California Medical Privacy Fact Sheet C8:

Medical Information Covered by Laws Other than HIPAA




Copyright © 2013 - 2014
Privacy Rights Clearinghouse
Posted March 2013
Revised March 2013

  1. Introduction
  2. Financial records containing medical information
  3. Insurance records containing medical information
  4. School records containing medical information
  5. Employment records containing medical information
  6. Genetic information
  7. Conclusion
  8. Resources

1.  Introduction

In many situations, neither the federal HIPAA regulations nor California's Confidentiality of Medical Information Act (CMIA) will protect your medical information.  However, there are other laws that may apply to protect the privacy of your health information.  This Fact Sheet focuses on the types of health information that may be protected by or covered under other federal or state laws.

2.  Financial records containing medical information

You may not think your financial records contain personal medical information, but in fact, it’s likely they do.  Your medical information can appear in financial records in a number of ways. This will not include actual treatment records, but rather payment information that links you to specific treatments, prescriptions, or services.  For example, if you pay for medical treatment or prescriptions with a check or credit card, you will reveal certain information.   

When your financial records contain this information, there are few restrictions on how it may be shared. This is due, in part, to the fact that the federal Gramm-Leach-Bliley Act (GLB) removed legal separations between banks, insurance companies, and brokerage firms.  (Financial Services Modernization Act of 1999, 15 U.S.C. §§ 6801-6809)  In other words, a single financial institution may offer multiple financial products or services such as loans, financial or investment advice, or insurance.  These companies often call themselves "one-stop financial supermarkets."

A "financial supermarket" may also share your information with its non-financial affiliates.  An affiliate is a company related to a financial institution by common ownership and control. In addition to sharing with affiliates, financial institutions may legally share a great deal of your personal information with their business partners.  As a consumer, it can be very difficult to determine who a financial institution's affiliates and business partners are and where your information—including your medical information—is going. 

For example, if you use your credit card to pay your psychiatrist, or to pay for the medication she prescribes, then the card-issuer may share the transactional information with its partners and affiliates.  These partners or affiliates could include banks, insurers, or financial service companies, along with non-financial businesses.  For example, AMC Entertainment and MovieTickets.com are affiliates of JP Morgan Chase.

a. What protections do you have under the Gramm-Leach-Bliley Act?

Gramm-Leach-Bliley (GLB) provides very limited consumer privacy protections. In general, GLB requires your financial institution to:

  • provide you notice of its privacy policy;
  • give you the choice to opt out of certain personal financial information sharing; and
  • store your personal financial information securely. 

GLB applies to financial institutions such as banks, brokers, credit card companies, businesses that issue their own credit cards, and insurers.  It also applies to businesses you may not consider traditional financial institutions.  These include debt collectors, payday lenders, non-bank mortgage lenders, real estate appraisers, and medical services providers that offer a significant number of their patients long-term payment plans that involve interest charges. (For more on financial institutions and the rest of the Act, see the FTC’s outline of GLB.) 

More specifically, GLB applies to a financial institution's practices concerning "nonpublic personal information" which is defined as "personally identifiable information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution." (15 U.S.C., Subchapter 1, § 6809)  It does not distinguish medical information from other types of personal information. 

GLB does distinguish “customers” with whom there is an ongoing relationship from “consumers” with whom there is a one-time or occasional relationship. For example, a financial institution must automatically provide a customer with its privacy notice, and provide annual notice as long as there is an ongoing customer relationship.  Alternatively, consumers are only entitled to notice if a company shares the consumer's information with unaffiliated companies (subject to exceptions).  For more information on which protections apply to customers versus consumers in general, see the FTC’s “In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act.”

i. Privacy notices

A financial institution must send a privacy notice at the start of a customer's relationship with a financial institution and annually thereafter. This notice must:

  • notify you about the company's information collection and sharing practices;
  • give you the opportunity to opt out of some third-party information sharing and provide a reasonable way of doing so (requiring a customer to write a letter to opt out is not reasonable); and
  • include information about how the financial institution safeguards your information.

