genetic testing – Workforce

April 8, 2020June 29, 2023

Maneuvering the complicated intersection of data privacy, health and technology

health data privacy; privacy laws; data protection

People share their experiences with depression on Twitter to show support for the mental health community. They join private Facebook groups to discuss similar health issues, without realizing that a “private” online group does not actually offer privacy protections. Companies encourage employees to be open about their health in an effort to create a “culture of health.” And employees join “HIPAA-compliant” wellness programs without realizing that the health data they log in various apps may not be protected by any law if the program is voluntary.

When the Health Insurance Portability and Accountability Act was enacted in 1996, today’s vast digital space didn’t exist. Even if organizations comply with HIPAA, the Genetic Information Nondiscrimination Act and other laws that protect health-related data, that doesn’t necessarily mean the data is protected in many contexts. There are gaps that have yet to be legally addressed. Meanwhile, employees increasingly share health information on digital health apps or online.

Also read: Fingerprint scanners risky amid coronavirus pandemic — it’s a touchy subject

A vast amount of employee data is not legally protected. As collectors of employee data, employers should be aware of the health data privacy landscape and the concerns employees may have.

“As much as it pains me to say, [data privacy] is probably nobody’s top priority,” said data privacy attorney Joseph Jerome. “It only becomes their priority when something goes wrong or they get concerned or they hear something in the news.”

Employers in the U.S. and internationally have increasingly more data privacy regulations to pay attention to — as laws like the General Data Protection Regulation in the European Union and the California Consumer Privacy Act and Illinois Biometric Privacy Act in the U.S. move the data privacy legal environment forward. In this constantly changing world, there’s information that can help organizations navigate this complicated intersection more intelligently.

Also read: How much do you know about your health data privacy?

Privacy Law Limitations

There is a lack of understanding of what HIPAA protections apply where, when and to what data, Jerome said. At its core, HIPAA was enacted to facilitate the portability and interoperability of health care records, not for any greater data privacy reason. “We act like this is a health data privacy law, but no. It’s designed to govern data in hospital systems,” he said.

Employers want to learn increasingly more data about their employees, he said. They have the opportunity to do so through commercial apps that capture wellness and fitness data. “These are things that people perceive as health data, but they’re not covered by HIPAA, and they were never designed to be covered by HIPAA,” he said.

HIPAA — and therefore what data is considered health information — is limited to covered entities like hospital systems and doctors’ offices. For example, within a health system, a patient’s email address is considered health information under HIPAA, but outside the health system, an email address is not considered health information and does not get HIPAA protection.

HIPAA also doesn’t apply to anonymized data — the data remaining after being stripped of personally identifiable information from data sets, so that the people whom the data describe remain anonymous.

Further, anonymous data is fair game, legally. “There is no regulation of ‘anonymized’ data. It can be sold to anyone and used for any purpose.The theory is that once the data has been scrubbed, it cannot be used to identify an individual and is therefore safe for sale, analysis and use,” noted “Re-Identification of ‘Anonymized’ Data,” a 2017 Georgetown Law Technology Review article.

A concern here is that anonymous data can be easily re-identified, and it’s tough to hold bad actors accountable for doing so, Jerome said. Further, it’s hard to do anything about it once the data is already identified and public information. Unfortunately, there are realistically not enough reinforcement resources, he added.

“That’s a real problem right now, not just in health care or employment context, but you’ve got this giant ecosystem where a lot of companies are sharing information and they’re all saying they’re good actors, they’re all saying they’re not re-identifying information, they’re all saying they’re not even using personal information,” he said. “But there’s data leakage all over the place. People are recombining profiles, and it’s very hard to attribute where the information originally came from.”

According to the Georgetown Law Technology Review article, the re-identification of anonymous data can lead to sensitive or embarrassing health information being linked to one’s employer, spouse or community. “Without regulation of re-identified anonymized data, employers, neighbors, and blackmailers have an unprecedented window into an individual’s most private information,” the article said. One of the privacy concerns some people have about their health data is that it could eventually be used against them and that they could suffer real-world implications like the loss of job opportunities, the denial of insurance or higher premiums for insurance.

Also read: Do Employers Have a Duty to Protect Employees’ Personal Information?

Wellness Program Gaps

The idea behind employee wellness programs is supposed to be a win-win, said Anya Prince, associate professor of law and member of the University of Iowa Genetics Cluster. Employees get healthier, and employers get lower health care costs and a more productive workforce.

