INTRODUCTION

Individuals are increasingly able to gain access to their raw genetic data and are looking to understand them.1 Numerous online services have emerged to satisfy the demand for interpretation, reinterpretation, and self-interpretation of these data.2 Although initial reports indicate that satisfaction with third-party genetic interpretation services is high,3,4 concerns are being raised about their accuracy, safety, and privacy practices.5,6,7,8

Government regulation is a traditional mechanism for addressing potential harms of products and services made available to the public, and it is especially prevalent in the health sector given the special responsibilities of governments to protect public health. In recent years, US federal agencies have exercised some oversight of direct-to-consumer (DTC) genetic testing firms with the goal of reducing consumer confusion about the meaning of test results.9 But these same agencies have not yet exercised regulatory authority with respect to entities whose services consist solely of interpreting, reinterpreting, or facilitating self-interpretation of individuals’ raw genetic data. As a result, there exists substantial uncertainty regarding whether and how third-party genetic interpretation services might be regulated.2,10,11

To clarify this area, we analyzed the potential oversight of third-party genetic interpretation services by the US federal government. Because any regulatory analysis depends on the nature of the regulated activity, we begin by identifying the factors giving rise to expanded individual access to raw genetic data and surveying the landscape of independent services offering to assist with interpretation of these data. We then consider potential oversight of these services by four federal agencies that generally have been active in the regulation of genetic testing services and information: the Centers for Medicare and Medicaid Services (CMS), which regulate clinical laboratories; the Food and Drug Administration (FDA), which regulates medical devices; the Department of Health and Human Services’ Office of Civil Rights (OCR), which enforces health information privacy regulations; and the Federal Trade Commission (FTC), which protects consumers against unfair or deceptive trade practices in commerce. Importantly, this analysis is limited to the regulatory authorities of US agencies, which might not reach third-party genetic interpretation services based in other countries for legal or practical reasons. However, as discussed below, it appears that most services are currently based in the United States, and we find that the scope of federal jurisdiction over these services—while limited—could be appropriate at this time, subject to agency clarification and appropriate exercise of oversight.

EXPANDED ACCESS TO PERSONAL GENETIC DATA

The rise of third-party genetic interpretation is rooted in the expansion of opportunities for individuals to access their raw genetic data, which have been defined as data that result “from the sequencing of an individual’s complete extracted DNA or a portion of the extracted DNA.”12 These data are generated using microarray genotyping or next-generation sequencing, a general term used to encompass a number of technologies that enable rapid determination of all or part of the nucleotide sequence of an individual’s genome. A common way to obtain raw genetic data is from DTC genetic testing providers, whose customer base (according to one estimate) surged to 26 million customers by the start of 2019.13 Although a few states (e.g., Maryland) limit who may order clinical laboratory tests to physicians and other authorized persons,14 many DTC genetic tests are broadly available to US residents. Every major provider in the DTC genetic testing market (including 23andMe, AncestryDNA, and MyHeritage) allows customers to download their raw genetic data, which seems to be a common motivation for pursuing DTC genetic testing in the first place.3 Access to one’s raw data is also a feature of new broker services, such as Genos, that sequence individuals’ genomes and connect those individuals (and their data) to interested researchers.15

However, we should also expect individuals who participate in biomedical research to increasingly access their raw genetic data directly from researchers. Indeed, the historical view of the research community that such data should not be returned is shifting in favor of individual access.16 In July 2018, this practice was endorsed by a committee of the National Academies of Sciences, Engineering, and Medicine (NASEM), which recommended that return of results, including raw genetic data, become a routine consideration in research because it demonstrates respect for participants and promotes transparency and trust in research.16 More recently, the National Institutes of Health (NIH)–sponsored All of Us Research Program joined Harvard’s Personal Genome Project and the University of Michigan’s Genes for Good in promising participants access to their raw genetic data.17

Meanwhile, recent changes to the Health Insurance Portability and Accountability Act (HIPAA) have made it easier for patients and research participants to access their genetic information even when clinicians and researchers do not offer it.18 Since 2001, individuals in the United States have enjoyed a broad right of access to their medical records and other protected health information under HIPAA’s Privacy Rule.19 Before 2014, HIPAA exempted laboratories from compliance with the access right, consistent with federal laboratory regulations that at the time generally prohibited clinical laboratories from providing information directly to individuals.19 In 2014, the Department of Health and Human Services (HHS) revised both regulations to eliminate these barriers to access. As a result, all HIPAA-covered entities, including HIPAA-covered laboratories, are now required to provide individuals their protected health information upon request if it could be used to make decisions about themselves or others.20,21 In 2016, OCR, which enforces HIPAA, issued guidance interpreting this right to include access not only to genetic test reports, but also to “the full gene variant information generated by the test[s].”22

