HIPAA and GINA Explained: What They Cover, How They Differ, and Your Rights
HIPAA Overview
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of your health information in the United States. When a covered entity handles your data, that information is called protected health information (PHI), and it includes your genetic information.
Who must follow HIPAA
- Covered entities: health plans, most healthcare providers, and healthcare clearinghouses.
- Business associates: vendors and service providers that create, receive, maintain, or transmit PHI for covered entities.
What counts as PHI (including genetic information)
Protected health information (PHI) includes any individually identifiable health data tied to your past, present, or future health status or care. Genetic test results, family medical history, and participation in genetic services are all PHI when handled by covered entities or their business associates.
HIPAA Security Rule and breach notification—at a glance
The HIPAA Security Rule requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI)—for example, risk analysis, access controls, audit logs, and encryption where appropriate. If unsecured PHI is breached, covered entities must issue timely notifications to you and regulators.
HIPAA Privacy Rule Protections
Your individual rights
- Access and copies: You can inspect and obtain copies of your records (including electronic copies) generally within 30 days.
- Amendments: You may request corrections to inaccurate or incomplete information.
- Restrictions: You can ask for limits on certain uses or disclosures; if you pay in full out-of-pocket, you may require a provider not to share that service information with your health plan.
- Confidential communications: You can direct providers or plans to contact you at alternative addresses or numbers.
- Accounting and notice: You can receive an accounting of certain disclosures and must receive a Notice of Privacy Practices.
How your information may be used or disclosed
Covered entities may use or disclose PHI without your authorization for treatment, payment, and healthcare operations, while applying the “minimum necessary” standard to most non-treatment uses. Limited disclosures are also permitted for public health, legal, or safety purposes, and de-identified data falls outside HIPAA.
Genetic information and underwriting limits
The HIPAA Privacy Rule, as aligned with the Genetic Information Nondiscrimination Act (GINA), prohibits most health plans from using or disclosing genetic information for health insurance underwriting. This strengthens genetic data protection and helps ensure your genetic test results or family history cannot be used to set premiums or eligibility for coverage.
GINA Overview
The Genetic Information Nondiscrimination Act (GINA) is a federal law that protects you from genetic discrimination in two spheres: health insurance (Title I) and employment (Title II). GINA complements HIPAA by focusing on when and how genetic information may be used—not merely how it must be safeguarded.
What counts as genetic information
- Results of your or your family members’ genetic tests (for example, BRCA, pharmacogenomic, or carrier screening).
- Family medical history that indicates a risk of disease.
- Use of genetic services or participation in genetic research.
- Genetic information about a fetus or embryo.
GINA does not treat manifested disease (a condition you already have) as “genetic information,” though other laws may protect you in that situation.
What GINA does not cover
- Life, disability, and long-term care insurers are generally outside GINA Title I.
- GINA Title II applies to employers with 15 or more employees; smaller employers are not covered.
- GINA does not mandate insurance coverage for specific genetic tests or treatments.
GINA Title I Health Insurance Protections
GINA Title I bars group health plans and health insurers from using your genetic information for health insurance underwriting. Plans cannot request or require genetic testing, cannot base eligibility or premium decisions on your genetic data or family history, and cannot classify you as having a preexisting condition based solely on genetic risk.
While insurers may consider current, manifested conditions under general rating rules, they cannot use genetic predictions about future disease to limit eligibility, raise premiums, or impose waiting periods. These protections work alongside the HIPAA Privacy Rule to keep your genetic information out of underwriting decisions.
GINA Title II Employment Protections
GINA Title II protects you from employment genetic discrimination. Employers may not use genetic information when making decisions about hiring, firing, job assignments, compensation, or benefits, and they generally may not request, require, or purchase genetic information about you or your family members.
Limited acquisition exceptions
- Inadvertent acquisition (the “water-cooler” scenario).
- Leave certifications (for example, under family and medical leave laws) requiring limited family medical history.
- Voluntary wellness programs with prior written authorization and strong confidentiality safeguards.
