1 See generally Francis S. Collins et al., Heredity and Humanity, New Republic, June 25, 2001, at 27, 28.

2 Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,461 (Dec. 28, 2000) (codified at 45 C.F.R. pts. 160 and 164).

3 Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, Hostat. 1936 (codified primarily in sections of 42 U.S.C. and 29 U.S.C).

4 Title II, Subtitle F (pertaining to administrative simplification and privacy).

5 Title I (pertaining to nondiscrimination).

6 The Potential for Discrimination in Health Insurance Based on Predictive Genetic Tests, Hearing Before the House Comm. on Energy and Commerce, Subcomm. on Commerce, Trade, and Consumer Protection, 107th Cong. 41 (2001) (statement of Karen H. Rothenberg).

7 U.S. Dep't of labor, U.S. Dep't of Health & Human Servs., U.S. Equal Emp. Opportunity Comm'n , U.S. Dep't of Justice, Genetic Information and the Workplace 3 (1998) (contending that “American workers deserve federal legislation to protect them from genetic discrimination in the workplace”), available at http://www.nhgri.nih.gov/HGP/Reports/genetics_ workplace.html.

8 Mark A. Hall & Stephen S. Rich, Genetic Privacy Laws and Patients' Fear of Discrimination by Health Insurers: The View from Genetic Counselors, 28 J.L. Med. & Ethics 245, 246-47 (2000).

9 Katherine P. Geer et al., Factors Influencing Patients' Decisions to Decline Cancer Genetic Counseling Services, 10 J. Genetic Counseling 25, 34 (2001).

10 See Andrews, Lori B., A Conceptual Framework for Genetic Policy: Comparing the Medical, Public Health, and Fundamental Rights Models, 70 Wash. U. L. Q. 221, 258-66 (2001)Google Scholar; see also Miller, Paul S., Is There a Pink Slip in My Genes? Genetic Discrimination in the Workplace, 3 J. Health Care L. & Pol'y 225 (2000)Google Scholar; Rothenberg, Karen H. et al., Genetic Information and the Workplace: Legislative Approaches and Policy Challenges, 275 Science 1755 (1997)CrossRefGoogle Scholar; Rothstein, Mark A. et al., Protecting Genetic Privacy by Permitting Employer Access Only to Job-Related Employee Medical Information: Analysis of a Unique Minnesota Law, 24 Am. J.L. & Med. 399 (1998)Google Scholar.

11 Determination letter (Nov. 21, 2000) from the U.S. Equal Emp. Opportunity Comm'n, Charlotte Dist. Office, Charge No. 14AA00039.

12 See, e.g., Nat'l Conf. of State Legislatures, Genetics Policy Report: Employment Issues (2001) (examining state policy approaches to limiting employer acquisition, use and disclosure of genetic information); Nat'l Conf. of State Legislatures, Genetics Policy Report: Insurance Issues 6(2001) (examining “the highly complex and difficult interplay between advances in genomic science and [state-based] private insurance systems”).

13 45 C.F.R. § 164.534(2001).

14 Id. §§ 160.102-.103.

15 Id. §164.501.

16 Id.

17 Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,621 (Dec. 28, 2000).

18 Id. at 82,493.

19 42 U.S.C.A. § 1172(a)(3) (2001). A new federal law enacted in December 2001 eliminates, for the six-month period between April 2003 and October 2003, any requirement that the provider use the DHHS-prescribed standard formats. Administrative Simplification Compliance Act, Pub. L. No. 107-105, § 2, 115 Stat. 1003 (2001).

20 Research involving genetic information will be impacted by the regulation to the extent that researchers attempt to obtain PHI from an entity that is covered by the regulation. Before covered entities can disclose patient identifiable information to researchers, certain requirements must be met. 45C.F.R. § 164.512(i).

21 Id. § 164.501 (defining “treatment,” “payment” and “health care operations”);id. § 164.506(a) (consent requirement). On March 27, 2002, DHHS published proposed modifications to the HIPAA privacy regulation. Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 14,776 (proposed Mar. 27, 2002) (to be codified at 46 C.F.R. pts 160 and 164). DHHS proposed to eliminate the requirement that health care providers obtain the individual's consent before using or disclosing PHI for treatment, payment or health care operations. See 67 Fed. Reg. at 14, 812 (to be codified at 45 C.F.R. § 164.506). DHHS is not expected to issue final changes before late summer 2002.

22 Id. § 164.506(a)(4).

23 Id. §§ 164.508, 164.510, & 164.512.

24 Id. § 164.501 (defining “health care operations”);id. §§ 164.514(e)(l)-(f)(l). DHHS proposed changes to the marketing provisions that, if adopted, would provide even fewer privacy protections than the current regulation. See 61 Fed. Reg. at 14, 811,14, 813 (to be codified at 45 C.F.R. §§ 164.501 & 164.508(a)(3)).