NEW OPTIONS FOR EXPLORING PERSONAL GENETIC DATA

Whether individuals obtain their raw genetic data from a commercial entity, through participation in research, or as part of clinical care, they have an increasing number of options for exploring them.2 For example, services such as GEDmatch provide users insights on their ancestors’ geographic origins and might also match users to genetic relatives. In the wellness space, FoundMyFitness and others explain users’ genetic variants related to sleep, exercise performance, or longevity, while services such as Genetrainer and NutraHacker sell customers diet plans, fitness plans, or nutritional supplements said to be tailored to their DNA. Meanwhile, Promethease, openSNP, LiveWello, and Enlis Genome Personal help users understand the health implications of their genetic variants by providing reports with risk assessments or providing links to relevant scientific literature or other resources. In a detailed landscape analysis of 23 third-party genetic interpretation services conducted in 2016,2 one of us (S.N.) found that the majority of services (n = 16) offered health or wellness information, while 8 offered genetic ancestry information and 5 offered genealogy services. Many users report providing the same raw genetic data to multiple services to gain a variety of health, wellness, or ancestry insights.3,4

Third-party genetic interpretation services also vary widely in their operational structures and features. Of the 23 services analyzed in the landscape analysis,2 15 services were run by companies; 5 by professional scientists in genetics or a related field, most with active academic affiliations; and 3 by citizen scientists. Unpublished data from that study also identified geographic locations of, and costs associated with, services. Approximately two-thirds of services (n = 16) were based in the United States; the rest were based in countries that included Canada, China, and the United Kingdom. Cost to users varied widely: some services were offered at no cost (e.g., DNA.Land, openSNP); some offered both free services and enhanced, paid services (e.g., Promethease, GEDmatch); and others only offered paid services (e.g., NutraHacker, GPS Origins).

The empirical data that have been obtained thus far suggest that users’ experiences with third-party genetic interpretation services are generally positive.3,4 To the extent that they encourage healthy choices and increase engagement in one’s own health care, such services can be beneficial to individuals. They might also enhance what some studies have found to be a general educational benefit from participating in personal genetic testing, where tested individuals have been shown to be more knowledgeable about genetics than untested individuals in classroom settings.23,24 Meanwhile, services that allow users to share data with research projects, public repositories, and each other can benefit society by expanding the scientific knowledge base.1

However, there are also risks associated with the use of third-party genetic interpretation services. For one, if the variant information that individuals upload to the services is inaccurate, their interpretations will also be incorrect.5 According to one study conducted by researchers at Ambry Genetics, a clinical diagnostic laboratory, users’ receipt of inaccurate raw data might not be unusual. With respect to 49 patients who had obtained DTC genetic testing and were referred to the laboratory for confirmatory testing, the researchers could not confirm 40% of the variants previously identified in the raw data.6

Even when the raw data identified from DTC genetic testing are true calls, the interpretations of those variants might be incorrect.6 In the same study, researchers found discrepancies in the classification of eight variants in five genes. DTC genetic testing services or third-party genetic interpretation services had classified those variants as “increased risk,” whereas Ambry classified seven variants as “benign” and one as a variant of unknown significance.6 Although laboratories do not always agree on variant interpretation, other clinical laboratories reportedly agreed with Ambry’s classifications.6

And even when a variant classification is correct, its clinical significance might be misinterpreted by users or their clinicians, particularly if it is not clearly explained or presented. This can result, for example, when confusing graphics or color coding are used.7 Especially with respect to services that provide health-related information, ambiguity or misinterpretation can be distressing for individuals and cause them to act in ways that are costly and potentially harmful.6

