum appreciates the opportunity to respond to the Request for Information Regarding Sections 101 Through 104 of the Genetic Information Nondiscrimination Act of 2008. The RFI notice appeared in the Federal Register on October 10, 2008 at 73 Federal Register 60208-60211.
The World Privacy Forum is a non-partisan, non-profit public interest research and consumer education organization. Our focus is on conducting in-depth research and analysis of privacy issues, in particular issues related to information privacy and health privacy. More information about the activities of the World Privacy Forum is available at our web site, <http://www.worldprivacyforum.org>.
Our comments are limited to selected areas regarding regulatory guidance in Part B of the RFI that relate to privacy.
I. Model notices and the content of the notices
The RFI, question 6, states:
6. Would a model notice be helpful to facilitate disclosure to plan participants and beneficiaries regarding a plan’s or issuer’s use of the research exception? In this regard, what information would be most helpful to participants and beneficiaries?
A model notice would be helpful to make certain that individuals receive all of the information they need. A model notice would also avoid asking each plan or issuer to reinvent the wheel and would be the most efficient way of assuring that all notices meet a minimum level of completeness.
We believe that a model notice should include requirements that, under GINA, the Secretary may by regulation require for activities conducted under this paragraph. Describing these specific requirements in a model notice would tell researchers and research subjects about the additional protections for research activities involving genetic testing.
We suggest three separate requirements for the notice.
A. Suggested model notice requirement: certificate of confidentiality
All research that is subject to the exception should be required to obtain a certificate of confidentiality under 42 U.S.C. § 241(d) or other applicable statutes. The World Privacy Forum strongly supports certificates of confidentiality for all qualifying research involving human subjects. We agree with this statement from the NIH Certificate Kiosk that “[C]ertificates of Confidentiality constitute an important tool to protect the privacy of research study participants.” <http://grants.nih.gov/grants/policy/coc/>.
We do not think that there is any doubt that research involving genetic testing should qualify for and have a certificate of confidentiality.
B. Suggested model notice requirement: independent privacy officer
The congressional determination to regulate some research involving genetic testing strongly suggests that additional protections for research subjects are needed for any research activity covered by the GINA research exception. We believe that genetic research covered by the GINA research exception should be overseen by an independent privacy officer who can respond to questions from research subjects, accept and investigate complaints from research subjects and others, and otherwise review compliance with any GINA or human subjects research requirements applicable to the research or its sponsor.
Most institutional review boards, despite their best intentions, are not capable of conducting the support and oversight activities that we propose for an independent privacy officer. We foresee the likelihood that independent research oversight organizations would emerge to fulfill the demand if there were a requirement for independent oversight.
If not, each research project, group of research projects, or entity conducting genetic research could establish a privacy officer. Not all research would require a full-time privacy officer, there could be a continuum of part-time to full-time privacy officers as required by the scope and complexity of the particular project.
C. Suggested model notice requirement: complete audit trails for all uses and disclosures of identifiable information
Any research subject to the GINA research exception should be required to maintain complete audit trails for all uses and disclosures of identifiable information. The audit trails for each research participant should be readily available to the participant. If there are legitimate research grounds for temporarily withholding audit trails from the participant, the audit trails should, at the request of the participant, be reviewed for compliance by the independent privacy officer suggested in the preceding paragraph.
Without a comprehensive system of audit trails, it will be difficult to determine if genetic research information is leaking into other areas where the use of genetic information is prohibited by GINA. The technology now exists to readily facilitate this task. Transparency in implementing GINA is going to be a crucial aspect of its success, and this will be greatly assisted by comprehensive audit trails being made available to the participant.
II. Model forms for reporting purposes and the contents of reported information
The RFI, question 7, states:
7. Similarly, would a model form be helpful for reporting to the Departments by a plan or issuer claiming the research exception? In this regard, what information should plans and issuers report?
For the same reason that a model form would be helpful to researchers, a model reporting form would also be useful to plans, issuers, and others.
III. Incidental collection of genetic information
The RFI, question 8 states:
8. When might genetic information be collected incidentally?
We note that the same incidental collection language appears several times in the law.
