Misha Angrist, writing in Nature News comments ("Genetic privacy needs a more nuanced approach") on the recent study that demonstrated the possibility of finding the true identities of research participants who provided anonymized DNA samples . Adding some context to the study, Angrist discusses the current federal privacy regime, and the way that genetic research relies upon the anonymizing techniques now shown to be insecure:
Although genetic data are considered protected health information under the HIPAA, many of the protections disappear when the information is ‘de-identified’ — that is, the 18 identifiers specified in the act (including names, addresses, birthdates and the like) are removed. And because genetic information is not one of those 18 identifiers, it does not need to be removed from health records to follow the letter of HIPAA privacy. If researchers do not know who you are, and cannot easily find out, then their obligations to you diminish by orders of magnitude. Furthermore, their protocols are less likely to need full review by an institutional review board; their grant applications become less onerous; and their technology costs go down.
...What if the absence of the 18 identifiers isn’t enough to protect someone’s identity?
If genotyping becomes sufficiently cheap, and personal information sufficiently interlinked within corporate or government databases, then personal identification of genetic samples will be ubiquitous. The constraint on ubiquitous identification is not the cost of genotyping, which is already cheap enough for anyone motivated to identify a sample. The remaining constraint is the interlinking of databases.
- . Identifying Personal Genomes by Surname Inference. Science. 2013;339(6117):321 - 324.