Want to know what's happening next in healthcare?

MedCityNews is the leading online news source for the business of innovation in healthcare.


“MedCity news is a peerless national resource for those of us who really want to stay on top the very latest news in healthcare from incumbents to startups. ”

Elliot Menschik, DreamIt Ventures partner; Venturef0rth founder; Penn professor


Sign up for our daily newsletter


Just in time for HIPAA update, researchers ID 50 men in genomic database

8:27 pm by | 2 Comments

It’s the kind of thing that data privacy advocates fear most: that the massive amounts of de-identified genomic data collected through diagnostic tests and exchanged by scientists for research will somehow be hacked and the true identities behind the data will be revealed. But that’s exactly what happened when a group of researchers discovered a loophole and were able to identify 50 males as part of a study published by the journal Science this month.

Yaniv Erlich, a human geneticist at the Whitehead Institute for Biomedical Research in Cambridge, Massachusetts led the study, according to Nature. The researchers used a “surname interface” to find patterns in the Y chromosome and search recreational genetic genealogy databases. A summary describing the study said:

“We show that a combination of a surname with other types of metadata, such as age and state, can be used to triangulate the identity of the target. A key feature of this technique is that it entirely relies on free, publicly accessible Internet resources.”

That’s not the sort of thing data sharing champions particularly like and in a cautious move, the NIH division — US National Institute of General Medical Sciences — removed some data from public view.

Advertisement

The study concludes that people who participate in genomic research need to be better informed of data security risks, according to a Fierce Health IT article.

It’s a worrying development, particularly since it comes just as the new rules for the 17 year old Health Insurance Portability and Accountability Act were published this week (coming in at a weighty 532 pages). Although it may be a bit of a reach to connect HIPAA, which  is more concerned with patient data in electronic medical records, with genomics, that’s the direction we’re moving in.

A Reuters article illustrating the difference between the old and new HIPAA rules on data breaches said:

Before the change, companies only had to report the breach if the disclosure of information presented a significant risk of financial, reputational or other harm to the patient. Now if there’s an unauthorized disclosure and the health information is likely compromised, the company has to notify the patients and the government regardless of the risk of harm. If the breach affects more than 500 people in a certain area, the company must also inform the local media.

It looks like this is the kind of breach that would result in some particularly onerous penalties, depending on whether the NIH would be considered a healthcare company or “business associate,” in the eyes of the law. It’s sure to cause much more debate between those urging a more cautious approach to how data is handled and those who want  data to be more freely available for a variety of needs such as advancing personalized medicine to developing a better understanding of population health trends.

Copyright 2014 MedCity News. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Stephanie Baum

By Stephanie Baum

Stephanie Baum is the East Coast Innovation Reporter for MedCityNews.com. She enjoys covering healthcare startups across health IT, drug development and medical devices and innovations deployed to improve medical care. She graduated from Franklin & Marshall College in Pennsylvania and has worked across radio, print and video. She's written for The Christian Science Monitor, Dow Jones & Co. and United Business Media.
Visit website | More posts by Author

2 comments
brdi
brdi like.author.displayName 1 Like

Well, I'm afraid this is just out of our hands. We can and perhaps should try to stop the acquisition of the identity where that was not intended, but we will not be able to put the beast back in its cage. the old days are over wether we like it or not. Trying to harvest the benefits of the Information Age, we will pay a price.