NEW YORK – Invitae has released its first Data Use Transparency and Impact Report, explaining how it uses de-identified patient genetic testing data, with whom, and under what conditions.
The report, composed of data collected throughout 2021, shows that Invitae shares data largely for research purposes, with the broad aim of advancing precision medicine efforts, which lean heavily upon large amounts of personal genetic information.
Those seeking access to Invitae's data largely come from academic institutions and biopharmaceutical companies that have sponsored Invitae's tests, such as through no-charge testing programs. Invitae reported 47 sponsored programs throughout 2021, working with 31 biopharma companies. Clinical trial recruitment formed another key patient data use area.
Internally, Invitae uses the data for quality control and assurance, the resolution of variants of uncertain significance, product development and improvement, and validation of test performance.
On the patient side, those receiving Invitae's genetic tests are given the option to opt into sharing their data for research and have the right to delete their own data from Invitae's database, should they choose.
"This report shows that our data sharing is not limited just to the circumstances that would benefit us as a company," said Deven McGraw, lead of data stewardship and data sharing at Invitae. "We are deeply committed to being part of the community of researchers, scientists, and companies that are invested in advancing precision medicine."
The company's Medical Affairs team reviews all project proposals, internal or external, that seek to leverage Invitae's data, examining them for things such as a compelling case for biomedical research and IRB approval. Proposals deemed scientifically valid are then further reviewed by a Data Use Committee, composed of a corporate executive, privacy experts, patient data advocates, product managers, and legal counsel.
McGraw described the report as a "trust-building measure," noting that no current legislation yet mandates data usage transparency in the genetic testing field.
"We were not required to produce this report," she said. "We did this because we thought it was important for patients and our customers to understand that we responsibly use their data," adding that Invitae sees the need for, and is supportive of federal legislation to protect data that is not covered by current laws such as the Genetic Information Nondiscrimination Act (GINA) or HIPAA.
GINA, for example, extends only to insurers and healthcare providers, while an increasing number of other entities now receive and manage genetic data, as seen by the proliferation of direct-to-consumer genetic testing services — which also fall outside of HIPAA — and related patient apps.
"We have this tendency in the US to regulate sectorally," McGraw said, noting that while some states have stepped in to fill certain legislative gaps, others have not, creating a scattered patchwork of rules and regulations.
Sterling Sawaya, founder and CEO of genetic information security firm GeneInfoSec, agreed, saying that the weakest points in current legislation include "a lack of recognition that genetic data is both identifiable and also contains sensitive information; disparate and varying levels of state legislation; and a lack of unified federal regulation."
He added that a lot needs to be done to ensure that genetic data is protected. "In general, HIPAA does not seem to recognize that genetic data, potentially along with other data, is both identifiable and sensitive," he said.
Digital genetic data storage also raises the risk for data theft through cyberattacks, something that Ambry Genetics experienced in 2020, when a hacker accessed an employee's email account containing patient names, medical information, Social Security numbers, diagnosis information, health insurance information, and other sensitive information. The company settled a class action lawsuit stemming from that event earlier this year.
While additional security and safe data management measures can help minimize such risks, these often come at high cost, particularly for smaller firms. These barriers represented by these costs should be taken into account by any future legislation, Sawaya said.
"Mandating informational and operation technology best practices could help, but most small-to-medium-sized businesses may find this to be challenging," he said. "Any mandates in this area would need to carefully balance the need for innovation with the risk associated with a lack of genetic information security."
McGraw hopes that Invitae's report might offer policymakers ideas concerning models for how they might regulate identifiable data.
While no other genetic testing company appears to have released a public data usage report such as Invitae's, examples of public data sharing from other firms in this space do exist.
Ambry, for example, made its AmbryShare data sharing program publicly available in 2017. That program, comprised of de-identified germline exome datasets on hereditary breast and ovarian cancer, had previously been available only to select researchers.
"We're excited about releasing this report [and] are pretty sure we're the only ones who have done this," McGraw said. "We think we're kind of a rare club and one that we hope others will join."