
As named by Congress, the “Genetic Information Non-Discrimination Act of 2008” (GINA) appears to be just one more employment law adding to the ever-expanding list of characteristics that cannot lawfully form the basis for an employment decision. However, the law’s name camouflages its true nature. GINA, in reality, is a privacy statute that strictly regulates employers’ collection, use, safeguarding and disclosure of “genetic information.” Moreover, two recently filed class action lawsuits demonstrate that many employers may be unwittingly violating GINA even if they conduct no genetic tests.

Critical to understanding GINA’s broad sweep beyond genetic tests is the statute’s definition of the term “genetic information.” That term includes not just genetic test results but also “the manifestation of a disease or disorder in a family member.” Notably, this definition is not limited to “genetic” diseases or disorders; any disease or disorder satisfies the definition of “genetic information.” Further expanding this definition’s scope, GINA defines “family member” to include (a) a dependent, whether born to the individual or adopted; (b) a relative to the fourth degree of the individual, and (c) a relative to the fourth degree of the individual’s dependents.

The practical upshot of this expansive definition is that, on a daily basis, millions of Americans post their genetic information on social media and share their genetic information with their healthcare providers. The Tweet, “Exhausted; spent last night in ER with Joey after asthma attack” reveals a dependent’s disorder (asthma) and, therefore, constitutes “genetic information.” A comment on a Civil War blog, “My great-great-grandfather died from gangrene after a bullet wound at Gettysburg” also reveals “genetic information.” As a third example, posting a joyful comment on Facebook after a cousin’s cancer goes into remission also discloses “genetic information.”

These posts share a common thread: They each reveal the poster’s family medical history (as defined by the Act), and family medical history is critical to medical diagnosis and treatment. Consequently, most first visits to a doctor are preceded by fifteen excruciating minutes reading an encyclopedic list of diseases and disorders associated with each body part and indicating whether any of them has afflicted the patient or the patient’s grandparents, parents, siblings or children.

It is this proliferation of genetic information, and requests for it, that make compliance with GINA’s most basic privacy protection potentially difficult for employers. Under GINA, it is unlawful for an employer to “request, require or purchase genetic information” of an employee or the employee’s family members.

In its first lawsuit enforcing GINA, filed in early May 2013, the Equal Employment Opportunity Commission (EEOC) relied on this prohibition when alleging that the defendant in that case, one of the world’s largest distributors of decorative fabrics, violated GINA. According to the complaint, as part of a pre-employment physical, the fabric distributor’s contract medical examiner required an applicant to complete a questionnaire asking whether she or her family members had suffered from any of a long list of disorders, i.e., family medical history. On the day that the agency filed the complaint, the EEOC also issued a press release announcing that it had settled the case for $50,000.

One week later, the EEOC filed its first class action complaint alleging GINA violations. In that case, which is pending, the EEOC alleges that a New York nursing home violated GINA because it “requests family medical history as part of a pre-employment, return-to-work and annual medical exams of its staff.” Following the EEOC’s lead, private plaintiffs filed a class-action lawsuit against an Illinois laboratory in June 2013, alleging that the lab violated GINA by requiring employees to complete “a medical questionnaire that included questions concerning family medical history.”

Notably, none of these lawsuits alleged that the employer used genetic information in violation of GINA’s anti-discrimination provisions. It was the mere alleged collection of family medical history, i.e., the privacy violation, that triggered the lawsuit.

These lawsuits are just one indicator that the enforcement environment is changing. In its Strategic Enforcement Plan for fiscal years 2012 to 2016, the EEOC identifies GINA as one of six areas where it will focus its enforcement efforts. In addition, the number of charges filed with the EEOC alleging violations of GINA, while still small, increased by nearly 50 percent between fiscal years 2010 and 2012.

While the recent lawsuits focus on the employer’s alleged direct request for family medical history, employers also can indirectly request family medical history in violation of GINA. Employers commonly ask employees to execute a HIPAA-compliant authorization to allow a healthcare provider to disclose their medical information, albeit not genetic information, to the employer. For example, an employer may request medical information to determine whether an employee is fit for duty, requires a requested accommodation, or poses a direct threat in the workplace. As noted above, many healthcare providers obtain family medical history for diagnosis and treatment. Consequently, an employer that asks an employee to sign an authorization permitting disclosure of the employee’s “medical file” or of all protected health information (PHI) for a given time period could inadvertently obtain the employee’s genetic information in the form of family medical history.

While GINA expressly excepts from its purview the situation where an “employer inadvertently requests or requires genetic information,” the EEOC’s regulations implementing GINA narrowly construe the exception as applied to requests for employees’ medical information. Under the applicable regulation, an employer that receives family medical history from an employee’s healthcare provider will generally be presumed to have asked for it in violation of GINA. An employer can avoid this presumption by tailoring the description in the HIPAA-compliant authorization of the PHI to be disclosed so that the authorization is “not likely to result in (the employer’s) obtaining genetic information.”

Alternatively, the employer can specifically direct the provider not to provide family medical history or other genetic information in response to the request. The EEOC’s regulations provide the following “safe harbor” language to avoid liability for unlawfully requesting genetic information from an employee’s healthcare provider:

The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits employers and other entities covered by GINA Title II from requesting or requiring genetic information of an individual or family member of the individual, except as specifically allowed by this law. To comply with this law, we are asking that you not provide any genetic information when responding to this request for medical information. ‘Genetic information’ as defined by GINA, includes an individual’s family medical history, the results of an individual’s or family member’s genetic tests, the fact that an individual or an individual’s family member sought or received genetic services, and genetic information of a fetus carried by an individual or an individual’s family member or an embryo lawfully held by an individual or family member receiving assistive reproductive services.

In other words, an employer can help minimize the risk of liability for requesting family medical history in violation of GINA by including the safe harbor language quoted above in the HIPAA-compliant authorization tendered to an employee when the employee’s medical information, but not the employee’s family medical history or other genetic information, is needed for an employment decision.

With employers increasingly turning to social media for recruiting and to investigate allegations of employee misconduct, the risk of collecting genetic information in the form of family medical history also has increased. Under the EEOC’s implementing regulations, an employer does not violate GINA if “it acquires genetic information from documents that are commercially and publicly available for review… including … information communicated through … the Internet.” In other words, an employer who happens on a publicly available social media post similar to the posts described above would not violate GINA. However, the implementing regulations also provide that this exception does not apply to “genetic information acquired through sources with limited access, such as social networking sites . . . which require permission to access through a specific individual.”

Under a literal reading of this exception, an employer who obtains access to posts disclosing family medical history on a Facebook page where the user has set his or her privacy settings to “friends only” apparently would violate GINA even if the user had friended the manager or co-worker who brings the family medical history to the employer’s attention. Whether that is how the law will eventually be interpreted by the courts is uncertain.

While a comprehensive discussion of GINA is beyond the scope of this article, the recent EEOC enforcement actions and private class-action filings as well as the increasing prevalence of personal social media in the workplace highlight the need for organizations to address, or revisit, their compliance with GINA. These efforts should include, at a minimum, the following:

  • Eliminate direct requests for family medical history (except in the narrow circumstances not discussed here where such requests are permitted);
  • Include the “safe harbor” language in any HIPAA authorization provided to a medical provider for release of an employee’s medical information;
  • Train recruiters and other employees who may access applicants’ or employees’ social media content not to record genetic information or rely on it for any employment decision.

While these steps should help mitigate the most significant risks arising from GINA, employers should conduct a comprehensive review of their compliance with this statute as the enforcement environment becomes less forgiving.

Written By

Philip Gordon