For more information on the notices regarding a financial institution's privacy policy, see PRC's Fact Sheet 24: Protecting Financial Privacy: The Burden Is on You, section 3, "More about privacy notices."

ii. Opt-out rights

In its privacy notice, a financial institution must give you the opportunity to opt out of sharing with nonaffiliated companies and certain other third parties.  However, GLB does not require a financial institution to provide customers with an opt-out choice in the following situations:

  • The financial institution shares information with companies it contracts with for services like data processing or account servicing.
  • The financial institution is legally required to disclose the information (such as sharing information with law enforcement or for discovery purposes in litigation).
  • The financial institution has entered into a joint-marketing agreement with an outside company to market financial products or services.

Even if you have not opted out, a financial institution cannot share your account numbers with nonaffiliated companies for marketing purposes, and may not share any means to access your account (such as passwords). Despite the sensitivity of health information, GLB provides no special treatment for medical data. 

PRIVACY TIP: Opt out when you have the option. Your failure to opt out means that you consent to the sharing of your information as stated in the privacy notice.

The Fair Credit Reporting Act (FCRA) complements GLB opt-out rights.  The FCRA gives you two additional opportunities to limit information sharing between a financial institution and its affiliates:

  • The FCRA allows you to opt out of sharing information about your creditworthiness with affiliates.  (FCRA § 603(d)(2); 15 U.S.C. § 1681 et. seq.); 
  • The Fair and Accurate Credit Transactions Act (known as the FACT Act or FACTA) amended the FCRA. FACTA requires companies or people to offer individuals an opt-out before they market to you using information obtained from your transactions or account relationship with an affiliate, your account applications, or credit reports and other third-party sources. The person or company must also notify you of your right to opt out and give you a simple means to do so. (FCRA § 624; 15 U.S.C. § 1681s-3) For more information, see "FTC Approves Affiliate Marketing Rule Regarding Use of Consumer Information."

The FCRA does not prevent a financial institution from sharing other information, like your Social Security number, income, account balances, and transaction history.  Your transaction history, which includes what you charge on a credit card, is the most likely to reveal medical information. (FCRA §§ 603(d)(2) and 624, Affiliate Sharing; 15 U.S.C. § 1681d-3)

To learn more about GLB and the FCRA, see “In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act” on the Federal Trade Commission website. The Privacy Rights Clearinghouse also has many resources on financial institutions and how medical information becomes part of your records with them:

You can file a complaint about a GLB or FCRA issue with the Federal Trade Commission, which investigates consumer protection and fraud matters that are not specifically assigned to other agencies. The FTC has jurisdiction over debt collection, credit reports, lending, telemarketing, credit repair services and much more. The FTC's Office of Consumer Protection has an online Complaint Assistant form (also available in Spanish), or you can call (877) FTC-HELP (877-382-4357).

b. What additional rights do you have under California law?

California's Financial Information Privacy Act (known as FIPA or SB 1) exists specifically to offer privacy protections that GLB lacks.  (Cal. Financial Code §§ 4050-4060)  FIPA provides more protection than GLB, but it does not prevent financial institutions from sharing your personal and medical information with affiliates.  FIPA originally had a section to provide such a protection but it was struck down in 2008 when a federal court held that the FCRA pre-empts state law when it comes to sharing personal information with affiliates.  (American Bankers Association v. Lockyer, 541 F.3d 1213 (9th Cir. 2008)). 