But wellness programs are often not effective at changing employee health, she said.

“If the premise is we’re doing this to benefit employees [but] there’s not actually evidence that it’s benefiting employees, the question then becomes why are [wellness programs] continuing to happen?” she said. “The evidence shows that what they’re doing is shifting health care costs back on to employees in various ways. That’s where the concern comes in.”

Digital health apps on employees’ phones play a part in many workplace wellness programs. But even though third-party health apps are common on people’s phones, the privacy landscape behind these apps is murky at best.

Prince cited Lori Andrews, professor of law at the University of Chicago and director of Illinois Tech’s Institute for Science, Law and Technology. Andrews has conducted work on the types of data that medical apps collect from users, including employees in workplace wellness programs.

“Some of the medical apps are just completely bogus and don’t give you anything helpful back,” Prince said about the general health data privacy environment. “But they are collecting data on you, not just health information but geolocation and other data that’s worth money.”

Another trend in wellness programs is employers offering employees consumer-directed genetic tests to help them understand what medical issues they may be predisposed to and what preventative measures they can take to combat them. According to the Society for Human Resource Management, 18 percent of employers provided a health-related genetic testing benefit in 2018, up from 12 percent in 2016.

Many studies have shown that people are not aware of the Genetic Information Nondiscrimination Act or what privacy protections they have through the law, Prince said. “GINA is quite protective in employment in the sense that employers are not allowed to use genetic information to discriminate, so they can’t make hiring, firing, promotion, wage, any decisions based on genetic information,” she said, adding that genetic information includes family medical history, genetic test results and more.

Still, she said, there are some exceptions with GINA, including private employers with fewer than 15 employees and any employee in a voluntary wellness program.

There is currently a legal debate on whether wellness programs are voluntary or if employees feel coerced to join them, Prince said. Some wellness programs are participatory — meaning that employees don’t need to hit a certain health outcome target to earn the incentive — but others are health contingent. Employees need to lose some amount of weight or accomplish another target measurement to get the financial benefits of the wellness program.

These programs are more participatory currently, she said. But if programs that collect genetic information become health contingent, that could bring up ethical issues and become more invasive.

“If you think of [Breast Cancer gene] testing, which is a predisposition to breast and ovarian cancer, one of the preventive measures right now is to prophylactically remove your breast and ovaries. My dystopian future is the employer saying, ‘Have you finished having kids yet? Get on that, so that you can remove your ovaries,’” she said.

This discussion begs the question of who is ultimately the best actor to push people toward better behaviors and health outcomes, she said. Society has to ask if employment is the best place to do this.

“In a way the answer is yes because we’ve created a system where health insurance and employment are so intertwined, but maybe employment isn’t the right space to be encouraging people to make the right health choices,” she said. “Maybe that should be a public health system or your primary care physician or researchers.”

The Pentagon has advised service members not to engage in 23andMe genetic tests, said Glenn Cohen, professor of law at Harvard Law School, and faculty director of the Petrie-Flom Center for Health Law Policy, Biotechnology and Bioethics.

There’s a major national security reason for this, he said, but part of the reasoning also has to do with protecting service members’ privacy. The military is exempted from GINA, which is the law which prohibiting genetic discrimination by employers.

Also read: The Ethics of Artificial Intelligence in the Workplace

Consent, Transparency and Communication

Employers could communicate with employees better, Jerome said. Privacy is more than just legal compliance, which may include a disclaimer in the company handbook or on the employees’ computers that inform them “All this can be tracked and monitored.” This can help set up the expectation for employees that they should have no expectation of privacy in anything they do at work.

While most employers have done their legal duty, they’ve yet to have a conversation with employees about what they’re actually doing with this data, Jerome said.

Also read: Are You Part of the Cybersecurity Solution … Or Part of the Problem?

“I get that those conversations can be difficult and uncomfortable and frankly might get employees riled up, but I think that’s probably a good thing in the end,” he said.

Employers — who sit on large troves of employee health data — may have the legal right to share data, but that doesn’t mean employees and other parties won’t criticize them, said Cohen. “They have to be worried a little bit about how it’s going to play as a PR matter and, in an industry where they’re competing for talent, how employees feel about [it],” he said.

