NHGRI logo

Federal Policy Recommendations Including HIPAA

The NIH Health Insurance Portability and Accountability Act of 1996 (HIPAA) [hhs.gov] required HHS to develop standards for protecting the privacy of individually identifiable health information from inappropriate use and disclosure. The resulting Privacy Rule [hhs.gov] came into effect on April 14, 2003. Within the Privacy Rule, genetic information is treated as all other "Protected Health Information." The Privacy Rule does not preempt more stringent state law, therefore, there are many state laws that prevail over the Privacy Rule.

NIH GUIDE Notice on the effect of the HIPAA Privacy Rule [privacyruleandresearch.nih.gov]

HIPAA was also the first step toward implementation of the policy recommendations on health insurance and provided some protection from discrimination, but gaps remain.

For health insurance in the group market, HIPAA does:
  • Prohibit excluding an individual from group coverage because of past or present medical problems, including genetic information.

  • Prohibit charging a higher premium to an individual than to others in the group.

  • Limit exclusions in group health plans for pre-existing conditions to 12 months, and prohibit such exclusions if the individual has been previously covered for that condition for 12 months or more.

  • State explicitly that genetic information in the absence of a current diagnosis of illness shall not be considered a preexisting condition.
HIPAA does not:
  • Prohibit the use of genetic information as a basis for charging a group more for health insurance.

  • Limit the collection of genetic information by insurers and prohibit insurers from requiring an individual to take a genetic test.

  • Limit the disclosure of genetic information by insurers.

  • Apply to individual health insurers except if covered by the portability provision.

HIPAA Privacy Rule: Information for Researchers

Privacy/Confidentiality

In the mid 1990s, the National Human Genome Research Institute (NHGRI) and the National Action Plan on Breast Cancer (NAPBC) co-sponsored an initiative to address privacy and confidentiality of information in genetics research. Following previous successful collaborations to address genetic discrimination in health insurance and employment, NHGRI and NAPBC initiated an assessment of the protections for confidentiality in genetics research.

A workshop on privacy in genetics research was held on Sept. 16 and 17 in Bethesda, Md. The purpose of this workshop was to address key unresolved issues identified at a June 1997 Planning Meeting and to develop a set of policy recommendations.

NHGRI Policy Recommendations on Research Privacy Guidelines

  1. Privacy protections for experimental research data in which health care is not delivered should exceed the protections established for medical records. Rules for third-party access to medical records should not be uniformly applied to experimental research data.

  2. Researchers should not place individually identifiable experimental research data not utilized for health care in the medical record.

  3. Informed consent for research participation should include information about all potential disclosures of research information and the nature and magnitude of the risks from such disclosures. Adequate measures to ensure compliance and punish violations should be in place.

  4. Current practices to protect confidentiality of experimental research data should be studied and best practices should be developed.

  5. Protections similar to Certificates of Confidentiality should be developed to protect research subjects from compelled disclosure of research results.

  6. Research participants should have access to experimental research data except when:

    1. The information includes information obtained under a promise of confidentiality, is about another person, and patient inspection would cause harm to another individual;

    2. Access to the information may reasonably be expected to endanger the life or physical safety of the research participant or anyone else;

    3. Access would break the "masking" of the study or otherwise significantly interfere with the conduct or results of the study; or

    4. The research results are of unproven clinical validity, and the IRB has judged that there is no benefit to the research subjects. In such circumstances, the informed consent must explicitly state that individual research results will not be shared.

Last Reviewed: February 28, 2012

Last updated: February 28, 2012