INCIDENTAL COLLECTION.—If a group health plan, or a health insurance issuer offering health insurance coverage in connection with a group health plan, obtains genetic information incidental to the requesting, requiring, or purchasing of other information concerning any individual, such request, requirement, or purchase shall not be considered a violation of paragraph (2) if such request, requirement, or purchase is not in violation of paragraph (1).
Large volumes of health information about individuals and their families are available within the health care system. But information is also available outside the health care system, something that often is overlooked in contemplating regulations of health care information. The widespread availability – together with the broad scope of genetic information (including “manifestation of a disease or disorder in family members”) – must be taken into account because the incidental exception has the potential to swallow the rule.
A. Incidental collection within the health care sector
Because virtually any health information about a relative can be family history information, all or nearly all health information about the relative of a particular individual constitutes genetic information under GINA. Any specific request soliciting health information about a particular individual (or family member whether living or dead) who is or is likely to be the subject of an underwriting decision that obtains genetic information should be presumed to be for an underwriting purpose.
Genetic information could be revealed incidentally as part of any treatment, payment, health care operation, public health, research, law enforcement, or other activity recognized under HIPAA. The widespread and normal sharing of information during health care treatment, payment, oversight, and other activities is largely beyond fine control, and genetic information is likely to be swept along with other routine disclosures. The current inability of health information processors to segregate genetic information requires extra attention in any regulation or guidance issued for GINA.
B. Incidental collection from outside the health care sector
Genetic information might also be obtained incidentally as a consequence of the widespread collection and maintenance of personal information about individuals by public (e.g., Department of Motor Vehicles) and private sources (e.g., credit bureaus, banks, marketers, utility service providers, list brokers, supermarkets, gyms, and many others) that have health information outside the regulatory scheme of HIPAA and other health privacy laws.
If a plan or issuer or provider copies an individual’s driver’s license for patient authentication purposes and includes the copy in a health or other record, the codes on the license may reflect health information (including genetic information) that may or may not be otherwise available to the plan, issuer, or even provider.
Commercial data brokers already provide driver’s license information to insurers. The Driver’s Privacy Protection Act, 18 U.S.C. §§ 2721-23, allows insurers and insurance support organizations to obtain and use Department of Motor Vehicle records about an individual in connection with “underwriting” as a permissible use. 18 U.S.C. § 2721(b)(6). Nothing in the Act expressly limits underwriting to motor vehicle activities. Thus, any health insurer may be able to routinely obtain a copy of a driver’s license. Many insurers are likely to have contracts with data brokers that allow routine access to the driver’s license records of an individual without metering and possibly without any audit trail.
This illustrates how access to some health information – which will necessarily include genetic information on some individual and family members – is readily supported commercially.
Unless regulated under GINA, insurers may be able to troll DMV or other pertinent records of individuals and their family members for family history and other genetic information without any audit trail or possibility for oversight.
The use of search engines to obtain information about individuals may also provide a wealth of incidental information. For example, a web search may reveal the participation of an individual or family member in an Internet forum focused on particular diseases or health conditions. A social networking page for an individual or family member could reveal genetic information. Obituaries could also be a source of genetic information.
Health information may also be found in other unexpected places. For example, in 2007, the World Privacy Forum commented on the Federal Register’s publication of the Federal Motor Carrier Safety Administration’s request for comments on its notice of applications for exemption from the diabetes standard for truck drivers. The published information included notice included the full first and last name, the age of the applicant, the middle initial when available (most were), as well as the individual’s medical details, and finally, the state the individual is licensed in. Any search engine request for one of the named individuals would find pertinent medical information on the individual. The same search might also reveal information regarding relatives of the individuals whose personal health histories were published by the federal government for all to read. See generally the comments of the World Privacy Forum at <http://www.worldprivacyforum.org/pdf/WPF_DOT_comments03202007fs.pdf>.
Other information commercially available for sale is also a potential source of incidental genetic information. We want to provide a better idea of the scope of existing commercial activities that involve the collection, maintenance, sale, rental, and other uses of consumer data.
Companies providing goods and services to consumers have a vast appetite for consumer information, and especially for information about health conditions. A large and lucrative industry of list brokers, consumer profilers, and other commercial data brokers satisfies that appetite. We selected diabetes to provide some examples of these activities, but we could have used many other ailments to make the point.
