Privacy in Genomics

Several federal laws and regulations provide privacy protections to participants in federally funded research. In addition, other federal laws and policies provide protection in the clinic, insurance or employment areas. Some states have also enacted their own genomic privacy laws that provide additional and varying protections for genetic information, which can be explored in the Genome Statute and Legislation Database.

The Common Rule

Published in 1991, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, establishes the baseline standard of ethics for government-funded human subjects research in the United States. In 2017, revisions to the Common Rule were published, aiming to “modernize, simplify and enhance” oversight. The Common Rule requires all federally funded research projects that fall under its definition of “human subjects” to obtain meaningful informed consent from each participant prior to their participation. Investigators must inform participants of potential risks of the study, including risks associated with release of their private information. Informed consents for genomic research should clarify the uses of research results, including who may receive or access the information. Empirical studies show that, when given control over when and with whom their research data is shared, most individuals are eager to participate in research studies. In other words, informed consent fuels scientific discovery and medical progress. For further information about informed consent in genomics and guidance for researchers or IRB members, please see the Informed Consent for Genomics Research Resource.

NIH Genomic Data Sharing Policy

The NIH Genomic Data Sharing Policy sets guidelines on how to protect research participant privacy while still enabling the scientific community access to valuable research data. A key component of the policy is that access to sensitive, individual-level research data held in federal databases is only available to researchers who submit a request. NIH maintains several databases that contain such genomic information, such as the database of genotypes and phenotypes (dbGaP), the NHGRI Genomic Data Science Analysis, Visualization, and Informatics Lab-Space (AnVIL), and The Cancer Genome Atlas (TCGA). To access sensitive data from one of these databases, scientists must request permission for specific uses from Data Access Committees at the NIH or the database’s curating body. It is important to note that not all information in these databases is held under “controlled-access,” and some data is readily accessible.

Certificates of Confidentiality

Certificates of Confidentiality, issued by NIH, can safeguard the privacy of research participants. These certificates impose a requirement for investigators and institutions to withhold identifying information in civil, criminal or other proceeding at federal, state or local levels. For instance, Certificates of Confidentiality may be used when researchers handle sensitive information that could have a negative impact on research participants or damage their employability, insurability, reputation or financial standing. These certificates aim to promote research participation by assuring participants of their privacy. If a researcher is in possession of a certificate, the release of research information is at the discretion of the investigator and their institution. In 2016, the 21st Century Cures Act amended the Public Health Service Act to automatically issue Certificates of Confidentiality for federally funded research that uses identifiable, sensitive information.

Genetic Information Nondiscrimination Act (GINA)

The Genetic Information and Nondiscrimination Act of 2008 (GINA) protects the genetic privacy of the public, including research participants. The passage of GINA makes it illegal for health insurers or employers from requesting or requiring genetic information of an individual or of family members and further prohibits the discriminatory use of such information. Learn more about GINA on the Genetic Discrimination page.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protects the confidentiality of patients’ individually identifiable health information — or Protected Health Information (PHI) — that HIPAA-covered entities (e.g., health care providers or an insurance company) hold. There are limits on when and with whom PHI may be shared, but there are no such restrictions on the use or disclosure of PHI that has been de-identified. In 2013, as required by the passage of the Genetic Information Nondiscrimination Act, the Privacy Rule was modified to establish that genetic information is considered PHI, and HIPAA-covered entities may not use or disclose PHI that is genetic information for underwriting purposes.

The Freedom of Information Act (FOIA)

Enacted in 1966, the Freedom of Information Act (FOIA) was the first U.S. law to give citizens the explicit right to access federal documents upon request. Information falling under one of nine classes of material, or one of three types of law enforcement documentation, is immune to FOIA requests. For types of information not clearly exempt, the passage of additional laws can establish FOIA immunity. The 21st Century Cures Act (Cures Act) amended Section 301 of the Public Health Service Act to enable a FOIA exemption for identifiable biomedical information that is gathered or used for research purposes. The law specifies that biomedical information is considered identifiable when there is “at least a very small risk, as determined by current scientific practices or statistical methods” that some combination of the information, the request and other available data sources could be used to deduce the identity of an individual. Based on this definition, the FOIA exemption covers genomic information. The Secretary of Health and Human services can invoke this exemption at their discretion when there is even a small risk that an individual could be identified from the requested information.