By Deborah Peel

Deborah C. Peel, MD, is founder and president of Patient Privacy Rights, a non-profit human and civil rights organization

Millions of Americans are using home DNA testing kits to discover their ancestry or uncover their risk of developing certain diseases.  Unbeknownst to them, testing companies are selling or giving away the personal genetic information gleaned from these kits.

This information, though theoretically anonymous, can easily be traced back to specific individuals. In the wrong hands, it could be used to discriminate against or even persecute law-abiding citizens. Patients deserve stronger protections to prevent such abuse.

Genetic testing companies bury disclosures about data sharing in their user agreement forms.

Invitae is a particularly egregious offender. The firm’s consent form promises patients that their sensitive genetic information “will NOT be used in FOR PROFIT research.”  But the form conveniently fails to mention that Invitae donates the data to the ClinVar public database — where it and other companies can use the information to profit.

Companies say they strip genetic test results of personally identifiable information before they share it. Indeed, they’re required to do so by the 1996 Health Insurance Portability and Accountability Act. People’s names, addresses, and other identifying details cannot be included in the shared files.  Sounds good, but it doesn’t work like that.

The scrubbed files still aren’t anonymous — not by a long shot. With today’s technology, tracing a genetic sample back to a specific patient takes little more than some Google searching.  A scientist at MIT recently took five randomly selected genetic samples and identified the donors in just a few hours. He even identified nearly 50 of their family members.

Employers and insurance companies could use this power for nefarious purposes. If an employer knew a job applicant had a health condition that would make him likely to miss work, would the firm extend an offer? In a post-Affordable Care Act world, would insurance companies sell a policy to someone at high risk of cancer?

Federal laws have attempted — and failed — to address such hidden corporate discrimination. Under the Genetic Information Nondiscrimination Act of 2009, employers and health insurance providers are not allowed to discriminate against people based on their genetic information unless it happens to already be part of their electronic medical records.

GINA is riddled with loopholes. It doesn’t cover disability or life insurance, or protect people serving in the military. It also doesn’t apply to small businesses.

Even these feeble protections are under assault. The Preserving Employee Wellness Programs Act, a proposed bill under consideration in Congress, would allow employers to penalize workers and their families who don’t submit to genetic tests.

For a solution, policy makers could look to Europe. The EU’s new General Data Projection Regulation ensures individuals have the right to control personal information and imposes severe penalties on corporations that violate patients’ privacy.

Our genetic code is a treasure trove of identifiable personal information. When testing companies make it readily available to outsiders without patients’ knowledge or meaningful informed consent, they expose them to a host of threats. To prevent rampant discrimination patients need far stronger protections for their genetic information.

For more stories like this subscribe to our print or e-edition.