Regardless, FIPA still provides more protection than GLB in several important ways:

  • A financial institution must notify you and obtain your consent to share information with unaffiliated businesses (a business is unaffiliated when it is not under the control of the same company). (Cal. Financial Code § 4052.5)
  • You can opt out of information sharing that results from joint-marketing agreements that a financial institution makes with outside companies to market financial products and services. (Cal. Financial Code § 4053(a)(1))

    There are many types of joint marketing arrangements, but quite often they are with telemarketers or direct-mail marketers. An example of this might be a life or auto insurance company that enters into a joint-marketing agreement with a third-party company to sell long-term care insurance. If you are a customer of the life or auto insurance company, it could share your contact information with the third party and also with a direct-mail marketer to pitch the long term care policy. FIPA lets you opt out of this, but GLB does not.
  • You must receive a standardized, single-page notice, like this one, from every financial company with which you have a customer relationship.  Envelopes that contain privacy notices must be flagged (so you don't discard them as junk mail and lose your opt-out opportunities). (Cal. Financial Code §§ 4051.5(a)(3) and 4053, generally)

    The California-compliant FIPA notice has a check box for affirming that you do not want your information shared with affiliates.  However, the notice does not explain the difference between creditworthiness information (also called "consumer report information") which may not be shared, and "transaction and experience" information, which may be.

    Creditworthiness may be based on information about whether you pay your bills on time, how long you have had credit, and the level of debt you can comfortably carry.  It may also be based on character, general reputation, personal characteristics, or mode of living. Transactional (and experience) information, in the broadest sense, is data based on your interactions or transactions with businesses, organizations, and websites that create a record of those events, such as a payment record.

If you do not exercise the opt-out rights that GLB and FIPA give you, you relinquish the already limited control you have over personal information collected by financial institutions.  Once the financial institution shares your information, you lose all practical control over where it goes and how it is used. If you change your mind later, you can call the financial institutions you deal with directly and ask for an 800 number or website where you can declare your opt-out preferences.  Such financial institutions may include banks, brokers, credit card companies, insurers, and less obvious ones like automobile dealers, payday loan companies, collection agencies, and travel agents.

Information that a financial institution has already shared is out of your control.  Even though the burden is on you to opt out, once you do it, you never have to do it again.  Your choice is effective until you cancel it in writing.

For much more detailed information on protecting your financial privacy in general, see:

3.  Insurance records containing medical information

a. Health insurance under the Affordable Care Act

HIPAA and the CMIA cover health insurers and health plans.  Currently, if you apply for insurance as an individual you must authorize disclosure of your medical records. If you are included in a group health plan application, you will probably have to answer a health information questionnaire so the insurer can determine if you have a pre-existing condition.

Starting in 2014, under the Affordable Care Act (ACA), also called the Patient Protection and Affordable Care Act (PPACA), you will be able to buy insurance from the California Health Benefit Exchange, now called Covered California. (ACA, Public Laws 111-148) Pre-existing medical conditions will no longer affect your eligibility for health insurance purchased either through Covered California or directly from an insurer if you decide to purchase insurance outside the state insurance exchange.  The ACA requires you to either buy health insurance or pay a tax penalty, but does not specify where you must buy it. Under the ACA, insurers will have no need to know your medical history.  For more information, see ACA § 3203(b)(3) titled NO UNDERWRITING REQUIREMENTS.

Instead of your medical history, insurers will base their underwriting on your age, ZIP code (which will be identified with a geographic region), family size, and tobacco use.  Tobacco use will not be a reason for denial of coverage, but if you use tobacco you may be charged up to 150 percent of the premium charged to a non-smoker of the same age who lives in the same geographic area. Another factor will be your income, which you will need to disclose in order to determine your eligibility for federal or state subsidies to purchase health insurance through the state insurance exchange, as well as immigration and incarceration status.

In addition, under the ACA, your medical history or health status can be used to rate your participation in employee wellness programs.  As of 2014, the ACA authorizes premium discounts of up to 30 percent of the cost of employment-based health insurance coverage for employees who participate in wellness programs.  Eligibility for the discount may be either based or dependent on the employee’s meeting a certain health status target, such as weight loss or smoking cessation.

