HIPAA protects against genetic information discrimination in three ways: it treats genetic information held by a HIPAA Covered Entity or Business Associate as health information, and therefore as protected health information when it is individually identifiable, under the HIPAA Privacy Rule; it restricts when that information may be used or disclosed; and it prohibits most health plans (issuers of long-term care policies are the main exception) from using or disclosing genetic information for underwriting purposes. The genetic information provisions were added to the HIPAA regulations to implement the Genetic Information Nondiscrimination Act (GINA).
Genetic information, as defined in the HIPAA regulations, includes information about an individual’s genetic tests, the genetic tests of family members, the manifestation of a disease or disorder in family members (family medical history), and any request for or receipt of genetic services by the individual or a family member; it does not include an individual’s sex or age. Such information becomes protected health information when it identifies the individual and is created, received, maintained, or transmitted by a covered entity or business associate. The HIPAA Privacy Rule then limits its use and disclosure to permitted purposes such as treatment, payment, and health care operations and to the other uses and disclosures the regulation permits or requires. A use or disclosure that does not fit a permitted category requires a valid HIPAA authorization from the individual or the individual’s personal representative. Uses and disclosures also remain subject to the HIPAA Minimum Necessary standard, except in the cases the Rule exempts, chiefly disclosures to or requests by a health care provider for treatment, disclosures to the individual, uses and disclosures made under an authorization, and uses and disclosures required by law.
The HIPAA Privacy Rule places a specific limit on health plan underwriting practices by prohibiting most health plans from using or disclosing genetic information for underwriting purposes. Underwriting purposes, as defined by the regulation, include determining eligibility for benefits or coverage, computing premium or contribution amounts, applying pre-existing condition exclusions, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits; determining whether a benefit an individual has requested is medically appropriate is not underwriting. The prohibition prevents a health plan from using genetic risk information it holds to differentiate coverage terms. It does not convert HIPAA into a general employment discrimination statute: prohibitions on employer discrimination arise under other laws, such as Title II of GINA. HIPAA does, however, control disclosures of protected health information from covered entities to employers, which are permitted only in narrow situations, such as with the individual’s authorization or for certain workplace medical surveillance disclosures that the Rule expressly allows.
The HIPAA Security Rule reduces the risk of unauthorized access to electronic protected health information, including genetic information, by requiring a risk analysis and risk management process and administrative, physical, and technical safeguards such as access controls, person or entity authentication, audit controls appropriate to the environment, integrity controls, and transmission security. A Business Associate Agreement is required whenever a vendor creates, receives, maintains, or transmits protected health information on behalf of a covered entity, which extends these obligations by contract to genetic information handled by service providers. When an impermissible use or disclosure of unsecured protected health information occurs, the HIPAA Breach Notification Rule presumes a breach unless a documented risk assessment demonstrates a low probability that the information has been compromised, and otherwise requires notification of affected individuals, of the Secretary of HHS, and, for larger breaches, of the media. Protected health information that has been encrypted or destroyed in accordance with HHS guidance is not "unsecured", so strong encryption of stored and transmitted genetic data both satisfies a Security Rule safeguard and can take an incident outside the notification requirement. Together these rules support timely awareness and remediation when genetic information is exposed.