An ongoing legal challenge to the business model of Myriad Genetics highlights how recent policy developments have contributed to a collision between individual interests in access to personal health data and commercial interests in trade secrecy. Having already had its patents on BRCA1/2 genetic variants invalidated in a landmark ruling by the U.S. Supreme Court (1), Myriad now faces efforts to dismantle the proprietary database of genetic variants and their clinical interpretation that it began developing when it was the exclusive provider of BRCA1/2 tests. Despite the competing normative and economic claims in this dispute, we see room for compromise, and potential policy innovations that will incentivize companies to invest in test development while ensuring that their findings can be utilized by others.
Although Myriad initially disclosed variant data it collected from test results, it began keeping the data secret in 2004. Myriad has never disclosed the algorithms and methods it uses to interpret those data (2). Now that Myriad’s patents are invalid, competition in BRCA1/2 testing is growing. However, Myriad claims that other providers have not yet accumulated the quantity of data to match its interpretive accuracy (3). Thus, through maintenance of its database as a lawful trade secret, Myriad has continued to dominate the BRCA 1/2 testing market (3, 4).
In 2016, frustrated by Myriad’s refusal to make its database publicly available and seeking to access and share their personal data, four individuals for whom Myriad performed genetic testing filed a complaint with the U.S. Department of Health and Human Services (HHS) (5). Backed by the American Civil Liberties Union, the complainants assert that a data access right set forth in the Privacy Rule, issued under the Health Insurance Portability and Accountability Act (HIPAA), entitles them to four categories of information specific to their tests: (i) raw and assembled genetic sequence data; (ii) a list of all variants identified, including benign variants; (iii) results of large-scale analyses; and, most broadly, (iv) “records relating to clinical interpretation” of identified variants (5). In essence, this legal maneuver seeks an end-run around trade secret laws by compelling disclosure of individual-level data that, in the aggregate, may be proprietary.
Although Myriad has since disclosed to each complainant a list of identified variants and raw data, Myriad has stated that it does not retain and so cannot disclose any other requested sequence information (5). It is unclear whether Myriad has provided all records responsive to the complainants’ request for clinical interpretive records. Meanwhile, HHS has opened an investigation of the complaint.
Which federal law prevails?
At the heart of this legal conflict are competing normative and economic claims. On one hand, individuals have a compelling personal interest in the data underlying their genetic test reports because those data reveal potentially sensitive information about them and are subject to changing clinical interpretation that they may wish to monitor. Moreover, society is benefited when individuals can widely share genetic data and interpretive records with researchers and others to improve public health. On the other hand, maintaining certain data and processes in secret provides innovators the opportunity to recoup their investment and finance new diagnostic tests and the increasingly complex infrastructure and algorithms on which they are built.
These competing claims are embodied in, respectively, a HIPAA Privacy Rule provision that defines a personal health data access right and trade secret laws that protect commercial interests in intellectual property. Recent expansion of both domains has brought into sharp focus their inherent tension in the context of private genomic databases. Adopted in 2014, the Privacy Rule’s data access provision grants every patient a right of access to a copy of her “protected health information” contained in a “designated record set” (6). Protected health information is defined as “individually identifiable” information related to an individual’s health condition or care; a designated record set includes a patient’s medical records and all other items containing protected health information that are maintained and used “to make decisions about individuals” (7, 8). HHS issued guidance in 2016 interpreting this access right as applied to genetic tests like Myriad’s that utilize next-generation sequencing. According to that guidance, HIPAA-covered clinical laboratories must provide individuals whom they test, upon request, with the full gene variant information generated by such tests (9).
Since Myriad’s algorithm are critical to understanding the clinical significance of genetic variants, there is a good argument that they are covered by the complainants’ request for all “records relating to clinical interpretation” of variants. If so, the question becomes whether Myriad’s algorithms are individually identifiable to the complainants and so constitute protected health information that must be disclosed. While pure algorithms do not identify individuals, records related to the application of these algorithms to specific individuals likely are subject to the Privacy Rule access right when they include individuals’ health information. The other categories of information requested by complainants fall comfortably under the definition of protected health information since they relate to individuals’ health conditions.
Yet, at least some of the requested information may constitute legally protected trade secrets. Until recently, trade secret protection was largely a matter of state law. However, in recognition of the growing importance of trade secrets to U.S. commercial interests, in 2016, President Obama signed into law the Defend Trade Secrets Act (DTSA), which creates a new federal cause of action for trade secret misappropriation. Similar to most state trade secret laws, the DTSA details the universe of protected information to include all “scientific” and “technical” information, including compilations and codes, whether tangible or intangible, and regardless of how they are compiled or stored, so long as the information derives independent economic value from being maintained in secret (10).
Under this definition, the aggregated data at issue in the Myriad controversy potentially qualify as trade secrets. Although genetic sequencing data, variant findings, and analytical results concern specific individuals, courts frequently hold that collections of cultivated data about individuals (like databases of customer preferences) constitute protected trade secrets. Data-manipulation methods like algorithms and formulas that are not readily ascertainable by others are textbook examples of trade secrets (11).
Compromise and implications
A provision in HIPAA’s authorizing statute may help avoid a direct collision of these laws and provide each side a partial win. According to that provision, HIPAA standards “shall not require disclosure of trade secrets or confidential commercial information” (12). Myriad’s obligation to comply with data access requests therefore does not seem to extend to the aggregated data that comprise Myriad’s proprietary database or related architectural and algorithmic information. A similar conclusion was reportedly reached by HHS as to proprietary cognitive test materials, which the agency confirmed test developers did not need to disclose even if they included protected health information “to the extent that doing so would result in a disclosure of trade secrets” (13). Thus, if some of Myriad’s trade secrets are revealed in records that include the complainants’ individually identifiable health data, Myriad should be allowed to redact its proprietary information before disclosure, and if redaction is not possible, withhold the material altogether. Otherwise, Myriad might have a claim that the data access right constitutes a “regulatory taking” under the Constitution (14).
