Consumer Privacy Regulations
Today, there are very limited laws directly addressing consumer privacy issues with at-home testing. Ultimately, individual states determine whether a consumer can order a laboratory test directly, without going through a healthcare provider. Some states may have more permissive regulations that allow consumers to order a wide range of diagnostic tests directly, while others may impose restrictions and require involvement or prescriptions from healthcare professionals when it comes to more complex testing. Some common examples of diagnostic tests that may have restrictions or limitations in certain states include genetic tests, HIV and STD tests, diagnostic image tests, and high-risk tests. At-home diagnostic companies entering into this intricate market must prioritize the transparency of their policies concerning the use and storage of customer data in order to gain the trust of consumers and gain market share.
Addressing Data Collection and Privacy Concerns
The sensitive health information that’s collected and stored by diagnostic companies can be vulnerable to data breaches. As a result, at-home testing will bring new cybersecurity and GDPR (General Data Protection Regulation) concerns. At-home diagnostic testing companies must be aware of any applicable regulatory requirements for data privacy and security of health information. In the event of a data breach, the company entrusted with this information must have a breach mitigation plan in place to minimize impact and regain consumer trust.
At a minimum, companies must ensure their clinical partners employ in-house legal counsel experienced in lab and provider group contracting, adhere to HIPAA guidelines, and leverage technology with uncompromised privacy and security controls. The first organizations to address these concerns will be in a suitable position to market and sell their products and likely gain a higher market share.
With the collection and storage of large amounts of sensitive patient data, labeling and indexing must also be carefully managed throughout the shipment, collection, and storage of all patient samples and data. This ensures that the source of the data is accurately recorded, or that samples are being kept anonymous, depending on the case.
Collecting and Protecting Sensitive Data
At-home diagnostic companies handle more than genomic data on the medical side. Like many others, they collect a wide variety of personal data, including information you share with them such as your name, basic identifiers like your address and email address, and, in some cases, facts about your family and your health.
Companies should carefully select third-party vendors with robust security measures to ensure the protection of people’s private information and storage all in one place. This includes measures such as encryption, tokenization, access controls, and regular security audits to protect consumer data from data breaches or unauthorized access. Encryption is the process of converting sensitive data into a code that can only be decoded with a key or password. At-home diagnostics companies should encrypt all sensitive data both in transit (when it’s being sent or received) and at rest (when it’s stored on servers or other storage devices). Tokenization is data security that involves replacing sensitive data, such as personal identifiers or health information, with unique identification symbols called tokens. These tokens have no meaning or value outside the context of the specific system or organization using them and can be especially valuable to ensure the protection of private information in the context of DTC testing companies.
When at-home diagnostics companies use submitted samples for research purposes, they must disclose this to the user and obtain informed consent. When it comes to this health information, an investigation by Consumer Reports has found that direct-to-consumer genetic testing companies employ policies and practices that unnecessarily compromise consumers’ privacy. Clear communication of data protection policies will help differentiate trustworthy companies from unreliable ones.
The Need for Strong Data Governance
Roughly 70% of Americans say they’re not confident that companies will 1) admit mistakes and take responsibility when they misuse data, 2) be held accountable by the government if they misuse data, or 3) use customer data in ways that people would feel comfortable with. In order to enter the market and earn the trust of skeptical consumers, at-home diagnostic companies must take ample precautions to ensure consumers feel comfortable that their data is being protected. Consumers want to know companies are using this data in a responsible and ethical manner, and they need transparency into the policies and practices about how that data will be used, stored, and protected.
There are several rules and regulations that exist to protect privacy with at-home test diagnostics. In the United States, the most prominent of these regulations is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA establishes national standards for the protection of individuals’ electronic protected health information (ePHI). However, it’s important to note that HIPAA does not apply to all DTC diagnostic testing companies. Because DTC genetic and diagnostic testing companies aren’t considered healthcare providers and generally do not fall under the definition of covered entities or business associates under HIPAA, they’re not directly subject to its provisions. This means that these companies may have more leeway in handling and sharing consumers’ health information. They are not legally bound by the same strict privacy and security requirements as HIPAA-covered entities. As a result, there may be potential risks to the privacy and security of individuals’ health data when using DTC tests that both consumers and diagnostic companies must carefully consider.
Responsibility & Transparency
DTC testing companies should provide clearly stated and transparent information about what data is being collected, how it will be used, and any third-party data sharing or analytics practices. They must then obtain informed consent from consumers before collecting and using their personal information. This is especially critical for companies looking to leverage data from at-home diagnostic companies to develop solutions to medical problems, which has been done in various ways. Diagnostic companies may analyze aggregated and anonymized data for research, personalized medicine, and population health management. The submitted data enables the identification of trends, correlations, and early indicators of diseases, facilitating proactive interventions and remote patient care. One example of a front-runner in this innovative approach to healthcare is Viome, a company that uses advanced technologies to analyze collected biological samples to then identify correlations between the microbiome and health conditions. Viome’s analysis is revolutionizing personalized and preventative healthcare by contributing to the discovery of microbial biomarkers for improved diagnostics.
Data privacy and security measures are crucial considerations for any company looking to use data from at-home diagnostic companies for clinical research. Companies must handle and protect personal health information in compliance with applicable laws and regulations to ensure privacy and maintain individuals’ trust.
Looking Ahead: Privacy for At-Home Diagnostics
With Covid-19 causing so much disruption to the FDA and healthcare regulations, many data privacy and collection regulations were overlooked or hastily approved, creating ambiguity surrounding guidelines and best practices for companies. Yet, at-home diagnostic testing is growing in popularity, and testing companies have an obligation to prioritize data privacy and security, adhere to regulations and clear policies, and be transparent with consumers about their data practices to build consumer trust and grow their market share.
At-home test companies must create accessible and secure platforms that provide high-quality care while simultaneously ensuring the protection of patients’ personal and medical information. In order to create the most effective tools to diagnose and monitor medical symptoms, diagnostic companies must take a consumer-first approach and keep the protection and well-being of patients and their private information at the forefront of all data protection processes.
To learn more about our consumer healthcare services, connect with us today.
Subscribe to Clarkston's Insights
Contributions from Julia Hoffman