Worried About HIPAA? Don’t Forget GINA

As if we don’t have enough acronyms to worry about, there’s one we may not yet have discussed here which is also worth considering. In addition to HIPAA, the Genetic Information  Nondiscrimination Act (GINA) may become a factor in how we handle EMR data security.

In theory, GINA is primarily aimed at the workplace, as its purpose is to bar an employer from requesting or obtaining an individual’s genetic information at any stage of employment. But since GINA construes this to mean not only the results of genetic tests, but anything related to family medical history,even providers who don’t do occupational medicine may have some serious data security issues to consider.

GINA became law in 2008 and regulations have already been promulgated which restrict access to occupational health information. Agencies are beginning to develop their positions on GINA violations, too.

For example, the EEOC recently concluded that if personal health information and occupational health information are stored in the same electronic medical record, it’s probably a violation of both HIPAA and the Americans with Disabilities Act (which also restricts health data access).  The EEOC’s opinion came in the form of an informal discussion letter, and isn’t binding, but you can see where this is ehaded.

Perhaps more frighteningly, individuals can bring private lawsuits for violation of GINA, unlike with HIPAA. So as bad as being slapped with a citation for HIPAA violations can be, a GINA violation may have even wider implications.

Sorry to be a Dolly Downer, folks, but it’s better to know about this than find out about it later. While you may not need to make big changes in your security plans due to GINA, you should probably give it some thought.