We include below just a few of the lists for sale that are available to those who want to communicate with identifiable consumers who have diabetes. These marketing lists typically give the name, address, email, phone number, number of children, age, income level, and other categories of demographic information about the individuals on the list.
The information below is taken directly from the “data cards” accompanying the lists that were actually for sale. The descriptions of each list were provided by the list sellers. It is our experience that few outside the marketing business know about this resource for health information of identifiable individuals. We have testified before the Secretary’s Advisory Committee on Genetics, Health and Society on this issue, noting that many of the diseases on these marketing lists have a genetic component. Some lists for sale refer directly to genetic tests.
Ailment Medical Health – Diabetes Type 1
People who have Diabetes Type 1. Self reported on a household level. These people have genuine concerns about their lifestyle habits. They must be careful with every decision that they make when it comes to their health. As a result, it is safe to assume that they have been encouraged to change their lifestyle habits in the way they live and the products they buy. This opens an avenue for marketers offering health products, treatments and medications to assist these individuals with daily living and/or convalescence. If you do not see a specific ailment listed, call today for more information. 
Diabetes Ailment Sufferers – Prime Health Solutions
The audience of the # 2.0 DIABETES Ailment Sufferers – Prime Health Solutions Database has an average age of 57 and gender on this file is a 50/50 split. Selections within the # 2.0 DIABETES Ailment Sufferers – Prime Health Solutions database include over 400 Data Points. Buying habits, OTC and Rx are selectable. Type 1 or Type 2 Diabetes selectable. Income segmentation on the file covers a wide range with average HHI of $48,000. 
Absolute Diabetes Ailment List
Derived from a proprietary survey, these are all responders who clearly stated either themselves or someone in their household suffers from some type of Diabetes. This is the ideal list for health and diet offers, healthy cooking books, medications and more! Reach the people who have given permission to receive additional offers and/or information via direct mail, telemarketing, and email! 
The number of consumers’ names on these lists ranges from more than 100,000 to more than 1.5 million individuals. A search on the DirectMag website (http://listfinder.directmag.com/market) for mailing lists using diabetes as the keyword produced results pages with 464 lists on the particular day we searched.  Some of the lists focused on health care professionals, donors, and others, but a large percentage of lists offered data on consumers known or suspected to have diabetes. These kinds of lists are available on many diseases and conditions.
As mentioned earlier, some of the list descriptions mention the availability of other data on the consumers, data that often includes income, age, family size, ethnicity, buying habits, and dozens or even hundreds of other personal characteristics. The availability of this range of personal information is standard today because information about consumers is organized into profiles rather than flat files, which typically reflect only one or two fields. Those who rent the marketing lists can select subsets of other personal or household characteristics to suit a particular marketing campaign.
The traditional list and consumer profiling industry has both traditional and new sources of supply for health (and other) consumer information. Health information may find its way into commercial databases through Web profiling of consumers and customers; monitoring of consumer use of Internet search engines; social networking sites; unwitting disclosure of health information by individuals; personal health records held outside of HIPAA and subject to marketing; and the outright sale of health information by other entities not subject to HIPAA.
For example, frequent shopper cards issued by retailers such as supermarkets and drug stores may collect considerable amounts of personal information relating to health (including purchases of non-prescription drugs or foods that reveal various health conditions) that is not regulated by HIPAA or otherwise for privacy. Social networking sites could easily be a source of family history information. (“Picked up my uncle at the dialysis center this afternoon.”).
The point is that there is a significant market demand for consumer information, including health information, and that there is a corresponding commercial and non-commercial supply of information. That demand will surely extend to genetic testing information as it becomes more readily available from any source.
Because some family history information is included in the definition of genetic information, nearly any routine current source of health information will contain genetic information covered by GINA. Existing enterprises that collect and sell consumer information will seek and sell genetic testing information in the same way that they already seek and sell other health and consumer information, as in the diabetes lists. In short, genetic information will likely become another profit center for consumer list and consumer profile sellers. The health information collected and sold through list marketers in this manner is not subject to HIPAA or any other general privacy law.
Commercial genetic testing companies will also create and maintain genetic testing information. This is already happening today. How this information may be made available to third parties remains to be seen. What is stopping these companies from providing their data to anyone who is able to wheedle a consent from an individual? There is little if any law regulating these companies.