For more information on health insurance underwriting (and other issues) under the ACA, you may find these papers helpful:

b. Insurance that considers health a risk factor but is not "health insurance"

There are other types of insurance where health is a risk factor but neither HIPAA nor the CMIA applies. In addition, these types of insurance will not be affected by the ACA.  They may include life, long term care, disability, or auto insurance plans that include medical benefits.  In these situations, you will still be asked to authorize the release of your medical records.  To learn more about what types of policies are not covered by HIPAA, see this U.S. Department of Health and Human Services website.

In California, the Insurance Information and Privacy Protection Act (IIPPA) prohibits insurers from disclosing personal—including medical—information they collect in connection with an insurance application or claim without your written authorization. (Cal. Ins. Code §§ 791-791.28)  Also, medical information in insurance records may not be used for marketing purposes. (Cal. Ins. Code § 791.13)  For more information, see "Insurers: Privacy of Non-Public Personal Information" on the California Department of Insurance website.

4. School records containing medical information

School records may include a great deal of medical information, such as vaccination histories, results of physical examinations to participate in sports, counseling for behavioral problems, and visits to a school nurse. 

California law requires a health examination and evidence of immunizations (or waivers) for all children entering first grade in a public or private school.  (Cal. Health & Safety Code § 124105) The school health exam is very comprehensive. It includes medical and developmental history, unclothed physical exam, dental and nutritional assessments, vision and hearing tests, and diagnostic screening for anemia, lead, urine abnormalities, tuberculosis, and other health issues as needed.  For more information on California's school health exam, see the Department of Health Services publication, "CHDP [Child Health and Disability Prevention Program] School Handbook: School Entry Health Examination Requirements."

With all of the information in a school record, you may wonder if there are any laws that protect it. The answer is yes. The federal Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records in general, including all of the medical information they contain. (20 U.S.C. § 1232g; 34 CFR § 99) 

FERPA applies to all schools and educational agencies that receive funds under any program administered by the U.S. Department of Education (ED).  This includes virtually all public schools and school districts, as well as most private and public colleges and universities.  Elementary and secondary-level private and religious schools generally do not receive ED funds and are not subject to FERPA.  Medical information in their student records may be protected only by school policies.

FERPA gives parents certain rights regarding their minor children's school records.  When a student turns 18 or attends school beyond high school, he or she becomes an "eligible student" under FERPA and receives the rights formerly held by his or her parents. 

Parents and eligible students have the following rights under FERPA:

  • They may inspect and review the education records a school maintains.  A school does not need to provide copies of records, unless inspection is otherwise impossible (because of distance, for example).  A school may charge for any copies it provides.
  • They may ask a school to correct records they believe are inaccurate or misleading.  If the school declines, a parent or eligible student may request a hearing, administered by a school official with no direct interest in the outcome.

    If the decision comes out against the student, she (or her parent) may put a statement in the school record with her view of the disputed information.  For example, a student or parent might want to dispute a behavioral or psychological assessment that she views as unfair or biased. 
  • A school needs the written consent of a parent or eligible student to release information from an education record, with the following exceptions:
      • to school officials with legitimate educational interest;
      • to a school that a student is transferring to;
      • to specified officials for audit or evaluation purposes;
      • in connection with student financial aid;
      • to organizations conducting studies for or on behalf of the school (a vague and potentially broad exception);
      • to accrediting organizations;
      • to comply with a judicial order or subpoena;
      • to appropriate authorities in health and safety emergencies; and
      • to authorities in the juvenile justice system, according to state law.
    (34 CFR § 99.31)

In addition, some information in school records is considered "directory" information and may be disclosed without consent.  This includes name, address, phone number, date and place of birth, honors and awards, and dates of attendance.  Fortunately, this exception, widely used by marketers, does not include medical information. 

Parents and eligible students do have the right to opt out of disclosure of directory information. Schools must tell you this and offer you a reasonable amount of time to opt out.

Schools must also notify parents and eligible students annually of all of their rights under FERPA.  The school may determine how it will provide the notice, and individual notice is not required.   This means a school could send a letter or email, but could also put a public notice in a PTA bulletin, student handbook, or newspaper article.

