Thank you for reaching out.
We’ll get back to you shortly.

Thank you for reaching out.
We’ll get back to you shortly.

Contact Us

How scientists secure the data driving autism research

Patchwork protections:

So far, major research databases have escaped the attention of rogue actors, experts say. “There are not really instances where malevolent forces have hacked these research databases and caused any real harm,” says Benjamin Berkman, a bioethicist at the NIH in Bethesda, Maryland. But that may be, in part, because healthcare providers with lackluster security are more tempting targets. Health providers account for more than 36 percent of all publicly known security breaches — the most of any single type of organization — according to an analysis of more than 9,000 data breaches from 2005 to 2018.

After the first high-profile demonstrations of de-identifying data showed up, the NIH and some research institutions tightened privacy protections — removing SNP frequencies from websites the public can access, for example, or removing some identifying information, such as ages, from the 1000 Genomes site. But in 2018, as it became evident that virtually no data breaches were actually taking place, the NIH loosened its rules again, providing public access to the genomic data it had taken off public sites a decade earlier. (Researchers leading genetic studies of specific groups can still request that the NIH limit public access.)

“Sometimes the science changes and we, meaning the people who are in charge of protecting the public, we overreact,” says Thomas Lehner, a scientific director at the New York Genome Center who used to coordinate genomics research at the National Institute of Mental Health.

Brain-scan data may also be less vulnerable than last year’s experiment suggests. Experts say that identifying members of the general public in a large database of brain scans is much harder than matching scans to a few dozen photos that were designed to be similar in luminance, size and other features, as happened in that study. Also, autism researchers can use software to remove facial features from brain images in databases — and some of these tools come bundled with image analysis programs. “It’s easy to just remove the face — nobody will ever reconstruct who’s who,” says Martin Styner, a computer scientist at the University of North Carolina at Chapel Hill.

“There are not really instances where malevolent forces have hacked these research databases and caused any real harm.” Benjamin Berkman

Many universities actively protect DNA and brain-scan data by restricting access to them: Researchers must apply for access through a university ethics committee and explain how they intend to use the data. And many studies, such as ABIDE, have protocols for making sure the data they collect from various research groups are de-identified or ‘defaced.’ “We give them scripts for defacing,” says Michael Milham, who directs the International Neuroimaging Data-Sharing Initiative, which supports ABIDE. “Before we ever share [data], we go through and check to make sure the defacing is as it should be.”

Beyond the technical challenges, decoding identities from anonymized data also breaks federal law. “If any of my colleagues tried to do something like identify a particular person, I would expect them to lose their jobs, pay an enormous fine and probably go to jail,” Pelphrey says. In 2010, a medical researcher at the University of California, Los Angeles spent four months in prison for looking into the confidential medical records of his boss, coworkers and celebrity clients such as Tom Hanks, Drew Barrymore and Arnold Schwarzenegger. The year before, in 2009, the University of North Carolina demoted a cancer researcher for negligence and cut her salary almost in half when a breast-imaging database she oversaw was hacked, putting the personal data of 100,000 women at risk. “[The lapse] had quite strong consequences, leading to her retirement,” Styner says.

Researchers who are granted access to large autism research databases such as MSSNG also sign agreements that specify harsh penalties. “Besides legal action, Autism Speaks would revoke privileges to the researchers and institution through our controlled-access point to the database,” says Dean Hartley, Autism Speaks’ senior director of discovery and translational science.

Some U.S. federal data-privacy laws may protect people from harm if their personal data fall into the wrong hands. The U.S. Genetic Information Nondiscrimination Act (GINA), for instance, prevents health insurance providers and large employers from discriminating against people based on a genetic predisposition to a particular condition. But the law does not apply to small businesses, to life or disability insurance providers, or to people who already have a health condition. The Affordable Care Act of 2010 provides more complete privacy protection than GINA by extending protection to people with a confirmed diagnosis and not just to those with a genetic predisposition.

Some states have passed laws to fill gaps in the federal laws and give people the right to seek redress for violations of their privacy. Still, many privacy and security experts remain concerned as more personal health data get shared across more databases. “There are a number of people who have been talking about [whether] we really need to look at GINA in the context of big data and the merging of these databases,” says Karen Maschke, a research scholar at The Hastings Center, a nonprofit bioethics research institute in Garrison, New York.

