WPF Report – Privacy, the Precision Medicine Initiative, & the All of Us Research Program: Will Any Legal Protections Apply?



Precision Medicine Initiative and All of Us Research Program report graphic


The report, Privacy, the Precision Medicine Initiative, & the All of Us Research Program: Will Any Legal Protections Apply? was published March 16, 2017. This report is the second edition of an earlier report published in 2016.

Report Authors: Robert Gellman and Pam Dixon.

You are at the report main page, where you can download the report in PDF format.

Report Links:


Background of This Report

This is the second edition of a report originally published by the World Privacy Forum in 2016 about the privacy implications of the Precision Medicine Initiative (PMI), a national volunteer medical research effort. Both editions of the report contain legal analysis about privacy protections applicable to the PMI and recommendations.

The PMI is an ambitious program with a goal of gathering the freely volunteered health and biospecimen data of over a million people to facilitate medical research. The PMI program originally began during the Obama administration and was still in its formative stage when the original 2016 WPF report was published. As of March 2017, the PMI has undergone many changes. First, the PMI was partially renamed, and now includes the All of Us Research Program. The All of Us research program consists of the 1-million person volunteer research volunteer group that will make up the bulk of PMI research program. A second and important change is that the PMI/All of Us program has become an official part of the National Institutes of Health as of January 2017, and the program has now been officially funded. Third, there is now a launch of the PMI/All of Us research program, it is scheduled for April 2017. The April launch will be of the planned pilot research programs, and will involve the enrollment of research participants. With the launch imminent, it is crucial to examine and understand the privacy protections for the PMI and All of Us research program.

The second edition of this report includes updated information about the program and more detail about other aspects of the program that changed in the past year. An important addition to this report is the inclusion of analysis of the recently-enacted 21st Century Cures Act, which specifically impacts the PMI/All of Us program.


Brief Summary of Report

Medical treatments tailored to each individual’s physiology and genetic history have long been a dream, but this dream is data-intensive. Until recently, the lack of a broad set of detailed health information from a wide variety of research subjects stymied medical research efforts. The most current effort to turn personalized, tailored medicine into a reality is the Precision Medicine Initiative (PMI), which now includes the All of Us research program. It is this full PMI/All of Us research program, begun in 2015, that hopes to gather an unprecedented amount of detailed biomedical data sets — including biospecimens and detailed personal health information — from over one million volunteers, the largest group of medical research volunteers that has been assembled thus far in the United States, if not the world.

Collecting, maintaining, reporting results back to research subjects/participants, and sharing biospecimens and health data from over a million volunteers for research requires meaningful privacy protections. To determine how privacy laws may protect PMI data subjects and their information, this report reviews federal privacy laws potentially applicable to the program. The analysis finds that despite the breadth and sensitivity of planned PMI data, the HIPAA health privacy rule and its protections for individuals will not apply to PMI. Other privacy laws may apply, such as the Privacy Act of 1974, but there is considerable uncertainty if that law or other privacy laws apply in whole or in part. The lack of applicability will impact everything from access to results, to control over with whom those results are shared, among many other issues.

In December 2016, Congress enacted the 21st Century Cures Act, a long and complex health policy law that, among many other things, addressed PMI and some privacy matters. The 21st Century Cures Act appears to fix some of the shortcomings with Certificates of Confidentiality that provide privacy protections for research records used in research, but the Act did not answer most of the continuing questions about which existing privacy laws apply to PMI.

The PMI program itself includes a set of privacy principles. These principles are not formal laws. Because this report focuses on analysis of actual privacy law that has enforceable rights and procedures, the voluntary and seemingly unenforceable PMI privacy principles are not the focus of attention.

The key privacy concerns raised by the full PMI/All of Us program include:

  • The lack of applicable privacy law to govern its collection and use of individuals’ health data
  • The potential waiver of the patient-physician legal privilege that can shield data from disclosure through litigation
  • The possibility of law enforcement access to patient records held in the PMI/All of Us databases.

The PMI program still needs to clarify and strengthen the legal and administrative privacy protections that apply to its activities. People who volunteer their biomedical data sets still must be told clearly what specific legal protections apply and do not apply and what rules exist for law enforcement access to patient records and other biomedical data, such as blood samples.


About the Authors

Robert Gellman is a privacy and information policy consultant in Washington DC. (www.bobgellman.com.) He has written extensively on health, de-identification, Fair Information Practices, and other privacy topics. Pam Dixon is the founder and Executive Director of the World Privacy Forum. She is the author of eight books, hundreds of articles, and numerous privacy studies, including her landmark Medical Identity Theft study. She has testified before Congress on consumer privacy issues as well as before federal agencies. Dixon and Gellman’s writing collaborations include the seminal report on predictive algorithms, The Scoring of America, and numerous well-regarded privacy-focused research, articles, and policy analyses. They co-authored a reference book on privacy, Online Privacy: A Reference Handbook, (ABC-CLIO 2011) and most recently a chapter on privacy regulation and law in Enforcing Privacy: Regulatory, Legal, and Technological Approaches, (Springer Nature, 2016.)