Students who are interested in learning more about their rights under FERPA should read the Department of Education publication, "FERPA General Guidance for Students."

For more information on FERPA and complicated situations where HIPAA may apply in an educational context, see the Department of Education/Health and Human Services publication, "Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records."

5.  Employment records containing medical information

There are many ways that an employer can obtain an employee's medical information.  California's Confidentiality of Medical Information Act (CMIA) requires employers to protect the privacy and security of any medical information they receive.  (Cal. Civ. Code §§ 56.20-56.245)  In addition, California's Fair Employment and Housing Act (FEHA) prohibits employers from using medical information to discriminate against you. (Cal. Gov't Code §§ 12900-12996)

This is important because federal regulations under HIPAA do not apply to employers or employment records even if they contain health-related information. (45 CFR § 160.103; 164.512(b)(1)(v))  HIPAA, unlike California law, treats medical information as simply part of an employment record. 

There are many ways an employer can obtain your medical information.  The list below is extensive but not exhaustive. 

  • Employer-sponsored health plans. These are covered under the HIPAA regulations.  If your employer pays for your health insurance it must keep medical records completely separate from other employment records and comply with the HIPAA Privacy and Security Rules. 
  • Post-job offer and pre-employment medical examination or drug test.  In California, if you are asked to take a medical examination or drug test, it must relate specifically to the requirements of the job you've been offered. (Cal. Gov't Code § 12940 (e-f))
  • On-the-job drug tests.  An employer needs to have a "reasonable suspicion" that you are impaired by drugs or alcohol to require you to take a test.  A reasonable suspicion must be supported by factual, objective evidence that indicates drug or alcohol abuse, such as appearance, behavior, physical symptoms, and inconsistent job performance.  If an employee disputes the substance abuse test, a court will balance the employer’s justification against the employee’s California constitutional right to privacy. (Loder v. City of Glendale, 14 Cal. 4th 846 at 897—98 (1997) and California Constitution, Article I)
  • Employee background checks.  Consumer reporting agencies (CRAs) sell background checks to employers.  CRAs are regulated by the Fair Credit Reporting Act (FCRA), and may not include medical information unless you consent and the information is relevant to the job you are seeking. (FCRA § 604(g))

    For general information on background checks and the FCRA, see PRC's Fact Sheet 16: Employment Background Checks: A Jobseeker's Guide.

    California law also states that an Investigative Consumer Reporting Agency (ICRA) cannot give an employer a report that contains medical information without your consent.  (Cal. Civ. Code § 1786.12(f))

    However, in some cases an employer may conduct a background check based on public record information without using an investigative report.  In this case, the employer does not need your consent and nothing in the statute prohibits the report from containing medical information found in public records. For instance, these may include court proceedings that contain medical testimony or evidence.  Medical information may also come from media stories that reveal you as the subject of a medical study, medical litigation, or an accident that required medical treatment.

    You do have certain protections in this situation under California's Fair Employment and Housing Act (FEHA), which prevents medical information from being used to discriminate in employment.  (Cal. Gov't Code §§ 12900-12996)

    The California Public Records Act (CPRA) also protects you from public disclosure of medical records held by a government agency. The law considers this an unwarranted invasion of personal privacy (Cal. Gov’t Code § 6254(c)). See the Attorney General’s “Summary of the Public Records Act” for more information.

    For more information about background checks in California, see PRC's Fact Sheet 16a: Employment Background Checks in California: A Focus on Accuracy.
  • Workers' compensation claims.  Workers' compensation claims are not public records. However, they become public if a claim is appealed to the Workers' Compensation Appeals Board (WCAB).  Medical records that are part of a claim are not public and are exempt from disclosure based on Article I of the California Constitution, which includes the right to privacy.

