Public Comments: January 2010 – WPF files comments with Department of Labor regarding genetic regulations

 

Background:

The World Privacy Forum filed comments today with the Department of Labor requesting that the DOL expand its protections of how genetic information may be used by health insurance companies or group health plans. The World Privacy Forum urged the DOL to include genetic information posted on social networking sites in its consideration of the GINA regulations.

—–

Comments of the World Privacy Forum to the Department of Labor, Employee Benefits Security Administration 

Regarding

Interim final rules implementing sections 101 through 103 of the Genetic Information Nondiscrimination Act of 2008 to prohibit discrimination based on genetic information in health insurance coverage and group health plans, RIN 1210–AB27

Via Federal eRulemaking Portal

U.S. Department of Labor
Office of Health Plan Standards and Compliance Assistance,
Employee Benefits Security Administration
Room N-5653
200 Constitution Avenue NW
Washington, DC 20210

January 5, 2010

Re: Comments of the World Privacy Forum regarding Prohibiting Discrimination Based on Genetic Information; Interim Final Rules, RIN 1210–AB27.

 

The World Privacy Forum welcomes the opportunity to comment on the Department’s interim final rules implementing sections 101 through 103 of the Genetic Information Nondiscrimination Act of 2008 (GINA) to prohibit discrimination based on genetic information in health insurance coverage and group health plans. The rule and request for comment appeared in 74 Federal Register beginning on page 51663 (October 7, 2009).

The World Privacy Forum is a non-partisan, non-profit public interest research and consumer education organization. Our focus is on conducting in-depth research and analysis of privacy issues, in particular issues related to information privacy, health privacy, and financial privacy. More information about the activities of the World Privacy Forum is available at our web site, https://www.worldprivacyforum.org.

Our comments are limited to the definition of collect. The proposed definition is:
“(1) Collect means, with respect to information, to request, require, or purchase such information.”

The explanation of this term, (page 51666) is as follows:

a. Collect

The interim final regulations add the defined term “collect.” While “collect” was not defined in the statute, this term was added to paraphrase the longer phrase “request, require or purchase.” Thus, under the interim final regulations, “collect” means, with respect to information, to request, require, or purchase such information.

The World Privacy Forum supports the addition of a definition for collect, but we do not think that it goes far enough. The problem is that there are numerous other ways to obtain information other than by request, requirement, or purchase.

For example, an insurer could review information on an individual’s social networking page and learn genetic information posted there. The action might not meet the definition of collect because the insurer did not request, require, or purchase the information. Similarly, information found during a search using an Internet search engine might not qualify as collected under the proposed definition for the same reasons. One might quibble over whether either action qualifies as a request, but it would be simpler to clarify the regulations on this important point than to quibble.

We offer a second example to support our suggestion. An insurer could purchase or otherwise acquire information without overt identifiers. That action might not qualify as collection because the information is not deemed identifiable. However, it is possible today to reidentify information that lacks overt identifiers. For example, Professor Latanya Sweeney of Carnegie- Mellon University has demonstrated that 87% of Americans are uniquely identified by birth date, gender, and five-digit zip code. Tremendous amounts of data that may appear on the surface to be non-identifiable can be reidentified today because of the widespread availability of personal information in government and commercial databases and because of modern computer capabilities.

Even aggregate DNA data may be identifiable at times. In 2008, the National Institutes of Health took action to protect individuals by removing aggregated data from open-access GWAS databases because of research that showed a statistical method for resolving individual genotypes within a mix of DNA samples or data sets containing aggregate single-nucleotide polymorphism data. See Homer N, Szelinger S, Redman M, Duggan D, Tembe W, et al. (2008) Resolving individuals contributing trace amounts of DNA to highly complex mixtures using high-density SNP genotyping microarrays. PLoS Genet 4(8): e1000167. doi:10.1371/journal.pgen.1000167. See, also, The National Institutes of Health removes patients’ genetic profiles from its website after a study reveals that a new type of analysis could confirm identities, LA Times (Aug. 29, 2009), http://www.latimes.com/news/nationworld/nation/la-me-dna29- 2008aug29,0,4364552.story.

We do not believe that the Department wrote the definition with any intention of allowing a loophole. Indeed, it is clear that the definition was added to broaden the concept of information collection. Our recommendation is that the definition be broadened further. We suggest the following wording:

Collect means, with respect to information, to request, require, or purchase, obtain, create, reidentify, or otherwise acquire such information.

We observe that the Federal Register publication we are commenting on makes regular use of the word obtain in connection with activities that involve the collection of information. At a minimum, the definition should include that same word.

Thank you for your attention to this important detail, and for the opportunity to comment. Please do not hesitate to contact us for additional information.

 

Respectfully submitted,

Pam Dixon
Executive Director,
World Privacy Forum