Is genetic data PHI?

Yes, genetic data is considered protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

What is protected health information (PHI)?

PHI refers to any health information that can be linked to an individual and is held or transmitted by entities covered under HIPAA, including healthcare providers, health plans, and healthcare clearinghouses. This information can be in any form: electronic, paper, or oral.

PHI includes common data like names, addresses, medical diagnoses, treatment information, and payment details. Importantly, the law mandates stringent protections around how this information is used, shared, and stored to prevent unauthorized disclosures.

When is genetic data considered PHI?

According to the National Human Genome Research Institute, “In 2013, as required by the passage of the Genetic Information Nondiscrimination Act, the Privacy Rule was modified to establish that genetic information is considered PHI, and HIPAA-covered entities may not use or disclose PHI that is genetic information for underwriting purposes.”

This means that genetic information is considered PHI when it is individually identifiable and held or transmitted by a covered entity (like a healthcare provider, health plan, or healthcare clearinghouse) or their business associates. This includes:

  • Genetic tests of the individual or their family members
  • Family medical history
  • Requests for, or participation in, genetic services
  • Use of genetic information for healthcare purposes

What is considered genetic information?

The Code of Federal Regulations (45 CFR 160.103) defines genetic information broadly to include:

  • “The individual's genetic tests;
  • The genetic tests of family members of the individual;
  • The manifestation of a disease or disorder in family members of such individual; or
  • Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.
  • A fetus carried by the individual or family member who is a pregnant woman; and
  • Any embryo legally held by an individual or family member utilizing an assisted reproductive technology.”

Examples of genetic data considered PHI

  • A patient’s results from a BRCA1 or BRCA2 genetic test, stored in their electronic health record
  • Family medical history listed in a primary care provider’s notes
  • Records showing that a patient sought or received genetic counseling or testing
  • Identifiable DNA sequencing data maintained by a health insurer

When this kind of information is linked to identifiers such as names, dates of birth, or addresses, it qualifies as PHI and must be protected according to HIPAA regulations.

Does HIPAA protect genetic data?

According to the U.S. Department of Health and Human Services (HHS), “genetic information is health information protected by the Privacy Rule. Like other health information, to be protected it must meet the definition of protected health information: it must be individually identifiable and maintained by a covered health care provider, health plan, or health care clearinghouse.”

Why the protection of genetic data matters

Genetic data is the blueprint of a person’s biological makeup and can reveal predispositions to various conditions, from cancer to Alzheimer’s disease. Moreover, it is inherently identifiable: even in anonymized datasets, researchers have shown that individuals can be re-identified using genetic markers. A 2013 study titled Identifying Personal Genomes by Surname Inference demonstrated that individuals can be re-identified from anonymized genetic datasets by cross-referencing Y-chromosome markers with publicly available genealogy data. The researchers successfully identified nearly 50 individuals from the 1000 Genomes Project, showing that genetic data is inherently identifiable and difficult to fully anonymize.

The study Keeping Pace with the Times — The Genetic Information Nondiscrimination Act of 2008, published in Nature Reviews Genetics, provides a thorough overview of the potential consequences of genetic data misuse, including:

  • Risk of discrimination in employment and insurance, despite existing laws like GINA
  • Potential for social stigmatization related to genetic conditions
  • Psychological impacts such as anxiety or distress due to disclosure
  • Privacy and security concerns extending to biological relatives because of shared genetics

Given these risks, the handling of genetic data must be approached with the utmost care.

What laws protect genetic data?

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA’s Privacy Rule protects all forms of Protected Health Information (PHI), including genetic data. Under HIPAA:

  • Covered entities must implement administrative, physical, and technical safeguards to protect genetic data.
  • They must obtain patient consent for most disclosures of genetic information.
  • They are prohibited from using genetic data for underwriting purposes, like determining insurance eligibility or premium rates.

Genetic Information Nondiscrimination Act (GINA) of 2008

GINA was enacted specifically to address the growing concern that genetic information could be used to discriminate against individuals. It includes two key titles:

  • Title I: Prohibits health insurers from using genetic information to determine eligibility, coverage, or premium costs. It also bans insurers from requesting or requiring genetic testing.
  • Title II: Prohibits employers from using genetic information when making hiring, firing, promotion, or job placement decisions.

While GINA offers strong protections, it has limitations:

  • It does not apply to life, disability, or long-term care insurance.
  • It does not extend protections to members of the military, veterans receiving care through the VA, or individuals covered by the Indian Health Service.

Common Rule (45 CFR 46)

For genetic research, the Federal Policy for the Protection of Human Subjects (also known as the Common Rule) requires:

  • Informed consent from research participants.
  • Review and approval by Institutional Review Boards (IRBs).
  • Additional safeguards when research involves identifiable biospecimens or data.

This is particularly relevant for biobanks, universities, and genomic research initiatives using DNA samples or genetic data.

State-level genetic privacy laws

Many states have enacted their own laws to supplement federal protections. Some states go beyond HIPAA and GINA by:

  • Requiring explicit consent for genetic testing or disclosure.
  • Prohibiting employers or insurers from accessing genetic information altogether.
  • Establishing genetic privacy as a civil right or giving individuals ownership over their genetic material.

Examples include:

Best practices for handling genetic data

Given the sensitivity and risks, covered entities and their business associates must adopt robust practices:

  • Limit access to genetic data to authorized personnel only.
  • Implement encryption and security controls for electronic genetic information.
  • Obtain proper patient consent and authorizations for genetic testing and data sharing.
  • Educate staff on the unique privacy concerns surrounding genetic data.
  • Monitor disclosures carefully to avoid unauthorized sharing.
  • Use de-identification cautiously, recognizing its limits for genetic data.

FAQs

What rights do patients have over their genetic information?

Under HIPAA, patients have the right to:

  • Access and obtain copies of their genetic information in their medical records
  • Request corrections to errors in those records
  • Receive a list of disclosures showing who has accessed their PHI
  • Request restrictions on certain uses and disclosures
  • File complaints if they believe their rights have been violated

Does HIPAA protect genetic information stored in research biobanks?

HIPAA protections apply if the biobank is operated by a covered entity and stores identifiable genetic information.