    An employer may access workers' compensation records only after making an offer of employment.  The employer must register with the WCAB and confirm that the reasons for seeking access are legitimate.  The WCAB may not reveal medical information and the employer may not withdraw an offer because a claim exists.  (Cal. Labor Code § 132a)

    However, an employer may withdraw an offer if an individual has not revealed previous claims in the job application process.  The federal Americans with Disabilities Act (ADA) prohibits employers from discriminating against disabled individuals based on medical information or the existence of a workers' compensation claim. (42 U.S.C. § 12101)

    Information about requesting workers' compensation records in California is available on the Department of Industrial Relations (DIR) website.
  • Medical records of disabled job applicants and employees.  Both California and federal laws protect disabled individuals.  The ADA (Americans with Disabilities Act) applies to workplaces with 15 or more employees and prohibits employers from discrimination in hiring based on certain medical conditions. (42 U.S.C. § 12101) 

The ADA requires the following:

  • Employers may not ask disabled job applicants—those with a physical or mental impairment that substantially limits "a major life activity"—for medical information or require a physical examination prior to offering employment. (42 U.S.C. § 12102)  Under California's disability law, the limitation does not need to be "substantial" for the protection to apply.  (Unruh Civil Rights Act, Cal. Civ. Code §§ 54-55.3)
  • After extending a job offer, an employer can ask you to have a medical examination only if it is required of all employees who hold similar jobs.  If the employer withdraws your offer based on the results of a medical examination, the employer must prove that it is physically impossible for you to do the work required.

You can report ADA violations to the U.S. Equal Employment Opportunity Commission (EEOC).  Phone: (800) 669-4000.  The California Attorney General has a helpful pamphlet titled "Legal Rights of Persons with Disabilities."

  • Other ways an employer can acquire employee medical information.  Three federal laws put medical information in the hands of employers: the Family and Medical Leave Act (FMLA), the Americans with Disabilities Act (ADA), and the Occupational Health and Safety Act (OSH Act).

The FMLA gives most workers the right to 12 weeks of unpaid leave annually for reasons of personal and family health.  An employee who asks for FMLA leave needs to provide enough information for the employer to determine if the FMLA applies to the request.

If the reason is routine, such as pregnancy or that the employee had to be hospitalized overnight, the employee's statement may be sufficient.  If the request is based on the employee's or a family member's serious medical condition, the employer may require a health care provider's certification, although the employer cannot require actual medical records.

For more information, see the U.S. Department of Labor's Fact Sheet: "The Family and Medical Leave Act of 1993."

The ADA prohibits employment discrimination based on disability.  An employer may not ask job applicants about disabilities or past or present medical conditions or workers' compensation claims history.  Employers may ask non-disabled applicants about workers' compensation claims, so it is unclear how an employer would know not to ask a person whose disability is not visible.

An employer may only require a physical examination after offering a job and prior to the start date if all new employees in similar jobs are subject to the same requirement.

Employers must keep disabled employees' medical records confidential and separate from other employment records.  The records may be disclosed to a supervisor making a "reasonable accommodation" for a disabled worker; to safety and first aid workers, in the event that a disabled employee needs to be treated or evacuated; to insurance companies that require a medical exam; and otherwise as required by law.

For more information on the ADA, including an 800 number to call if you have questions, see the Equal Employment Opportunity Commission's ADA website.  The Council for Disability Rights also has an FAQ written for consumers.

The OSH Act governs workplace health and safety.  It applies to all private-sector employers with one or more employees.  Employers must keep employment-related medical records for the duration of employment plus 30 years.

A medical record is defined as "…a record concerning the health status of an employee which is made or maintained by a physician, nurse, or other health care personnel or technician." (See OSHA Definitions, 29 C.F.R. § 1910.1020(c)(6))  It includes:

  • medical examination results (both pre-employment and while employed);
  • laboratory, diagnostic, and biological monitoring;
  • doctors' opinions, diagnoses, progress notes, and recommendations;
  • first-aid records;
  • descriptions of treatments and prescriptions, and employee medical complaints; and
  • medical and employment questionnaires and histories, including job description and occupational exposures.

