Myriad Genetics denied its customers access to their full genetic record in violation of federal law.

Should patients have the same right to access their genetic information from a laboratory as they would a copy of their MRI, X-rays, or physical exam records? We believe the answer is clearly yes, which is why today we filed the first complaint seeking to guarantee patients’ rights to their own genetic data.   

The stakes are high. On one side are four patients asserting privacy rights under the Health Insurance Portability and Accountability Act, commonly known as HIPAA, which guarantees access to their entire health record. On the other side is a corporate laboratory with a vested interest in maintaining proprietary control over patient data.

Two of the patients are Barbara Zeughauser and Ken Deutsch, cousins who have lost many family members to breast, lung, and pancreatic cancers. In 2009, Barbara obtained genetic testing and found out that she had an uncommon mutation of the BRCA1 gene that is linked to significantly higher cancer risk. Two years ago, Ken was diagnosed with metastatic bladder cancer and also tested positive for the same genetic variant. That knowledge gave him hope, as doctors thought he would be more responsive to the type of chemotherapy that he was receiving, and following treatment, there is no evidence of cancer.

The entire field of genetics grew from a culture of data sharing, such as the work that led to the reference human genome sequence used by scientists around the world.

Having witnessed firsthand the devastating impact of cancer, as well as the benefits of scientific advancements, Barbara and Ken want to contribute their genetic information to research aimed at better understanding the connections between genes, cancers, and treatment.  They requested their full genetic data record from Myriad Genetics, the Utah lab that performed the testing for them. But in March, Myriad refused to release any of their genetic information beyond the test reports, stating that the patients’ genetic information fell outside of the health information that patients can access under HIPAA. This included the genetic variants it identified in the patients and classified as benign. In effect, Myriad dictated what part of their own genetic information they could obtain. 

Yesterday afternoon, on the eve of the filing of our complaint, Myriad suddenly reversed course.  In an important step forward for Barbara, Ken, and the other patients, it provided them with additional genetic information it had previously withheld. It therefore became clear that Myriad held the data and that they could provide it to patients.  Unfortunately, Myriad specifically said it wanted to “voluntarily” provide the additional information, not that it was doing so because it recognized the rights of all patients to access their full genetic records. Myriad did not rescind its prior position that it was not obligated to provide the genetic data and thus continues to violate HIPAA.

Patients like Barbara and Ken have good reasons for seeking all of their genetic data. First, they want to be able to confirm Myriad’s interpretation of their genes, including any variants it classified as benign, and to be able to monitor their own health as scientific understanding of genetics deepens. Researchers often gain a more complete picture over time of the connections between a particular genetic variant and disease. But unless patients have a full record of their genetic data, which Myriad is obstructing, they cannot proactively track these developments.  

And second, and potentially of even greater importance, the patients all want to contribute their genetic data to collaborative research initiatives. Responsible, patient-centered data sharing is crucial for discovering the relationships between all genetic variants and more effective ways of diagnosing cancer risk and making treatment decisions, as recognized by President Obama’s new Precision Medicine Initiative and the National Cancer Moonshot Initiative spearheaded by Vice President Biden. Indeed, the entire field of genetics grew from a culture of data sharing, such as the work that led to the reference human genome sequence used by scientists around the world.

Yet Myriad departed from this ethos by creating a business based on monopolizing genetic information through patents it obtained on the BRCA1 and BRCA2 genes 20 years ago. We all have these genes, but people with certain mutations have a much higher risk of experiencing breast, ovarian, prostate, and other cancers. Because Myriad controlled patents on the genes, no other lab in the U.S. could provide full testing of these genes to patients, even using a different test. 

In 2013, the U.S. Supreme Court struck down these patents, concluding that they unlawfully claimed products of nature as intellectual property, in a case filed by the ACLU on behalf of 20 scientific and women’s health organizations, geneticists, genetic counselors, and patients. Many other labs now offer more comprehensive and less expensive testing of these genes.

However, Myriad appears intent on holding onto the information it amassed from millions of patients during its 17-year-monopoly in its proprietary database. It will not share its data with NIH-funded public data initiatives, and by denying the patients’ requests for their own data, it is blocking them from contributing as well. Instead, Myriad promotes its own genetic testing services using the data it collected from patients while impeding scientific research and violating patients’ privacy interests in accessing their own information. 

The law is straight-forward: Patients are guaranteed access to their health information — including their genetic data — under HIPAA. In 2014, the U.S. Department of Health and Human Services amended the HIPAA regulations to make clear that all laboratories, which were previously exempted, are subject to this obligation. And earlier this year, HHS released guidance stating that with respect to genetic testing, patients have a right to access “not only the laboratory test reports but also the underlying information generated as part of the test,” including “the full gene variant information generated by the test, as well as any other information in the designated record set concerning the test.”    

The complaint calls on HHS, which enforces HIPAA, to investigate Myriad’s past and ongoing violations of the law. Unless patients’ rights to their own genetic information are enforced, other labs may also choose to follow their own prerogatives at the expense of patient autonomy. Labs should not be able to deprive patients’ access to information about their own genetic make-up and hinder the scientific community’s efforts to prevent and cure cancer.   

For more information, see www.aclu.org/OurGenesOurData