These services also pose risks related to privacy. Consistent with one study’s finding of substantial variability in the privacy policies of 84 US-based DTC genetic testing firms and 6 US-based third-party genetic interpretation services,25 we have observed that the privacy policies and terms-of-use agreements published by third-party genetic interpretation services sometimes follow markedly different practices regarding, among other things, whether they store data uploaded to their sites and to whom users’ data will be made available. For example, Promethease stores “raw genomes” uploaded to its website only if a user creates an account, although the user may permanently delete the data at any time; otherwise, the data is automatically deleted upon generation of a report (the report is deleted within 45 days) or within 24 hours if a report is not generated.26 DNA.Land does not have a feature that allows users to delete a specific “DNA file” once it has been uploaded, although it seems that a user may delete all files by deleting his or her account,27 while GEDmatch allows users to delete their raw data, genealogy data, and profile information, although this information “may be stored as part of a backup or recovery plan.”28 As another example, Promethease states that it does not share users’ “DNA data” with, or sell them to, “any external party, period,”26 whereas DNA.Land might share users’ aggregated genetic data with researchers but does not share individual-level data without a user’s “explicit permission.”29 GEDmatch does not disclose users’ data to third parties; those data are only available to “GEDmatch personnel, including volunteers, on a need to know basis.”28 Other scholars have characterized the privacy policies of third-party genetic interpretation services that they inspected as “vague” and “non-specific.”8 The concern is that such services might not sufficiently safeguard against the disclosure of users’ genetic information to unauthorized individuals or the downstream uses of that information to embarrass, abuse, or discriminate against users or their genetic relatives.

Of course, none of these risks are unique to third-party genetic interpretation services. Clinical laboratories also can return false positives and make mistakes in classifying variants, and privacy is a major issue for every entity that handles health data. However, as discussed below, clinical laboratories and health care institutions and providers are subject to regulations aimed at ensuring competence and reducing risk of errors that could cause harm. By contrast, thus far, federal agencies have not taken any formal position with respect to their authority to regulate third-party genetic interpretation services. As a result, these services have largely been left to regulate themselves.

REGULATORY OVERSIGHT OF PERSONAL GENETIC INTERPRETATION SERVICES

It is not yet known whether self-regulation is working, on balance, to the benefit—or at least not to the detriment—of users of these services. On the one hand, regulatory freedom has supported the growth of a competitive market that encompasses the provision of a range of services offered at various price points—and in some cases free. It also has lowered barriers to entry for firms that might not have the resources to navigate legal compliance. GEDmatch, for example, was developed by genealogy hobbyists and the relative matching services it provides have come to be regarded as the go-to destination for serious genetic genealogists.30 On the other hand, the absence of regulation might lead to lower quality services. If so, it is important to clarify the scope of regulatory authority over third-party genetic interpretation services to understand the ways in which the federal government might work to minimize risks of harm to users. Here, we probe the regulatory scope of four US federal agencies that potentially have relevant authority given their historical roles in the oversight of genetic services and information: CMS, FDA, OCR, and FTC.

CMS

The Centers for Medicare and Medicaid Services administer (in partnership with state health departments) the Clinical Laboratory Improvement Amendments (CLIA) of 1988 and implementing regulations. CLIA governs all clinical laboratories operating in or returning test results to individuals in the United States, where clinical laboratories are defined as any “facility for the…examination of materials derived from the human body for the purpose of providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, human beings.”31 CLIA requires clinical laboratories to hold certificates applicable to the type of laboratory examinations they perform and to demonstrate compliance with regulations addressing, among other things, personnel qualification and training, quality control, and proficiency testing.31,32 CLIA also requires that laboratories have processes in place to ensure that the tests they perform produce analytically valid results.

Although many US-based DTC genetic testing firms appear to use CLIA-certified laboratories to process biospecimens, not all of them do33—presumably on grounds that they do not return health-related information to consumers or their physicians. Some academic research laboratories that do not conduct clinical testing are also not certified by CLIA.16 When required to comply with CLIA certification and state clinical laboratory licensure requirements, however, noncompliance can result in a range of enforcement actions, including certificate or license suspension, civil monetary penalties, and criminal sanctions. It can also result in significant adverse publicity, which occurred in 2017 when CMS thwarted a DTC genetic testing firm’s plans to give away tests at a Baltimore Ravens game because its laboratories were not CLIA certified but, in the view of CMS, the firm’s compliance with CLIA was required because it returned health-related information to consumers.34

