Healthcare Information Security

Patients Allege Genetics Company Violated HIPAA Regulations

Several patients have filed a complaint against a genetic testing company after it refused to provide their genetic information, violating HIPAA regulations.

By Jacqueline LaPointe

Four patients have alleged that a genetic testing company violated HIPAA regulations after it initially refused to provide them with their complete genetic test results, according to an official press release from the American Civil Liberties Union (ACLU), which represents the patients.

“I appreciate that Myriad has provided additional data to me, but I believe that it must give access to all patients who ask for their genetic information,” said Ken Deutsch, one of the individuals who filed the complaint. “As a cancer patient, I am outraged that a lab could stop me or anyone else from seeing our own genetic information and sharing it with the scientific community.”

In the official complaint with the Department of Health and Human Services (HHS), the individuals explained that they underwent genetic testing from Myriad Genetics to evaluate their risk for developing specific types of cancer, including breast, ovarian, and bladder cancers. Myriad Genetics assessed the genetic variants of each individual and determined if they were clinically significant or benign.

Myriad Genetics provided the patients with results for only the gene variants that are considered clinically significant, which may be useful for healthcare providers in evaluating and treating potential cancers.

After receiving the test results, the four individuals requested that the company send information on all genetic variants, even those that were considered benign. The patients wanted the full test results to proactively track their families’ genetic dispositions to cancer, provide their data to research, and submit their genetic information to public databases, according to the complaint.

The genetics company refused to release the withheld data on the grounds that the information is not part of the designated record set, which patients have a right to access under HIPAA rules. Since the information was not deemed useful for helping providers make healthcare decisions for the patient, the company said it did not have to give it to patients.

According to HHS, a designated record set includes “medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals.”

Pending legal action from ACLU, Myriad Genetics sent the withheld data to the complainants, but maintained that it had not violated HIPAA regulations.

“We are thrilled that Myriad took a step in the right direction and provided our clients with the genetic data they sought,” stated ACLU’s senior staff attorney, Sandra Park. “But it’s not enough to provide genetic information only to the patients listed in our complaint. Myriad needs to recognize that HIPAA protects all of its patients’ rights to access their complete genomic information.”

In response, Myriad Genetics released an official statement saying that the complaint lacked “merit and should not be accepted.”

“We believe the Company has acted appropriately, responsibly and in compliance with the laws and regulations governing patients' rights to access their genetic data,” said Myriad’s general counsel, Richard Marsh, in the press release. “Our policy is that all patients who receive a test from Myriad can obtain their test results and records directly from the Company or through their healthcare provider.”

Healthcare data security and HIPAA compliance have been trending topics lately when it comes to genetic testing, especially with the Obama Administration’s Precision Medicine Initiative.

The initiative is calling on over one million Americans to voluntarily submit their genetic information to a national research cohort. With the genetic data, the White House aims to support researchers who are focused on finding cures for rare and chronic diseases as well as developing more personalized and patient-centered care models.

However, many healthcare stakeholders are wondering how the Precision Medicine Initiative plans to protect the health information for over one million individuals, especially since the program encourages robust data sharing.

Despite the Obama Administration’s public commitment to patient privacy in the initiative, several industry groups have come forward to encourage the White House to better define its healthcare data security procedures and access control policies.

Additionally, a recent report from The World Privacy Forum stated that the Precision Medicine Initiative may not have to comply with HIPAA rules. Since the HIPAA Privacy Rule does not apply to health researchers, the initiative should not be considered a covered entity.

As the HIPAA complaint against Myriad Genetics and the Precision Medicine Initiative show, genetic data is becoming a major key to unlocking better healthcare strategies. But the industry must ensure that patient privacy is a top priority, or individuals may be discouraged from offering up their health information.
