Know your Rights Around Health Data Privacy


Evolving privacy regulations, changing legal interpretations, and security breaches make it hard to keep up with our rights and risks these days. People are looking for resources to help them cut through the technical jargon regarding personal health data protection. Many simply want to use the technology they have come to enjoy while keeping their health information safe and secure. 

What are health data rights?

To unpack these questions, it’s helpful to review where your health information was first accessed and what your rights are currently. When individuals in the United States consider their health information, they may be aware that the law regulates how healthcare providers (also known as “covered entities”) use their data. First passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) limits third-party access to personally identifying information stored within the healthcare system. 

Many people may not be aware that this information is used outside the healthcare system for research and other uses beyond medical care. Eighteen data types were established as protected health information (PHI) in the HIPAA Privacy Rule, finalized in 2000. PHI includes types of data such as names and addresses, but it also covers “any other characteristic that could uniquely identify the individual.” However, the HIPAA Privacy Rule only applies to healthcare settings. HIPAA does not protect the privacy of our data held by app providers, government bodies, biotech companies, and other entities that don’t provide healthcare services.

“Health discovery relies on health data. Luna advocates that the most reliable, representative health data comes directly from people. This is why, from Day 1, we’ve built privacy-by-design so that we can protect people and accelerate better health interventions.”

Scott Kahn, Chief Privacy and Information Officer

Since the passage of HIPAA, the amount of information that can be gathered about us has increased exponentially, and data science has advanced significantly. Remember, we just started using email in 1996! Today, computer science methods can combine non-identifying information—as few as two to three pieces of data—into very accurate assignments of a person’s identity. Put differently, the privacy protections that HIPAA gave us two decades ago were not designed with today’s information and science in mind. 

This simple observation has motivated some states and federal legislators to enact data privacy laws that focus on a set of rights for individuals, not institutions.

You have a right to data privacy

Today, as health and tech consumers, we have rights to data privacy. Modern laws define a person’s rights when it comes to data. They require companies, governments, and organizations to respect these rights when collecting and analyzing data about consumers. We can give permission, known legally as informed consent, for the use of our data, and we have a right to know who is using our data for what, such as a clearly defined public benefit.  

In general, these newer laws require that we be told the purpose for which our data is being collected, such as the kind of research being done. One example of these laws in practice is the cookie notification you see on practically every website you visit. You have the right to change your mind about sharing your data—also known as revoking consent—and the right to confirm that the company destroyed your data. 

We live in a time of astounding data creation. If we can use that data to advance causes that matter to us, we can change the quality and velocity of health interventions. 

At Luna, we appreciate the evolution of these consumer data privacy laws and have operated since Day One to exceed their requirements.

About Luna

Luna’s suite of tools and services connects communities with researchers to accelerate health discoveries. With participation from more than 180 countries and communities advancing causes including disease-specific, public health, environmental, and emerging interests, Luna empowers these collectives to gather a wide range of data — health records, lived experience, disease history, genomics, and more — for research.

Luna gives academia and industry everything they need, from engagement with study participants to data analysis across multiple modalities using a common data model. The platform is compliant with clinical regulatory requirements and international consumer data privacy laws.

By providing privacy-protected individuals a way to continually engage, Luna transforms the traditional patient-disconnected database into a dynamic, longitudinal discovery environment where researchers, industry, and community leaders can leverage a range of tools to surface insights and trends, study disease natural history and biomarkers, and enroll in clinical studies and trials.


Scott Kahn, Ph.D.

CHIEF INFORMATION + PRIVACY OFFICER

Scott is the former CIO and VP Commercial, Enterprise Informatics at Illumina. At Luna, he’s integrating data privacy and security provisions that keep member data safe, private, and secure.

The Evolution of Data Privacy: A Q&A with Bojil Velinov, Head of DevOps & Automation at Luna 


Bojil Velinov, Head of DevOps & Automation at Luna, talks about the evolution of data privacy and how Luna is addressing privacy and data security at the company.

From your perspective, how has the conversation on data privacy evolved, and how are you addressing it at Luna?

Data privacy is moving more and more into mainstream conversation, from breaches of social media sites and data leaks to ransomware attacks at medical institutions. Some of our utmost personal information is stored in these places, so it becomes very intimate when such information falls outside of our control. 


On the professional side, at the last Amazon Web Services annual re:Invent conference, the people I met with and the talks I attended combined my interests in healthcare, regulatory compliance, and data governance. The apparent perspective is that the industry is increasingly focusing on protecting the data subject, which is the technical term for whom the collected data is about. I want to see this topic continue to get more attention.

How are you addressing data privacy at Luna?

We address data privacy and security in multiple ways. We operate by embedding “privacy-by-design” as part of our core values, and we recognize that online privacy needs to be built upon a foundation of data security measures. 

For example, one best practice we have is conducting yearly penetration tests, a type of security test that ensures our application stack is well protected against some of the most common attacks on the internet. It’s one of the ways we work to secure our platform. 

We also assess the risk(s) for every software feature, such as a login button, entry for one’s username, file uploads, and such. As part of our development process, we ask ourselves: “How do we prevent this feature from being vulnerable to attack?” Implementing detection, prevention, and recovery pieces into each assessed feature is part of our development life-cycle. By exercising due diligence in our design, development, and release processes, we keep the application stack more secure–and ultimately guard privacy.

How do you operationalize privacy-by-design at Luna?

It’s good to think outside the box, such as what possible future attacks on the software could occur. For example, how do we architect a way to be resilient to future vulnerabilities? One way is to utilize continuous integration and deployment (CI & CD) coupled with monitoring tools, security brainstorming sessions and vulnerability scans. 

We’ve taken privacy and security into account very seriously, and from the inception of the platform, one approach we utilize, for example, is envelope encryption–it’s a way to encrypt something in multiple layers. You can envision this as putting a box within a box, but imagine if each was locked within each one, and they have separate keys to unlock them. 

Another approach we have taken is not storing the data in the same location. We keep data fragmented. This way, if one particular location is compromised, it doesn’t reveal the complete picture of what the data represents. 

People have become increasingly aware of the importance of data security and how it affects data privacy. The volume of personal data people generate on the internet pertains to their privacy and their ownership of that particular data. I think what we often try to do is put ourselves in the user’s perspective. People who contribute to the Luna platform see how their data is utilized and to some degree magnified. That starts with our language and how we talk about it; it goes through how we implement the guards of that data and finishes with the granular controls of the data we give to each individual. All this establishes trust and demonstrates transparency. 

Can you share more about the penetration test?

There are various ways of having a good posture from a security perspective. For example, how do we ensure our domain or company email is not used by a third party for spoofing? 

Pretend that a bad actor is phishing, for example. In phishing, a technique of fraudulently obtaining private information, email is the most common media. Nowadays there are some “geeky” mechanisms at our disposal, such as using specific signatures in the domain name system (DNS) records. Historically, DNS are the servers that help us find things on the internet. They are the ones knowing where you need to “land” when typing a website name in your browser’s address bar. Now, the same system is utilized to protect us from spam and phishing by allowing the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain. This is technically known as DomainKeys Identified Mail (DKIM).

Here’s how it works: You send an email from lunadna.com to a recipient using Gmail, for example. Upon receiving that email, the Gmail server checks for a setting in the lunadna.com domain system. It says, “I am receiving this from this particular email service/server, can you confirm the server is authorized to send emails on your behalf?” Simple, yet powerful. I highly recommend any engineer involved with their company’s email and DNS to set this up. 
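
The receiver-side DNS lookups this answer describes, as an added Go example (not Luna’s code): it parses a constructed DKIM-Signature header to find the selector record the receiver must fetch, checks that the signing domain aligns with the From: domain, and evaluates the domain’s SPF record to answer the “is this server authorized to send for you?” question. example.org, the selector mail, the placeholder key and the IP addresses are all constructed, and DNS answers come from an in-memory table so nothing goes over the network.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// dnsTXT stands in for DNS TXT answers so the example runs offline. The records
// are constructed for this example (not lunadna.com's); p= is a placeholder.
var dnsTXT = map[string]string{
	"mail._domainkey.example.org": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
	"example.org":                 "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
}

// parseTags splits the "tag=value; tag=value" syntax shared by the
// DKIM-Signature header and the DKIM key record.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return tags
}

// DKIMKeyName returns the signing domain (d=) and the DNS name the receiver
// must query for the public key: <selector>._domainkey.<signing domain>.
func DKIMKeyName(sigHeader string) (domain, name string, err error) {
	tags := parseTags(sigHeader)
	if tags["d"] == "" || tags["s"] == "" {
		return "", "", fmt.Errorf("DKIM-Signature missing d= or s= tag")
	}
	return tags["d"], tags["s"] + "._domainkey." + tags["d"], nil
}

// DKIMKeyPublished reports whether the selector record exists and carries a
// key. v= defaults to DKIM1 when absent; an empty p= means the key was revoked.
func DKIMKeyPublished(name string) bool {
	rec, ok := dnsTXT[name]
	if !ok { return false }
	t := parseTags(rec)
	return (t["v"] == "" || t["v"] == "DKIM1") && t["p"] != ""
}

// Aligned reports whether the signing domain is the From: domain or a parent
// of it. A valid signature from an unrelated domain says nothing about the
// sender the reader sees, so receivers check alignment, not just validity.
func Aligned(fromHeader, signingDomain string) bool {
	at := strings.LastIndex(fromHeader, "@")
	if at < 0 { return false }
	from := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(fromHeader[at+1:]), ">"))
	sd := strings.ToLower(signingDomain)
	return from == sd || strings.HasSuffix(from, "."+sd)
}

// SPFAuthorizes answers "is this connecting server allowed to send for the
// domain?" from the v=spf1 record. Only ip4 and "all" are handled here.
func SPFAuthorizes(record string, ip net.IP) (bool, error) {
	fields := strings.Fields(record)
	if len(fields) == 0 || fields[0] != "v=spf1" {
		return false, fmt.Errorf("not an SPF record: %q", record)
	}
	for _, m := range fields[1:] {
		switch {
		case strings.HasPrefix(m, "ip4:"):
			cidr := strings.TrimPrefix(m, "ip4:")
			if !strings.Contains(cidr, "/") { cidr += "/32" } // bare address = one host
			_, n, err := net.ParseCIDR(cidr)
			if err != nil { return false, err }
			if n.Contains(ip) { return true, nil }
		case m == "-all" || m == "~all":
			return false, nil // hard or soft fail: not authorized
		case m == "+all" || m == "all":
			return true, nil // authorizes every host: a misconfiguration to flag
		}
	}
	return false, nil // no match and no "all" terminator: treated as not authorized here
}

func main() {
	sig := "v=1; a=rsa-sha256; d=example.org; s=mail; h=from:to:subject; bh=...; b=..."
	d, name, _ := DKIMKeyName(sig)
	fmt.Println("query:", name, "published:", DKIMKeyPublished(name), "aligned:", Aligned("Alice <alice@example.org>", d))
	ok, _ := SPFAuthorizes(dnsTXT["example.org"], net.ParseIP("203.0.113.10"))
	fmt.Println("203.0.113.10 authorized:", ok)
}
```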

Many sites today use multi-factor authentication. What are the concepts here?

The concepts are evolving in multi-factor authentication. The tools around them are evolving. At Luna, we try to balance the impact of “extra steps” the member must take and their overall sign-in experience. At the same time, be upfront in explaining why we are putting such controls in place. In short, it’s because we really care for your data security, and we want to ensure that the person entering the platform is indeed you.

Take, for example, the case of ransomware attacks. The breaches in most of these security incidents, at various companies or individual accounts, happen because the password was compromised. That’s really the weakest link in the chain. It’s best not to reuse your passwords! Try using password manager technology to be most data safe. If one of your accounts gets compromised, bad actors can try it on other sites. If you did not reuse your password, you’d be less vulnerable. If you did, then you are out of luck.

Multi-factor authentication, in some cases referred to as 2FA, can be leveraged in different ways, such as using email verification, text message, etc. It’s that additional control you put in place that, to some degree, provides another layer of protection. It also has its vulnerabilities, though. 

A practical way to think about multi-factor authentication is to balance the work required for authenticating the user to keep the bad guys out while keeping the process user-friendly. You don’t want to annoy your new participants with a slew of controls before they can see the benefit of your application. A little friction goes a long way, and it’s certainly better than the pain associated with sensitive data loss. 

The Role of Cybersecurity in the Management of Data Privacy


The focus on data privacy from the general public has surged over the past few years. A large cohort of individuals with little to no experience in informatics now needs to understand the digital environment at a level of detail beyond their expertise or experience.

The intersection between privacy and the much more common issues concerning data security and data breaches has resulted in a digital environment where few can make confident and informed decisions. As a result, most individuals conflate data security with the privacy policies in place.

The differences between data security and data privacy

Data security features are measures that allow an individual or an organization to exert control over a digital asset. Security is typically implemented in overlapping layers to minimize the likelihood that control or access to a digital asset will be lost. End users most obviously experience security through password-mediated access control, possibly with a second level of identity verification such as a code sent to a mobile phone via text for identity confirmation. There are also many security safeguards put in place at the infrastructure level to avoid unauthorized access by programmatic “hacking.” Collectively, all these cybersecurity features provide a foundation for control of a digital asset.

In contrast, data privacy is a set of policies layered on top of controlled digital assets. Data privacy can be expressed as a set of rights guaranteed to an individual to access, correct, share, un-share, restrict, transport, and delete their digital assets. Data privacy equally requires a level of transparency around the processing or use of data so the individual can exercise those rights in an informed manner. Absent data security measures to exert control, data privacy policies cannot be implemented.

Data privacy policies need to persist over the lifetime of a digital asset whereas data security features are temporal. Once access is given by satisfying all security safeguards, all control of the data asset by the owner is lost. Data privacy rights require a persistent environment that provides data security to prevent external access while allowing agreed use of the data asset for approved purposes. 


Playing in the sandbox

Securely isolated environments called “sandboxes” support independence between the individuals (i.e. data users) gaining access to digital assets in the sandbox and the inclusion of digital assets in the sandbox by the data owners. This effectively maintains a level of control over the data asset by the data owner even as the asset is being used or processed within the sandbox by the data users.

There are many new data privacy policies being enacted into law around the world that, to a greater or lesser extent, confer data rights to data owners. The European Union has enacted the General Data Protection Regulation (GDPR), which serves as an exemplar for many countries outside of the EU and for several states within the U.S. But regardless of the data privacy policies in place, all privacy controls are built upon a cybersecurity foundation of data security measures that support control of data assets within a digital environment.

The interplay between security control and an implemented set of privacy policies takes center stage within the Luna platform. 

Security controls are reviewed via SOC 2 protocols that are documented and audited on a regular basis. Data privacy policies are reviewed regularly and assessed with regard to the data rights conferred to individuals and to the potential risks to these individuals incurred by sharing their data. 

Data privacy impact assessments (DPIAs) are performed for the Luna platform and for the sandboxes employed by researchers. It’s noteworthy that within the Luna platform the full spectrum of research inquiry is supported while simultaneously supporting the data privacy rights of all individuals willing to share their health data to advance medical science.

Genetic Privacy During the COVID-19 Pandemic


The profile of genetic testing–and the resulting genetic data–has been elevated in public discussions. One reason is the COVID-19 pandemic; another is an increasing focus on data privacy and the growing belief that individuals should have control of their data.

While concerns exist with the collection of consumer transactional data by Big Tech, considerations of one’s uniquely identifying genetic data–and the privacy controls applied to it–have become more focused. Unlike consumer data that can be expunged and obfuscated, genetic data describes an individual through their entire life. The impact of a data breach with genetic data can have consequences that cannot be undone.

Privacy concerns: consumer data versus genetic data

It is commonplace to securely encrypt data while it’s being stored and even to use technologies like homomorphic encryption to control access to genetic information for research purposes. Such techniques have been used to propagate the most common mode of data use in which it is downloaded onto a researcher’s computation environment. Each download of data is a separate copy that carries with it the liability that the information could be shared or hacked and used for purposes other than it was provided for under informed consent.

An alternative solution, and one that is inherently compatible with modern data privacy frameworks such as the European Union’s General Data Protection Regulation (GDPR), is to not make copies of data. Instead, the use of a computational environment, also known as a sandbox, that can access the data may be provided to each research team to perform analyses. The advent of powerful and readily available cloud-based information services has made this latter solution viable.

It is also important to consider that not all genetic information carries a high potential risk to the individual. DNA data on a person’s cancerous mutations is different from the individual’s germline DNA and cannot be used to re-identify the individual. Similarly, the data on a particular variant of a virus, such as SARS-CoV-2, cannot be directly traced back to the individual from whom the sample was collected. In both cases, the genetic information is distinct from the individual and does not carry a risk to the person from whom it was collected.


Weighing risks for different types of data

The risks posed by different types of genetic information differ for individuals, institutions, and governments. Whereas individuals may not be at risk of re-identification from pandemic-related DNA data, institutions and moreover governments might experience negative consequences upon disclosure of a novel variant, as was seen with South Africa’s disclosure of the omicron variant.

While all public health efforts were bolstered through knowledge of omicron’s existence, the economic consequences felt by South Africa through the travel restrictions and related actions were a far cry from an expression of gratitude by the rest of the world.

Data Privacy and Health Equity


There is consensus that 2022 will be a busy year for data privacy experts. Many will need to quickly understand and implement the growing list of privacy legislation at the state level—and that is absent any sweeping federal legislation needed to update the country’s antiquated view of data privacy and data governance.

While states such as California are leading the charge in the United States, it is important to recognize that the expression of data privacy as a fundamental human right was first thoroughly expressed by the European Union’s landmark General Data Protection Regulation (GDPR), which became law in May 2018. Indeed, even when California took steps to address the importance of a person’s right to control the use of data collected on themselves via the California Consumer Privacy Act, a second legislative action was already taking place in the California Data Protection Regulation (CDPR). This further aligns the expression of one’s data sovereignty with the ideal outlined in GDPR.

In 2021, Virginia and Colorado enacted data privacy protections for their citizens, and privacy experts are anticipating even more state-led legislation this year.

What Data Privacy Means to Luna

From the company’s founding in 2017 and the creation of the Luna platform, we believed a tectonic shift in data privacy was about to take place—one that reassigns the control of data from institutions and governments back to individuals. GDPR had yet to be enacted then, but we believed that its tenets would redefine data privacy in ways that could positively address some of the most vexing challenges in human health research.

The history of data misuse in health research is still fresh and remains a top concern for research engagement for some populations. Frequently cited examples include the Tuskegee Study, the appropriation of Henrietta Lacks’s tumor cells, and misleading the Havasupai Tribe on how their DNA samples would be used in specific research.

These examples have contributed to the hesitancy of non-European-descended (non-“white”) Americans to participate in health research. More recently, fears around the collection of individuals’ data who may lack formal immigration status in the United States have continued to widen the gap between white and non-white Americans who volunteer to participate in health research through clinical trials and other studies. This has resulted in treatments and policies focused on a single ethnic group. It has also held non-European-descended communities further behind in access to healthcare tools.

The thesis at Luna was to design and implement a platform that embraced an individual’s right to control their health data. Luna was founded on the commitment to use health data in studies that enable broader and deeper participation in health research by all ethnic groups, using all medically relevant attributes. Doing so permits data aggregation at the level required to find research solutions that can be clinically validated for all people and for all ethnicities.

Modern Data Privacy Regulations


Fast forward to 2022. Legal tech experts are now opining on the challenges posed by state-led privacy legislation motivated by the increasingly prevailing view that data privacy should be a human right. These experts forewarn that the only way to harmonize data in such a regulatory quagmire will be to follow the strictest version of privacy protections for individuals. They point to GDPR as a viable true north.

At Luna, our experience has shown that this approach works exceptionally well for communities seeking novel health treatments for rare diseases and for communities seeking to understand a shared lived experience. It also provides opportunities for commercial pharmaceutical partners that seek to responsibly engage with patients and their support communities by managing each participant’s health data and returning these data once the study has concluded.

As these examples become more extensive and well-known, it is reasonable to assert that the enablement of inclusive and participatory health research will be recognized as a result of modern data privacy regulation rather than the current misbelief that individual data privacy will impede needed health research.
