+1443 776-2705 panelessays@gmail.com


Use the following ethical scenario:

  • A company uses patient DNA for research without the patient’s knowledge or consent.

I have attached an article that relates to the ethical concerns of the chosen scenario or to the process step at which ethical issues may have begun. 

Answer the following question:

  • Explain external factors that have an impact on the ethical concern in the scenario.

Journal of Law and the Biosciences, 1–36
Advance Access Publication 14 May 2019
Original Article

The law of genetic privacy: applications,
implications, and limitations

Ellen Wright Clayton1, Barbara J. Evans2, James W. Hazel3

and Mark A. Rothstein4,∗

1. Craig-Weaver Professor of Pediatrics, Center for Biomedical Ethics and Society, Vanderbilt University
Medical Center, Nashville, TN 37203, USA

2. Mary Ann and Lawrence E. Faust Professor of Law; Professor of Electrical and Computer Engineering;
Director, Center for Biotechnology & Law, University of Houston, Houston, TX 77004, USA

3. Postdoctoral Fellow, Center for Genetic Privacy and Identity in Community Settings, Vanderbilt University
Medical Center, Nashville, TN 37203, USA

4. Herbert F. Boehl Chair of Law and Medicine, Director, Institute for Bioethics, Health Policy & Law,
University of Louisville School of Medicine, Louisville, KY 40202, USA

∗Corresponding author. E-mail: [email protected]

Recent advances in technology have significantly improved the accuracy of
genetic testing and analysis, and substantially reduced its cost, resulting in a
shared, and stored by diverse individuals and entities. Given the diversity of
actors and their interests, coupled with the wide variety of ways genetic data
are held, it has been difficult to develop broadly applicable legal principles
for genetic privacy. This article examines the current landscape of genetic
privacy to identify the roles that the law does or should play, with a focus on
federal statutes and regulations, including the Health Insurance Portabil-
ity and Accountability Act (HIPAA) and the Genetic Information Nondis-
crimination Act (GINA). After considering the many contexts in which is-
sues of genetic privacy arise, the article concludes that few, if any, applicable
legal doctrines or enactments provide adequate protection or meaningful
control to individuals over disclosures that may affect them. The article de-
scribes why it may be time to shift attention from attempting to control ac-
cess to genetic information to considering the more challenging question of
trade-offs between individual and social goods in numerous applications.

K E Y W O R D S: DNA, genetics, genomics, GINA, HIPAA, privacy

C© TheAuthor(s)2019.PublishedbyOxfordUniversityPressonbehalfofDukeUniversitySchoolofLaw,Harvard
Law School, Oxford University Press, and Stanford Law School. This is an Open Access article distributed under
the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which
permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly


nloaded from

/jlb/article-abstract/6/1/1/5489401 by 81695661, O


on 29 O
ctober 2019

2 � The law of genetic privacy

People often view genetic information about themselves as private. Each person’s
genome, or full complement of DNA, is unique,1 but the specific variants within an
individual’s genome may be widely shared with biological relatives or even across the
entire human population. This mixed character of the genome—as a uniquely indi-
vidual assemblage of widely shared common elements—imbues it with a dual pri-
vate and public significance that confounds any discussion of policy addressing genetic

On one hand, DNA has been conceptualized as a unique identifier2 and a person’s
book of life,3 which provides insights into many aspects of the person’s future, although
perhaps not as much as many people might think. This conceptualization leads many
people to want to control who has access to genetic information about them and drives
calls for strong privacy protection or even personal genetic data ownership. On the
other hand, genetic data are not limited to one individual, with information about one
person revealing information about the person’s close and distant biological relatives.
Only by studying genetic information from many people can the significance of the in-
dividual’s variants be discerned. The importance of understanding the causes of health
and disease has led some to argue that people have some obligation to share data about
themselves for low-risk research.4 This public nature and value of the genome makes
it difficult to decide what level of control individuals should have and how to provide
appropriate privacy protections.