The Department of Labor's OSHA website offers information about workers' rights as well as an FAQ section about specific problems the law covers and compliance requirements for employers.

Cal OSHA complements the federal regulations and limits state agency use and disclosure of all personally identifiable information.  Data—including medical information—can be used only for the purposes for which it was collected, and you must be told what those purposes are.  Disclosure for any other purpose requires your consent.  (Cal. Gov't Code § 11019.9)  For information on filing an OSHA complaint in California, see the Department of Industrial Relations website (in English and Spanish).

As an employee, you have the right to request your OSHA records.  See OSHA's publication, "Access to Medical and Exposure Records."

For more in-depth information on medical privacy in the workplace, see PRC's Fact Sheet C5: Employment and Your Medical Privacy.

6.  Genetic information

There is no more private information about us than what is encoded in our DNA.  It is important to know what protections apply to our genetic information.

There are some legal protections against the acquisition and use of genetic information. The 2008 federal Genetic Information Nondiscrimination Act (GINA) addresses some concerns about both the privacy and misuse of genetic information. (Pub. Law 110–233, 122 Stat. 881 (to be codified and scattered in Sections 26, 29, and 42 of the United States Code)). It prohibits employers and most health insurers from requesting or requiring employees to provide genetic information. (42 U.S.C.A § 2000ff-1, 29 U.S.C.A. § 1182). GINA also prohibits discrimination—for instance, denying employment or health benefits—based on genetic information. (42 U.S.C.A § 2000ff-1)

Recent updates to HIPAA incorporate genetic information into the definition of protected health information (PHI).  This means that the HIPAA Privacy Rule now applies to the use and disclosure of genetic information.  The practical effect of the change is that restrictions on the use and disclosure of genetic information for underwriting purposes now apply to all health plans, rather than the limited plans specified by GINA.

GINA does not prevent the use of genetic information for other types of insurance underwriting, such as life or long term care insurance.  It does not protect against discriminatory use of genetic information in contexts other than employment and health insurance.  GINA also does not regulate access to or disclosure of genetic or whole genome sequence information across all potential users (for example, to prevent a life insurance company that requested a genetic test for a policy application from sharing that information).

The Equal Employment Opportunity Commission (EEOC), which enforces GINA, has information for consumers about the Act and its application. Another reliable source, particularly from a privacy perspective, is the Council for Responsible Genetics.

Recent amendments to the California Fair Employment and Housing Act (FEHA) and the Unruh Civil Rights Act greatly extend GINA’s prohibition against discrimination based on genetic information. Changes to the FEHA affect not only employment but also housing, business services, emergency medical services, licensing qualifications, life insurance coverage, mortgage lending, and participation in state-funded or state-administered programs. Changes to the Unruh Civil Rights Act affect access to accommodations, advantages, facilities, privileges, or services provided by business establishments. (Cal. Gov’t Code §§ 12921, 12940(a), (b), and (c); Cal. Civ. Code § 51)

There are, however, many companies in the business of private genetic testing for such things as health and susceptibility to disease, physical traits, ancestry, and paternity.  These are called “direct-to-consumer” or DTC services, and they collect genetic samples (generally a saliva swab) to do their analysis.  The best known DTC company is probably 23andme.  In addition, Ancestry.com is a popular genealogy website that has an optional DNA test for individuals who want to explore their origins more deeply than just through public records databases.  The Genetics and Public Policy Center (GPPC) at Johns Hopkins University has a fairly current list of DTC companies, and the types of tests they do. 

The privacy of genetic material turned over to a DTC company and the results generated are protected only by the company’s privacy policy.  If you’re considering an online DTC genetic test, read the site’s privacy policy very carefully.  Does it give you any control over the use of your genetic material or test results, or is it basically just a disclaimer that tells you the company can do whatever it wants with your genetic information?