Even with stronger legal protections, law enforcement or courts can demand access to a research database. To shield the data from such requests, research institutions can obtain a ‘certificate of confidentiality’ from the U.S. Department of Health and Human Services. This protection is not iron-clad, however. Evidence for its effectiveness relies upon a small number of legal cases, and if researchers are unaware that they have the certificate, as many are, they will not invoke it, experts say. What’s more, the certificate becomes moot when laws require the reporting of information about infectious diseases, such as COVID-19, for the sake of public health.

related articles

User Pic

Two studies highlight role of ‘mosaic’ mutations in autism

Mutations seen in only some of the body's cells often affect gene activity in the brain...

User Pic

In search of ‘social’ subtypes of autism

Mirko Uljarević Senior Research Fellow, School of Psychological Sciences at the Univers...

User Pic

New measures of social skills tap what monkeys see, do

Monkey vision: The amount of time a macaque spends looking at social aspects of images,...

User Pic

Autism genes may play key role in development of amygdala

High expression: Autism-linked genes such as PTEN are highly expressed in the mouse amy...

close  

google analytics policy

we may collect information about your computer, including your IP address, operating system and browser type, for system administration and in order to create reports. This is statistical data about our users' browsing actions and patters, and does not identify any individual.

The only cookies in use on our site are for Google Analytics. Google Analytis is aweb analytics tool that helps website owners understand how visitors engage with their website. GoogleAnalytics customers can view a variety of reports about how visitors interact with their website so that they can improve it.

Like many services, Google Analytics users first-party cookies to track visitor interactions as in our case, where they are used to collect information about how visitors use our site. We then use the information to compile reports and to help use improve our site.

Cookies contain information that is transferred to your computer's hard drive. These cookies are used to store information, such as the time that the current visit occured, whether the visitor has been to the site before and what site referred the visitor to the web page.

Google Analyticsw collets information anonymously. It reports website trends without identifying individual visitors. you can opt out of Google Analytics without affecting how your visit our site- for more information on opting our of being tracked by Google Analytics across all websites you use, visit this Google page

close  

hipaa privacy

Compleat KiDZ

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

If you have any questions about this Notice of Privacy Practices, please contact our Privacy Officer, by telephone at (704) 824-7800 or in writing at 2675 Court Drive, Gastonia, NC 28054.
This Notice of Privacy Practices describes how we may use and disclose your protected health information to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law. It also describes your rights to access and control your protected health information. Protected health information is information about you, including demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services.

A. WE MUST PROTECT YOUR PROTECTED HEALTH INFORMATION

We are required to abide by the terms of this Notice of Privacy Practices. We may change the terms of our Notice of Privacy Practices at any time. The new Notice of Privacy Practices will be effective for all protected health information that we maintain at that time. Upon your request, we will provide you with any revised Notice of Privacy Practices. You may request a revised version by calling or writing our Privacy Officer and requesting that a revised copy be sent to you in the mail or asking for one at the time of your next appointment.

B. USE AND DISCLOSURES OF PROTECTED HEALTH INFORMATION

Your protected health information may be used and disclosed by our office staff others outside of our office who are involved in your care and treatment for the purpose of providing health care services to you.
Your protected health information may also be used and disclosed to pay your health care bills and to support the operation of our practice.
Following are examples of the types of uses and disclosures of your protected health information that we are permitted to make. These examples are not meant to be exhaustive, but to describe the types of uses and disclosures that may be made by our office.

