Privacy in Genomics

An individual’s privacy should be respected when their genomic information is used for research, clinical applications or other uses. This page summarizes genetic and genomic privacy in these domains, along with information on the specific laws and policies that protect the privacy of genetic and genomic information. In the United States, the applicable privacy protections rest heavily on how and why the information is collected and stored, and stakeholders continue to debate whether we need further measures.

Privacy in Research

When conducting genomics research, two essential values of scientific research should be balanced:

  • the need to share data broadly to maximize its use for ongoing scientific exploration.
  • the need to protect research participants’ privacy.
     

Federal laws like the Common Rule and the Health Insurance Portability and Accountability Act (HIPAA) aim to balance efforts to promote scientific progress and protect patient privacy. This is challenging for genomic data because, with the exception of identical twins, each person’s DNA sequence is unique, which means a DNA sample can never be truly anonymized.

To advance genomics research, NIH houses several databases where researchers can share de-identified genomic data. However, a study published in 2013 shows that research participants can be re-identified using genomic data from one such database paired with genealogical databases and public records. To prevent this, NIH controls access to sensitive or potentially identifiable information in these databases to ensure that researchers who access the data respect the privacy of the research participants (see Genomic Data Sharing Policy below). In addition, NIH issues Certificates of Confidentiality to enable NIH-funded researchers to limit access to research participants’ identifiable health information held at grantee institutions.

Use of Clinical Samples in Research

Specimens collected in medical settings, like blood and tissue taken during biopsies, can serve as excellent sources of samples for genetic and genomic research. For example, scientists can extract DNA from residual de-identified blood spots taken as part of the newborn screening public health program to conduct epidemiological, population-based or other studies on wide-ranging topics, from infectious disease to birth defects. Research using de-identified biospecimens is not considered human subjects research; therefore, it is not subject to the informed consent requirements of the Common Rule. However, some groups raised concerns about this designation. In 2014, Congress passed a law requiring consent for the research use of de-identified blood spots from newborn screening. Revisions to the Common Rule in 2018 reversed this requirement, clarifying that research that uses de-identified newborn blood spots, similar to other de-identified biospecimens, is not human subjects research.

Identifiable populations

Genomic research in identifiable populations (i.e., specific racial or ethnic groups, geographically defined communities and members of ultra-rare disease groups) presents unique privacy concerns due to a diminished ability to protect the privacy of these individuals or groups. For example, members of an identifiable population may experience stigmatization or discrimination if research reveals the group to have a high risk of harboring a genetic variant associated with a specific disease. For some communities, close family relationships may also make it especially challenging to protect participants’ privacy, even if research samples are de-identified.

Privacy in the Clinic

Because of remarkable advancements in genomics research in recent years, the use of genomic testing has gone from rare to routine in many clinical settings. This type of testing has clear clinical benefits to the patient; however, it introduces new risks to patient privacy, and patients are potentially vulnerable to the misuse of their genetic information. To address this, in 2008 Congress passed the Genetic Information Nondiscrimination Act (GINA) to restrict the access of issuers of health insurance and employers to individuals’ genetic information and to prohibit genetic discrimination. Concerns remain as to the use of genomic information to discriminate against applicants for life, long-term care and disability insurance. In addition to GINA, HIPAA protects patient privacy by restricting the sharing of patients’ medical information.

Privacy in Society

Genomics in Law Enforcement

Genetic and genomic information is used by law enforcement to investigate criminal acts and within the legal system to exonerate those who have been falsely convicted of crimes. Authorities use multiple genetic and genomic tools in forensic contexts. The Combined DNA Index System (CODIS) is the Federal Bureau of Investigation (FBI) program of support and software for criminal justice DNA databases. CODIS uses a database of profiles to compare DNA samples from crime scenes with the DNA of convicted criminals and arrestees, or with DNA detected at other crime scenes. Investigative genetic genealogy (IGG) is a new investigative tool that combines genetic analysis with the investigation of publicly available genealogy information, which increases the pool of potential leads for law enforcement. For more information on the use of genetic information in law enforcement, please visit the Investigative Genomics webpage.

Direct-to-Consumer (DTC) Genetic Testing

Direct-to-Consumer (DTC) genetic testing has grown increasingly popular in recent years, and its use is expected to expand. Companies analyze individuals’ DNA and can provide information regarding a person’s genetic ancestry or possible genetic risk for certain health conditions. In addition to companies that sequence individuals’ DNA directly, more companies now offer their own analysis or digital health services to consumers who upload their genetic information. DTC genetic tests have limited regulation, and the growth of the DTC genetic testing industry has resulted in vast databases of consumers’ genetic information, raising serious privacy concerns. While many companies have robust privacy and informed consent policies, no federal laws prohibit companies from providing individuals’ genetic information to third parties. However, the Federal Trade Commission provides some protections and can take enforcement action against companies that make false or misleading statements regarding data privacy and security or companies that fail to protect individuals’ information. Importantly, if an individual chooses to download their genetic information from one of these services or upload it to another, the company that originally collected the data is no longer responsible for any breach of privacy that may occur.

