Healthcare providers, employers, insurers, and patients must understand the difference between the Health Information Portability and Accountability Act (HIPAA) and the Genetic Information Nondiscrimination Act (GINA) as they apply to different types of information.
What is HIPAA?
“The HIPAA [law] of 1996 establishes federal standards protecting sensitive health information from disclosure without a patient's consent,” explains the CDC Public Health Law topic on HIPAA.
HIPAA consists of two components:
- The Privacy Rule
- The Security Rule
These state how protected health information (PHI) is used, disclosed, and safeguarded. PHI includes any individually identifiable health information, such as medical records, test results, billing information, insurance details, and any data linked to a patient’s identity and health condition.
HIPAA Privacy Rule
According to the CDC, “The Privacy Rule standards address the use and disclosure of individuals' PHI by entities subject to the rule. These individuals and organizations are called ‘covered entities,’” including healthcare providers, insurers, and their partners.
- Healthcare providers: “Every healthcare provider, regardless of the size of practice, who electronically transmits health information in connection with certain transactions.” These transactions include “Claims, benefit eligibility inquiries, referral authorization requests, [and] other transactions for which HHS has established standards.”
- Health plans: “Health, dental, vision, and prescription drug insurers, health maintenance organizations (HMOs), Medicare, Medicaid… employer-sponsored group health plans, [and] government- and church-sponsored health plans.”
- Healthcare clearinghouses: “Entities processing nonstandard information received from another entity into a standard format or vice versa.”
- Business associates: “A non-member of a covered entity's workforce using individually identifiable health information to perform functions for a covered entity.” These functions include “claims processing, data analysis, utilization review, [and] billing.”
The Privacy Rule also explains patient control and transparency as it “contains standards for individuals' rights to understand and control how their health information is used.”
At the same time, “It protects individual health information while allowing necessary access to health information, promoting high-quality healthcare, and protecting the public's health.”
Permitted uses and disclosures of PHI
HIPAA allows certain uses and disclosures of PHI without patient authorization: “The law permits a covered entity to use and disclose PHI, without an individual's authorization, for the following situations:”
- “Disclosure to the individual”
- “Treatment, payment, and healthcare operations”
- “Opportunity to agree or object to the disclosure of PHI”
- “Incident to an otherwise permitted use and disclosure”
- “Limited dataset for research, public health, or healthcare operations”
Additionally, “The Privacy Rule permits use and disclosure of PHI… for 12 national priority purposes,” such as “Public health activities… judicial and administrative proceedings… law enforcement… research, under certain conditions… [and] to prevent or lessen a serious threat to health or safety.”
For example, PHI can be disclosed to public health authorities for the purpose of preventing or controlling disease outbreaks, so the necessary information is shared to protect the health and safety of the public.
HIPAA Security Rule
“While the HIPAA Privacy Rule safeguards PHI, the Security Rule protects a subset of information… in electronic form.” This is known as “Electronic protected health information, or e-PHI.” Therefore, “The Security Rule does not apply to PHI transmitted orally or in writing.”
Under this Rule, covered entities must meet the following requirements:
- “Ensure the confidentiality, integrity, and availability of all e-PHI.”
- “Detect and safeguard against anticipated threats to the security of the information.”
- “Protect against anticipated impermissible uses or disclosures.”
- “Certify compliance by their workforce.”
Enforcement and penalties
“The HHS Office for Civil Rights enforces HIPAA rules, and all complaints should be reported to that office.” If organizations do not uphold HIPAA Rules, they may be met with “civil monetary or criminal penalties.”
More specifically, fines can range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for each violation category. Additionally, criminal penalties can result in fines up to $250,000 and imprisonment for up to 10 years for knowingly obtaining or disclosing PHI without authorization.
The Breach Notification Rule
If a data breach occurs, organizations must notify affected individuals, regulators, and sometimes the media within 60 days of the discovery date. Failure to comply with the Breach Notification Rule can result in further penalties and damage to the organization's reputation.
What is GINA?
The Genetic Information Nondiscrimination Act (GINA) was passed in 2008 to prevent discrimination based on genetic information. GINA was created in response to growing concerns that advances in genetic testing could be used unfairly by employers or insurers.
What does GINA protect?
GINA prohibits discrimination based on:
- Genetic test results
- Family medical history
- Participation in genetic research
- Requests for or receipt of genetic services
Who must comply with GINA?