1. Treatment: We will use and disclose your protected health information to provide, coordinate, or manage your health care and any related services. This includes the coordination or management of your health care with another provider.
For example, we would disclose your protected health information, as necessary, to a home health agency that provides care to you. We will also disclose protected health information to other healthcare providers who may be treating you.
For example, your protected health information may be provided to a physician to whom you have been referred to ensure that the physician has the necessary information to diagnose or treat you. In addition, we may disclose your protected health information from time-to-time to other health care providers (e.g., a specialist or laboratory) who become involved in your care by providing assistance with your health care diagnosis or treatment to us.
2. Payment: We may use and disclose protected health information about you so that the treatment and services you receive at Compleat KiDZ may be billed to and payment may be collected from you, an insurance company, or a third party. This may include certain activities that your health insurance plan may undertake before it approves or pays for the health care services we recommend for you such as: making a determination of eligibility or coverage for insurance benefits, and reviewing services provided to you for medical necessity. For example, if you have a back injury, we may need to give your health plan information about your condition, supplies used, and services you received.
3. Healthcare Operations: We may use or disclose, as needed, your protected health information for healthcare operations. These uses and disclosures are necessary to run Compleat KiDZ and make sure that all of our patients receive quality care. For example, we ma)'use protected health information to review our treatment and services and to evaluate the performance of our staff in caring for you. We may also combine protected health information about many patients to decide what additional services Compleat KiDZ should offer, what services are not needed, and whether certain new treatments are effective. We may also disclose information to doctors, nurses, technicians, medical students, and other personnel for review and learning purposes, we may remove information that identifies you from this set of protected health information so others may use it to study health care and health care delivery without learning the identities of specific patients.
We may share your protected health information with third party "business associates" that perform various activities (for example, billing or transcription services) for our practice. Whenever an arrangement between our practice and a business associate involves the use or disclosure of your protected health information, we will have a written contract that contains terms that will protect the privacy of your protected health information.
We may use and / or disclose protected health information to contact you to, remind you about an appointment you have for treatment or medical care.
We may use or disclose your protected health information, as necessary, to provide you with information about treatment alternatives or other health--related benefits and services that may be of interest to you. You may contact our Privacy Officer to request that these materials not be sent to you.
4. Other Permitted and Required Uses and Disclosures That May Be Made Without Your Authorization or Opportunity to Agree and Object:
We may use or disclose your protected health information in the following situations without your authorization or providing you the opportunity to agree or object. These situations include:
(i) Required by Law: We may use or disclose your protected health information to the extent that the use or disclosure is required by law. The use or disclosure will be made in compliance with the law and will be limited d to the relevant requirements of the law. You will be notified, if required by law, of any such uses or disclosures.

(ii) Public Health: We may disclose your protected health information for public health activities and purposes to a public health authority that is permitted by law to collect or receive the information. For example, a disclosure may be made for the purpose of preventing or controlling disease, injury or disability.

(iii) Communicable Diseases: We may disclose your protected health information, if authorized by law, to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition.

(iv) Health Oversight: We may disclose protected health information to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies seeking this information include government agencies t-rat oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.

(v) Abuse or Neglect: We may disclose your protected health information to a public health authority that is authorized by law to receive reports of child abuse or neglect. In addition, we may disclose your protected health information if we believe that you have been a victim of abuse, neglect or domestic violence to the governmental entity or agency authorized to receive such information. In this case, the disclosure will be made consistent with the requirements of applicable federal and state laws.

(vi) Legal Proceedings: We may disclose protected health information in the course of any judicial or administrative proceeding, in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized), or in certain conditions in response to a subpoena, discovery request or other lawful process.

(vii) Law Enforcement: We may also disclose protected health information, so long as applicable legal requirements are met, for law enforcement purposes, these law enforcement purposes include (1) legal processes and otherwise required by law, (2) limited information requests for identification and location purposes, (3) pertaining to victims of a crime, (4) suspicion that death has occurred as a result of criminal conduct, (5) in the event that a crime occurs on the premises of our practice, and (6) medical emergency (not on our premises) and it is likely that a crime has occurred.

(viii) Research: We may disclose your protected health information to researchers when their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your protected health information.

(ix) Criminal Activity: Consistent with applicable federal and state laws, we may disclose your protected health information, if we believe that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. We may also disclose protected health information if it is necessary for law enforcement authorities to identify or apprehend an individual.

(x) Military Activity and National Security: When the appropriate conditions apply, we may use or disclose protected health information of individuals who are Armed Forces personnel (1) for activities deemed necessary by appropriate military command authorities; (2) for the purpose of a determination by the Department of Veterans Affairs of your eligibility for benefits, or (3) to foreign military authority if you are a member of that foreign military services. We may also disclose your protected health information to authorized federal officials for conducting national security and intelligence activities, including for the provision of protective services to the President or others legally authorized.

