Skip to main content

Final regulations published on protection of genetic information

Written by Andrew Matzkin

The Equal Employment Opportunity Commission issued its final regulations implementing the Genetic Information Nondiscrimination Act (“GINA”) on Tuesday.

The Regulations do a nice job of explaining the real-world application of GINA, and especially how GINA may impact normal HR activities which companies may (mistakenly) assume are not covered by GINA.  To start, the Regulations explain GINA’s definitions (for instance, who is a covered “employer” and what constitutes covered “genetic information” as opposed to general medical information).  The Regulations then clarify the scope of GINA’s basic prohibition against: (a) discriminating against employees on the basis of genetic information, (b) limiting, segregating or classifying employees on the basis of genetic information, and (c) retaliating against employees based on opposition to unlawful conduct under GINA or participation in investigations or proceedings under GINA.

Perhaps most helpful -- and unusual for regulatory issuances --  the Regulations also provide a solid explanation of the scope of GINA’s prohibition against requesting, requiring or purchasing genetic information.   For instance, the Regulations explain that an unlawful “request” would include conducting internet searches likely to result in obtaining genetic information, actively listening to conversations or searching personal effects for purpose of obtaining genetic information, or making requests for purposes of obtaining genetic information.

The Regulations also explain the requirements for meeting the exceptions to this prohibition (in other words, how an employer may obtain genetic information without unlawfully “requesting” or “requiring” it), such as how information may be obtained: (a) as a result of “inadvertent” requests for genetic information, (b) as part of the provision of health and genetic services, (c) pursuant to requests for information under the Family and Medical Leave Act, (d) through commercially and publicly available documents, (e) via the monitoring of effects of toxic substances, or (f) pursuant to DNA analysis for law enforcement purposes.

There is also a helpful Q&A that is designed for small businesses and that provides an excellent overview of the Regulations.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.