The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Being “Friend” With Your Employer May Allow Him to Acquire Your Genetic Information

Leave a comment

The Equal Employment Opportunity Commission (EEOC) has issued a final rule to implement Title II of the Genetic Information Nondiscrimination Act of 2008 (GINA), which takes effect January 10, 2011. These regulations, which include a section-by-section analysis of GINA, amends 29 CFR chapter XIV by adding part 1635.

GINA was enacted to protect job candidates and employees against discrimination based on their genetic information, and to restrict acquisition and disclosure of this information. Title II of GINA required the EEOC to issue implementing regulations, and these have just been published in the Federal Register.

Section 1635.9(c) deals with GINA’s relation with HIPAA Privacy Regulations. GINA section 206(c) provides that Title II of GINA does not apply to uses and disclosures of health information governed by the HIPAA Privacy Rule. Therefore, states section 1635.11(d), “entities subject to the HIPAA Privacy Rule must continue to apply the requirements of the HIPAA Privacy Rule, and not the requirements of GINA Title II and these implementing regulations, to genetic information that is protected health information. For example, if a hospital subject to the HIPAA Privacy Rule treats a patient who is also an employee of the hospital, any genetic information that is obtained or created by the hospital in its role as a health care provider is protected health information and is subject to the requirements of the HIPAA Privacy Rule and not those of GINA.”

However, if the covered entity acts as an employer, any genetic information obtained by the entity in its capacity as an employer is subject to GINA Title II and the EEOC rule.

The final rule also modifies slightly the language of GINA on Purpose, following comments made by the American Civil Liberties Union, Coalition for Genetic Fairness, Genetic Alliance and the Genetics and Public Policy Center (see Section 1635.1). GINA used to refer to the “deliberate acquisition” of genetic information as being prohibited, but this reference has been removed, as the EEOC agreed with these organizations that a covered entity may violate GINA even without having a specific intent to acquire information. Some organizations had pointed out that a covered entity may engage in acts that would present a heightened risk, “even without a specific intention to do so, such as when they… access sources of information (e.g., certain types of databases, Web sites or a social networking sites that are likely to contain genetic information about individuals).

Indeed, there has been quite a bit of reporting lately on the use by employers of social media sites to gather information about job candidates, including police departments. How should we interpret the wording of the regulations, “likely to contain genetic information about individuals”? GINA section 201(4) defines genetic information as information from genetic tests, genetics tests of family members, family medical history, and an individual’s or one of his family member’s request for or receipt of genetic services. So posting on a wall a message such as “Mom just got tested for the breast cancer gene” qualifies as “genetic information” under GINA. Therefore, every single social networking site is “likely to contain genetic information about individuals.”

However, Section 1635.8(b) provides for several inadvertent acquisition exceptions to the general prohibition to acquire genetic information. One of these inadvertent acquisition exceptions is stated in Section 1635.8 (b)(4)(ii)(D), and applies when a “manager, supervisor, union representative, or employment agency representative inadvertently learns genetic information from a social media platform which he or she was given permission to access by the creator of the profile at issue (e.g., a supervisor and employee are connected on a social networking site and the employee provides family medical history on his page.” Therefore, whether the employee or the candidate has accepted the covered entity (or one of its agents) as a “friend” or a contact will determine whether the acquisition of genetic information on a social networking site will be inadvertent or not. Should this be one more reason not to “friend” your employer?

Author: marieandreeweiss

Marie-Andrée was educated in France and in the United States, and holds law degrees from both countries. She is fully bilingual English-French, and writes articles regularly in these two languages on various privacy-related topics. Marie-Andrée is a member of the Bar of the State of New York. As an attorney in solo practice, she focuses on intellectual property, First Amendment, privacy, and Internet-related issues. Before becoming an attorney, she worked several years in the fashion retail industry, as a buyer then a director of marketing. She is a member of the New York State Bar Association (Intellectual Property Section and International Section), and of the American Bar Association (Business Law Section, Section of Antitrust Law, and Section of Intellectual Property Law)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s