(xi) Workers' Compensation: We may disclose your protected health information as authorized to comply with workers' compensation laws and other similar legally established programs.
5. Other Permitted and Required Uses of Disclosures That Require Providing You the Opportunity to Agree or Object
We may use and disclose your protected health information in the following instances. You have the opportunity to agree or object to the use or disclosure of all or part of your protected health information. If you are not present or able to agree or object to the use or disclosure of the protected health information, then we may, using professional judgment, determine whether the disclosure is in your best interest.

Others Involved in Your Health Care or Payment for our Care:

Unless you object, we may disclose to a member of your family, a relative, a close friend or any other person you identify, your protected health information that directly relates to that person's involvement in your health care. If you are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in your best interest based on our professional judgment. We may use or disclose protected health information to notify or assist in notifying a family member, personal representative or any other person that is responsible for your care of your location, general condition or death. Finally, we may use or disclose your protected health information to an authorized public or private entity to assist in disaster relief efforts and to coordinate uses and disclosures to family or other individuals involved in your health care.
6. Uses and Disclosures of Protected Health Information Based upon Your Written Authorization Other uses and disclosures of your protected health information will be made only with your written authorization, unless otherwise permitted or required by law as described below. You may revoke this authorization in writing at any time. If you revoke your authorization, we will no longer use or disclose your protected health information for the reasons covered by your written authorization. Please understand that we are unable to take back any disclosures already made with your authorization.
C. YOUR RIGHTS
Following is a statement of your rights with respect to your protected health information and a brief description of how you may exercise these rights
1. You have the right to inspect and copy your protected health information
This means you may inspect and obtain a copy of protected health information about you for so long as we maintain the protected health information. You may obtain your medical record that contains medical and billing records and any other records that we use for making decisions about you. As permitted by federal or state law, we may charge you a reasonable copy fee for a copy of your records.
2. You have the right to request a restriction of your protected health information
This means you may ask us not to use or disclose any part of your protected health information for the purposes of treatment, payment or health care operations. You may also request that any part of your protected health information not be disclosed to family members or friends who may be involved in your care or for notification purposes as described in this Notice of Privacy Practices. Your request must state the specific restriction requested and to whom you want the restriction to apply.

We are not required to agree to a restriction that you may request. If we agree to the requested restriction, we may not use or disclose your protected health information in violation of that restriction unless it is needed to provide emergency treatment. With this in mind, please discuss any restriction you wish to request with your health provider.

You may request a restriction by making your request in writing to our Privacy Officer. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure, or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.
3. You have the right to request to receive confidential communications from us by alternative means or at an alternative location
We will accommodate reasonable requests. We may also condition this accommodation by asking you for information as to how payment will be handled or specification of an alternative address or other method of contact. We will not request an explanation from you as to the basis for the request. Please make this request in writing to our Privacy Officer.
4. Your may have right to amend your protected health information
This means you may request an amendment of protected health information about you in a designated record set for so long as we maintain this information. In certain cases, we may deny your request for an amendment. If we deny your request for amendment, you have the right to file a statement of disagreement with us and we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal. Please contact our Privacy Officer if you have questions about amending your medical record.
5. You have the right to receive an accounting of certain disclosures we have made, if any, of your protected health information This right applies to disclosures for purposes other than treatment, payment or health care operations as described in this Notice of Privacy Practices. It excludes disclosures we may have made to you if you authorized us to make the disclosure, to family members or friends involved in your care, or for notification purposes, for national security or intelligence, to law enforcement (as provided in the privacy rule) or correctional facilities, as part of a limited data set disclosure. The right to receive this information is subject to certain exceptions, restrictions and limitations.
6. You have the right to obtain a paper copy of this notice from us
upon request, even if you have agreed to accept this notice electronically.
D. COMPLAINTS
You may complain to us or to the Secretary of Health and Human Services if you believe your privacy rights have been violated by us. You may file a complaint with us by notifying our Privacy Officer of your complaint. We will not retaliate against you for filing a complaint

You may contact our Privacy Officer at (704) 824-7800 for further information about the complaint process.

This notice was published and becomes effective on August l, 2011.