At the same time, the very concept of ‘privacy’ has evolved in recent decades and
a new model of privacy has gained ground. The traditional view of privacy as secrecy
or concealment—as a ‘right to be let alone’5—has grown increasingly strained in the
Information Age. The Internet and ubiquitous communication technologies facilitate
broad sharing of information, including highly personal information, often without
the individual’s knowledge or consent.6 A new theorization of privacy has emerged,
in which concealing one’s secrets ‘is less relevant than being in control of the dis-
tribution and use by others’7 of the data people generate in the course of seeking
healthcare, conducting consumer transactions, and going about their lives. ‘The leading
paradigm on the Internet and in the “real,”’ or off-line world, conceives of privacy as a

1 Even the genomes of monozygotic (‘identical’) twins often differ in some ways. See, eg F. Nipa Haque,
Irving I. Gottesman & Albert H.C. Wong, Not Really Identical: Epigenetic Differences in Monozygotic Twins
and Implications for Twin Studies in Psychiatry, 151C AM. J. MED. GENETICS PART C SEMIN. MED. GENETICS
136 (2009).

2 Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden,
pts. 46, 160, 164; 21 C.F.R. pts. 50, 56).

4 Ruth R. Faden et al., An Ethics Framework for a Learning Healthcare System: A Departure from Traditional

Research Ethics and Clinical Ethics, 43 HASTINGS CTR. REP. S16, S23 (2013).
5 Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193, 193 (1890).
6 Vera Bergelson, It’s Personal but Is It Mine? Toward Property Rights in Personal Information, 37 U.C. DAVIS L.

7 Bergelson, supra note 6, at 401 [quoting RAYMOND T. NIMMER, THE LAW OF COMPUTER TECHNOLOGY ¶

16.02, at 16-5 (2001)].


nloaded from

/jlb/article-abstract/6/1/1/5489401 by 81695661, O


on 29 O
ctober 2019

The law of genetic privacy � 3

personalrighttocontroltheuseofone’sdata’,8 includingenjoyingaccessandusingitby

Deciding how much control people should have over access to and use of genetic
data about themselves has taken on increased urgency in recent years. Until recently,
there simply was less genetic information to worry about, because a person’s genetic
makeup could be inferred only by studying his or her phenotypic characteristics and
family history. It was possible, for example, to tell something about people’s eye color
genes by looking at their eyes, but not whether they had a gene variant that modestly
elevated their cholesterol level or whether they were at increased risk of developing a
common complex disorder.

Dramatic advances in technology has now made it possible to examine DNA
directly with increasing accuracy and decreasing cost, thereby contributing to the
dramatic growth in genome-based approaches, such as exome- or genome-based
sequencing, which can provide dramatically more information than single-gene tests.
These genomic tests have already proven valuable in diagnosing disorders whose etiol-
ogy is unknown, as can be the case for some children with developmental disability or
critical illness as neonates.10 There is also growing interest in using genome-scale tests
to answer narrower clinical questions on the ground that these approaches are more
efficient than testing a more limited number of genes.11 But moving to genome-based
makes it possible to examine all the genetic variants regardless of the original reason for

As this technology and our understanding of genomics have improved, a growing
number of individuals and entities seek access to individual genetic information. For
example, millions of people have pursued testing to learn about their ancestry and to
identify previously unknown relatives, endeavors that require access to the informa-
tion of others as well as their own. In addition, clinicians might seek the data to refine a
mation to understand the ways that genetic variation contributes to health and disease.
Life insurers might want to use this information for underwriting. Parties in toxic tort
cases might try to use this information to establish or rebut causation. Law enforce-
ment might want to use the information to identify victims of mass attacks or criminal

Numerous studies show that many people are more comfortable sharing their ge-
netic data with physicians and researchers in the institution where they seek care than

8 Paul M. Schwartz, Internet Privacy and the State, 32 CONN. L. REV. 815, 820 (2000).
9 See, eg U.S. Dep’t of Health and Human Servs., Standards for Privacy of Individually Identifiable Health Infor-

mation, 65 FED. REG. 82,462, 82,606 (Dec. 28, 2000) (noting, in the preamble to the original HIPAA Privacy
Rule, that various industry and standard-setting organizations have recognized the need for individual access,
stating that, ‘Patients’ confidence in the protection of their information requires that they have the means to
know what is contained in their records’).