Currently DTC genetics companies fall under only the FTC’s regulations that prohibit unfair or deceptive acts or practices (15 U.S.C. 45(a)) and the FDA’s regulations that prohibit false advertisements for foods, drugs, devices, and services (15 U.S.C. 52). 

Along with DTC genetics tests, the rapidly evolving field of whole genome sequencing raises many complex privacy and ethical issues.  Whole genome sequencing is decoding an individual’s genetic material into the sequences of its chemical components: adenine (A), guanine (G), thymine (T), and cytosine (C).  The result might look like this: CAGTCGCGAATACAGG.  The next step is translating these strings of letters into what they mean in terms of how the genome works: what do these genes do, how are they related, and how do the various parts of the genome coordinate their activities.

To learn more about this genetics frontier and the privacy issues involved, see the Presidential Commission for the Study of Bioethical Issues’ report, Privacy and Progress in Whole Genome Sequencing (October 2012).

7.  Conclusion

It would be a great benefit to the medical privacy of individuals—and also clear up a lot of confusion and regulatory clutter—if protections applied to the information itself, independent of who or what entity, public or private, has the information.  Unfortunately, that is not the case.  As you can see from this Fact Sheet, the privacy of your medical information that is not covered by HIPAA or the CMIA is highly contextual, and some contexts are better than others.  The best you can do is be aware of the types of records you would not generally think of as containing medical information, such as your financial records, and what your rights are over who can access and use that information.

8.  Resources

California laws and resources

To find the full text of California laws, visit www.leginfo.ca.gov.

California Confidentiality of Medical Information Act (CMIA) (Cal. Civ. Code §§ 56-56.37)

California Fair Employment and Housing Act (FEHA) (Cal. Gov't Code §§ 12900-12996)

California Financial Information Privacy Act (FIPA) (Cal. Fin. Code §§ 4050-4060)

California Insurance Information and Privacy Protection Act (Cal. Ins. Code §§ 791-791.28)

California Public Records Act (CPRA) (Cal. Gov't Code § 6254(c))

Unruh Civil Rights Act (Cal. Civ. Code § 51)

Cal OSHA (The Division of Occupational Safety and Health)
http://www.dir.ca.gov/dosh/

California Office of Privacy Protection
915 Capitol Mall, Suite 200
Sacramento, CA 95814
Email: privacy@scsa.ca.gov
Website: www.privacy.ca.gov

State of California Office of Health Information Integrity (CalOHII)
1600 9th Street, Room 460
Sacramento, CA 95814
Phone: (916) 651-6907
Email: OHIComments@ohi.ca.gov
Website: www.ohii.ca.gov/calohi/ 

Office of the Attorney General
California Department of Justice
Attn: Public Inquiry Unit
P.O. Box 944255
Sacramento, CA 94244
Phone: (800) 952-5225
Website: www.oag.ca.gov

Federal laws and resources

Americans with Disabilities Act (ADA) (42 U.S.C. § 12101)
http://www.ada.gov/

Fair Credit Reporting Act (FCRA) (15 U.S.C. §1681)

Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. §1232g; 34 CFR § 99) http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

Family and Medical Leave Act (FMLA) http://www.dol.gov/whd/fmla/

Genetic Information Nondiscrimination Act (GINA) (Pub. Law 110-233, 122 Stat. 881) http://www.genome.gov/24519851

Gramm Leach Bliley Act (GLB) (15 U.S.C. §§ 6801-6809)
http://www.ftc.gov/privacy/glbact/glbsub1.htm

Occupational Health and Safety Administration (OSHA) http://www.osha.gov/

For More Information on HIPAA:

U.S. Department of Health and Human Services
Office of Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: (866) 627-7748
Website: www.hhs.gov

To file a complaint about a HIPAA violation
Regional offices of the HHS Office for Civil Rights
http://www.hhs.gov/ocr/office/about/rgn-hqaddresses.html