A critical issue in determining whether CLIA covers third-party genetic interpretation services is whether they qualify as regulated “laboratories” if they do not collect and process biospecimens. Because the statute defines a clinical laboratory in a way that seems to require direct engagement with physical human specimens, third-party genetic interpretation services appear to be outside CMS’s jurisdiction.35 However, CMS has not yet ruled out the possibility that it might attempt to regulate them. At recent meetings of the Clinical Laboratory Improvement Advisory Committee (CLIAC), an advisory body under the aegis of the Centers for Disease Control and Prevention, a CMS official discussed “nontraditional” testing models according to which different entities separately perform the “wet” (specimen handling) and “dry” (data analysis and other bioinformatics) functions of a test.36,37 CLIAC recommended the formation of a working group to consider “the need for optimal oversight by CLIA” of these nontraditional testing models.37

In the end, CMS might take the position that an entity providing only dry test services is subject to CLIA. But given the limitations of the current statutory language, a legislative amendment to broaden the definition of “clinical laboratory” would likely be needed, a prospect we view as unlikely.

FDA

Under the authority of the Federal Food, Drug & Cosmetic Act (FDCA), the FDA regulates medical “devices,” which are defined as instruments and related articles intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease or intended to affect a bodily structure or function.38 One category of regulated medical devices encompasses in vitro diagnostic medical devices, or IVDs, which are intended for use in the collection, preparation, or examination of human biospecimens.39

Whether a product is a regulated medical device is generally determined, in the first instance, from the manufacturer’s representations in product labeling.35 In general, devices that are categorized as moderate or high risk may not be commercially distributed or promoted without FDA premarket authorization or approval. Failure to comply with applicable requirements can result in a number of penalties, including civil monetary and criminal penalties.

The FDA has taken the position that tests developed and used in-house by clinical laboratories to analyze patient biospecimens—so-called laboratory-developed tests, or LDTs—meet the definition of an IVD and fall within the agency’s regulatory jurisdiction.40 The FDA has historically exercised enforcement discretion with respect to LDTs—i.e., it has not required clinical laboratories performing LDTs to comply with IVD requirements.35 However, the agency generally does not exercise enforcement discretion with respect to firms providing DTC genetic tests, whether or not they qualify as LDTs.35,41

By contrast, the FDA has not yet taken an official position with respect to third-party genetic interpretation services. The FDA has, however, long asserted its authority to regulate software that qualifies as a regulated medical device. Medical software regulated by the FDA includes “software as a medical device” (SaMD) that is intended to be used for one or more medical purposes and is not embedded in another medical device.42

In 2016, the 21st Century Cures Act amended the FDCA to expressly exclude certain medical software from the definition of a regulated medical device.43 Specifically, the Cures Act excluded software that is intended “for maintaining or encouraging a healthy lifestyle and is unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition.”43 The Cures Act also excluded certain “clinical decision support” (CDS) software used to assist clinical decision making, provided specified criteria are met. In particular, to be excluded, CDS software must not be “intended to acquire, process, or analyze a medical image or signal from an IVD or a signal acquisition system.”43 In draft guidance, FDA has stated that algorithms that “analyze and interpret genomic data (such as genetic variations to determine a patient’s risk for a particular disease)” are not excluded medical software because they “acquire, process, or analyze physiologic signals” if the intent of interpreting genomic data is to provide diagnostic, prognostic, or predictive functionalities.44 With respect to “patient decision support” software that otherwise meets the Cures Act criteria for CDS, FDA stated that such software would be subject to its enforcement discretion.44

Applying these provisions to third-party genetic interpretation services, the FDA clearly lacks authority to regulate services that provide or facilitate interpretations of genetic data solely for purposes of helping users understand their ancestors’ geographic origins or identify their genetic relatives, as such interpretations are not intended for use in disease diagnosis, prognosis, treatment, or prevention and do not affect any bodily function or structure.45 With respect to third-party genetic interpretation services that do provide health-related information, however, the regulatory picture is murky. Services that interpret genetic data solely for the purpose of providing diet or fitness plans are likely to be the kind of “low risk” wellness devices that are excluded from the definition of a regulated medical device or to which the agency has applied enforcement discretion, but it is unclear whether the FDA’s regulatory authority or interest would extend to “bridge-to-the-literature” services that solely link users to published literature relevant to their variants.2 Further, although services that analyze signals from DNA genotyping or sequencing platforms to provide their users insights on the potential health implications of their raw data might qualify as medical software that is subject to the agency’s SaMD regulatory framework, it is unclear whether they are the kind of patient decision support software over which the agency will exercise enforcement discretion.