10 Laurie D. Smith, Laurel K. Willig & Stephen F. Kingsmore, Whole-Exome Sequencing and Whole-Genome Se-
quencing in Critically Ill Neonates Suspected to Have Single-Gene Disorders, 6 COLD SPRING HARBOR PERSP.MED.
2 (2016).

11 Jonathan S. Berg, Muin J. Khoury & James P. Evans, Deploying Whole Genome Sequencing in Clinical Practice
and Public Health: Meeting the Challenge One Bin at a Time, 13 GENETICS MED. 499 (2011)


nloaded from

/jlb/article-abstract/6/1/1/5489401 by 81695661, O


on 29 O
ctober 2019

4 � The law of genetic privacy

with the government or commercial entities.12 People also vary widely in how much
they are concerned about genetic privacy13 and privacy in general.14

Given the diversity of actors and their interests, the increasing power of genetic
technologies, and the wide variety of ways these data are held, it is difficult to develop
debates about genetic privacy, which began decades ago,15 public policy often involves
balancing the rights of individuals to maintain the privacy of their genetic information
with the rights of other individuals and the public to access the information. The trade-
offs often implicate both personal and societal interests, which vary depending on the
context. Whether the state can conduct newborn screening for genetic disorders raises
different questions from whether an insurer can use genetic information for underwrit-
ing health, life, disability, or long-term care insurance, each of which presents its own
challenges. In addition, the wide variety of actors and locations are subject to different
regulatory schemes.

This article examines the landscape of genetic privacy to identify the roles the law
does or should play. Because of the complexity of genetic privacy law, it is infeasible to
address all of the issues in a single article. Consequently, the article does not address
in detail genetic privacy in reproductive genetic testing,16 human subjects research in-
volving genetics, state statutes and regulations pertaining to genetic privacy, and com-
mon law actions for invasion of privacy. The article’s primary focus is on federal statutes
and regulations. After considering the many contexts in which issues of genetic privacy
arise, thearticleconcludesthatfew,ifany,applicablelegaldoctrinesorenactmentspro-
vide adequate protection. For simplicity, and to acknowledge the deep roots of these
debates, the article refers to ‘genetic’ privacy, but it clearly contemplates and gives spe-
cial attention to the implications of the expanding role of genomics and associated


II.A. Dimensions of Genetic Privacy
In order to understand genetic privacy, it is necessary first to delve into the complex
concept of privacy.17 Privacy is a state of limited access to an individual or information

12 Nanibaa’A. Garrison et al., A Systematic Literature Review of Individuals’ Perspectives on Broad Consent and
Data Sharing in the United States, 18 GENETICS MED. 663, 668–9 (2016); C. Sanderson et al., Public Attitudes
Toward Consent and Data Sharing in Biobank Research: A Large Multi-site Experimental Survey in the US, 100
AM. J. HUM. GENETICS 414, 421 (2017).

13 Ellen W. Clayton et al., A Systematic Literature Review of Individuals’ Perspectives on Privacy and Genetic In-
formation in the United States, PLOS ONE, https://doi.org/10.1371/journal.pone.0204417 (2018); Stacey
Pereira et al., Do Privacy and Security Regulations Need a Status Update? Perspectives from an Intergenerational
Study, PLOS ONE, https://doi.org/10.1371/journal.pone.0184525 (2017).

14 Mary Madden, Public Perceptions of Privacy and Security in the Post-Snowden Era, PEW RES. CTR.,
http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/ (2014).


16 For recent discussions, see Josephine Johnston, Ruth M.Farrell & Eric Parens, Supporting Women’s Autonomy
in Prenatal Testing, 377 NEW ENG. J. MED. 505 (2017); Ruth M. Farrell & Megan A. Allyse, Key Ethical Issues
in Prenatal Genetics, 45 OBSTET. & GYNECOL. CLIN. 127 (2017).