25 The authorization would have to meet the requirements of 45 C.F.R. § 164.508.

26 Id. § 164.502(b). If the set of proposed modifications referred to in note 21 is adopted, health plans would have greater leeway to request PHI for the plan'sown health care operations purposes. Under the current privacy regulation, health care providers can only use and disclose PHI for their own treatment, payment or health care operations. The modifications DHHS has proposed would permit providers to disclose PHI for the health plan's health care operations purposes. See 67 Fed. Reg. 14,781 (to be codified at 45 C.F.R. § 164.506(c)).

27 Id. § 164.504(f)(1).

28 See Part IV.A for discussion of a pending federal bill (S. 318/H.R. 602, 107th Cong. (2001)) that would prohibit group health plans and insurers from disclosing genetic information to the employer that sponsors the group health plan.

29 45 C.F.R. § 164.504(f)(2)(iii).

30 Id.

31 Id. § 160.103 (defining “health care provider” and “covered entity”).

32 Id. § 160.102(a)(3).

33 29 U.S.C.A. § 1182 (a)(1)(F) (West 2001).

34 Id. § 1182(b)(1).

35 42 U.S.C.A. § 300gg-41 (West 2001).

36 See section 264(c)(2) of Subtitle F of Title II of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, 110 Stat. 1936;see also 45 C.F.R. §§ 160.202-.203 (2001).

37 42 U.S.C.A. §§ 300gg-23, 300gg-46.

38 Genetics Policy Report: Insurance Issues, supra note 12.

39 Id. at Appendix A.

40 Id.

41 Id. at 17.

42 This section of the Article focuses on genetic information in the hands of private employers. Federal government workers have additional protections as a result of an executive order issued by President Clinton in February 2000. Exec. Order No. 13,145, 65 Fed. Reg. 6,877 (Feb. 10, 2000).

43 Am. Mgmt Ass'n, 2001 Ama Survey on Survey on Workplace; Medical Testing (2001). A summary of key findings can be found at http://www.amanet.org/research/summ.htm.

44 Id.

45 Id.

46 Employer access to PHI via group health plans and flexible spending accounts is impacted by the HIPAA privacy regulation, which is discussed in Part III.B of this Article.

47 For a history of workplace genetic testing, see U.S. Cong., Office of Tech. Assessment, Genetic Monitoring and Screening in the Workplace (1990). See also L. Camille Hebert, Genetic Testing, in Employee Privacy Law (2001).

48 Am. Mgmt Ass'n, supra note 43.

49 Id.

50 °Id.

51 Id.

52 id.

53 United States Equal Emp. Opportunity Comm'n v. Burlington N. Santa Fe Ry., Civ. No. CO1-4013 MWB (N.D. Iowa 2001); Bhd. of Maint. of Way Employees et al. v. Burlington N. Santa Fe Ry. et al., Civ. No. CO1-4012 MWB (N.D. Iowa 2001).

54 See, e.g., NewsHour with Jim Lehrer, Genetic Testing (PBS broadcast June 7, 2001), available at http://www.pbs.org/newshour/bb/health/jan-june01/genetest_06-07.html.

55 The Railway reached an initial settlement with the EEOC in April 2001, agreeing to stop requiring genetic tests, using genetic information relating to its employees and disclosing such information to the public. Charges pending at the EEOC were resolved through a mediated settlement reached in May 2002. The May settlement was filed in the U.S. District Court for the Eastern District of Wisconsin and is subject to court approval. United States Equal Emp. Opportunity Comm'n v. Burlington N. Santa Fe Ry. Co., Civ. No. 02-C-0456 (E.D. Wis. 2002). Under the May settlement, the Railway agrees to not use genetic tests in required medical examinations of employees, to provide enhanced ADA training to its medical and claims personnel and to have senior management review all significant medical policies and practices. The settlement also calls for the payment of $2.2 million to the employees who were directed to appear for the disputed medical examinations. Press Release, E.E.O.C, EEOC and BNSF Settle Genetic Testing Case Under Americans With Disabilities Act (May 8, 2002), available at http://www.eeoc.gov/press/5-8-02.html.

56 42U.S.C. § 12112(d) (1994).

57 Id § 12112(d)(3)(B).

58 For a recent, comprehensive discussion and critique of the ADA's approach to medical examinations and inquiries, see, for example, Sharona Hoffman, Preplacemenl Examinations andJobRelatedness: How to Enhance Privacy and Diminish Discrimination in the Workplace, 49 Kansas L. Rev. 517(2001).

59 For a thorough discussion of the ADA and genetic discrimination, see Miller, supra note 10.

60 For a comprehensive discussion of how the ADA'S coverage has been significantly restricted, see Feldblum, Chai R., Definition of Disability Under Federal Anti-Discrimination Law: What Happened? Why? And What Can We Do About It?, 21 Berkeley J. Emp. & Labor L. 91 (2000)Google Scholar.