Even non-profit and public sources of DNA analysis exist. The Personal Genome Project proposes to maintain a public and identifiable genomic database.  As genetic testing becomes less expensive, other more commercial and less scrupulous sources of genetic testing information are certain to arise and provide data for commercial sale and use.
It is not too dramatic to suggest that in the near future, genetic testing information that GINA wants to keep from being used for underwriting will be readily and cheaply available. Sources will include commercial data brokers, websites of every type, and free or non-commercial sources. As discussed, other health information is already available in this fashion.
Preventing the incidental collection of information that either is readily available today or will become readily available will be a real challenge. A number of existing commercial activities are already using genetics for dubious weight loss merchandising.  When genetic testing becomes so inexpensive that vendors can offer free T-shirts in exchange for a hair sample for genetic testing, the high likelihood is that commercial data brokers and consumer profilers will be awash in unregulated genetic information.
C. Key suggestions regarding incidental collection
The World Privacy Forum is concerned about incidental collection both inside and outside the health care sector. We offer these suggestions as a starting point.
1. We suggest that any discussion of incidental collection of genetic information address information collection activities occurring outside of the health care sector. As discussed in these comments, collection inside the health care system should be examined, but collection activities that exist outside the health care sector should be examined as well.
2. We further suggest that any plan or issuer be expressly prohibited from engaging in conduct that will knowingly or may likely lead to the collection of genetic information. That would include web searching for personal information about any current or potential plan participants or insured and their families.
3. List purchasing should also be banned, along with the acquisition of other consumer information and profiles that may include any form of health information.
4. If a consumer profile available for a data broker includes genetic information, the plan or issuer should be expressly banned from purchasing the profile. The goal is to prevent data brokers from providing genetic information as part of the disclosure of other consumer information under the guise that the genetic information was incidentally obtained.
5. For entities regulated under the Act, searching for information about any current or potential plan participants or insured and their families on social networking sites should be banned or strictly limited because of the likelihood that family history information will be included.
6. If a plan or insurer has a legitimate reason for engaging in activities likely to give rise to the incidental collection of genetic information (e.g., web searching, list buying, or consumer information acquisition), it should be allowed only if there is a strict and documented separation (with audit trails) between the functions and records of those components that are legitimately engaging in the specific activities and any other part of the same company that may be able to use that data in a way that is prohibited by GINA. If a separation is not possible, then no activity that may give rise to collection of genetic information (incidental or otherwise) should be allowed.
7. The provisions in Title II of the Act that address employer acquisition and use of genetic information also need similar attention. We are concerned about the language that allows acquisition of genetic information “where an employer purchases documents that are commercially and publicly available (including newspapers, magazines, periodicals, and books, but not including medical databases or court records) that include family medical history.” This is another exception that has the potential to swallow the intended restriction on the collection of personal information.
We suggest that the sources in the statute – newspapers, magazines, periodicals, and books – be interpreted as narrowly as possible and that the words purchases and commercial be read to exclude information that is freely available or posted by individuals. We urge that lists of consumers with medical conditions should be treated as medical databases and not subject to the exclusion.
8. The restrictions we suggest above to limit the possibility of the collection of incidental genetic information should also be considered in describing limits on employer acquisitions. It is one thing for an employer to buy a daily newspaper that happens to include obituaries and other sources of genetic information. It is something else for an employer to go to a newspaper website and engage in a search for family history information about a particular employee or prospective new hire. The exception in the law cannot apply when there is a specific intent to look for information on a particular individual or family member. If the restriction on employer acquisition is not interpreted strictly and narrowly, the law may have little effect.
9. Incidental genetic information could also become available to an employer because of employer, plan, or issuer involvement in disease management activities or other comparable activities that have the potential to allow the flow of health information. If an employer offers a wellness program that includes incentives or disincentives for participation, confirmation of an employee’s participation could result in the disclosure of genetic information. Similarly, an employer, plan, or issuer sponsorship of a gym membership for an employee or participant could also lead to the disclosure of genetic information. Express prohibitions on the sharing of any health information are appropriate here as well. Any employer role in the sponsorship or operation of personal health records also needs express attention so that employee information cannot leak back to an employer.