- Genetic monitoring of workplace exposures with written consent and aggregated reporting to the employer.
- Certain forensic uses for quality control in law enforcement contexts.
Confidentiality duties
If an employer lawfully obtains genetic information, it must be kept as a confidential medical record, stored separately from personnel files, and disclosed only in very limited circumstances.
Anti-retaliation and remedies
Employers may not retaliate against you for asserting GINA rights. You can file a charge with the Equal Employment Opportunity Commission (EEOC), typically within 180 days of the alleged violation (sometimes up to 300 days, depending on your state).
Relationship Between HIPAA and GINA
At-a-glance differences
- Focus: HIPAA emphasizes privacy, security, and breach notification for PHI; GINA prohibits misuse of genetic information in health insurance and employment.
- Who must comply: HIPAA applies to covered entities and business associates; GINA Title I applies to health plans/insurers, and Title II applies to covered employers.
- Your rights: HIPAA grants access, amendment, restrictions, and privacy notices; GINA grants freedom from genetic-based underwriting and employment decisions.
Where they intersect
- Genetic information is PHI under HIPAA and receives privacy protections.
- Most health plans are barred from using genetic information for health insurance underwriting under GINA-aligned HIPAA rules.
- HIPAA generally does not cover employment records; GINA Title II fills that gap for genetic information in the workplace.
Practical scenarios
- Your doctor orders a genetic test for treatment; HIPAA allows use and sharing for treatment while protecting privacy.
- A health plan asks for your family history to set premiums; GINA Title I prohibits using that data for underwriting.
- An employer asks about a parent’s cancer to assess your job fitness; GINA Title II forbids this and protects you from retaliation.
Enforcement and Exceptions
Who enforces what
- HIPAA: U.S. Department of Health and Human Services Office for Civil Rights (OCR) investigates complaints and enforces the HIPAA Privacy Rule and HIPAA Security Rule.
- GINA Title I: Federal oversight involves HHS, the Department of Labor (for ERISA group health plans), and the Department of the Treasury.
- GINA Title II: The Equal Employment Opportunity Commission enforces workplace protections and anti-retaliation provisions.
Key exceptions and special situations
- Insurance scope: GINA does not cover life, disability, or long-term care insurers; some protections may come from state law.
- Employer size: Employers with fewer than 15 employees are not covered by Title II.
- Wellness programs: Genetic data collection must be voluntary, with written authorization and confidentiality; incentives that function as health insurance underwriting are restricted.
- Legitimate needs: Limited exceptions allow inadvertent acquisition, certain leave certifications, consented genetic monitoring, and narrow forensic uses.
Conclusion
HIPAA guards the privacy and security of health data—including genetic information—while GINA prevents that genetic data from being misused in health insurance underwriting and employment. Together, they deliver robust genetic data protection: your health plan cannot use your genes to set premiums, and your employer cannot use them to make job decisions.
FAQs
What protections does HIPAA provide for genetic information?
Under the HIPAA Privacy Rule, genetic information held by covered entities is protected PHI. You have rights to access and amend records, request restrictions and confidential communications, and receive breach notifications. In addition, most health plans are barred from using or disclosing genetic information for underwriting purposes.
How does GINA protect against genetic discrimination?
GINA prohibits health insurers from using genetic information for eligibility, premium setting, or other health insurance underwriting decisions, and it bars employers from using or acquiring genetic information when making employment decisions. It also requires confidentiality for any lawfully obtained genetic data.
What entities enforce GINA regulations?
For health insurance protections under Title I, oversight is shared among federal agencies including HHS, the Department of Labor, and the Department of the Treasury. For employment protections under Title II, the Equal Employment Opportunity Commission investigates and enforces compliance.
What exceptions exist under GINA?
Key exceptions include inadvertent acquisition of genetic information, certain leave-related certifications, voluntary wellness programs with written authorization and strict confidentiality, consented genetic monitoring for workplace exposures, and limited forensic uses. Also, life, disability, and long-term care insurers are generally outside GINA Title I, and employers with fewer than 15 employees are not covered by Title II.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.