When Ascension Health partnered with Google for the “Project Nightingale” initiative late last year — allowing the tech company access to the detailed personal health information of millions of Americans — it received a lot of backlash. It could be dangerous for an organization like Google, which already has so much of people’s personal data, to get access to people’s health records as well, critics argued. Supporters said it was perfectly legal.

“My recommendation in general is even if you legally have the right to share the data, you may want to think about creating some internal governance mechanisms that have employees involved in trying to decide what gets shared or not,” Cohen said.

Practically, this could mean that the organization charters a committee that includes employers, employees and subject matter experts who can explain both the uses and the risks of adopting a certain solution, he said.

This could be a valuable decision for employers because better decisions get made and it’s better for the employer’s reputation, he said. When people find out a company has sold its employees data, it could look bad if there hasn’t been employee input in the decision.

For most organizations dealing with health data and other personal data, their reputation is based on how they treat that data, said Ed Oleksiak, senior vice president at insurance brokerage Holmes Murphy. A data breach or misuse of data would be bad press, so the company would be incentivized to protect that data and ensure it’s used properly

When there is a health data mishap, there are a couple ways that organizations can address that breach of trust, he said. Organizations can provide impacted employees some kind of identity theft protection that will help them mitigate any harm. Further, the company is required to address whatever has resulted in the breach and do whatever it can to make sure it can’t happen again in the future.

“Whether it’s the employer’s health plan, a hospital system, or a technology provider, everybody’s reputation is contingent on successfully mitigating that,” Oleksiak said. “You just have to start over again, and try to fill that cup of trust back up.”

Oleksiak also suggested that employers follow a key tenet of only getting and storing the minimum necessary data. Even though people involved with employee health plans most likely want to use patient data for the right reasons, people who can hack into these systems can access everything, including more unnecessary data.

Ultimately, this is an issue of balance. According to the aforementioned Georgetown Law Technology Review “Re-Identification of ‘Anonymized’ Data,” “data utility and individual privacy are on opposite ends of the spectrum. The more scrubbed the data is, the less useful it is.”

Still, there are positive things companies can do with this data, Oleksiak said. No matter what privacy rules and regulations are put in place, a bad actor is going to find a way to do something that’s for their own benefit.

“Hopefully we write rules that go after people that abused their position or access to data, but still allow everybody else that’s doing it for the right reasons to get the job done,” he said.

December 16, 2019June 29, 2023

Court Finds That the ADA Does Not Protect Employee’s Dormant Genetic Condition

Sherryl Darby has the BRCA1 gene, otherwise known as the breast cancer gene, the best known gene associated with breast-cancer risk. Approximately two months after she started working as an administrative assistant at Childvine, an early childcare provider, Darby opted to have a double mastectomy to decrease her risk of developing breast cancer in the future. Two weeks later, Childvine fired her.

Despite the close-in-time link between Darby’s surgery and her termination, the district court dismissed her ADA lawsuit.

While “normal cell growth” is a major life activity the ADA protects, the court could not find that the BRCA1 gene is a physical impairment that substantially limits normal cell growth.

Although mindful that the ADA is to be broadly construed, the Court concludes that Plaintiff fails to state a claim upon which relief can be granted. Plaintiff has offered no statutory, regulatory, or caselaw support for her “legal conclusion couched as a factual allegation” that the BRCA1 gene, like cancer itself, is a physical impairment that substantially limits normal cell growth. And the Court’s own research has found none.

It is true that the Sixth Circuit has held that some conditions, even when dormant, may constitute a physical impairment.… But this is not a circumstance akin to remission of cancer. Rather, it is, presently, the absence of cancer.

The Court’s decision should not be read to trivialize Plaintiff’s legitimate fear of developing breast cancer or minimize the transformative measures she took to avoid it. It merely recognizes that this Court’s role is to interpret, not legislate. To expand the definition of physical impairment to include a condition that might lead to a disability in the future effectively puts every employee under ADAAA protection.

Whatever issues I have issues with this decision (and I have some big ones) could have been cured by pleading this case differently. I question why Darby pleaded her protected disability as an actual disability instead of a regarded as disability. I think she would have a had a much better chance at surviving dismissal if she framed her claim as one in which her employer terminated her based in its perception of her having a disability (which does not require any proof of any actual disability) instead of any actual disability itself.

Moreover, in many cases its largely irrelevant whether the ADA covers a dormant genetic disorder because another statute already does—GINA, the Genetic Information Nondiscrimination Act. GINA prevents employers from using genetic information in employment decisions. GINA likely wouldn’t have helped Sherryl Darby, because it does not appear the issue of her having the BRCA1 gene arose until her lawsuit (and long after her termination).

