ABOUT THE FUTURE OF PRIVACY FORUM The Future of Privacy Forum (FPF) is a catalyst for privacy leadership and scholarship, advancing responsible data practices in support of emerging technologies. FPF is based in Washington, DC, and includes an advisory board comprising leading figures from industry, academia, law, and advocacy groups. ABOUT PRIVACY ANALYTICS Privacy Analytics, an IQVIA company, allows healthcare organizations to quickly and easily apply a responsible de-identification methodology that ensures individual privacy and legal compliance. Authors: Carson Martinez, Policy Fellow, Future of Privacy Forum Elizabeth Jonker, CIPP/C, Privacy Analytics Acknowledgments This paper benefited from contributions and editing support from Rachele Hendricks-Sturrup, FPF Health Policy Counsel; Katelyn Ringrose, FPF Policy Fellow; Kelsey Finch, FPF Policy Counsel; Khaled El Emam, Founder of Privacy Analytics; Luk Arbuckle, Chief Methodologist of Privacy Analytics; Shweta Kumar, FPF intern; and Joshua Cornwell, FPF intern. For questions about this publication, please contact Rachele Hendricks-Sturrup at
[email protected]. A Practical Path Toward Genetic Privacy in the United States | 2 TABLE OF CONTENTS Introduction 3 I. Regulatory Requirements for De-identification of Protected Health Information (PHI) 7 The HIPAA Privacy Rule 8 Genetic Data and the HIPAA Privacy Rule 10 Beyond HIPAA 12 II. Challenging De-identification of Genetic Data 13 III. Technical Solutions 16 Differential Privacy 17 Secure (Multi-Party) Computation 20 IV. A Practical Path Forward 23 Conclusion 25 Appendix 27 A Practical Path Toward Genetic Privacy in the United States | 3 INTRODUCTION 1 The volume of genetic data is growing—some estimates predict between 100 million and 2 2 billion human genomes will be sequenced by 2025 worldwide.