Finally, and as a more general matter, it is unsettled whether the FDA’s authority extends to software that is developed and used by third-party genetic interpretation services but is not itself commercially distributed. The commercial nature of these services is also relevant to potential First Amendment limitations on the agency’s regulatory authority.45,46,47 In particular, it is at least arguable that third-party genetic interpretation services may be engaged in “speech” that qualifies for constitutional protection against FDA restriction. The scope of that protection could be especially robust if the speech is not considered commercial—for example, if the third-party genetic interpretation service is provided for free and outside any commercial context.45

OCR

Shifting to privacy concerns, OCR is responsible for enforcing the HIPAA Privacy Rule, which prohibits covered entities and their business associates from making unauthorized disclosures of protected health information except in specified circumstances.48,49 Covered entities are defined as health plans, health care clearinghouses, and health care providers who transmit health information in electronic form to carry out certain activities related to furnishing, billing, or receiving payment for health care,50 while business associates include individuals and entities that create, receive, maintain, or transmit protected health information on behalf of a covered entity.50 We are not aware of any third-party genetic interpretation service that has the necessary affiliation to a health care institution to qualify as a covered entity or business associate and therefore is required to comply with HIPAA with respect to the data it handles.

However, if a service does qualify as a covered entity or business associate, now or in the future, its privacy obligations apply only to “protected health information,” which is broadly defined as any information (including genetic information) that relates to an individual’s health, health care, or payment for health care and identifies or reasonably could identify the individual.50 Because every person’s genome is unique (with the exception of identical twins), there is a question whether genetic data should be considered inherently identifiable. HHS recently declined to answer this question with respect to a different set of regulations.51 However, it is highly likely that raw genetic data that users upload to third-party genetic interpretation services, and any health information that the services report back to users, would be considered identifiable because it is linked as a practical matter to specific individuals—if not by name, then by email address or other unique identifier.52

Still, if the personal genetics landscape continues to evolve independent of health care institutions and providers, the vast majority of services will not be required to comply with HIPAA privacy mandates, although they might be subject to state law privacy mandates applicable to health information generally53 or genetic information specifically54 that are broader in scope.

FTC

Where HIPAA privacy protections do not apply, the FTC has the ability to ensure the privacy of, and other consumer protections for, those who use third-party genetic interpretation services. The FTC is responsible for consumer protection through enforcement of the Federal Trade Commission Act (FTCA).55 This statute authorizes the FTC not only to eliminate, but also to prevent, “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.”56 Under this broad statutory grant, the FTC polices unfair and deceptive acts related to the collection, sharing, and use of consumer information, where failure to honor a privacy policy or provide adequate data security can constitute a violation of the FTCA.57

The statute also encompasses unfair or deceptive health claims associated with products and services. The FTC has discretion to determine what evidence is necessary to ensure health claims are nondeceptive, and it has made clear that it expects such claims to be supported by rigorous scientific support. For example, the agency has required substantiation of health claims by randomized clinical trials,58 including in the context of companies making nutrigenetic and dermagenetic claims.59

The FTC’s jurisdiction under the FTCA extends to persons, partnerships, and corporations, which are defined to include any incorporated or unincorporated association that is organized to carry on business for its own profit or that of its members.56,60 In a limited number of cases, the FTC has successfully brought enforcement actions against nonprofit associations that were used as vehicles to obtain profit. Although the determination of whether a person or entity is covered by the FTCA is a fact-intensive inquiry, it is likely that many third-party genetic interpretation services are covered to the extent they charge for services. It bears emphasis, however, that the commercial nature of transactions will not necessarily determine the outcome of this inquiry.

In addition to the FTCA, the FTC enforces dozens of other statutes, some of which include provisions intended to promote online privacy and data security, such as the Children’s Online Privacy Protection Act (COPPA)61 and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).62 Some of these statutes are not limited to profit-directed enterprises and so potentially reach many third-party genetic interpretation services.

The FTC has limited resources, however, and so even where it has the authority to take action, the agency might not elect to exercise it but instead prioritize other matters. For example, the FTC has largely taken a wait-and-see approach to regulation of DTC genetic testing, with actions limited to issuing consumer guidance in 2006 to encourage a skepticism of DTC claims63 and taking targeted enforcement actions against GeneLink, Inc.,64 foru™ International Corporation,65 and L’Oréal USA, Inc.66 in 2014 for deceiving consumers by misrepresenting the science behind their marketing claims. Recently, Congress called upon the FTC to take action to ensure that the privacy policies of DTC genetic testing companies are “clear, transparent, and fair to consumers,”67 and one media outlet suggested that the agency has launched an investigation.68 Thus far, however, the FTC has not taken targeted action against the third-party genetic interpretation industry.

