Genetic Testing – Unintended Consequences?

Health Care   |   May 7, 2018
Share Page

The advent of 23andMe, ancestryDNA, and other direct-to-consumer genetic testing products permit patients, from the comfort of their own homes and personal computers, to identify and assess their unique risk of developing disease. For less than $200, these genetic testing companies claim to provide health in-sights. For example, 23andMe offers consumers “genetic health risk reports” that detect variants related to late-onset Alzheimer’s disease, Parkinson’s disease, alpha-1 antitrypsin deficiency, celiac disease, hereditary hemochromatosis, hereditary thrombophilia, and age-related macular degeneration. In March of 2018, the FDA authorized 23andMe to market its Personal Genome Service Genetic Health Risk Report for BRCA1/BRCA2 (Selected Variants).

According to the FDA, the test is the first direct-to-consumer FDA approved test to report on three specific BRCA1 and BRCA2 breast cancer gene mutations. In its approval, the FDA clarified that the test only detects three out of more than 1,000 known BRCA mutations, meaning that a negative BRCA mutation result from 23andMe does not rule out the chance that consumers have a BRCA mutation.

Previously, genetic testing was made available only through the recommendation of a healthcare provider, and a healthcare provider was required to interpret the test results before passing them onto the individual. However, the FDA’s approval of 23andMe BRCA testing allows consumers to order and perform genetic tests without needing to interact with a healthcare professional, indicating the potential expansion of genetic testing services to other applications and raising concerns about consent, privacy, and confidentiality.

The month after the FDA approved 23andMe’s BRCA mutation testing, investigators in California utilized genetic data submitted through an online ancestry website to identify the Golden State Killer. According to reports, the detective’s use of DNA had previously led to the wrong suspect. The use of genetic data for law enforcement purposes raises concerns about the privacy and confidentiality of genetic data submitted to websites like 23andMe. Patients may be surprised that current HIPAA regulations do not apply to companies that are not “covered entities” (health plans, health care clearinghouses, and most health care providers) or “business associates.” If de-identified data is used for research or other purposes, HIPAA does not apply to that information, either, so long as it cannot be traced back to the original patient. See 45 C.F.R. §§45 C.F.R. §§ 164.502(d)(2), 164.514(a) and (b). Further, there is no general legal prohibition on re-identification of individuals from their genetic data.

A spokeswoman for, which operates the website used by police to identify the Golden State Killer, reported that they had not been contacted by law enforcement to consent to the use of genetic data for such purposes. Company officials stated that “[w]hile [they] take … customers’ privacy and confidentiality extremely seriously, [they] support ethically and legally justified uses of groundbreaking advancements of scientific research in genetics and genealogy."

Published with permission of The Florida Bar Health Law Section Newsletter (Summer 2018)

©2020 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Subscribe to Publications


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.