
As named by Congress, the “Genetic Information Non-Discrimination Act of 2008” (GINA) appears to be just one more employment law adding to the ever-expanding list of characteristics that cannot lawfully form the basis for an employment decision. However, the law’s name camouflages its true nature. GINA, in reality, is a privacy statute that strictly regulates employers’ collection, use, safeguarding and disclosure of “genetic information.” Moreover, two recently filed class action lawsuits demonstrate that many employers may be unwittingly violating GINA even if they conduct no genetic tests.

Critical to understanding GINA’s broad sweep beyond genetic tests is the statute’s definition of the term “genetic information.” That term includes not just genetic test results but also “the manifestation of a disease or disorder in a family member.” Notably, this definition is not limited to “genetic” diseases or disorders; any disease or disorder satisfies the definition of “genetic information.” Further expanding this definition’s scope, GINA defines “family member” to include (a) a dependent, whether born to the individual or adopted; (b) a relative to the fourth degree of the individual; and (c) a relative to the fourth degree of the individual’s dependents.

The practical upshot of this expansive definition is that, on a daily basis, millions of Americans post their genetic information on social media and share their genetic information with their healthcare providers. The Tweet, “Exhausted; spent last night in ER with Joey after asthma attack” reveals a dependent’s disorder (asthma) and, therefore, constitutes “genetic information.” A comment on a Civil War blog, “My great-great-grandfather died from gangrene after a bullet wound at Gettysburg” also reveals “genetic information.” As a third example, posting a joyful comment on Facebook after a cousin’s cancer goes into remission also discloses “genetic information.”

These posts share a common thread: They each reveal the poster’s family medical history (as defined by the Act), and family medical history is critical to medical diagnosis and treatment. Consequently, most first visits to a doctor are preceded by fifteen excruciating minutes reading an encyclopedic list of diseases and disorders associated with each body part and indicating whether any of them has afflicted the patient or the patient’s grandparents, parents, siblings or children.

It is this proliferation of genetic information, and requests for it, that make compliance with GINA’s most basic privacy protection potentially difficult for employers. Under GINA, it is unlawful for an employer to “request, require or purchase genetic information” of an employee or the employee’s family members.

In its first lawsuit enforcing GINA, filed in early May 2013, the Equal Employment Opportunity Commission (EEOC) relied on this prohibition when alleging that the defendant in that case, one of the world’s largest distributors of decorative fabrics, violated GINA. According to the complaint, as part of a pre-employment physical, the fabric distributor’s contract medical examiner required an applicant to complete a questionnaire asking whether she or her family members had suffered from any of a long list of disorders, i.e., family medical history. On the day that the agency filed the complaint, the EEOC also issued a press release announcing that it had settled the case for $50,000.

One week later, the EEOC filed its first class action complaint alleging GINA violations. In that case, which is pending, the EEOC alleges that a New York nursing home violated GINA because it “requests family medical history as part of a pre-employment, return-to-work and annual medical exams of its staff.” Following the EEOC’s lead, private plaintiffs filed a class-action lawsuit against an Illinois laboratory in June 2013, alleging that the lab violated GINA by requiring employees to complete “a medical questionnaire that included questions concerning family medical history.”

Notably, none of these lawsuits alleged that the employer used genetic information in violation of GINA’s anti-discrimination provisions. It was the mere alleged collection of family medical history, i.e., the privacy violation, that triggered the lawsuit.

These lawsuits are just one indicator that the enforcement environment is changing. In its Strategic Enforcement Plan for fiscal years 2012 to 2016, the EEOC identifies GINA as one of six areas where it will focus its enforcement efforts. In addition, the number of charges filed with the EEOC alleging violations of GINA, while still small, increased by nearly 50 percent between fiscal years 2010 and 2012.

While the recent lawsuits focus on the employer’s alleged direct request for family medical history, employers also can indirectly request family medical history in violation of GINA. Employers commonly ask employees to execute a HIPAA-compliant authorization to allow a healthcare provider to disclose their medical information, albeit not genetic information, to the employer. For example, an employer may request medical information to determine whether an employee is fit for duty, requires a requested accommodation, or poses a direct threat in the workplace. As noted above, many healthcare providers obtain family medical history for diagnosis and treatment. Consequently, an employer that asks an employee to sign an authorization permitting disclosure of the employee’s “medical file” or of all protected health information (PHI) for a given time period could inadvertently obtain the employee’s genetic information in the form of family medical history.

While GINA expressly excepts from its purview the situation where an “employer inadvertently requests or requires genetic information,” the EEOC’s regulations implementing GINA narrowly construe the exception as applied to requests for employees’ medical information. Under the applicable regulation, an employer that receives family medical history from an employee’s healthcare provider will generally be presumed to have asked for it in violation of GINA. An employer can avoid this presumption by tailoring the description in the HIPAA-compliant authorization of the PHI to be disclosed so that the authorization is “not likely to result in (the employer’s) obtaining genetic information.”

Alternatively, the employer can specifically direct the provider not to provide family medical history or other genetic information in response to the request. The EEOC’s regulations provide the following “safe harbor” language to avoid liability for unlawfully requesting genetic information from an employee’s healthcare provider:

The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits employers and other entities covered by GINA Title II from requesting or requiring genetic information of an individual or family member of the individual, except as specifically allowed by this law. To comply with this law, we are asking that you not provide any genetic information when responding to this request for medical information. ‘Genetic information’ as defined by GINA, includes an individual’s family medical history, the results of an individual’s or family member’s genetic tests, the fact that an individual or an individual’s family member sought or received genetic services, and genetic information of a fetus carried by an individual or an individual’s family member or an embryo lawfully held by an individual or family member receiving assistive reproductive services.

In other words, an employer can help minimize the risk of liability for requesting family medical history in violation of GINA by including the safe harbor language quoted above in the HIPAA-compliant authorization tendered to an employee when the employee’s medical information, but not the employee’s family medical history or other genetic information, is needed for an employment decision.

With employers increasingly turning to social media for recruiting and to investigate allegations of employee misconduct, the risk of collecting genetic information in the form of family medical history also has increased. Under the EEOC’s implementing regulations, an employer does not violate GINA if “it acquires genetic information from documents that are commercially and publicly available for review… including … information communicated through … the Internet.” In other words, an employer who happens on a publicly available social media post similar to the posts described above would not violate GINA. However, the implementing regulations also provide that this exception does not apply to “genetic information acquired through sources with limited access, such as social networking sites . . . which require permission to access through a specific individual.”

Under a literal reading of this exception, an employer who obtains access to posts disclosing family medical history on a Facebook page where the user has set his or her privacy settings to “friends only” apparently would violate GINA even if the user had friended the manager or co-worker who brings the family medical history to the employer’s attention. Whether that is how the law will eventually be interpreted by the courts is uncertain.

While a comprehensive discussion of GINA is beyond the scope of this article, the recent EEOC enforcement actions and private class-action filings as well as the increasing prevalence of personal social media in the workplace highlight the need for organizations to address, or revisit, their compliance with GINA. These efforts should include, at a minimum, the following:

  • Eliminate direct requests for family medical history (except in the narrow circumstances not discussed here where such requests are permitted);
  • Include the “safe harbor” language in any HIPAA authorization provided to a medical provider for release of an employee’s medical information;
  • Train recruiters and other employees who may access applicants’ or employees’ social media content not to record genetic information or rely on it for any employment decision.

While these steps should help mitigate the most significant risks arising from GINA, employers should conduct a comprehensive review of their compliance with this statute as the enforcement environment becomes less forgiving.

Written By

Philip Gordon