Yet, the FTC is well positioned to take selective enforcement action against the industry by using its investigatory powers to gain intimate knowledge of these services and identify which (if any) pose serious risk to consumers. It could also help services better understand their legal obligations by releasing reports and tools that provide practical guidance. A potential model for this approach is the Mobile Health Apps Interactive Tool69 that the FTC produced in cooperation with OCR, the FDA, and the Office of the National Coordinator for Health Information Technology to help mobile health app developers identify the laws that might apply to their apps. Ultimately, however, the FTC’s decision to take action against third-party genetic interpretation services will depend on a number of factors, including its conclusions regarding the kind and severity of risks to consumers that they present and the ways in which the agency might have the greatest impact.

RECOMMENDATIONS

Although there is significant heterogeneity of third-party genetic interpretation services, it is possible to draw broad conclusions regarding the scope of US federal authority to regulate them. Specifically, the scope of federal jurisdiction is limited, but it might be sufficient at this time given that the landscape of these services remains relatively small. Although OCR likely cannot reach third-party genetic interpretation services, CMS has the indirect ability to promote the safety of those that interpret data generated by CLIA-regulated laboratories by ensuring that the laboratories’ genetic tests are performed according to processes that produce analytically valid results. CMS cannot reach—even indirectly—those services that interpret raw genetic data generated by laboratories that are not CLIA certified. However, problems with the analytic validity of those data should be reduced if federal agencies adopt the recommendations of the NASEM committee to permit the return of research results, including raw genetic data, generated by such laboratories if they comply with externally accountable quality management systems.16

Further, depending on the specific context, the FDA might have jurisdiction to regulate certain software used by these services to provide health-related genetic interpretations, while the FTC has authority over many services, regardless of the type of information they generate and potentially including some noncommercial services. Here, clarity on questions related to jurisdictional scope is needed. Specifically, the FDA should issue guidance regarding its statutory authority to regulate third-party genetic interpretation services, while Congress should clarify the FTC’s authority under the FTCA to regulate entities that generally do not engage in commercial transactions, including but not limited to third-party genetic interpretation services.

Other questions concern when and how the FDA and FTC should exercise the authorities that they do have over third-party genetic interpretation services. At this time, very few services appear to claim that the information they provide is intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease. If such services become more common, however, it would be helpful for the FDA to clarify whether the agency intends to regulate the software used by these services in accordance with the SaMD regulatory framework previously discussed and to provide guidance on appropriate validation for this software. It would also be helpful to know whether, in the FDA’s view, services that describe themselves as “bridges” to health literature and resources, or services that provide their users health insights, qualify as the kind of patient decision support software over which the FDA has stated it will exercise enforcement discretion.44

To complement the FDA’s activities, we support the FTC taking an active regulatory role with respect to wellness and genealogy services. Given its significant resource constraints, the agency would greatly benefit from the fact-finding efforts of others to gain a detailed and up-to-date picture of this landscape. These efforts should include collecting data on the corporate structures and business models used by these services to help evaluate the agency’s jurisdiction over them. In addition, to understand the scope and nature of potential harms experienced by users, it would be helpful to collect additional information about who exactly is using these services and why.3 In light of research indicating that the privacy and data security policies of some personal genomics services are not as transparent or comprehensive as they could be,25 we recommend that the agency begin with these issues and provide practical guidance to help not only third-party genetic interpretation services but all DTC genetic services understand their legal obligations related to privacy and security practices.

In sum, to ensure appropriate oversight of third-party genetic interpretation services, there might not be a need for new legal authorities. Rather, clarification and thoughtful exercise by a number of administrative agencies of their existing authorities might be sufficient to protect against the potential risks presented by these services at this time. Although the resources of these agencies are limited, given that the risks associated with these services (balanced against their benefits) are still not yet fully understood, we believe it would be premature to recommend the allocation of additional resources to regulate them. However, as the landscape of third-party genetic interpretation services continues to evolve and interact with users’ raw genetic data in new ways, it may be necessary to revisit this conclusion.