About the World Privacy Forum

The World Privacy Forum is a non-profit public interest research and consumer education group that focuses on the research and analysis of privacy-related issues. Founded in 2003, the Forum publishes significant privacy research and policy studies on health privacy, privacy self-regulation, financial privacy and identity issues, biometrics, and data broker privacy practices among other issues. The Patient’s Guide to HIPAA is a long-standing resource maintained at WPF. WPF members have testified before Congress regarding privacy issues, including health privacy, and have regularly contributed privacy expertise to agency-level workshops at the Federal Trade Commission, the FDA, and HHS. For more, see www.worldprivacyforum.org.


Key Findings:

  • Medical record data and biospecimen data that consumers donate to the PMI and All of Us research program are not covered by the core federal health privacy law while in the hands of the PMI/All of Us program. The health privacy rule issued under the authority of the Health Insurance Portability and Accountability Act (HIPAA) does not apply to the PMI and will not apply to most research activities conducted using information available from the PMI.
  • Consumers may have no formal legal right to obtain their own information from the PMI unless a US government agency administers the PMI, something that is not expected. The Privacy Act of 1974, which provides individuals with the ability to review data collected about them by a government agency, applies only if a federal agency operates the PMI. We do not yet know with certainty if a federal agency will operate any part of the PMI. However, if a federal agency operates the PMI, the Privacy Act’s disclosure provisions allow agencies considerable authority to disclose records subject to the Act and to define new categories of disclosures at any time through new rules. In particular, the Act allows many types of disclosure to foreign, national, state, and local law enforcement agencies with few procedural prerequisites. We do not yet know what disclosure authority will apply to PMI records or even if they are subject to the Privacy Act. (See Appendix C.)
  • Patients who share their health records and biospecimens with the PMI could lose the ability to claim a physician-patient privilege in unrelated judicial proceedings.
  • A limited amount of patient records shared with PMI may be protected from subsequent disclosure if 42 C.F.R. Part 2 (rules governing substance abuse records) applied to the records at their original source. If so, records disclosed to the PMI from health care providers subject to the substance abuse privacy rules would retain their confidentiality if disclosed to the PMI. This may be the only existing privacy law applicable to the PMI, although it would cover few of the health records in the PMI.
  • Certificates of confidentiality for research activities available through the Department of Health and Human Services may offer some legal protections for research records, but there are many uncertainties about the scope and value of the certificates. There are known limitations about the protections this would offer. The December 2016 21st Century Cures Act may result in general improvements to the legal protections afforded by certificates.
  • When volunteers enroll in the PMI, they donate a great deal of personal information in the form of medical records and biospecimens. However, collection of cell phone, social media, sensor, and other real-time data are under discussion. How the privacy of these classes of real-time data not traditionally part of health records will be handled is an unknown. Further administrative records about volunteers – as opposed to health information – may be extensive and present their own privacy concerns. Administrative records may include contact information, identification numbers, employment and educational history, location data, and more.
  • Nothing in the 21st Century Cures Act enacted in December 2016 resolves any of the uncertainties about the application of existing privacy laws to PMI program and activities.


Key Recommendations:

  1. The PMI and All of Us research program needs to detail its structure and organization with clarity so that the privacy protections or lack of privacy protections for its records can be assessed. The public needs to be clearly informed what institutions will maintain information in the PMI and where they are located. The PMI must explain how privacy laws, if any, will apply to it. The privacy and security standards issued so far do not answer the questions about what legal protections will apply.
  1. The PMI should not begin soliciting information or biospecimens from or about individuals until it clearly describes the applicable privacy protections. The description should include potential uses and disclosures of PMI information for law enforcement and national security purposes. The description of applicable privacy rules should cover health records, administrative records, and any real-time monitoring from mobile or other devices. Volunteers should be told expressly if HIPAA does not apply to the PMI.
  1. The E-Government Act of 2002 requires federal agencies to conduct a Privacy Impact Assessment before they develop or procure information technology systems or projects that collect, maintain or disseminate information in identifiable form from or about members of the public.[1] We have not seen a PIA for the PMI. There is an immediate need for a PIA that includes an opportunity for public comment and debate.
  1. If the Privacy Act of 1974 applies to PMI or any significant part of it, then the National Institutes of Health should publish a system of records notice and allow adequate time for public comment.
  1. If the Privacy Act of 1974 does not apply to the PMI, then it is possible that no health privacy or other privacy law will apply to most data and biospecimens. As a result, patient data could be vulnerable to a host of unrelated public and private demands and activities. If so, then PMI may need its own privacy law in place before it starts.

[1] See Office of Management and Budget, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (2003)(M-03-22), https://obamawhitehouse.archives.gov/omb/memoranda_m03-22/.