Data we collect, generate, store, and use
What data does Invitae collect?
We collect the information we need in order to provide a high-quality customer experience, including the information below.
Personal information, such as:
- Date of birth
- Billing & shipping addresses
- Payment information (such as insurance ID or credit card numbers)
- Contact information (such as email address or phone number)
- Protected health information
Protected health information, such as:
- Personal information (mentioned above)
- Medical history (when provided)
- Laboratory results
- Insurance information
- Other health information provided by you or your healthcare provider
Web behavior data, such as:
- Browser data
- Device information
- IP address
How we use and share it
What is identifiable data?
Identifiable data includes protected health information, such as information about your health status, any healthcare you have received, or payments for healthcare that can be linked back to you as an individual. This includes your test results, medical records, and payment history.
How does Invitae use identifiable data?
Invitae uses your identifiable data to produce genetic testing results and bill for our testing services. Please see the How we protect your information section below for details on how we keep your identifiable data secure.
Does Invitae share identifiable data outside of the company?
Invitae will never sell or lease/rent your identifiable data to any third party (including academic researchers) without your explicit consent. This applies to all data listed above under What data does Invitae collect? (including your email address and phone number). Even with your consent, Invitae limits the sharing of identifiable data outside of the company as much as possible.
That said, there are a few specific instances in which we do we share information with others in order to provide you with our services, including:
- The healthcare provider who ordered your test, and in some cases his or her office staff
- Your insurance company to obtain payment for your test (if you choose to bill insurance)
- A company that processes billing claims and payments (and is contractually obligated to protect your privacy and security)
- Legal guardians or personal representatives (if applicable)
In addition, there may be special circumstances where we need to disclose identifiable data as permitted under the US Health Insurance Portability and Accountability Act (HIPAA), including:
- To ensure compliance with rules of government health programs such as Medicare or Medicaid
- In response to a court order, subpoena or other lawful process
- In connection with public health activities, such as reporting diseases to authorized public health authorities
- As otherwise required by applicable law
Who we share it with
What is de-identified data?
De-identified data is information that cannot be reasonably linked to a specific individual. HIPAA provides a safe harbor method for the de-identification of protected health information, which includes the removal of the following 18 identifiers:
- Specific geographical identifiers
- Dates (other than year) directly related to an individual
- Phone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health insurance numbers
- Account number
- Certificate/license number
- Vehicle identifiers and serial numbers (e.g., license plate numbers)
- Device identifiers and serial numbers
- IP address
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
Invitae removes all of the identifiers listed above and takes further precautions around genetic information by ensuring any information shared includes:
- No more than 4 common genetic variants
- No more than 6 rare genetic variants
- No unique, large family relationship data
Once all of these identifiers are removed and precautions are taken, we believe that the de-identified data cannot reasonably be traced to you or used to identify you or your genetic information as an individual.
When does Invitae share de-identified data?
We share de-identified data in specific ways that help advance medical care and the clinical practice of genetics. For example, we share de-identified data about genetic variants we observe with a few carefully selected public databases to advance the understanding of genetic information. One such database is ClinVar, a centralized resource managed by the National Center for Biotechnology Information (NCBI) and the National Institutes of Health (NIH) that enables genetic testing laboratories to improve the practice of medicine by uncovering links between specific genetic variants and disease. ClinVar submissions include in which gene the variant was seen, variant description, classification of the variant (positive, negative, or uncertain), and explanation for why the variant was classified as it was. See an example ClinVar entry here.
Subject to applicable law, we may also share de-identified data through research collaborations with universities, hospitals, other laboratories, or companies (that, for example, are developing a treatment for a disease). For example, if a university research group is studying patients with variants in a specific gene, we may provide a list of the variants we’ve seen. The list might include the patients’ age range (in decade), gender, variant name, and how we classified the variant (positive, negative, or uncertain).
What are the benefits of sharing de-identified data?
Sharing de-identified genetic data is an essential component of the system by which laboratories assess and improve the quality of the genetic testing they provide. It can also significantly accelerate medical research for both individual patients and society as a whole.
In addition to patients owning and controlling their genetic data, Invitae also believes that genetic information is more valuable when shared. We encourage patients to choose to share their de-identified genetic variants with the medical and scientific community to help accelerate our understanding of genetic conditions, improve genetic testing, find new therapies, and eventually prevent disease.
Setting your data sharing preferences
How can someone tested at Invitae set their data sharing preferences?
The easiest way to set your data sharing preferences is by logging into the Preferences section of your Invitae portal account. For all Invitae testing excluding sponsored testing programs (see below), you may opt out of (or, in certain regions, including the European Union, opt in to) sharing certain de-identified data. If you cannot create an online account, you can also inform Invitae of your preferences in writing.
Opting out means that Invitae will no longer share your de-identified data in accordance with your preference settings. However, we cannot withdraw or reverse the sharing of any de-identified data that may have been disclosed prior to you opting out.
How can Patients Insights Network users change their preferences?
If you have chosen to share information through an Invitae Patients Insights Network (PIN), you can change your sharing preferences or ask to withdraw your information from the PIN in full at any time. Simply log in to your PIN account to update your preferences. De-identified information shared between the time that you initially agreed to share your information and when you update your preferences to no longer share data cannot be recalled.
Sponsored testing programs and clinical trials
What are sponsored testing programs?
Through sponsored testing programs, patients can elect to have a third party company (not their insurance company) pay for their testing at Invitae. In these programs, certain de-identified and other data are shared with program sponsors. Examples of information shared through these programs include the ordering clinician’s contact information, test ordered, variant name, and interpretation. No patient-identifiable information is shared with program sponsors.
Can patients tested through sponsored testing programs opt out of sharing their data?
Patients who choose to receive testing through sponsored testing programs or via a clinical trials may not opt out of sharing specific de-identified data, as defined by the program or trial. However, such patients can still set their data sharing preferences as described above; these preferences will apply to the sharing of data for purposes not related to the sponsored testing programs.
A list of available sponsored testing programs is available here.
Setting your contact preferences
How can someone tested at Invitae set their contact preferences?
We may contact you about other Invitae products and services we believe may be of interest to you. To request that we only send you notifications about specific topics, please update your settings within your Invitae portal account. To request that we send none of these notifications to you, either update the settings within your account or click on the unsubscribe link at the bottom of any Invitae email.
Your contact preferences have no bearing on receiving your test results; you may not opt out of non-promotional messages regarding your account or service-related emails.
How we protect the information of people who receive testing at Invitae
How does Invitae protect my information?
As a healthcare company, we are subject to and fully comply with the privacy and security requirements under HIPAA. We take great care to use technical, administrative and physical safeguards to secure your personal information and protect it against misuse, loss or alteration. Information that you provide through our websites is encrypted using industry-standard secure sockets layer (SSL) technology, with the exception of information you send via email. Your information is processed and stored on controlled servers with restricted access.
You play a vital role in protecting your information. Please refrain from emailing us any sensitive information. Please also be sure to choose a secure password when registering for an Invitae portal account and never reveal this password to any third-parties. Immediately notify us if you become aware of any unauthorized access to your account so we can disable it.