17 Many other countries, especially those in the European Union, use the term ‘data protection’ as an omnibus
concept that includes privacy, confidentiality, security, and other elements. These concepts are at the heart of


nloaded from

/jlb/article-abstract/6/1/1/5489401 by 81695661, O


on 29 O
ctober 2019

The law of genetic privacy � 5

about an individual.18 The right to privacy refers to the ethical and legal principles that
recognize the importance of limited access to an individual or information about an

Anita Allen has proposed four categories of privacy applicable to what she terms ‘the
ambiguous concept’ of genetic privacy.

When used to label issues that arise in contemporary bioethics and public policy, ‘privacy’
generally refers to one of four categories of concern. They are: (1) informational privacy
concerns about access to personal information; (2) physical privacy concerns about ac-
cess to persons and personal spaces; (3) decisional privacy concerns about governmental
cerns about the appropriation and ownership of interests in human personality.19

is the primary focus of this article. From the huge dataset that is every human’s genome
to family pedigrees and genetic test results, genetics is closely associated with informa-
transcriptomics, and epigenomics—greatly increase the amount of potential gene-
associated information about individuals. Often, genetic information is sensitive be-
cause it has implications for the current and future health of individuals and their family
members. The information may also have major social and economic consequences.20

Three other significant concepts within the realm of privacy and genetic privacy
are confidentiality, security, and anonymity.21 Confidentiality describes a situation in
which information is disclosed within a trusting relationship (eg physician–patient) on
the express or implied agreement that it will not be divulged to a third party without the
permissionofthesourceoftheinformation.22 Confidentiality,applicabletothenondis-
closureofgeneticinformation,23 isafoundationalprincipleintheethicalcodesofmany
health professions and a key element of a wide range of laws. The duty to protect confi-
dentiality is not absolute; however, and in certain circumstances recognized by law or

the European Union’s General Data Protection Regulation, which took effect in 2018. General Data Protec-
tion Regulation, 2018 O.J. (L 127), https://gdpr-info.eu (accessed Apr. 15, 2019). See generally Edward S.
Dove, The EU General Data Protection Regulation: Implications for International Scientific Research in the Digital
Era, 46 J.L. MED. & ETHICS, 1013−30 (2018).

18 ‘Physical and informational privacy practices serve to limit observation and disclosure deemed inimical to
well-being’. Anita L. Allen, Privacy in Health Care, in 4 ENCYCLOPEDIA OF BIOETHICS 2067 (Warren Thomas
Reich ed., 1995).

19 Anita L. Allen, Genetic Privacy: Emerging Concepts and Values, in GENETIC SECRETS: PROTECTING PRIVACY AND
CONFIDENTIALITY IN THE GENETIC ERA 31, 33 (Mark A. Rothstein ed., 1997).

20 See infra Section V.
21 SeeBarthaMariaKnoppers&MadelaineSaginur,TheBabelofGeneticDataTerminology,23NATUREBIOTECH.

925, 925 (2005) (discussing the numerous terms used to describe measures to protect genetic information).
22 ‘Confidentialityconcernsthecommunicationofprivateandpersonalinformationfromonepersontoanother

where it is expected that the recipient of the information, such as a health professional, will not ordinarily dis-
close the confidential information to third persons’. William J. Winslade, Confidentiality, in 1 ENCYCLOPEDIA
OF BIOETHICS at 452 (Warren Thomas Reich ed., 1995). See also Mark A. Rothstein, Confidentiality, in MEDI-
et al. eds., 2001).

