The Illinois Genetic Information Privacy Act (GIPA)

The Genetic Information Privacy Act (GIPA) of Illinois, effective from January 1, 1998, and with subsequent amendments, is a comprehensive law designed to safeguard genetic information of individuals. It outlines specific rules and regulations regarding the use, disclosure, and protection of genetic data, emphasizing privacy and non-discrimination. 

To promote the goals of the Act, violations come with stiff penalties: $2,500 in liquidated damages for negligent violations, rising to $15,000 or higher for intentional or reckless violations. The penalties apply to each violation, and they can be increased if actual damages exceed the listed minimum penalty.

The primary aim of the Illinois GIPA is to give individuals more control over their personal information. This is achieved by imposing obligations on businesses and organizations that collect genetic data. It applies to any entity, regardless of its business location, that handles the personal information of Illinois residents. This means any company located outside of Illinois is still subject to the law and its penalties if it violates the law with respect to Illinois residents. This ensures the law covers a wide range of companies, including those operating online.

In passing the Act, the Illinois General Assembly recognized the value of genetic testing and acknowledged concerns regarding the potential misuse of genetic information. Their stated intent was to promote the voluntary and confidential use of genetic data while preventing discriminatory use. 

Similar to GIPA is the Illinois Biometric Information Protection Act (“BIPA”), which also contains penalties for misuse. BIPA lawsuits have resulted in large settlements from companies that violated the law, with common examples including employers who collected employee biometric data such as fingerprints when hourly employees clocked in and out.

Illinois GIPA – The Language of the Law 

GIPA strictly forbids employers and their representatives from directly or indirectly demanding, requesting, or acquiring genetic information as a condition of employment. It also bars retaliation against employees who decline to provide such information. From Section 15: 

Except as otherwise provided in this Act, genetic testing and information derived from genetic testing is confidential and privileged and may be released only to the individual tested and to persons specifically authorized, in writing in accordance with Section 30, by that individual to receive the information. 

Employers must handle genetic information in line with federal guidelines and only disclose it in specific cases, such as for managing employee benefits.  Section 410 ILCS 513/5: 

Limiting the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish an intended purpose, when being transmitted by or on behalf of a covered entity under HIPAA, is a key component of health information privacy. 

The limits for employers are further defined in Section 25: 

An employer, employment agency, labor organization, and licensing agency shall not directly or indirectly do any of the following: 

  1. solicit, request, require or purchase genetic testing or genetic information of a person or a family member of the person, or administer a genetic test to a person or a family member of the person as a condition of employment, preemployment application, labor organization membership, or licensure; 
  2. affect the terms, conditions, or privileges of employment, preemployment application, labor organization membership, or licensure, or terminate the employment, labor organization membership, or licensure of any person because of genetic testing or genetic information with respect to the employee or family member, or information about a request for or the receipt of genetic testing by such employee or family member of such employee; 
  3. limit, segregate, or classify employees in any way that would deprive or tend to deprive any employee of employment opportunities or otherwise adversely affect the status of the employee as an employee because of genetic testing or genetic information with respect to the employee or a family member, or information about a request for or the receipt of genetic testing or genetic information by such employee or family member of such employee; and 
  4. retaliate through discharge or in any other manner against any person alleging a violation of this Act or participating in any manner in a proceeding under this Act. 

“Genetic information” is defined according to HIPAA regulations (45 CFR 160.103). It encompasses data about an individual’s or their family members’ genetic tests, the presence of diseases or disorders, or any engagement with genetic services or related clinical research. 

“Minimum necessary” is defined as HIPAA’s standard for using, requesting, and disclosing health information (45 CFR 164.502(b) and 165.514(d)).

GIPA – $2,500 and $15,000 Penalties per Violation 

GIPA contains direct penalties of $2,500 and $15,000 per violation. Those penalties are minimums, and the law allows for additional damages for any violation that has higher actual damages. The law applies the higher $15,000 penalty when a violation has occurred due to intentional or reckless actions.

Recent cases have been filed against companies, both inside and outside of Illinois, for violations of GIPA and Illinois citizens’ rights.  Looking at existing cases and existing claims, common themes emerge regarding alleged violations: 

  1. Employers requesting medical history of employees: An employer who requests medical history and receives it, including a family history of genetic diseases, may be violating GIPA.
  2. Employers requesting medical history of prospective employees:  An employer who requests medical history during the interview process can violate GIPA.  Complaints have alleged this against both private companies and public entities. 
  3. Third Party Disclosure, employment: Companies working with employers or prospective employers who receive genetic information during screening, testing, or other means. 
  4. Third Party Disclosure, other: DNA testing companies, or other companies with the rights to use or gather data, may send the data to third parties to process or handle despite the third party not having consent of the patient or customer.

An example of how these violations can manifest: An employer requires a physical examination of prospective employees. The physical results in a verbal request to disclose medical history, including family medical history that covers medical conditions with genetic predispositions. The employer further asks for a form with family medical history. In this case, it can be alleged that the employer violated GIPA both with the exam questions and again in requesting completion of the written form. If this data is submitted to a third party for processing, this may constitute another violation if that third party also lacks proper consent.

Companies that violate GIPA face not just the penalties of $2,500, $15,000 or more per violation; plaintiffs will also be entitled to recover their expenses and attorneys’ fees.

Privacy Lawyers 

If you believe you have experienced a violation of GIPA, BIPA, or other privacy laws, we invite you to schedule a consultation with our attorneys. Schneider Wallace Cottrell Konecky LLP is a national law firm that represents citizens in protecting their rights. Contact us at 1-800-689-0024 or
