This is a rapidly shifting legal space. The below page has not been updated since 2015. We are working to update this content, but for now, please be aware that this information may not be current. When exploring medical privacy issues, it's very useful to have an overview of the laws that affect control and privacy of medical information. We encourage you to read our legal overview.

GINA, HIPAA, and genetic information privacy

Genetics is the new frontier of medicine and genomic data is the raw material of some of the most advanced medical research now underway. Genetic testing is the current paradigm for diagnosis and treatment of many diseases. It’s likely that within 10 years genetic tests for disease markers—such as presymptomatic testing for the risk of developing adult-onset cancers, Alzheimer's, or chronic diseases—and possibly even whole-genome sequencing will be as routine as urinalysis is now. And the greater availability of population-wide genetic information is happening alongside its digitization in a given individual's electronic health record (EHR).

Genetic data can be obtained from cells we routinely shed, is easily shared, and is in high demand for cutting-edge medical research. Genetic data might be used to develop cures for cancer, paranoid schizophrenia, common tooth decay, and far more—multifarious areas of research that can seem irresistibly compelling. So what can protect the privacy of genetic data in such a world?

Not much, actually. Some laws limit how the information can be used, but none truly protects privacy. And that may not even be possible, because genetic information is unique to every individual. It cannot be de-identified; even if separated from obvious identifiers like name and Social Security number, it is still forever linked to only one person in the world. The de-identification “checklist safe harbor” from the Health
insurance Portability and Accountability Act (HIPAA) doesn’t include genetic information.

Genetic nondiscrimination laws

The federal laws that deal with genetic information are GINA (the Genetic Information Nondiscrimination Act of 2008) and, more recently, HIPAA. GINA is essentially an anti-discrimination law that has nothing to do with privacy. It prevents group health and Medicare supplemental plans—but not life, disability, or long-term care plans—from using genetic information to discriminate against you when it comes to insurance.

Title II of GINA prohibits the use of genetic information to discriminate in employment decisions, such as hiring, firing, and promoting. It also restricts employers from asking for or buying genetic information. GINA does not apply, however, unless the employer has more than 15 employees. An Executive Order that accompanies GINA prohibits federal government agencies from obtaining genetic information from employees or job applicants and from using it in hiring and promotion decisions.

The federal Equal Employment Opportunity Commission (EEOC) investigates and enforces GINA claims. One EEOC lawsuit filed in 2013 alleged that a company violated GINA by requesting and requiring job applicants to indicate whether or not they had a family medical history for a variety of diseases and disorders as part of its post-offer, pre-employment medical examination; it was settled for $50,000. A week later the EEOC filed a similar lawsuit against the Founders Pavillion nursing and rehab center in Corning, NY. As of late July 2013, the EEOC "is sifting through about 170 claims filed by workers, applicants and former employees who say companies unlawfully asked for genetic information or used it to discriminate."

In 2013, the HIPAA Omnibus Rule amended HIPAA regulations to include genetic information in the definition of Protected Health Information (PHI). It also prevents use of the data in underwriting for all other types of health insurance plans, but still not for life, disability, or long-term care insurance. Excluding long-term care insurance guarantees that anyone with a tested genetic predisposition to Alzheimer’s, for example, will be uninsurable. According to the definition, genetic information includes your genetic tests and a family member’s, your or a family member’s fetus or embryo, and evidence of a disease in a family member. It does not include your age or gender.

California’s broader genetic anti-discrimination law, known as CalGINA, not only prohibits genetic discrimination in employment (GINA’s scope), but also in housing, provision of emergency services, education, mortgage lending and elections. CalGINA amends the Unruh Civil Rights Act to add genetic information to the list of Californians’ civil rights that entitle them "to full and equal accommodations, advantages, facilities, privileges, or services in all business establishments of every kind whatsoever." The Government Code contains the employment and other membership provisions of the FEHA. Other sections can be found on the California Department of Fair Employment and Housing website.