Although Myriad has a valid trade secrecy claim with respect to its database, it seems unlikely that a particular patient’s health information would qualify as a distinct, protectable trade secret vis-à-vis that patient. Myriad has already disclosed patient-level data to the complainants, suggesting that it is unlikely to press such an interpretation. Thus, by exercising data access rights, Myriad’s customers may be able to obtain basic information needed to reconstruct Myriad’s database brick by brick.
HHS’s investigation is ongoing and the dispute might be resolved informally. If it proceeds to formal deliberation and the agency’s decision is appealed to federal court, however, the case could drag on for years. Regardless of its procedural path, the case raises difficult questions about data access and sharing that have far-reaching policy implications.
While Myriad’s database has been called an anomaly given its facilitation by patents, secrecy-enabling market segmentation and dominance can result from mechanisms unrelated to patent rights. As tests become more complex and specialized tools are increasingly required to store and analyze data, competition in specific diagnostics will naturally decrease. And if the U.S. Food and Drug Administration (FDA) exercises its discretionary authority to regulate lab-developed tests, development and services will narrow to those labs having resources to navigate the regulatory approval process. Especially where the test is not a companion to a drug, the universe of those who can afford this effort may be small (15).
To stimulate continued competition and innovation, some incentive is necessary to persuade companies to invest in clinical test development. For tests that require only modest upfront investment, insurance coverage and adequate reimbursement may be sufficient. But for the expanding universe of diagnostics that rely on sophisticated algorithms to analyze vast quantities of data, additional policy levers may be required. The traditional levers are patenting and trade secrecy, but as demonstrated by the Myriad dispute, their application to critical health services is troubling from ethical and public health perspectives when it limits patient access to those services or restricts information flow in a manner that could compromise patient care.
An alternative policy lever is the proposed coupling of expanded FDA oversight of diagnostics with new market exclusivities (16). Modeled after existing exclusivities granted to drugs and biologics, a new diagnostic exclusivity would give test originators a time-limited period during which the FDA may not approve copycat applications. If the exclusivity is conditioned on disclosure of certain data or if the exclusivity period is sufficiently brief, data silos can be minimized. Given that regulatory exclusivities are shorter in duration than patents, which expire after 20 years, and trade secrecy, which can continue indefinitely, monopolistic pricing can be kept in check.
With respect to information that ultimately is disclosed, whether voluntarily or as a regulatory requirement, several practical barriers must still be overcome to achieve the full benefits of patient-to-researcher sharing, These include the low genetic literacy of most patients and many clinicians; interoperability issues that arise when data are provided in different formats than those used by researchers; and a collective action problem sustained by the relatively high costs of obtaining and sharing individual-level data. In the end, these practical barriers may prove more formidable than the legal barriers in realizing a future in which genetic data are freely shared and broadly utilized.
Acknowledgements:
All authors contributed equally to this work. This work was funded by National Human Genome Research Institute (NIH) grant RO1-HG006460-S1. The authors declare no competing financial interests.
References:
- 1.Association for Molecular Pathology v. Myriad Genetics, Inc., No. 12–398, 133 S. Ct. 2107 (13 June 2013).
- 2.Cook-Deegan R, Conley JM, Evans JP, Vorhaus D, Eur. J. Hum. Genet 21, 585–588 (2003). [DOI] [PMC free article] [PubMed] [Google Scholar]
- 3.Begley S, As revenue falls, a pioneer of cancer gene testing slams rivals with overblown claims. STAT News (29 Nov. 2016). [Google Scholar]
- 4.Walker J, Myriad Genetics fights off threats from rivals. Wall Street J. (3 May 2015). [Google Scholar]
- 5.Health information privacy complaint (19 May 2016); https://www.aclu.org/sites/default/files/field_document/2016.5.19_hipaa_complaint.pdf.
- 6.HHS, Security and privacy, Access of individuals to protected health information, Code of Federal Regulations (CFR) 45, part 164.524 (2017).
- 7.HHS, General administrative requirements, Definitions, Code of Federal Regulations (CFR) 45, part 160.103 (2017).
- 8.HHS, Security and privacy, Definitions, Code of Federal Regulations (CFR) 45, part 164.501 (2017).
- 9.HHS, Individuals’ right under HIPAA to access their health information (7 Jan. 2016); www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#maximumflatfee. [Google Scholar]
- 10.Defend Trade Secrets Act of 2016, Public Law 114-153 (11 May 2016).
- 11.“Definition of Trade Secrets” in Trade Secrets Law (Mar. 2016), § 3:34–37. [Google Scholar]
- 12.Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (21 Aug. 1996), codified 42 U.S.C. § 1320d-1(e) (2017).
- 13.Feldman R, Newman J, Stanford Tech. Law Rev 16, 623–655 (2013). [PMC free article] [PubMed] [Google Scholar]
- 14.Evans BJ, Gen. Med 16, 504–509 (2014). [DOI] [PMC free article] [PubMed] [Google Scholar]
- 15.Hopkins MM, Hogarth S, Nature Biotech. 30, 498–500 (2012). [DOI] [PubMed] [Google Scholar]
- 16.Sachs RE, Univ. of California Davis Law Rev 49, 1881–1940 (2016). [Google Scholar]