GINA specifically applies to employers with 15 or more employees, health insurers, employment agencies, and labor organizations.
Protections under GINA
1. Employment protections
GINA stipulates that employers cannot use genetic information in decisions about hiring, firing, promotions, or job assignments. Employers are also restricted from requesting or purchasing genetic information.
2. Health insurance protections
GINA states that health insurers cannot use genetic information to determine eligibility, adjust premiums based on genetic risk, or request genetic testing.
What GINA does not cover
GINA does not apply to life insurance, disability insurance, or long-term care insurance. It also does not cover manifested diseases (i.e., conditions that have already been diagnosed).
What is the difference between privacy and discrimination?
HIPAA protects the privacy and security of health information, while GINA protects individuals from discrimination based on genetic information. HIPAA regulates how information is handled, and GINA regulates how information is used to make decisions.
Additionally, HIPAA covers all forms of PHI, including medical records, diagnoses, and treatment history, while GINA specifically applies to genetic information, like DNA test results and family medical history.
Furthermore, HIPAA is enforced by the HHS, while GINA is enforced by agencies like the Equal Employment Opportunity Commission (EEOC) and the Department of Labor.
Where HIPAA and GINA overlap
Although these laws serve different purposes, they may intersect when it comes to genetic information in healthcare settings.
Genetic Information as PHI
Under HIPAA, genetic information is considered protected health information; therefore, it must be stored securely, it cannot be shared without authorization, and patients have rights over its access and disclosure.
While HIPAA protects the privacy of genetic information, GINA guarantees that even if that information is accessed legally, it cannot be used to discriminate in employment or health insurance decisions.
For example, if a patient undergoes genetic testing at a hospital, HIPAA keeps the test results confidential, and they are only shared with authorized parties. GINA then protects those results so they cannot be used by an employer or health insurer to discriminate against the patient.
In another scenario, if an employer offers a wellness program that includes family medical history questionnaires, GINA restricts how this information can be collected and used, and HIPAA may apply if a healthcare provider is involved in handling the data.
If a healthcare provider experiences a data breach involving genetic test results, HIPAA requires breach notification and safeguards. While GINA does not directly address the breach, it would apply if the exposed data is later used discriminatorily.
Common misconceptions
“HIPAA protects me from discrimination”
HIPAA only governs data privacy and does not prevent discrimination. GINA applies only when someone uses an individual’s genetic information unfairly.
“GINA covers all insurance”
GINA only applies to health insurance. It does not protect against discrimination in life, disability, or long-term care insurance.
“Employers can never access health information”
Employers may receive certain health-related information (e.g., through workplace programs), but HIPAA and GINA restrict how that data can be handled and used.
Why HIPAA and GINA matter
HIPAA and GINA work together to better protect individuals. Without HIPAA, protected health information, including genetic information, could be exposed or misused. Without GINA, even properly protected data could still be used to discriminate against individuals. That’s why both laws address data privacy risks, ethical and social risks, and compliance considerations for organizations.
As such, healthcare providers must adhere to HIPAA rules to safeguard PHI, including genetic data, train staff on proper data handling and disclosure, and understand that sharing genetic information could have GINA implications.
Employers cannot request genetic information unless clearly permitted, and they must check that their wellness programs comply with GINA requirements. Any received health information must also be kept confidential.
Ultimately, insurers may not use genetic information for underwriting or pricing decisions and must comply with both HIPAA (for data handling) and GINA (for discrimination prevention).
FAQs
How do HIPAA and GINA relate to each other?
Both HIPAA and GINA safeguard patients’ protected health information (PHI). HIPAA covers a broad range of health data, while GINA specifically addresses the use and disclosure of genetic information.
What is protected health information (PHI)?
PHI includes any information about health status, provision of health care, or payment for health care that can be linked to an individual and is protected under HIPAA regulations.
What are the penalties for violating HIPAA or GINA?
Penalties for violating HIPAA include civil fines ranging from $100 to $50,000 per violation, with a maximum of $1.5 million per year, and criminal penalties with fines up to $250,000 and imprisonment for up to ten years for the most severe violations involving malicious intent or personal gain.
For GINA violations, penalties typically involve civil fines, and violators may be required to pay damages, legal fees, and undertake corrective actions, such as job reinstatement and payment of back wages, to remedy discriminatory practices based on genetic information. Both sets of penalties vary based on the severity and willfulness of the breach.