Veracuity blog

Balancing patient privacy and research in care delivery, including the use of electronic health records (EHRs) for screening and research, is an ongoing challenge. Registries that contain sensitive and confidential information present a unique set of challenges that affect patient populations enrolled in clinical trials. In an “honest-broker” model, the registry shares only de-identified data with investigators. For example, the Brain Health Registry asks potential participants to complete a series of online tests, allow access to medical records, and provide blood samples and saliva for genetic tests [1]. A survey of patient attitudes toward the handling of sensitive patient information, conducted in 2007 by Privacy Consulting Group, revealed that patients hold very strong concerns about the handling of their data, especially when it comes to any use of data not directly related to patient care [2].

Medical records are used frequently for research without the explicit consent of patients. These records include a wide range of information, including rich-content clinical genomic data that can still be used for research without the patients’ consent as long as the information is de-identified and shared under data use agreements with other HIPAA covered entities. Kulynych and Greely (2017) explored the consequences of the proliferation of electronic health records in the context of genetic privacy risks [3].

As the cost of gene sequencing decreases, its uptake in clinical practice continues to increase and practical utility becomes more intuitive. Genome researchers increasingly seek electronic health records as an inexpensive source of population-wide data on genome, health, and phenotype. This type of research often occurs without the patients’ consent and knowledge. This practice is in stark contrast with patient expectations of privacy and control over their data.

Recently, genetic testing company 23andMe piloted a new program that encourages some of their users to share much more than their genetic information. Customers were asked to provide access to their medical records, prescriptions, and laboratory results for research purposes. The company partnered with pharmaceutical giant GSK for access to genetic and other health data of the company’s customers to use in drug development [4].

Under the Privacy Rule, it is possible to use electronic medical records for a variety of purposes, including billing, quality improvement, or public health functions. These disclosures are permitted without the patients’ consent, although patients may request an accounting of PHI disclosures, including those made for public health purposes, during the past six years. Very few patients exercise this right, arguably because of a lack of awareness.

Overall, patient expectations of privacy and control over their data do not seem to be aligned with the current state of affairs in medical research and the use of medical data, and the level of protection offered by HIPAA.


[1] Brain Health Registry. How It Works | Brain Health Registry. Brainhealthregistry.org. 2018. Available at:

[2] Institute of Medicine. 2010. Clinical Data as the Basic Staple of Health Learning: Creating and Protecting a Public Good: Workshop Summary. Washington, DC: The National Academies Press.

[3] Kulynych J, Greely H. Clinical genomics, big data, and electronic medical records: reconciling patient rights with research when privacy and science collide. J Law Biosci. 2017:lsw061. doi:10.1093/jlb/lsw061.

[4] Hendrickson, Z. (2019). 23andMe is throwing its hat into the EHR ring against Apple’s Health Records platform. Retrieved 10 August 2019, from
