How to evaluate a genomic research project’s privacy and security practices

How can I evaluate a genomic research project’s privacy and security practices?

Genomic research programs raise important questions regarding collection of non-health data by the government, use of such data in determining eligibility for services under Medicaid and Medicare schemes, integration of mobile health data to create risk profiles, and use of aggregated de-identified data for non-health policymaking. There are some existing legal protections for federally funded research programs, which protect researchers from being forced to disclose identifying information about you in legal proceedings. However, many of the issues raised by genomic research programs like All of Us are not addressed through these laws. Given the limitations in law, some questions to ask yourself when evaluating these programs include:

  • Do these programs recognize the importance of implementing robust security and privacy practices?
  • How do they communicate such practices?
  • Who is responsible for implementing these practices?
  • What steps are taken to de-identify data? What other steps are taken in presenting aggregate data?
  • Do they allow public access to participant level data?


Do I have a right to access my electronic health records? How do I make such a request?

Yes, if you make a request, health care institutions involved in your care have a legal obligation to provide you with the protected health information they collect about you. This right extends to many different types of information or data including clinical case notes, medical records, billing receipts, insurance documents, lab test results, X-rays or scans, disease management program files, and more. The records should include data or information used to make decisions about you.

First, check that the healthcare institution you are seeking data from is regulated under HIPAA as a ‘covered entity’ or ‘business associate’. For example, a doctor or pharmacy that uses electronic methods to process claims is a HIPAA covered entity. Also make sure that the information or data you are seeking is your ‘protected health information’.

Healthcare institutions may require you to submit a written request with the option of doing so electronically. They are expected to verify your identity when processing such requests. However, they cannot impose conditions that may make it very difficult for you to make the request or retrieve your data – for example, they cannot ask you to physically come to the office and verify your identity when you have asked for the record to be sent to your home.

You can request that the data be provided in paper or digital formats. The healthcare institution has to comply with the request as long as the data can be easily reproduced in your chosen format. If, for example, you ask for data to be sent to you over email and the healthcare institution finds it difficult to do so, they can suggest certain alternatives, such as a secure file sharing service or a USB drive. The healthcare institution can charge you reasonable fees to process such requests to cover labor, supply, and postage costs.

Your right to access your data also allows you to ask the healthcare institution to send your records to any other person or organization. You have to make such requests in writing, authorize the requests, and clearly identify the person or organization to whom you want the records sent. Similar to its obligations when you make a request for the data, the healthcare institution will need to promptly send such records in the format you requested.
