American Journal of Law & Medicine

Genetics and privacy.


The science of genetics holds great promise. Ideally, the more scientists learn about the human genome and the functions of specific genes, the better they will understand what causes disease, what can prevent disease and what can cure it. (1) But the hoped-for advances in medicine that genetics may bring about will never happen if people are afraid to provide their DNA and work with scientists and doctors on the necessary research. From a privacy perspective, two things are clear: 1) people are afraid of genetic testing and 2) genetic information has been used to hurt people, rather than to help them.

Unfortunately, Americans cannot be assured that their DNA will not be taken or used against their will or without their knowledge. The United States has no coherent policy for whether, when or how genetic testing should be encouraged, facilitated, discouraged or prohibited. Instead, we have policies and practices that impact some people, in some places, under some circumstances. This kind of weak patchwork leaves gaping holes.

Why are the concerns about inappropriate uses and disclosures of genetic information so intense? Genetic information, which is a subset of medical information, is particularly sensitive because it reveals unique and immutable attributes. Those attributes are not just personal, but shared by family members as well. This information has the potential to give us, and others, a frightening, or reassuring, glimpse into the future.

Part II of this Article argues that the concept of genetic "privacy" encompasses genetic "nondiscrimination" and that public policies designed to protect against genetic discrimination should be thought of as part of the larger effort to protect the privacy of genetic information. Part III of this Article discusses how major federal laws protect the privacy of genetic information. This section focuses on the new medical privacy regulation issued by the U.S. Department of Health and Human Services (DHHS) in December 2000 (2) and other aspects of the Health Insurance Portability and Accountability Act (HIPAA). (3) It also includes a discussion of private employer access to genetic information. Part IV addresses bills pending in Congress that build on existing federal protections and add significant privacy protections for genetic information. Part V looks at the largely unregulated new frontier of the Internet to which millions of Americans are turning for health care information and services.


Protecting the privacy of medical information, including genetic information, is a multifaceted endeavor with at least four interrelated components:

* Access: Who should have access to a person's genetic information, under what circumstances and for what purposes?

* Use: How should those who obtain a person's genetic information be allowed to use it?

* Disclosure: To whom should those who obtain/create/receive genetic information be allowed to disclose it, and for what purposes?

* Storage/security: What safeguards and safety precautions should be in place to make sure that genetic information is not obtained, used or disclosed inappropriately?

Looking at each of these components and how they interact is a bit like peeling an onion. One finds layer upon layer of complexity. At its core, the access component includes whether and when one person or entity can request or require that an individual divulge genetic information or undergo genetic testing. Society may very well conclude that the divulging of genetic information in some circumstances is appropriate (e.g., voluntary treatment-related disclosures) yet totally inappropriate in others. Similarly, the use component encompasses how health care providers, health insurers, researchers, pharmaceutical companies and employers, to name a few, should be allowed to use a person's genetic information. The concept of use implies not only permissible uses but impermissible ones as well. Thus, as part of an effort to protect the privacy of genetic information, policymakers could decide to allow health care providers to use genetic information for treatment purposes, but prohibit health insurers from using such information for medical underwriting (i.e., deciding whom to insure and at what price). Laws that achieve the latter are often referred to or categorized as genetic "nondiscrimination" laws rather than privacy laws.

Historically, in the area of genetics, most commentators, advocates and policymakers have tended to separate privacy from nondiscrimination, and develop separate policy tracks to address them, even though this ignores the powerful link between the two. For example, HIPAA contains entirely separate titles and tracks for protecting privacy (4) and protecting against inappropriate uses of medical information, including genetic information, by group health plans and health insurers. (5) Yet, viewed through the lens of the four components listed above, protecting privacy is, in part, about allowing certain uses while prohibiting other uses, including discriminatory uses of genetic information. Few would argue against the notion that the best way to prevent discrimination of all kinds is to use a two-pronged approach. First, cut off access to information about the characteristic at issue, whether national origin, religion, disability or genetic predisposition, where appropriate and feasible. This exemplifies a strict "privacy" approach. Second, prohibit the use of any information obtained despite shutting down the flow of information. Rather than treating privacy laws or policies as separate from nondiscrimination laws or policies, or as addressing different harms or promoting different values, it makes sense to consider both together under the expansive privacy rubric laid out above.