23 For a further discussion, see infra Section III.


nloaded from

/jlb/article-abstract/6/1/1/5489401 by 81695661, O


on 29 O
ctober 2019

6 � The law of genetic privacy

ethical codes, other interests may be paramount, such as the safety and health of third

Security, in the informational sense, is an increasingly important concept in the digi-
to access certain information are granted access to it, but those without such author-
ity are denied access. Security can be protected by various means, such as by training
implementing technical access controls, including passwords and encryption.25

Anonymity is a form of privacy protection in which the identity of the source of cer-
tain health information is not obtained or is removed by researchers or other custodi-
ans of the information. Anonymization, deidentification, and similar measures are fre-
quently applied to genetic information in an effort to protect individual privacy while
retaining the scientific value of the information. The use of anonymized genetic infor-
mation raises two main concerns. First, technical methods may not be completely ef-
fective in preventing the reidentification of genetic information.26 Second, there is a
plausible argument that individuals’ interest in autonomy should afford them the op-
portunity to learn about and to control the use of even their anonymized health infor-
mation or biospecimens.27

No matter how people choose to define ‘privacy’, there is a widespread sentiment
among legal and ethics scholars that existing privacy laws do not provide as much pri-
vacy as many people expect or erroneously believe they have.28 US federal privacy laws
data (through informed consent rights) while also allowing at least some unconsented
collection and use of people’s data (including their genetic information) for various
purposes that lawmakers consider socially beneficial.29 The ‘individual control’ these
laws provide is thus incomplete. In the 1970s, Congress commissioned a Privacy Pro-
tection Study Commission (PPSC) to recommend appropriate privacy protections for

24 For example, laws requiring the reporting of infectious diseases or suspected cases of child abuse to appropri-
ate governmental agencies override confidentiality.

25 See 45 C.F.R. pt. 164 (2018) (security and privacy provision of the HIPAA Privacy Rule). See generally
Sharona Hoffman & Andy Podgurski, In Sickness, Health and Cyberspace: Protecting the Security of Electronic
Private Health Information, 48 B.C. L. REV. 331 (2007); Nicolas P. Terry & Leslie P. Francis, Ensuring the
Privacy and Confidentiality of Electronic Health Records, 2007 U. ILL. L. REV 681 (2007).

26 See Ellen Wright Clayton & Bradley Malin, Assessing Risks to Privacy in Biospecimen Research, in SPECIMEN
Characterizing the Risks and Harms of Linking Genetic Information to Individuals, 15IEEESECURITY &PRIVACY
14, 16 (2017). For a further discussion, see Part VI-A.

27 Jennifer Kulynych & Henry T. Greely, Clinical Genomics, Big Data, and Electronic Medical Records: Reconciling
Patient Rights with Research When Privacy and Science Collide, J.L. & BIOSCIENCES 94 (2017); Mark A. Roth-
stein, Is Deidentification Sufficient to Protect Health Privacy in Research?, 10 AM. J. BIOETHICS 3 (2010).

29 See, eg the Fair Credit Reporting Act of 1970, 15 U.S.C. § 1681b (enumerating permissible disclosure of

people’s credit information and conditions for such disclosures); Privacy Act of 1974, 5 U.S.C. § 552a(b)
(requiring governmental agencies to seek consent prior to disclosure of people’s personal data stored in gov-
ernmental databases, but then allowing various enumerated exceptions to the consent requirement); HIPAA
Privacy Rule, 45 C.F.R. § 164.512 (allowing unconsented use and disclosure of people’s health and genetic
information for an enumerated list of purposes—such as public health, law enforcement and judicial uses,
and research subject to IRB or privacy board approval).


nloaded from

/jlb/article-abstract/6/1/1/5489401 by 81695661, O


on 29 O
ctober 2019

The law of genetic privacy � 7

many types of data. The PPSC’s 1977 report30 acknowledged that unconsented uses of
people’s data, under certain circumstances, can be ethically justified, but it cautioned
that if data cannot be ‘totally protected’ against unconsented access by others, people
face privacy risks and need to be able to access their data themselves in order to as-
sess and manage those risks.31 Accordingly, many privacy laws, both in the USA and
elsewhere, offer individual access rights as a core part of their scheme of privacy protec-
tions.32 As a practical matter, however, healthcare institutions do not always provide
patients with access to their medical records in a timely manner,33 and patients often
encounter difficulty amending errors in their records.34

II.B. Genetic Exceptionalism
One of the earliest controversies surrounding genetic privacy in the academic literature
and policy domain was whether genetic information should be regarded as merely an-
information demand separate and more protective treatment. Among the allegedly
unique aspects of genetic information is the tremendous amount of information con-
tained in DNA, its immutability, its potential use as a unique identifier, and its implica-
tions for family members and others with a similar geographic ancestry.