61 Protecting Against Genetic Discrimination: The Limits of Existing Laws, Hearing Before the Sen. Comm. on Health, Educ, Labor, and Pensions, 107th Cong. (2002) (testimony of Joanne L. Hustead, Senior Counsel, Health Privacy Project, Inst, for Health Care Research and Policy, Georgetown Univ.), available at http://www.senate.gov/~labor/Hearings-2002/feb2002/feb2002.htm.

62 Genetics Policy Report: Employment Issues, supra note 12, at 4.

63 Id.

64 S. 318, 107th Cong. (2001); H.R. 602, 107th Cong. (2001). The House and Senate versions of the Genetic Nondiscrimination in Health Insurance and Employment Act are identical in most respects. Except where differences between the House and Senate versions are at issue, this Article will refer to the section numbers in the House bill.

65 S. 1995, 107th Cong. (2002). This bill effectively replaces an earlier bill introduced by Senator Snowe, S. 382, 107th Cong. (2001).

66 Both bills use the term “issuer” rather than “insurer.” HIPAA defines “issuer” to include insurance companies, insurance services, insurance organizations, and HMOs. See 42 U.S.C.A. § 300gg-91(b)(2) (West 2001). This section of the Article uses the more familiar term “insurer” instead.

67 H.R. 602 § 101(e) (adding definition of “protected genetic information” to section 733(d) of ERISA).

68 S. 1995 § 101(c) (adding definition of “genetic information” to section 733(d) of ERISA).

69 45 CF.R. § 160.103(2001).

70 Title II of the bill also contains prohibitions that apply to employment agencies, labor organizations, and apprenticeship/training programs. H.R. 602, 107th Cong. §§ 203, 204, & 205.

71 Id. § 101(c) (adding new subsection (n) to section 502 of ERISA); id. § 102(c) (adding new subsection (c) to sections 2722 and 2761 of the Public Health Service Act); id. § 207.

72 Id. § 101(b).

73 Id. §§101-102.

74 Id. § 101(b) (adding new subsection (e) to section 702 of ERISA).

75 Id.

76 The HIPAA privacy regulation applies to all group health plansexcept those that are self-administered and have fewer than fifty participants. 45 C.F.R. § 160.103 (defining “group health plan”). In all likelihood, few group plans will fall into this excepted category. According to congressional testimony submitted by the National Association of Health Underwriters, although it is not common, there are some employer groups in the mid-size range (50-300 participants) that self-administer their plans, but no mention is made of smaller groups where that is the case. See Genetic Non-Discrimination: Implications for Employer Provided Health Care Plans, Hearing Before the House Comm. on Educ. and the Workforce, Subcomm. on Employer-Employee Relations, 107th Cong. 29 (2001) (statement of Janet Stokes Trautwein).

77 As discussedsupra note 26, proposed modifications to the privacy regulation would permit a health plan or insurer to disclose PHI to another covered entity for therecipient's own payment or health care operations purposes. See Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 14,776, 14,812 (proposed Mar. 27, 2002) (to be codified at 45 C.F.R. § 164.506(c)(3) & (4)).

78 45 C.F.R. § 160.103 (defining “business associate”).

79 Id. § 164.501 (defining “health care operations”).

80 29 U.S.C. §§ 1001-1461 (1994).

81 See Kaiser Family Found. & Health Research and Educ. Trust, Employer Health Benefits: 2001 Annual Survey 163 (2001), available at http://www.kff.org/content/2001/ 20010906a. (showing that 36% of large employers and 21 % of midsize employers in the U.S. have the ability to link claims data to individual employees).

82 H.R. 602 § 202(a)(3).

83 Id.

84 S. 318, 107th Cong. § 203(a)(3)(C) (2001). This section of the Senate bill also states that family history obtained for this purpose “will not be disclosed to persons other than medical personnel involved in or responsible for assessing whether further medical evaluation is needed to diagnose a current disease, or medical condition or disorder, except as otherwise permitted by this title.” Id. § 203(a)(3)(C)(ii)(III). If the purpose of this subsection is to limit accesswithin the employer organization—so that only medical personnel (as distinct from management, administrative or supervisory personnel) are aware of the family history—the language should be clarified to better protect privacy. The use of the word “disclosed” implies that there may be someone other than these medical personnel deciding whether to disclose it to the medical personnel. Stating that such information “will not be available to, accessed by, or used by persons other than medical personnel” would be clearer and would better protect privacy.

85 H.R. 602 § 202(a)(1).

86 Id. § 202(a)(2).

87 Id. § 206.

88 Id. § 206(a).

89 Id. § 206(b).

90 Id. § 202(a)(3)(A)(iv). For an additional suggestion aimed at improving the privacy protections in the Senate version of the bill, see supra note 83.

