Genomic Data and Privacy: Background and Relevant Law (CRS Report for Congress)
Release Date: May 11, 2015
Report Number: R44026
Report Type: Report
Authors: Amanda K. Sarata, Coordinator; Wendy Ginsberg; C. Stephen Redhead; Daniel J. Richardson
Source Agency: Congressional Research Service
Summary:
Advances in genomics technology and information technology infrastructure, together with
policies regarding the sharing of research data, support new approaches to genomic research but
also raise new issues with respect to privacy. The development of new genomic sequencing
technologies has allowed for the generation of big data, and recent changes in information
technology infrastructure have facilitated big data storage and analytics. These developments are
expected to support significant changes in health research and, eventually, in health care delivery.
Genetic and genomic research—and other “omics” research—have generated large amounts of
genetic data. If these “large-scale genomic data” are generated as a part of research funded by the
National Institutes of Health (NIH), then they are subject to specific data sharing policies and are
often held in publicly available databases. Among other things, advances in sequencing
technology have enabled this research, making large amounts of data available at a rate that has
generally outpaced the ability to both store and analyze that data.
NIH has established a comprehensive policy for the sharing of genomic data that “applies to all
NIH-funded research that generates large-scale human or non-human genomic data as well as the
use of these data for subsequent research.” This policy requires investigators to outline their data
sharing plans as part of their funding applications; if investigators fail to submit the required data,
NIH may withhold funding. Investigators are required to de-identify the data prior to submitting it
to NIH-designated data repositories, according to the requirements of both the HHS Common
Rule and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
Some recent studies have begun to suggest that different types of molecular data may be more
likely to cause privacy issues than had been previously understood, and specifically, that
de-identified large-scale genomic sequence data may in fact be able to be reidentified. In a recent
study, researchers were able to reidentify research participants using the publicly available
de-identified personal genome data and other publicly available metadata.
This demonstration of reidentified individuals in a research study using de-identified genome data
raises the question of whether—and if so, how—relevant current law should be modified in
response to this new capability. Relevant law governs informed consent, access to research data,
and the use of this data, and includes (1) the Health Insurance Portability and Accountability Act
(HIPAA) Privacy and Security Rules; (2) the HHS Regulations for the Protection of Human
Research Subjects, or the Common Rule; and (3) the Genetic Information Nondiscrimination Act
of 2008 (GINA). In addition, the Freedom of Information Act (FOIA) is relevant, not in the sense
that it protects information from a potential privacy breach, but in that it allows public access to
much of the information held by the federal government. This report discusses these
considerations in the context of each of the relevant laws and regulations.