Complaint: Testing Lab Myriad Genetics Denied Patients Access to Data

Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.

By James Swann

May 20 — A lab allegedly denied four patients' requests for access to their genetic data, according to a complaint filed May 19 with the HHS by the American Civil Liberties Union.

Myriad Genetics Laboratories, Inc., based in Salt Lake City, tested the four patients for their cancer risks related to the BRCA1 and BRCA2 genes between 2006 and 2014, and allegedly refused to provide additional genetic data beyond a copy of their test reports, the complaint said. Myriad eventually provided the additional genetic data on May 18, the complaint said.

The complaint was filed with the Department of Health and Human Services Office for Civil Rights, which in January released guidance clarifying patients' rights to access their medical records under the Health Insurance Portability and Accountability Act's Privacy Rule. Patients have the right to access most information maintained by an entity covered by HIPAA, with limited exceptions, and they also have the right to access protected health information that is old or archived.

The ACLU complaint said the four patients were especially eager to access their full genetic information due to the fact that Myriad doesn't share any of its data with ClinVar, a freely accessible database operated by the National Center for Biotechnology Information at the National Institutes of Health.

The ACLU previously filed a lawsuit against Myriad in 2013 questioning the company's control of seven patents related to the BRCA1 and BRCA2 genes, which correlate with an increased risk of breast and ovarian cancer.

A unanimous Supreme Court decision in June 2013 found that isolated DNA is not eligible for patenting, and additional laboratories were able to offer tests for the two genes (07 LSLR 622, 6/14/13).

Obligation to Comply

Kirk Nahra, an attorney with Wiley Rein in Washington, told Bloomberg BNA May 20 that Myriad, assuming it's a HIPAA-covered entity, has an obligation to comply with the HIPAA Privacy Rule's patient access provision.

“This has been a big source of ongoing complaints, and an areas that the OCR is particularly focused on,” Nahra said.

While Myriad provided the additional genetic data May 18, Nahra said, the OCR could still say the company should have provided it upon initial request and fine it.

The OCR could also ask Myriad to enter into a formal agreement regarding future patient access issues or determine that there's nothing further to be done, Nahra said.

Nahra said the patient access rule has created a surprising volume of complaints about all kinds of health-care providers.

“I haven't heard anything about the genetic side specifically, and I don't know if there's some proprietary issue that make this tougher than a usual medical record, but it's an ongoing problem,” Nahra said.

Patient Right to Access

A patient's right to their entire genetic record set is a focus of the ACLU, Sandra Park, a senior attorney with the ACLU, told Bloomberg BNA May 20.

Myriad's May 18 release of the additional data is a helpful step, Park said, an acknowledgment that it has the data and can give it to patients.

Park said the complaint is the ACLU's first foray into ensuring patients' full access to their medical records.

She said the ACLU is looking for Myriad to willingly acknowledge a patient's right to full access, either through a voluntary posting on its website or through a resolution agreement with the OCR.

While Park said the January guidance from OCR on patient access was fairly clear, further clarification from the government would be helpful.

Lack of Merit

Ron Rogers, Myriad's executive vice president, corporate communications, told Bloomberg BNA May 20 that Myriad doesn't think the complaint has any merit and should be dropped.

Rogers said Myriad received identical letters from seven patients in February asking for their genetic test results as well as data on any polymorphisms, which are benign mutations that don't increase cancer risk. The letters cited OCR's January subregulatory guidance.

Myriad provided the test results in March, with their designated record set, but was uncertain about providing the polymorphism data, Rogers said.

According to Rogers, Myriad only became aware of the guidance in March and in April met with the OCR in Washington to get additional clarification. At that time, the company was told to provide the polymorphism data, Rogers said, which it has now done.

Rogers said the OCR guidance should have been put out for public comment.

“It's always been our policy to provide patient data, and going forward there will be no obstacles to patient access,” Rogers said.

Rogers said that if the complaint is accepted by the OCR, Myriad will defend itself.

To contact the reporter on this story: James Swann in Washington at

To contact the editor responsible for this story: Kendra Casey Plank at

For More Information

The ACLU complaint is at

Request Health Care on Bloomberg Law