This case will be often be cited for the proposition that the law does not protect an employee’s dormant genetic condition. While that is true based on how Darby pleaded her claims in this case, employers should not treat Darby as a license to discriminate, as doing so will likely violate both the ADA and GINA in many cases.

November 30, 2016June 29, 2023

Genetic Testing Gets Toothy as a Workplace Benefit

Amway Corp. is joining a growing list of large employers adopting genetic testing as a workplace benefit.

Starting in January, the multilevel marketing giant will offer genetic testing by Interleukin Genetics Inc., a Waltham, Massachusetts, developer of genetic tests for chronic inflammatory diseases such as heart disease, diabetes and arthritis. Using a cheek swab, Interleukin’s ILUSTRA genetic risk test, previously called PerioPredict, can detect a person’s tolerance of inflammation levels, said Interleukin CEO Mark Carbeau. Proper dental care can lower inflammation levels, which affect other areas of health, like risk of diabetes, heart disease and stroke, he said.

“Inflammatory burden systemically is created by bacteria in your gums, so the notion is if we clean up your mouth, we can cool down a large source of chronic inflammation and that allows the body to control and manage those other sources more effectively,” Carbeau said.

Amway joins the likes of Visa Inc. and insurer Aetna Inc. to introduce genetic testing for employees. Visa is offering genetic testing for breast and ovarian cancer, while Aetna implemented a pilot program testing employees at risk for heart disease, stroke and diabetes. Companies including venture capital firm Andreessen Horowitz and online survey company SurveyMonkey also are using genetic testing among their employee population.

Genetic testing in the workplace presents legal hurdles that could limit wider use, said Seth Perretta, partner with Groom Law in Washington, D.C.

Companies can’t require employees to take a medical exam under the Americans with Disabilities Act. Under the Genetic Information Nondiscrimination Act, or GINA, a federal law protecting people from genetic discrimination in health care and employment, employers can’t tie a financial incentive to the completion of a genetic testing program.

“Offering genetic testing outside a major medical plan would be rife with legal risk for the employer,” said Perretta. “It would almost certainly have to be structured as part of the major med plan or limited to folks enrolled in an employer-sponsored med plan. And it would have to be fully voluntary.”

Still, there’s value to it, Perretta added. “But for some reason Congress has clearly spoken that from a policy perspective, they’d rather have the ailment manifest itself prior to an employer getting involved.”

There are also privacy concerns. It can feel like a step down the path of the employer getting too involved in the personal lives of its employees, said Jim Winkler, Aon Hewitt’s global health innovation leader. Employees need to know that their employers won’t have access to the data, and employers have to communicate that effectively, he said.

Interleukin’s program is a voluntary benefit that is covered by GINA. Interleukin explains to the employer the test’s purpose and how it would be used, but only provides the genetic information to the employee’s individual dentist.

Amway chose to offer this in their group health plan to encourage employees to expand their awareness of their personal health risks and the various resources available to them, said Tom Boehr, manager of corporate wellness and employee engagement at Amway, in an email.

wf_1116_fyb_genetictesting_winkler-jim-2016_300px — Like “many things in our lives that are technology enabled, there is probably an element of inevitability to this. It’s just a question of, ‘Is it in the next year? The next five years? The next 20 years?’” said Winkler.

“The offering is another form of education that Amway is introducing to its employees in order to further empower them to make health care choices that are in their best interest,” Boehr said.

Genetic testing is still new in the benefits space, but Winkler believes that, like “many things in our lives that are technology enabled, there is probably an element of inevitability to this. It’s just a question of, ‘Is it in the next year? The next five years? The next 20 years?’ ” he said.
The technology involved and the equipment used are becoming more efficient and less expensive. Ten years ago, the costs to isolate specific attributes of DNA was in the tens of thousands of dollars, and today it’s in the hundreds of dollars, Winkler said. Possibly, as genetic testing solutions become less expensive, consumers may become more interested, at which point employers wouldn’t even necessarily have to offer the benefit.

He compared it to Fitbits and other wearable devices. Five years ago, the only people who used them were the ones who got them from their employer. Now, they have a huge commercial market.

“You could start to see this in the genetic testing space as well — over what period of time, I don’t know,” he said.