The United States has not established a coherent or comprehensive policy about how American society should view or handle genetic information. While the government has invested considerable resources to promote genetics research, including the sequencing of the human genome, this country has no clear policy about who should have access to genetic information and how it should be used. We have no coherent approach to whether, or under what circumstances, genetic testing should be encouraged, facilitated, discouraged or prohibited. This complete absence of federal policy has led to an ad hoc approach with results that may vary from one clinician to another, one laboratory to another, one employer to another, one insurer to another and one legislature to another.

This policy vacuum means that people cannot be assured that their genetic information will be kept confidential by all those who obtain it. Fears abound that genetic information will fall into the wrong hands and lead to disastrous personal consequences.

* In a recent Time/CNN poll, 75% of people said they would not want their health insurer to have information about their genetic profile. (6)

* A 1997 survey documenting people's fears about genetic discrimination showed that 63% of people would not take genetic tests if health insurers or employers could obtain the results, while 85% believe that employers should be prohibited from obtaining information about people's genetic conditions, risks and predispositions. (7)

* A recent study involving genetic counselors documents that fear of discrimination is a significant factor affecting willingness to undergo testing and to seek reimbursement from health insurers. (8)

* A recent survey of people who declined cancer genetics counseling reports that concerns related to insurability constitute the greatest barrier to utilizing genetic services. (9)

The repercussions of genetic information falling into the wrong hands can be far-ranging and include the loss of insurance, the loss of employment, having a mortgage called in or denied, or the use of genetic information in child custody disputes or personal injury lawsuits. (10) A recent case illustrates what can happen to an employee when her employer learns that she has a genetically based condition. Ms. Terri Seargent was fired from her job despite favorable performance appraisals after she began receiving preventative drug therapy for Alpha-1-antitrypsin deficiency and submitted claims to her employer's health plan. In November 2000, the local District Office of the U.S. Equal Employment Opportunity Commission found reasonable cause to believe that her employer had violated the Americans with Disabilities Act. (11)


Currently, no comprehensive federal law is in place for protecting the privacy of medical information generally. The same is true for genetic information. Instead, we have a patchwork of federal and state laws that extend protections to health information based on the type of entity that collects or creates the information.

The most important federal law, the HIPAA privacy regulation, took effect in April 2001, reaching health information created or received by private health care providers and health plans. This law, discussed below, is important because it protects the information that people share with their health care providers and health plans as it begins to wind its way through the health care system. One of the primary drawbacks of this regulation is its limited scope. It does not directly regulate other entities that create or receive health information, such as pharmaceutical companies, workers' compensation insurers, employers and many researchers. It only indirectly reaches some of the entities to which a regulated entity is permitted to disclose the information.

Many states have passed laws that protect the privacy of health information, some targeting genetic information, but, like the federal regulation, the approach is often sector-specific. Some state laws may target health care professionals, hospitals or health insurance companies. The laws that specifically target genetic information tend to apply to insurers, HMOs or employers. (12)

In practical terms, to ascertain whether a particular use or disclosure of information is legal or illegal, one needs to know whether federal law, state law or both apply, who or what entity is involved and, in some cases, where or how the information was obtained.


The HIPAA privacy regulation is the first federal law to protect health information created or received by health care providers and health plans. DHHS issued this privacy regulation in final form in December 2000 in accordance with a mandate from Congress dating back to 1996. This regulation took effect on April 14, 2001, and most entities that must comply with it have two years from that date to do so. (13)

The following entities are required to comply with this new federal law: (14)

* Health care providers (doctors, hospitals, clinics, pharmacists, laboratories, etc.) that transmit claims-type information electronically using standard formats;

* Health plans (broadly defined to include private insurers, employer-sponsored health plans and HMOs as well as a number of health programs sponsored by the federal and state governments); and

* Health care clearinghouses, which act as claims processing intermediaries between health care providers and health plans.

Although the HIPAA privacy regulation singles out only one type of health information for special treatment, psychotherapy notes, genetic information will be protected by this regulation as long as it meets the definition of "protected health information" (PHI). (15) PHI is defined broadly and includes information about the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual. (16) DHHS, in the preamble accompanying the final regulation, confirmed that "the definition of PHI includes genetic information that otherwise meets the statutory definition." (17)

Under this definition, information about genetic tests, services or counseling will clearly be protected, as will information about an individual's family history, an important component of genetic information. Although the definition of PHI does not explicitly refer to family history, DHHS clarified in the introductory preamble that medical information about a family member contained within an individual's medical record is information about the individual. (18)

Health care providers of general medical services that create or receive genetic information, as well as specialists providing genetics services, performing genetic tests or interpreting genetic test results, will have to comply with the HIPAA privacy regulation if they otherwise meet the definition of a covered provider. …