One problem with GINA that the Omnibus Rule perpetuates—and CalGINA does not address either—is that GINA is based on a genetics framework that is more than 20 years old. GINA only prohibits discrimination based on genetic information about someone who has not yet been diagnosed1 with a disease; that is, the disease is not yet "manifest." Today there are many tests for genetic markers that may—or may not—be precursors of a disease and also may mean that you could benefit from preventive treatment. If the presence of genetic markers is considered a “manifestation” of a disease, then neither GINA nor HIPAA applies to the information.

Protecting genetic information privacy

With genetic data—or any personal health information (PHI)—it’s important to remember that HIPAA only applies to an organization if it is either a "covered entity" or the business associate (BA) of one. Many non-covered entities collect genetic information, such as online genetic testing companies like 23andMe and genealogy websites like Ancestry.com. At the moment, such businesses are only self-regulated, although the federal Food and Drug Administration (FDA) recently told 23andMe that its over-the-counter saliva collection kit and Personal Genome Service (PGS) was being marketed in violation of the Federal Food, Drug and Cosmetic Act. As the FDA put it: "if the BRCA-related risk assessment for breast or ovarian cancer reports a false positive, it could lead a patient to undergo prophylactic surgery, chemoprevention, intensive screening, or other morbidity-inducing actions, while a false negative could result in a failure to recognize an actual risk that may exist."

Obviously, existing laws that deal with genetic information fall short in many ways. One corrective approach to the limits of GINA and HIPAA—and not only where genetic information is concerned—would be to apply protections to the data itself, rather than making them dependent on who has the data. This dispenses with the patchwork created by "covered entities."

Some major unaddressed issues concerning genetic information privacy

As accessing and recording genetic information progresses, it raises some serious issues.

Employment and eligibility

A recurring issue in medical privacy is lawful uses of information based on overly broad compelled authorizations, such as in states where individuals must sign a release for substantially all of their health records as a condition of employment or when applying for life insurance or government benefits.2 In the context of widespread use of EHRs—interoperable, comprehensive, lifetime individual health records that vastly increase the amount of data that can be disclosed—these kinds of releases create significant privacy risks for all health information, including genetic information.

Newborn screening

Newborn screening is another problem that arises with EHRs and genetic data. Tests done at birth vary from state to state, but all states must screen for at least 21 disorders by law, and some states test for 30 or more.3 Currently, tests are limited to conditions for which childhood medical intervention is possible and may be beneficial.

What if that practice changes to include—or mandate—tests for adult-onset disorders that cannot be treated in childhood—or for which there is no known treatment, such as ALS, Huntington’s disease, or Alzheimer’s? The privacy implications of starting a lifetime EHR that includes information about genetic diseases are enormous, and become even greater if the record comes to include evidence of a genetic propensity toward future, as yet incurable, diseases (not to mention the emotional impact on those designated at birth to succumb to a tragic and incurable disease). A great deal of thoughtful analysis and decisionmaking is required to protect this data—and the individuals connected to it—from exposure, while at the same time not excluding this data from important research.

Law enforcement

There is the growing practice, at all levels of law enforcement, of collecting genetic data from suspects when they are arrested and storing the information in a database for later reference. The Supreme Court held in Maryland v. King that such DNA collection, while subject to the Fourth Amendment (“using a buccal swab on the inner tissues of a person’s cheek in order to obtain DNA samples is a search”), does not require a warrant: when there is already probable cause for a valid arrest for a serious offense, collecting a DNA sample is analogous to taking fingerprints or a photo. (See EFF’s blog posts on Maryland v. King.)

The Ninth Circuit Court of Appeals, en banc, recently upheld a controversial California law that requires people who are arrested for a felony to provide DNA samples that will be stored in a criminal database accessible to local, state, national, and international law enforcement agencies. The requirement is not limited to serious or violent offenses. The plaintiff in the case, Haskell v. Harris, was arrested for protesting the Iraq war, but was never charged or convicted. The Court compared the California law to the Maryland law upheld by the Supreme Court and found no difference and no Fourth Amendment violation.