Surreptitious DNA Testing

Surreptitious DNA testing — or testing without the knowledge of the person being tested — is another potential threat to the privacy of people’s genomic information. Some companies that offer DNA testing allow consumers to obtain genetic analyses of various biological samples without requiring the consent of the individual being tested. DNA samples may come from objects ranging from blood stains to a licked envelope. Laboratories can perform a variety of tests using these DNA samples, including health-related testing and parentage determination. These tests can reveal sensitive or embarrassing personal information.

No federal law prohibits surreptitious testing. Currently, many U.S. states have laws or regulations that govern genomic privacy and illegitimate uses of genomic data. However, these laws vary substantially. While some states prohibit the unauthorized acquisition or analysis of genetic information, others prohibit only unauthorized disclosure. Whether genetic testing can be performed without the consent of the donor may depend on who conducts the test, what the test attempts to determine, how the results will be used and in what state the testing takes place. States also differ on how they enforce these laws.

Laws and Regulations

Several federal laws and regulations provide privacy protections to participants in federally funded research. In addition, other federal laws and policies provide protection in the clinic, insurance or employment areas. Some states have also enacted their own genomic privacy laws that provide additional and varying protections for genetic information, which can be explored in the Genome Statute and Legislation Database.

The Common Rule

Published in 1991, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, establishes the baseline standard of ethics for government-funded human subjects research in the United States. In 2017, revisions to the Common Rule were published, aiming to “modernize, simplify and enhance” oversight. The Common Rule requires all federally funded research projects that fall under its definition of “human subjects” to obtain meaningful informed consent from each participant prior to their participation. Investigators must inform participants of potential risks of the study, including risks associated with release of their private information. Informed consents for genomic research should clarify the uses of research results, including who may receive or access the information. Empirical studies show that, when given control over when and with whom their research data is shared, most individuals are eager to participate in research studies. In other words, informed consent fuels scientific discovery and medical progress. For further information about informed consent in genomics and guidance for researchers or IRB members, please see the Informed Consent for Genomics Research Resource.

NIH Genomic Data Sharing Policy

The NIH Genomic Data Sharing Policy sets guidelines on how to protect research participant privacy while still giving the scientific community access to valuable research data. A key component of the policy is that access to sensitive, individual-level research data held in federal databases is only available to researchers who submit a request. NIH maintains several databases that contain such genomic information, such as the database of genotypes and phenotypes (dbGaP), the NHGRI Genomic Data Science Analysis, Visualization, and Informatics Lab-Space (AnVIL), and The Cancer Genome Atlas (TCGA). To access sensitive data from one of these databases, scientists must request permission for specific uses from Data Access Committees at the NIH or the database’s curating body. It is important to note that not all information in these databases is held under “controlled-access,” and some data is readily accessible.

Certificates of Confidentiality

Certificates of Confidentiality, issued by NIH, can safeguard the privacy of research participants. These certificates impose a requirement for investigators and institutions to withhold identifying information in civil, criminal or other proceedings at federal, state or local levels. For instance, Certificates of Confidentiality may be used when researchers handle sensitive information that could have a negative impact on research participants or damage their employability, insurability, reputation or financial standing. These certificates aim to promote research participation by assuring participants of their privacy. If a researcher is in possession of a certificate, the release of research information is at the discretion of the investigator and their institution. In 2016, the 21st Century Cures Act amended the Public Health Service Act to automatically issue Certificates of Confidentiality for federally funded research that uses identifiable, sensitive information.

Genetic Information Nondiscrimination Act (GINA)

The Genetic Information Nondiscrimination Act of 2008 (GINA) protects the genetic privacy of the public, including research participants. The passage of GINA makes it illegal for health insurers or employers to request or require genetic information of an individual or of family members and further prohibits the discriminatory use of such information. Learn more about GINA on the Genetic Discrimination page.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protects the confidentiality of patients’ individually identifiable health information — or Protected Health Information (PHI) — that HIPAA-covered entities (e.g., health care providers or an insurance company) hold. There are limits on when and with whom PHI may be shared, but there are no such restrictions on the use or disclosure of PHI that has been de-identified. In 2013, as required by the passage of the Genetic Information Nondiscrimination Act, the Privacy Rule was modified to establish that genetic information is considered PHI, and HIPAA-covered entities may not use or disclose PHI that is genetic information for underwriting purposes.

The Freedom of Information Act (FOIA)

Enacted in 1966, the Freedom of Information Act (FOIA) was the first U.S. law to give citizens the explicit right to access federal documents upon request. Information falling under one of nine classes of material, or one of three types of law enforcement documentation, is immune to FOIA requests. For types of information not clearly exempt, the passage of additional laws can establish FOIA immunity. The 21st Century Cures Act (Cures Act) amended Section 301 of the Public Health Service Act to enable a FOIA exemption for identifiable biomedical information that is gathered or used for research purposes. The law specifies that biomedical information is considered identifiable when there is “at least a very small risk, as determined by current scientific practices or statistical methods” that some combination of the information, the request and other available data sources could be used to deduce the identity of an individual. Based on this definition, the FOIA exemption covers genomic information. The Secretary of Health and Human Services can invoke this exemption at their discretion when there is even a small risk that an individual could be identified from the requested information.

Last updated: February 6, 2024