10. If an employer has a legitimate reason for engaging in activities likely to give rise to the incidental collection of genetic information (e.g., web searching, list buying, or consumer information acquisition), it should be allowed only if there is a strict and documented separation (with audit trails) between the functions and records of those components who are legitimately engaging in the specific activities and any other part of the same company that may be able to use that data in a way that is prohibited by GINA. If a separation is not possible, then no activity that may give rise to collection of genetic information (incidental or otherwise) should be allowed. For example, if a company wants to buy a list of consumers with medical problems to use for marketing purposes, the company must have a way to keep that list from being reviewed by the company’s employment or insurance component and have the audit trail to prove no inappropriate accesses occurred.
IV. Suggestions for additional clarifications
The RFI, question 9, states:
9. What terms or provisions (such as genetic information, genetic test, genetic services, or underwriting) would require additional clarification to facilitate compliance? What specific clarifications would be helpful?
We have several suggestions.
A. Clarify definition of underwriting purposes
First, the definition of underwriting purposes should be clarified so that it expressly includes decisions not to renew an existing policy. The statute may not be as clear as it could be.
B. Clarify the term “family history”
“Family history” is a difficult term. An employer who collects information about the reasons for sick leave taken by an employee because of the employee’s illness or illnesses in the employee’s family compiles a family history. Without more clarification, routine activities – including casual discussions with supervisors or even follow employees – could lead to the compilation of family histories in an employment context.
A worker who comes in late because and says it is because his or her child has a cold or other illness has disclosed “the manifestation of a disease or disorder in family members of such individual.” The inadvertent request exception to the limit on employer acquisition of genetic information will need a considerable amount of clarification both to secure compliance with the law and to avoid allowing a loophole that will swallow the law.
C. Clarify the potentially conflicting legal requirements regarding research use of genetic information
There are potential inconsistencies in the treatment of research and research activities in the law.
First, the research exception for plans and issuers states that a plan or issuer cannot not request or require an individual or a family member of such individual to undergo a genetic test. But it says nothing about the use of existing genetic test information for research that is obtained without a request or requirement. Genetic test information in existing records could be used for research without being subject to the Common Rule and other requirements in the research exception.
Second, in the employer part of the Act, an employer, employment agency, labor organization, or joint labor-management committee is prohibited from disclosing genetic information concerning an employee or member except “****to an occupational or other health researcher if the research is conducted in compliance with the regulations and protections provided for under part 46 of title 45, Code of Federal Regulations.”
It should be made absolutely clear that any research using genetic information by any entity regulated by GINA must be subject to the Common Rule.
There may also be a need to make sure that the ability of a plan that is a HIPAA-covered entity does not abuse the health care operations disclosure provision to conduct research-like activities using genetic information without the controls on research that the law requires. There are ways in which it is possible that research or research-like activities could go on without following the GINA research exception controls.
The World Privacy Forum appreciates this opportunity to provide comments. We stand ready to offer assistance and help, should it be required.
World Privacy Forum
 DirectMag, DirectListfinder 2.0, “#1 Ailment Medical Health – Diabetes Type 1,” NEXTMARK ID: 119135, <http://listfinder.directmag.com/market;jsessionid=DCD110A5C001B08C02F7E833D600AB63?page=research/dat acard&id=119135>.
 DirectMag, DirectListfinder 2.0, “# 2.0 DIABETES Ailment Sufferers – Prime Health Solutions,” NEXTMARK ID:211336, <http://listfinder.directmag.com/market;jsessionid=1E4AED4FD93B39F3AB51E0C6ED4C6DE2?page=research/da tacard&id=211336>.
 DirectMag, DirectListfinder 2.0, “Absolute Diabetes Ailment List,” NEXTMARK ID: 117538, <http://listfinder.directmag.com/market;jsessionid=1E4AED4FD93B39F3AB51E0C6ED4C6DE2?page=research/da tacard&id=117538>.
 From a Listfinder search December 9, 2008.
 See, e.g., Ellen Nakashima, Genome Database Will Link Genes, Traits in Public View, Washington Post, Page A01, (October 18, 2008), <http://www.washingtonpost.com/wp- dyn/content/article/2008/10/17/AR2008101703345.html>.
 GeneWatch.org <http://www.genewatch.org/article.shtml?als[cid]=558225&als[itemid]=558234 >.