As named by Congress, the “Genetic Information Non-Discrimination Act of 2008” (GINA) appears to be just one more employment law adding to the ever-expanding list of characteristics that cannot lawfully form the basis for an employment decision. However, the law’s name camouflages its true nature. GINA, in reality, is a privacy statute that strictly regulates employers’ collection, use, safeguarding, and disclosure of “genetic information.” Moreover, two recently filed class action lawsuits demonstrate that many employers may be unwittingly violating GINA even if they conduct no genetic tests.
Critical to understanding GINA’s broad sweep beyond genetic tests is the statute’s definition of the term “genetic information.” That term includes not just genetic test results but also “the manifestation of a disease or disorder in a family member.” Notably, this definition is not limited to “genetic” diseases or disorders; any disease or disorder satisfies the definition of “genetic information.” Further expanding this definition’s scope, GINA defines “family member” to include (a) a dependent, whether born to the individual or adopted; (b) a relative to the fourth degree of the individual, and (c) a relative to the fourth degree of the individual’s dependents.
The practical upshot of this expansive definition is that, on a daily basis, millions of Americans post their genetic information in social media and share their genetic information with their health care providers. The Tweet, “Exhausted; spent last night in ER with Joey after asthma attack” reveals a dependent’s disorder (asthma) and, therefore, constitutes “genetic information.” A comment on a Civil War blog, “My great-great-grandfather died from gangrene after a bullet wound at Gettysburg” also reveals “genetic information.” As a third example, posting a joyful comment on Facebook after a cousin’s cancer goes into remission also discloses “genetic information.” These posts share a common thread: they each reveal the poster’s family medical history (as defined by the Act). And, family medical history is critical to medical diagnosis and treatment. Consequently, most first visits to a doctor are preceded by fifteen excruciating minutes reading an encyclopedic list of diseases and disorders associated with each body part and checking whether any of them has afflicted the patient or the patient’s grandparents, parents, siblings or children.
It is this proliferation of genetic information, and requests for it, that make compliance with GINA’s most basic privacy protection potentially difficult for employers. Under GINA, it is unlawful for an employer to “request, require or purchase genetic information” of an employee or the employee’s family members. In its first lawsuit enforcing GINA, filed in early May 2013, the EEOC relied on this prohibition when alleging that the defendant in that case, one of the world’s largest distributors of decorative fabrics, violated GINA. According to the complaint, as part of a pre-employment physical, the fabric distributor’s contract medical examiner required an applicant to complete a questionnaire asking whether she or her family members had suffered from any of a long list of disorders, i.e., family medical history. On the day that the agency filed the complaint, the EEOC also issued a press release announcing that it had settled the case for $50,000.
One week later, the EEOC filed its first class action complaint alleging GINA violations. In that case, which is pending, the EEOC alleges that a New York nursing home violated GINA because it “requests family medical history as part of a pre-employment, return-to-work, and annual medical exams of its staff.” Following the EEOC’s lead, private plaintiffs filed a class action lawsuit against an Illinois laboratory in June 2013, alleging that the lab violated GINA by requiring employees to complete “a medical questionnaire that included questions concerning family medical history.” Notably, none of these lawsuits alleged that the employer used genetic information in violation of GINA’s anti-discrimination provisions. It was the mere alleged collection of family medical history, i.e., the privacy violation, that triggered the lawsuit.
These lawsuits are just one indicator that the enforcement environment is changing. In its Strategic Enforcement Plan for fiscal years 2012 to 2016, the EEOC identifies GINA as one of six areas where it will focus its enforcement efforts. In addition, the number of charges filed with the EEOC alleging violations of GINA, while still small, increased by nearly 50% between fiscal years 2010 and 2012.
While the recent lawsuits focus on the employer’s alleged direct request for family medical history, employers also can indirectly request family medical history in violation of GINA. Employers commonly ask employees to execute a HIPAA-compliant authorization to allow a health care provider to disclose their medical information, albeit not genetic information, to the employer. For example, an employer may request medical information to determine whether an employee is fit for duty, requires a requested accommodation, or poses a direct threat in the workplace. As noted above, many health care providers obtain family medical history for diagnosis and treatment. Consequently, an employer that asks an employee to sign an authorization permitting disclosure of the employee’s “medical file” or of all protected health information (PHI) for a given time period could inadvertently obtain the employee’s genetic information in the form of family medical history.
While GINA expressly excepts from its purview the situation where an “employer inadvertently requests or requires genetic information,” the EEOC’s regulations implementing GINA narrowly construe the exception as applied to requests for employees’ medical information. Under the applicable regulation, an employer that receives family medical history from an employee’s health care provider will generally be presumed to have asked for it in violation of GINA. An employer can avoid this presumption by tailoring the description in the HIPAA-compliant authorization of the PHI to be disclosed so that the authorization is “not likely to result in [the employer’s] obtaining genetic information.”
Alternatively, the employer can specifically direct the provider not to provide family medical history or other genetic information in response to the request. The EEOC’s regulations provide the following “safe harbor” language to avoid liability for unlawfully requesting genetic information from an employee’s health care provider:
The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits employers and other entities covered by GINA Title II from requesting or requiring genetic information of an individual or family member of the individual, except as specifically allowed by this law. To comply with this law, we are asking that you not provide any genetic information when responding to this request for medical information. ‘Genetic information’ as defined by GINA, includes an individual’s family medical history, the results of an individual’s or family member’s genetic tests, the fact that an individual or an individual’s family member sought or received genetic services, and genetic information of a fetus carried by an individual or an individual’s family member or an embryo lawfully held by an individual or family member receiving assistive reproductive services.
In other words, an employer can help minimize the risk of liability for requesting family medical history in violation of GINA by including the safe harbor language quoted above in the HIPAA-compliant authorization tendered to an employee when the employee’s medical information, but not the employee’s family medical history or other genetic information, is needed for an employment decision.
With employers increasingly turning to social media for recruiting and to investigate allegations of employee misconduct, the risk of collecting genetic information in the form of family medical history also has increased. Under the EEOC’s implementing regulations, an employer does not violate GINA if “it acquires genetic information from documents that are commercially and publicly available for review . . ., including . . . information communicated through . . . the Internet.” In other words, an employer who happens on a publicly available social media post similar to the posts described above would not violate GINA. However, the implementing regulations also provide that this exception does not apply to “genetic information acquired through sources with limited access, such as social networking sites . . . which require permission to access through a specific individual.” Under a literal reading of this exception, an employer who obtains access to posts disclosing family medical history on a Facebook page where the user has set his or her privacy settings to “friends only” apparently would violate GINA even if the user had friended the manager or co-worker who brings the family medical history to the employer’s attention. Whether that is how the law will eventually be interpreted by the courts is uncertain.
While a comprehensive discussion of GINA is beyond the scope of this article, the recent EEOC enforcement actions and private class action filings as well as the increasing prevalence of personal social media in the workplace highlight the need for organizations to address, or revisit, their compliance with GINA. These efforts should include, at a minimum, the following:
- Eliminate direct requests for family medical history (except in the narrow circumstances not discussed here where such requests are permitted);
- Include the “safe harbor” language in any HIPAA authorization provided to a medical provider for release of an employee’s medical information;
- Train recruiters and other employees who may access applicants’ or employees’ social media content not to record genetic information or rely on it for any employment decision.
While these steps should help mitigate the most significant risks arising from GINA, employers should conduct a comprehensive review of their compliance with this statute as the enforcement environment becomes less forgiving.
This post originally ran in the IAPP’s Privacy Tracker blog