91 Title II of the bill also contains prohibitions that apply to employment agencies, labor organizations, and apprenticeship/training programs. S. 1995, 107th Cong. §§ 203, 204 & 205 (2002).

92 Id. § 101(b) (adding new subsection (d) to section 702 of ERISA).

93 Id. § 101(b) (adding new subsection (e) to section 702 of ERISA).

94 C.F.R. § 164.501 (2001).

95 See discussionsupra Part III.B.

96 S. 1995 § 101(b) (adding new subsection (d) to section 702 of ERISA).

97 Id. § 101(a)(3).

98 Id. § 102(b).

99 To make the bill's prohibitions on the use of genetic information more effective, the bill should limit collection of genetic information. Limiting collection of genetic information in the first place is the first line of defense in the effort to end discrimination on the basis of genetic information.

100 Id. § 101(b) (adding new subsection (d) to section 702 of ERISA).

101 This title of S. 1995 closely parallels S. 382, which was introduced a year earlier than S. 1995 and is clearly the model for S. 1995.

102 S. 1995 § 202(b).

103 Id. § 202(b)(1).

104 Id. § 202(b)(2).

105 Id. § 202(b)(3).

106 Id. § 202(a)(1).

107 Id. § 202(a)(2).

108 Id. § 206.

109 Id. § 206(a)(1).

110 Id. § 206(a)(2).

111 Id. § 202(b)(1)(E).

112 “eHealth” has been defined as “the use of emerging information and communication technology, especially the Internet, to improve or enable health and health care.” T.R. Eng, Robert Wood Johnson Found., The Ehealth Landscape: A Terrain Map of Emerging Information and Communication Technologies in Health and Health Care 20 (2001).

113 Janlori Goldman & Zoe Hudson, Virtually Exposed: Privacy and E-Health, Health Affairs, Nov/Dec 2000, 140, at 140-41.

114 See, for example, the DNA LifePrint Management Kit, at http://www.dna-lifeprint.com (last visited Mar. 30, 2002).

115 See, for example, the DNA identification and banking services, at http://www.genetree.com (last visited Mar. 30, 2002).

116 See, e.g., Global TeleGenetics GeneScene, at http://www.genescene.com (last visited Mar. 23, 2002).

117 See, e.g., GeneTree DNA Testing Ctr., at http://www.genetree.com (last visited Mar. 23, 2002).

118 See The Ehealth Landscape, supra note 111.

119 A few are ranked in the top 500 most visited Web sites by Media Metrix, a service provided by Jupiter Media Metrix, which measures user activity and site traffic, at http://www.jmm.com.

120 Pew Internet & Am. Life Project, More Online, Doing More 7 (2001), at http://www.pewinternet.org/reports/index.asp.

121 http://www.google.com.

122 Matthew R.G Taylor et al.. Use of the Internet by Patients and Their Families to Obtain Genetics-Related Information, 76 Mayo Clinical Proceedings 772, 775-76 (2001).

123 This regulation is discussed in Part III.

124 Health Privacy Project, Pew Internet & Am. Life Project, Exposed Online: Why the New Federal Health Privacy Regulation Doesn't Offer Much Protection to Internet User. 7 (2001).

125 This authority emanates from section 5 of the Federal Trade Commission Act, 15 U.S.C. §§ 41-77 (1994).

126 The FTC found in its May 2000 study that about 40% of commercial websites do not have privacy policies or post poorly drafted privacy policies. U.S. Fed. Trade Comm'n, Privacy Online: Fair Information Practices in the Electronic Marketplace 14 (2000).

127 C.F.R. § 160.103 (2001).

128 See DNA Sciences, at http://www.dna.com (last visited Mar. 31, 2002).

129 45 CF.R. §160.103.

130 The privacy regulation applies to providers of health care. The regulation defines “health care” as including the sale or dispensing of a drug, device, equipment or other item in accordance with a prescription. Id. § 160.103. “Health care” therefore does not include over-the-counter drugs.

131 42 U.S.C.A. § 1172(a)(3) (West 2001); 45 CF.R. § 160.102.

132 45 CF.R. § 160.103 (defining “transaction”).

133 Id. § 162.923(a).

134 The Administrative Simplification Compliance Act, Pub. L. No. 107-105, 115 Stat. 1003 (2001), extended the compliance time frame from Oct. 2002 to Oct. 2003.

135 See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,461, 82,568 (Dec. 28, 2000) (“Lastly, we clarify that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf.”)

136 Administrative Simplification Compliance Act, § 2.

137 C.F.R. § 164.520 (notice of privacy practices); 45 C.F.R. § 164.506(a) (consent requirement). See supra note 21 for discussion of a proposed modification to the privacy regulation that would eliminate the provider consent requirement.