The DTC genetic testing industry has experienced rapid growth and now finds itself in a climate of intensified scrutiny from federal and state regulators. Numerous companies that offer DNA-based health insights, ancestry results, or genetic predisposition information are feeling the heat and being forced to ensure that their operations are in line with an increasingly fragmented federal and state regulatory scheme. It is no easy task. These companies risk enforcement actions from the FDA, penalties for lapses in data privacy, and legal exposure for making false or misleading marketing claims.
This guide covers the critical legal aspects that DTC genetic testing companies must deal with, such as the following:
- FDA regulations concerning genetic testing;
- HIPAA and state privacy laws that concern you and your customers;
- FTC standards for marketing your product; and
- regulatory pitfalls that DTC companies commonly fall into.
FDA Regulations for Genetic Testing: Is Your Product a Medical Device?
One of the first compliance questions for DTC genetic testing firms to consider is whether their offering is subject to FDA oversight, specifically, whether it is a medical device. Health-related tests—those that might indicate a person’s likelihood of coming down with a specific disease, for example—usually face some federal scrutiny. That can be as light as a product being “cleared” by the FDA through a rather straightforward process for low-risk devices.
Genetic tests typically can be divided into three main categories. Medical device tests, which are regulated by the FDA, comprise those that detect genetic markers linked to some disease risk, including the chance of getting certain cancers. In contrast are the general wellness tests that report, among other things, ancestry information. These tests are not regulated by the FDA. A third, mixed-bag category includes the Laboratory-Developed Tests, which are used in the somewhat mysterious manner the title suggests.
Companies can refer to the FDA’s guidance on direct-to-consumer (DTC) genetic testing to understand how the agency differentiates between medical and nonmedical devices. This guidance can be found online at the following address: https://www.fda.gov/medical-devices/in-vitro-diagnostics/direct-consumer-tests.
It’s important to note the 2013 FDA action against 23andMe. In this case, the FDA barred the company from marketing genetic health reports because of concerns over the unsubstantiated claims that the health reports made about how a person’s genetic makeup could impact their health. The company subsequently worked with the FDA to obtain market approval for some of its reports. You can find the FDA’s warning letter linked here: https://mediacenter.23andme.com/press-releases/fda-letter-2013/.
HIPAA and State Privacy Laws Governing Genetic Data
Though numerous DTC genetic testing firms aren’t governed by HIPAA because they don’t qualify as covered entities, they’re still bound to comply with the stringent privacy laws that states have put in place. And in an ever-growing number of states, those laws include specific provisions that deal with the collection and use of genetic data—by both the entities that do the collecting and by the law enforcement agencies that might come a-callin’ after the fact.
A principal piece of federal legislation is the Genetic Information Nondiscrimination Act (GINA). It bars the use of genetic information in making decisions about health insurance or employment. For more information about GINA, please see: https://www.eeoc.gov/statutes/genetic-information-nondiscrimination-act-2008.
California has established the Genetic Information Privacy Act (GIPA), which mandates that before any genetic information can be shared, companies must first obtain explicit written consent. To read the full text of this piece of legislation, go to https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202120220SB41. Other states, like Vermont and New York, have enacted similar laws requiring detailed disclosures and consent before any testing can occur.
To safeguard genetic information, firms must always secure informed consent from individuals before gathering any biosamples, employ robust encryption methods for the storage and transfer of sensitive data, and ensure transparency through privacy policies that the average layperson can understand. A good place to view state-specific genetic privacy laws is the website of the International Association of Privacy Professionals.
FTC Advertising Guidelines: Avoiding Misleading Genetic Test Claims
The FTC closely watches the marketing of DTC genetic testing companies. It wants to be sure consumers aren’t being sold a bill of goods. Genetic tests that purport to tell you something useful about your health are supposed to have rigorous and reliable science behind them. Claims of this nature must be backed by solid science if a company making them wants to be on the right side of the law.
To remain compliant, companies need to ensure that all health outcome advertising claims are backed by credible data. Customer testimonials that imply unrealistic, too-good-to-be-true results must be avoided. And whenever a genetic test is used, the limitations of that test must be fully and plainly disclosed.
In 2021, an FTC enforcement case against a DTC genomic testing company resulted in the company’s discontinuation of promotional practices that involved making dubious DTC genomic health risk claims. For businesses wanting to understand the applicable legal standards, a helpful compliance guide can be found at https://www.ftc.gov/business-guidance/resources/health-products-compliance-guidance.
State Licensing Requirements for DNA Testing Laboratories
An additional layer of compliance requires that the lab performing the genetic testing be licensed and certified to operate under both state and federal laws. Most laboratories must be certified under the Clinical Laboratory Improvement Amendments (CLIA), and numerous states—most notably California and New York—have laboratory licensing requirements that exceed those of CLIA.
DTC genetic testing companies should either partner with laboratories certified under the Clinical Laboratory Improvement Amendments (CLIA) or obtain the necessary licenses if they operate their own laboratory. For medical device-type tests, it is likely that some level of physician oversight is also required. Even for non-medical tests such as those for ancestry or lifestyle, companies should very clearly state that the results are not to be used for making medical decisions.
You can find the federal CLIA requirements at https://www.cms.gov/Regulations-and-Guidance/Legislation/CLIA. Information regarding state-specific lab licensing—like that which is needed in New York—is located at https://www.wadsworth.org/regulatory/clep.
Best Practices to Avoid FDA, FTC, and Privacy Law Violations
To limit legal liability, companies that offer direct-to-consumer genetic tests should first ascertain whether the tests are legally classified as medical devices and thus governed by the FDA. If so, the next step is to obtain the necessary clearances and/or approvals before commencing any marketing efforts. Compliance with both federal and state privacy laws is very much in order, especially when the company in question is working with genetic information that is obviously very sensitive. These practices would seem to eliminate any potential for very likely troublesome FTC actions.
In conclusion, businesses ought to get into the practice of examining and refreshing their privacy policies to keep pace with the new laws being enacted and the old ones undergoing reinterpretation. For instance, last July, the Federal Trade Commission and the Food and Drug Administration, both of which have significant authority to regulate the health marketplace, took a serious look at some of the emerging practices they feel are potentially harmful to consumers.
Conclusion & Call to Action
To work in the DTC genetic testing area requires careful advance planning in the law and active, ongoing compliance. This is a closely watched sector, with the FDA, FTC, and various state agencies taking a close interest. And with all that interest, you can be sure that violations are not going to be looked upon kindly—and they could prove quite costly. If you need help with matters like those we’ve listed here, you might want to give the Cohen Healthcare Law Group a call.