Thomas Murray, recalling a debate in the 1980s about whether HIV information
was unique (termed ‘HIV exceptionalism’), coined the term ‘genetic exceptionalism’
inreferencetothecontroversysurroundingwhethergenetic information—atthattime
typically referring primarily to Mendelian or single-gene disorders—should be treated
separately.35 Murrayalsorecognizedthatthemaindifferencebetweengeneticandnon-
cial. ‘Genetic information is special because we are inclined to treat it as mysterious, as
having exceptional potency or significance, not because it differs in some fundamental
way from all other sorts of information about us’.36 A practical problem with the sepa-
rate treatment of genetic information is the difficulty in defining and separating it from

https://www.ncjrs.gov/pdffiles1/Digitization/49602NCJRS.pdf (accessed Apr. 15, 2019).
31 Id.at299.SeeMargaretO’Mara,TheEndofPrivacyBeganinthe1960s,N.Y.TIMES,Dec.6,2018,atA31(stating

thatasearlyasthe1960sCongressadoptedthepolicyofpushingfordatatransparency, includingsharingdata
with the person the data describe, rather than restrictions on sharing people’s data with third parties).

32 See, eg the Privacy Act of 1974, 5 U.S.C. 552a(d)(1) (granting an individual right of access to certain data
held in governmental databases); HIPAA Privacy Rule, 45 C.F.R. § 164.524 (granting an individual right of
access to certain data held by HIPAA-covered entities). See also European Union General Data Protection
Regulation (Regulation (EU) 2016/679), Art. 15 (providing an individual access right).

33 See Carolyn T. Lye et al., Assessment of US Hospital Compliance with Regulations for Patients’ Requests for Medi-
cal Records, 1 JAMANETWORK OPEN. e183014 (2018), DOI:10.1001/jamanetworkopen.2018.3014 (finding
widespread noncompliance with federal regulations by 83 hospitals studied).

34 UndertheHIPAAPrivacyRule, individualsmayrequestthattheirhealthrecordsberevisedorsupplemented,
fail to grant such requests by patients.

35 Thomas H. Murray, Genetic Exceptionalism and ‘Future Diaries’: Is Genetic Information Different from Other
(Mark A. Rothstein ed., 1997). See also Nicolas P. Terry, Big Data Proxies and Health Privacy Exceptionalism,
24 HEALTH MATRIX 65 (2014) (discussing the broader ‘health privacy exceptionalism’).

36 Murray, supra note 35, at 71. Although Mendelian conditions, especially Huntington disease, were cited ex-
tensively in the literature in the 1990s as justifying genetic exceptionalism, it is not a good example upon
which to construct an approach to genetic ethics and policy. For example, few other genetic conditions share


nloaded from

/jlb/article-abstract/6/1/1/5489401 by 81695661, O


on 29 O
ctober 2019

8 � The law of genetic privacy

other medical information in health records.37 Separate treatment of genetic informa-
tion also contributes to genetic reductionism38 and genetic determinism,39 thereby in-
creasing rather than reducing the seeming importance of genetic information and the
stigma of genetic disorders.

As with other types of information in emerging medical fields, many of the prob-
lems associated with the use of genetic information arise from two time lags. First is the
time lag between the discovery of a genetic basis for a condition and the development
of therapies to prevent, treat, or cure the disorder. Thus, genetic information may in-
dicate a risk, such as for Alzheimer’s disease, about which little or nothing can be done
to prevent or ameliorate the condition. Second is the time lag between a genetic test
that identifies the increased risk of disease in a particular individual and the onset of
symptoms. During this time period, when the individual is in medical limbo, numerous
ance companies, are inclined to use the genetic information to limit their risk. Neither
of these characteristics is unique to genetics.

Although most commentators have been critical of genetic exceptionalism,40 virtu-
ally all of the recent legislation enacted to deal with genetic privacy and genetic dis-
crimination has been genetic-specific. One of the main …