HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

ACLU Claims Myriad Genetics Violated HIPAA Rules by Withholding Genetic Data

Late last week, a complaint was filed with the Department of Health and Human Services’ Office for Civil Rights by the American Civil Liberties Union after Myriad Genetics refused to provide four patients with copies of their full genetic records – an alleged breach of the HIPAA Privacy Rule.

The patients in question had undergone genetic tests to assess hereditary risk for bladder, breast, and ovarian cancer. Myriad provided the patients with details of the genetic factors which were deemed to be significant and useful for healthcare providers. However, the data provided to the patients did not include information about all of the genetic variants Myriad’s testing had uncovered.

The patients requested copies of all of their genetic data that was held by Myriad Genetics, including the genetic variants that Myriad deemed not to pose a risk to the patients.

Myriad refused to provide copies saying the patients were not entitled to copies of the withheld data. It was claimed that the withheld data was not part of the designated record set which Myriad is required to provide to patients under the HIPAA Privacy Rule.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The complaint was filed with OCR because the patients wanted access to this information so they could “proactively track their families’ genetic dispositions to cancer.” The patients also wanted the option of providing those data to healthcare organizations for research purposes and also to enable them to submit the data to public databases.

After learning of the pending legal action, Myriad voluntarily decided to provide all of the data to the four patients as requested; however, that was not enough to stop legal action being taken against the company for alleged violations of HIPAA Rules.

Myriad does not believe HIPAA Rules have been violated and that the company is within its rights to withhold the data. The data that were initially withheld were not deemed to be relevant to healthcare providers for the purpose of providing treatment to patients, and therefore were not supplied as part of the designated record set.

ACLU senior staff attorney Sandra Park explained that while the four patients now have copies of the information they requested, Myriad still refuses to accept that all genetic testing data should be included in its designated record set. This potentially could result in other patients having difficulty obtaining all of their data in the future. She said “Myriad needs to recognize that HIPAA protects all of its patients’ rights to access their complete genomic information.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.