Jack Haisman

Volume 73, Issue 6, 1761-1790

Since the human genome was first sequenced in 2003, millions of consumers and medical professionals have swarmed the field of medical genetics, seeking to peer into the crystal ball and see what their own, or their patients’, futures may hold. Also rushing in are direct-to-consumer genetic testing companies like 23andMe and AncestryDNA, which can circumvent medical privacy laws by offering genetic testing without a medical provider.

Medical privacy regulations, such as the Health Information Portability and Accountability Act of 1996 (HIPAA), the Genetic Information Discrimination Act of 2008 (GINA), and those promulgated by the Federal Trade Commission, do not regulate these companies adequately for a litany of reasons. These loopholes and shortcomings in regulation leave American consumers substantially less protected and less medically informed, and in some instances can jeopardize national security.

This Note proposes that Congress should enact legislation overhauling the current regulatory regime in at least three ways: (1) the “covered entity” approach should be abandoned and replaced with a data-driven model; (2) the Safe Harbor provision of HIPAA should explicitly exclude genomic data; and (3) consumers should be given a “right to be forgotten” and be able to compel companies to delete their data. These reforms would significantly strengthen consumers’ genetic privacy and give them an escape hatch to safeguard the core of their identity.