The United States has the world’s largest database of DNA profiles. As of November 2013, the FBI’s National DNA Index (NDIS) contains over 12 million profiles, and it is still growing. These are primarily from criminals and criminal suspects, but the database also includes parolees, probationers, and people who were simply arrested.4 It is bound to grow as more states expand the categories of people compelled to give DNA samples for law enforcement.5 Law enforcement is also known to collect DNA surreptitiously from suspects’ cigarette butts and coffee cups.

Responding to the difficulty in making an exact DNA match from crime scene evidence, in 2008 California became the first state to authorize “familial” or “kinship” matches, which are by design less precise.

Another area of concern in law enforcement DNA collection is the current trend for predictive modeling or behavioral genomics. It raises questions about the potential use of DNA databases to reveal the genetic tendencies of individuals toward certain types of criminal behavior, like violence. Could this lead to practices like preventive detention or protective custody of individuals believed to have a genetic disposition toward crime or anti-social behavior?

Consent for Disclosure

Finally, there is a complex ethical issue around the consent for disclosure of genetic information or biospecimens that contain DNA, for research purposes and otherwise. We’re used to thinking of consent as individual, which makes sense when the health information is mainly about that person. Genetic information is different: analysis of an individual’s DNA is highly informative about his or her offspring, siblings, and parents. The Supreme Court of Iceland, for instance, found in 2003 that a woman had a right to opt out of her father’s genetic information being retained in Iceland’s national DNA database. Genetic information also bears on demographic categorization, as many genetic predispositions toward specific diseases or conditions are strongly associated with specific ethnic or racial groups.6 Is individual consent appropriate when DNA analysis can reveal significant information about other people—as we now see for familial DNA searches?

Resources

For a critique of existing genetic information non-discrimination laws, see “Are Genetic Discrimination Laws Up to the Task?,” an interview with Mark Rothstein in Medscape Today. Rothstein holds the Herbert F. Boehl Chair of Law and Medicine and is the Founding Director of theInstitute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine.

  • 1. See the National Coalition for Health Professional Education in Genetic (NCHPEG) GINA information website for what GINA does and does not cover. NCHPEG was established in 1996 by the American Medical Association, the American Nurses Association, and the National Human Genome Research Institute to educate health professionals about human genetics.
  • 2. Circumstances that require individuals to authorize the release of their medical records is a complex subject, with many variations. Keep in mind that under current HIPAA regulations, medical information includes genetic information.
    - Employment: In California, CalGINA adds "genetic information" to the Fair Housing and Employment Act (FEHA) as a prohibited basis for discrimination in employment.
    - Life insurance: The federal GINA does not protect against discrimination in life insurance underwriting based on genetic information. (See the National Human Genome Research Institute’s GINA Fact Sheet, especially the section “What’s not included?”) Life insurers require you to release your medical records when you apply. CalGINA does, however, prevent discriminatory use of genetic information in denying life insurance coverage and setting premiums.
    -Government benefits: Existing laws already prohibit discrimination against individuals by programs or activities administered or funded by the State of California or a state agency. CalGINA amends Gov’t Code § 11135 to prohibit such discrimination based on genetic information.

  • 3. The National Newborn Screening and Global Resource Center (NNSGRC) provides links to each state’s screening requirements, along with other information and resources concerning newborn screening.
  • 4. See state-by-state numerical tally of DNA profiles by the type of offender.
  • 5. See EFF’s amicus brief in Haskell v. Harris, concerning warrantless collection of a DNA sample from an arrestee at the time of booking.
  • 6. See the American Indian and Alaska Native Resource Center's article on the Havasupai Tribe and the lawsuit settlement aftermath. The lawsuit arose from university researchers’ use of DNA samples intended for diabetes research for unconsented follow-on research in areas as unrelated as "schizophrenia, migration, and inbreeding, all of which are taboo topics for the Havasupai."
Help defend your right to privacy.
Help defend your right to privacy. DONATE TO EFF